Skip to content

bpo-32378: LibreSSL NPN workaround #5253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tiran wants to merge 1 commit into from
Closed

bpo-32378: LibreSSL NPN workaround #5253

tiran wants to merge 1 commit into from

Conversation

@tiran
Copy link
Member

@tiran tiran commented Jan 20, 2018
edited by bedevere-bot
Loading

The ssl module now contains a workaround for missing NPN support in LibreSSL
2.6.1. Upstream has removed NPN without setting OPENSSL_NO_NEXTPROTONEG.

Obsoletes PR #4930
See libressl/portable#368

https://bugs.python.org/issue32378

@tiran
bpo-32378: LibreSSL NPN workaround
d91d150 
The ssl module now contains a workaround for missing NPN support in LibreSSL
2.6.1. Upstream has removed NPN without setting OPENSSL_NO_NEXTPROTONEG.
@tiran tiran added type-bug An unexpected behavior, bug, or error needs backport to 3.6 labels Jan 20, 2018
@tiran tiran mentioned this pull request Jan 26, 2018
Closed
4a6f656c
4a6f656c reviewed Jan 28, 2018
View reviewed changes
Modules/_ssl.c
* designated OPENSSL_NO_NEXTPROTONEG feature flag. See upstream issue
* https://github.com/libressl-portable/portable/issues/368
*/
#if defined(LIBRESSL_VERSION_NUMBER) && !defined(TLSEXT_TYPE_next_proto_neg)
Copy link

@4a6f656c 4a6f656c Jan 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not really a LibreSSL quirk - due to various history, no one can set OPENSSL_NO_NEXTPROTONEG without breaking multiple open source projects (each in different ways). As such, I would strongly recommend conditioning on the availability of TLSEXT_TYPE_next_proto_neg, rather than trying to map this to OPENSSL_NO_NEXTPROTONEG.

If you wish to retain this approach, the comment above could at least be updated to explain why OPENSSL_NO_NEXTPROTONEG cannot be set via LibreSSL (or OpenSSL for that matter).

@tiran
Copy link
Member Author

tiran commented Feb 24, 2018

I'm closing my PR in favor of GH-5343

@tiran tiran closed this Feb 24, 2018
@tiran tiran deleted the bpo-32378-libressl-npn-2 branch February 24, 2018 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@4a6f656c 4a6f656c 4a6f656c left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

awaiting merge type-bug An unexpected behavior, bug, or error

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tiran @4a6f656c @the-knights-who-say-ni @bedevere-bot