[Python-checkins] bpo-35926: Add support for OpenSSL 1.1.1b on Windows (GH-11779)

Steve Dower webhook-mailer at python.org
Thu May 16 12:41:41 EDT 2019


https://github.com/python/cpython/commit/aa73841a8fdded4a462d045d1eb03899cbeecd65
commit: aa73841a8fdded4a462d045d1eb03899cbeecd65
branch: 3.7
author: Steve Dower <steve.dower at python.org>
committer: GitHub <noreply at github.com>
date: 2019年05月16日T09:41:36-07:00
summary:
bpo-35926: Add support for OpenSSL 1.1.1b on Windows (GH-11779)
files:
A Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst
M .azure-pipelines/ci.yml
M Lib/test/test_asyncio/test_sslproto.py
M Lib/test/test_ssl.py
M Misc/ACKS
M Modules/_ssl.c
M PCbuild/get_externals.bat
M PCbuild/openssl.props
M PCbuild/openssl.vcxproj
M PCbuild/prepare_ssl.bat
M PCbuild/python.props
M PCbuild/readme.txt
diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index 15a83dd0370e..1576599379c4 100644
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -59,7 +59,7 @@ jobs:
 variables:
 testRunTitle: '$(build.sourceBranchName)-linux'
 testRunPlatform: linux
- openssl_version: 1.1.0j
+ openssl_version: 1.1.1b
 
 steps:
 - template: ./posix-steps.yml
@@ -116,7 +116,7 @@ jobs:
 variables:
 testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
 testRunPlatform: linux-coverage
- openssl_version: 1.1.0j
+ openssl_version: 1.1.1b
 
 steps:
 - template: ./posix-steps.yml
diff --git a/Lib/test/test_asyncio/test_sslproto.py b/Lib/test/test_asyncio/test_sslproto.py
index 6c0b0e2a0187..6d085f303546 100644
--- a/Lib/test/test_asyncio/test_sslproto.py
+++ b/Lib/test/test_asyncio/test_sslproto.py
@@ -494,8 +494,8 @@ def test_start_tls_server_1(self):
 
 server_context = test_utils.simple_server_sslcontext()
 client_context = test_utils.simple_client_sslcontext()
- if sys.platform.startswith('freebsd'):
- # bpo-35031: Some FreeBSD buildbots fail to run this test
+ if sys.platform.startswith('freebsd') or sys.platform.startswith('win'):
+ # bpo-35031: Some FreeBSD and Windows buildbots fail to run this test
 # as the eof was not being received by the server if the payload
 # size is not big enough. This behaviour only appears if the
 # client is using TLS1.3.
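Review bot: The platform test on the changed `if` line calls `startswith` twice; `str.startswith` accepts a tuple, so `if sys.platform.startswith(('freebsd', 'win')):` says the same thing in one call. The comment below it still cites only bpo-35031, although the Windows case is added by this change (bpo-35926); naming both issues would let a later reader find out why Windows was included. The body of the `if` continues outside the hunk.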
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 422d6f2f445a..73b6bdf01e7f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2214,7 +2214,7 @@ def wrap_conn(self):
 self.sock, server_side=True)
 self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())
 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
- except (ConnectionResetError, BrokenPipeError) as e:
+ except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
 # We treat ConnectionResetError as though it were an
 # SSLError - OpenSSL on Ubuntu abruptly closes the
 # connection when asked to use an unsupported protocol.
@@ -2222,6 +2222,9 @@ def wrap_conn(self):
 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
 # tries to send session tickets after handshake.
 # https://github.com/openssl/openssl/issues/6342
+ #
+ # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
+ # tries to send session tickets after handshake when using WinSock.
 self.server.conn_errors.append(str(e))
 if self.server.chatty:
 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
@@ -2352,7 +2355,7 @@ def run(self):
 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
 % (msg, ctype, msg.lower(), ctype))
 self.write(msg.lower())
- except ConnectionResetError:
+ except (ConnectionResetError, ConnectionAbortedError):
 # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError
 # when connection is not shut down gracefully.
 if self.server.chatty and support.verbose:
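Review bot: The `XXX` comment under the widened `except (ConnectionResetError, ConnectionAbortedError):` still explains only ConnectionResetError, so the reason for catching the second exception is not recorded here. Presumably it is the same WinSock behaviour described in the comment added to `wrap_conn` earlier in this diff; if so, a line such as `# On Windows (WinSock) the same condition surfaces as ConnectionAbortedError.` would make that explicit. The handler body continues outside the hunk.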
@@ -2362,6 +2365,18 @@ def run(self):
 )
 self.close()
 self.running = False
+ except ssl.SSLError as err:
+ # On Windows sometimes test_pha_required_nocert receives the
+ # PEER_DID_NOT_RETURN_A_CERTIFICATE exception
+ # before the 'tlsv13 alert certificate required' exception.
+ # If the server is stopped when PEER_DID_NOT_RETURN_A_CERTIFICATE
+ # is received test_pha_required_nocert fails with ConnectionResetError
+ # because the underlying socket is closed
+ if 'PEER_DID_NOT_RETURN_A_CERTIFICATE' == err.reason:
+ if self.server.chatty and support.verbose:
+ sys.stdout.write(err.args[1])
+ # test_pha_required_nocert is expecting this exception
+ raise ssl.SSLError('tlsv13 alert certificate required')
 except OSError:
 if self.server.chatty:
 handle_error("Test server failure:\n")
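Review bot: The new `except ssl.SSLError as err:` clause sits before `except OSError:`, and `ssl.SSLError` is an `OSError` subclass, so every SSLError raised in this `try` now lands in the new clause. Only the `PEER_DID_NOT_RETURN_A_CERTIFICATE` reason is handled there. As far as the flattened indentation shows, any other SSLError leaves the clause without a `handle_error` call and without whatever the `except OSError:` branch does next (its body continues outside the hunk), so genuine TLS failures in the test server could go unreported. Handling the special case inside the existing branch, `except OSError as err:` followed by `if isinstance(err, ssl.SSLError) and err.reason == 'PEER_DID_NOT_RETURN_A_CERTIFICATE':`, would keep the old path for everything else. `sys.stdout.write(err.args[1])` also assumes `args` has two elements.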
diff --git a/Misc/ACKS b/Misc/ACKS
index 025944f318f9..2d887bcb6a0f 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1088,6 +1088,7 @@ Tim Mitchell
 Zubin Mithra
 Florian Mladitsch
 Doug Moen
+Paul Monson
 The Dragon De Monsyne
 Bastien Montagne
 Skip Montanaro
diff --git a/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst b/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst
new file mode 100644
index 000000000000..03249c6a168a
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2019-03-01-16-43-45.bpo-35926.mLszHo.rst
@@ -0,0 +1 @@
+Update to OpenSSL 1.1.1b for Windows.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index fff1a28843d0..30c91f59310f 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -669,7 +669,7 @@ fill_and_set_sslerror(PySSLSocket *sslsock, PyObject *type, int ssl_errno,
 if (msg == NULL)
 goto fail;
 
- init_value = Py_BuildValue("iN", ssl_errno, msg);
+ init_value = Py_BuildValue("iN", ERR_GET_REASON(ssl_errno), msg);
 if (init_value == NULL)
 goto fail;
 
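Review bot: `ERR_GET_REASON()` is meant for packed error-queue codes of the kind the `ERR_get_error()` family returns, but on the changed line it is applied to the `int ssl_errno` parameter, whose meaning the hunk does not show. If `ssl_errno` carries an `SSL_get_error()`-style result rather than a packed code, the macro only masks the low bits, and the number stored as the Python exception's `errno` is not the library reason it appears to be; code that branches on it could then misclassify TLS failures. A comment stating which kind of value is expected, for example `/* ssl_errno is a packed ERR_* code here; expose only its reason part */` if that is the case, would settle it. Alternatively the macro could be applied to a packed error code, if the function receives one in the part of the signature that is cut off in the hunk header. The function body starts and ends outside the hunk.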
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index 887fdc941171..27722bb9c4d6 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -49,7 +49,7 @@ echo.Fetching external libraries...
 
 set libraries=
 set libraries=%libraries% bzip2-1.0.6
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.0j
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1b
 set libraries=%libraries% sqlite-3.21.0.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0
@@ -72,7 +72,7 @@ for %%e in (%libraries%) do (
 echo.Fetching external binaries...
 
 set binaries=
-if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.0j
+if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1b
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0
 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06
 
diff --git a/PCbuild/openssl.props b/PCbuild/openssl.props
index 8c78cd4ab108..a7e16793c7f2 100644
--- a/PCbuild/openssl.props
+++ b/PCbuild/openssl.props
@@ -11,7 +11,8 @@
 </ItemDefinitionGroup>
 <PropertyGroup>
 <_DLLSuffix>-1_1</_DLLSuffix>
- <_DLLSuffix Condition="$(Platform) == 'x64'">$(_DLLSuffix)-x64</_DLLSuffix>
+ <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm</_DLLSuffix>
+ <_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64</_DLLSuffix>
 </PropertyGroup>
 <ItemGroup>
 <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" />
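Review bot: With the `x64` condition removed, x64 builds fall through to the bare `-1_1` suffix, so `_SSLDLL` resolves to the same `libcrypto-1_1.dll` name for Win32 and x64, while ARM and ARM64 keep distinguishing suffixes. Nothing in this hunk shows where the x64 OpenSSL build is made to emit an unsuffixed DLL; presumably that is handled by build configuration outside it. Identically named 32-bit and 64-bit crypto DLLs are easy to mix up in a shared directory or on PATH, so a comment stating that the omission is deliberate would help, for example `<!-- x64 intentionally shares the Win32 DLL name; see bpo-35926 -->`.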
diff --git a/PCbuild/openssl.vcxproj b/PCbuild/openssl.vcxproj
index 1a36d08ec06c..0da6f6749584 100644
--- a/PCbuild/openssl.vcxproj
+++ b/PCbuild/openssl.vcxproj
@@ -1,37 +1,21 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 <ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
 <ProjectConfiguration Include="Release|Win32">
 <Configuration>Release</Configuration>
 <Platform>Win32</Platform>
 </ProjectConfiguration>
- <ProjectConfiguration Include="PGInstrument|Win32">
- <Configuration>PGInstrument</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="PGInstrument|x64">
- <Configuration>PGInstrument</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="PGUpdate|Win32">
- <Configuration>PGUpdate</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="PGUpdate|x64">
- <Configuration>PGUpdate</Configuration>
+ <ProjectConfiguration Include="Release|x64">
+ <Configuration>Release</Configuration>
 <Platform>x64</Platform>
 </ProjectConfiguration>
- <ProjectConfiguration Include="Debug|x64">
- <Configuration>Debug</Configuration>
- <Platform>x64</Platform>
+ <ProjectConfiguration Include="Release|ARM">
+ <Configuration>Release</Configuration>
+ <Platform>ARM</Platform>
 </ProjectConfiguration>
- <ProjectConfiguration Include="Release|x64">
+ <ProjectConfiguration Include="Release|ARM64">
 <Configuration>Release</Configuration>
- <Platform>x64</Platform>
+ <Platform>ARM64</Platform>
 </ProjectConfiguration>
 </ItemGroup>
 <PropertyGroup Label="Globals">
@@ -40,15 +24,36 @@
 
 <Import Project="python.props" />
 <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- 
- <PropertyGroup Label="Configuration">
+
+ <PropertyGroup Label="Configuration" Condition="$(Platform) == 'Win32'">
 <ConfigurationType>Makefile</ConfigurationType>
 <Bitness>32</Bitness>
- <Bitness Condition="$(Platform) == 'x64'">64</Bitness>
 <ArchName>x86</ArchName>
- <ArchName Condition="$(Platform) == 'x64'">amd64</ArchName>
 <OpenSSLPlatform>VC-WIN32</OpenSSLPlatform>
- <OpenSSLPlatform Condition="$(Platform) == 'x64'">VC-WIN64A</OpenSSLPlatform>
+ <SupportSigning>true</SupportSigning>
+ </PropertyGroup>
+
+ <PropertyGroup Label="Configuration" Condition="$(Platform) == 'x64'">
+ <ConfigurationType>Makefile</ConfigurationType>
+ <Bitness>64</Bitness>
+ <ArchName>amd64</ArchName>
+ <OpenSSLPlatform>VC-WIN64A-masm</OpenSSLPlatform>
+ <SupportSigning>true</SupportSigning>
+ </PropertyGroup>
+
+ <PropertyGroup Label="Configuration" Condition="$(Platform) == 'ARM'">
+ <ConfigurationType>Makefile</ConfigurationType>
+ <Bitness>ARM</Bitness>
+ <ArchName>ARM</ArchName>
+ <OpenSSLPlatform>VC-WIN32-ARM</OpenSSLPlatform>
+ <SupportSigning>true</SupportSigning>
+ </PropertyGroup>
+
+ <PropertyGroup Label="Configuration" Condition="$(Platform) == 'ARM64'">
+ <ConfigurationType>Makefile</ConfigurationType>
+ <Bitness>ARM64</Bitness>
+ <ArchName>ARM64</ArchName>
+ <OpenSSLPlatform>VC-WIN64-ARM</OpenSSLPlatform>
 <SupportSigning>true</SupportSigning>
 </PropertyGroup>
 
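Review bot: `Bitness` was numeric (`32`/`64`) and is now `ARM`/`ARM64` in the two new groups, so any consumer that compares it as a number or builds a path from it receives an architecture name instead; no consumer is visible in this hunk, so this is something to confirm. Separately, `ConfigurationType` and `SupportSigning` are repeated identically in all four groups. Keeping those two in one unconditional `PropertyGroup` and leaving only `Bitness`, `ArchName` and `OpenSSLPlatform` in the per-platform groups would shorten the block and prevent drift when another platform is added.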
diff --git a/PCbuild/prepare_ssl.bat b/PCbuild/prepare_ssl.bat
index bd4b548528c5..88fd0225f5ea 100644
--- a/PCbuild/prepare_ssl.bat
+++ b/PCbuild/prepare_ssl.bat
@@ -42,7 +42,7 @@ if ERRORLEVEL 1 (echo Cannot locate MSBuild.exe on PATH or as MSBUILD variable &
 call "%PCBUILD%\find_python.bat" "%PYTHON%"
 if ERRORLEVEL 1 (echo Cannot locate python.exe on PATH or as PYTHON variable & exit /b 3)
 
-call "%PCBUILD%\get_externals.bat" --openssl-src %ORG_SETTING%
+call "%PCBUILD%\get_externals.bat" --openssl-src --no-openssl %ORG_SETTING%
 
 if "%PERL%" == "" where perl > "%TEMP%\perl.loc" 2> nul && set /P PERL= <"%TEMP%\perl.loc" & del "%TEMP%\perl.loc"
 if "%PERL%" == "" (echo Cannot locate perl.exe on PATH or as PERL variable & exit /b 4)
@@ -51,4 +51,8 @@ if "%PERL%" == "" (echo Cannot locate perl.exe on PATH or as PERL variable & exi
 if errorlevel 1 exit /b
 %MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=x64
 if errorlevel 1 exit /b
+%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=ARM
+if errorlevel 1 exit /b
+%MSBUILD% "%PCBUILD%\openssl.vcxproj" /p:Configuration=Release /p:Platform=ARM64
+if errorlevel 1 exit /b
 
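Review bot: The ARM and ARM64 builds are added unconditionally after the x64 build, so the script would presumably stop at `if errorlevel 1 exit /b` on any machine that lacks the ARM/ARM64 MSVC toolsets, even when only x86/x64 binaries are wanted. If that is not intended, an opt-out switch or a toolset check before these two `%MSBUILD%` lines would keep the script usable on such machines. If it is intended, a line such as `rem Requires the ARM and ARM64 MSVC toolsets to be installed.` above them would save the next person a failed run.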
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 683fbb6e6f84..58877ee06698 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -49,8 +49,8 @@
 <sqlite3Dir>$(ExternalsDir)sqlite-3.21.0.0\</sqlite3Dir>
 <bz2Dir>$(ExternalsDir)bzip2-1.0.6\</bz2Dir>
 <lzmaDir>$(ExternalsDir)xz-5.2.2\</lzmaDir>
- <opensslDir>$(ExternalsDir)openssl-1.1.0j\</opensslDir>
- <opensslOutDir>$(ExternalsDir)openssl-bin-1.1.0j\$(ArchName)\</opensslOutDir>
+ <opensslDir>$(ExternalsDir)openssl-1.1.1b\</opensslDir>
+ <opensslOutDir>$(ExternalsDir)openssl-bin-1.1.1b\$(ArchName)\</opensslOutDir>
 <opensslIncludeDir>$(opensslOutDir)include</opensslIncludeDir>
 <nasmDir>$(ExternalsDir)\nasm-2.11.06\</nasmDir>
 <zlibDir>$(ExternalsDir)\zlib-1.2.11\</zlibDir>
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 1f2fb929efd9..c44722b98887 100644
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -165,7 +165,7 @@ _lzma
 Homepage:
 http://tukaani.org/xz/
 _ssl
- Python wrapper for version 1.1.0h of the OpenSSL secure sockets
+ Python wrapper for version 1.1.1b of the OpenSSL secure sockets
 library, which is downloaded from our binaries repository at
 https://github.com/python/cpython-bin-deps.
 

