[2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446)
* bpo-29136: Add TLS 1.3 support
TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.
Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 5b4cec2..f70af26 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4282,6 +4282,11 @@
PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
#endif
+#ifdef SSL_OP_NO_TLSv1_3
+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3);
+#else
+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0);
+#endif
PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
SSL_OP_CIPHER_SERVER_PREFERENCE);
PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
@@ -4333,6 +4338,14 @@
Py_INCREF(r);
PyModule_AddObject(m, "HAS_ALPN", r);
+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
+ r = Py_True;
+#else
+ r = Py_False;
+#endif
+ Py_INCREF(r);
+ PyModule_AddObject(m, "HAS_TLSv1_3", r);
+
/* Mappings for error codes */
err_codes_to_names = PyDict_New();
err_names_to_codes = PyDict_New();