Bug #1197391 “Tls v1.2 support” : Bugs : pyOpenSSL

Revision history for this message

Jean-Paul Calderone (exarkun) wrote on 2013-07-03:

#1

Can you check your code into a branch and link it to this ticket? Thanks.

Revision history for this message

Shilpa (heyshilps) wrote on 2013-07-04:

#2

Hi, I am running into issues while installing bzr..
I have the rpm instlled already

[root@pocdev bazar]# rpm -ivh epel-release-5-4.noarch.rpm
warning: epel-release-5-4.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 217521f6: NOKEY
Preparing... ########################################### [100%]
package epel-release-5-4.noarch is already installed
[root@pocdev bazar]#

but when I try to yum install, I get this.

[root@pocdev bazar]# yum install bzr
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=x86_64 error was
14: PYCURL ERROR 6 - "Couldn't resolve host 'mirrors.fedoraproject.org'"
Error: Cannot find a valid baseurl for repo: epel
[root@pocdev bazar]#

what am I doing wrong..?

Revision history for this message

Shilpa (heyshilps) wrote on 2013-07-04:

#3

Tried various debug suggestions. unable to resolve the path. Here are the two repo files, I am trying with.

***************
[root@pocdev yum.repos.d]# cat epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://157.235.187.3/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

*********************

[root@pocdev yum.repos.d]# cat epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
#baseurl=http://157.235.187.3/pub/epel/testing/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
[root@pocdev yum.repos.d]#
****************

Only the mirrors are valid path.

Here is the error:

**************
[root@pocdev yum.repos.d]# yum install bzr
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=x86_64 error was
14: PYCURL ERROR 6 - "Couldn't resolve host 'mirrors.fedoraproject.org'"
Error: Cannot find a valid baseurl for repo: epel
[root@pocdev yum.repos.d]#
*************

nslookup mirrors.fedoraproject.org gives me

Server: 157.235.187.3
Address: 157.235.187.3#53

and its present under /etc/resolv.conf

***********
# Generated by NetworkManager
search ap.mot-solutions.com
nameserver 157.235.187.3
nameserver 157.235.187.131
nameserver 10.179.0.3
search mirrors.fedoraproject.org
157.235.187.3#53
*************

Tried various debug suggestions. unable to resolve the path. Here are the two repo files, I am trying with.

***************
[root@pocdev yum.repos.d]# cat epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://157.235.187.3/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

*********************

[root@pocdev yum.repos.d]# cat epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch 
#baseurl=http://157.235.187.3/pub/epel/testing/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/testing/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
[root@pocdev yum.repos.d]# 
****************

Only the mirrors are valid path.

Here is the error:

**************
[root@pocdev yum.repos.d]# yum install bzr
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=x86_64 error was
14: PYCURL ERROR 6 - "Couldn't resolve host 'mirrors.fedoraproject.org'"
Error: Cannot find a valid baseurl for repo: epel
[root@pocdev yum.repos.d]# 
*************

nslookup mirrors.fedoraproject.org  gives me

Server:		157.235.187.3
Address:	157.235.187.3#53

and its present under /etc/resolv.conf

***********
# Generated by NetworkManager
search ap.mot-solutions.com
nameserver 157.235.187.3
nameserver 157.235.187.131
nameserver 10.179.0.3
search mirrors.fedoraproject.org
157.235.187.3#53
*************

Revision history for this message

Ben Summerton (bns4412) wrote on 2013-08-09:

#4

Here is a patch file that should let PyOpenSSL use TLS v1.1 and v1.2:

From 2bf22122239ea5b3a0d059a546679121f6a1d346 Mon Sep 17 00:00:00 2001
From: Ben Summerton <email address hidden>
Date: Fri, 9 Aug 2013 10:48:15 -0400
Subject: [PATCH] Added TLS 1.1 & 1.2 support.

---
OpenSSL/ssl/context.c | 10 ++++++++--
OpenSSL/ssl/context.h | 2 ++
OpenSSL/ssl/ssl.c | 4 ++++
3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/OpenSSL/ssl/context.c b/OpenSSL/ssl/context.c
index e971c0a..5268ecb 100644
--- a/OpenSSL/ssl/context.c
+++ b/OpenSSL/ssl/context.c
@@ -292,8 +292,8 @@ Context(method) -> Context instance\n\
OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
connections.\n\
\n\
-:param method: One of " SSLv2_METHOD_TEXT "SSLv3_METHOD, SSLv23_METHOD, or\n\
- TLSv1_METHOD.\n\
+:param method: One of " SSLv2_METHOD_TEXT "SSLv3_METHOD, SSLv23_METHOD,\n\
+ TLSv1_METHOD, TLSv1_1_METHOD, OR TLSv1_2_METHOD.\n\
";

#undef SSLv2_METHOD_TEXT
@@ -1262,6 +1262,12 @@ ssl_Context_init(ssl_ContextObj *self, int i_method) {
         case ssl_TLSv1_METHOD:
             method = TLSv1_method();
             break;
+ case ssl_TLSv1_1_METHOD:
+ method = TLSv1_1_method();
+ break;
+ case ssl_TLSv1_2_METHOD:
+ method = TLSv1_2_method();
+ break;
         default:
             PyErr_SetString(PyExc_ValueError, "No such protocol");
             return NULL;
diff --git a/OpenSSL/ssl/context.h b/OpenSSL/ssl/context.h
index 19b5e9e..989d8f1 100644
--- a/OpenSSL/ssl/context.h
+++ b/OpenSSL/ssl/context.h
@@ -38,6 +38,8 @@ typedef struct {
#define ssl_SSLv3_METHOD (2)
#define ssl_SSLv23_METHOD (3)
#define ssl_TLSv1_METHOD (4)
+#define ssl_TLSv1_1_METHOD (5)
+#define ssl_TLSv1_2_METHOD (6)

#endif
diff --git a/OpenSSL/ssl/ssl.c b/OpenSSL/ssl/ssl.c
index 5725d5d..3ad0d96 100644
--- a/OpenSSL/ssl/ssl.c
+++ b/OpenSSL/ssl/ssl.c
@@ -185,6 +185,8 @@ do { \
     PyModule_AddIntConstant(module, "SSLv3_METHOD", ssl_SSLv3_METHOD);
     PyModule_AddIntConstant(module, "SSLv23_METHOD", ssl_SSLv23_METHOD);
     PyModule_AddIntConstant(module, "TLSv1_METHOD", ssl_TLSv1_METHOD);
+ PyModule_AddIntConstant(module, "TLSv1_1_METHOD", ssl_TLSv1_1_METHOD);
+ PyModule_AddIntConstant(module, "TLSv1_2_METHOD", ssl_TLSv1_2_METHOD);

     /* Verify constants */
     PyModule_AddIntConstant(module, "VERIFY_NONE", SSL_VERIFY_NONE);
@@ -204,6 +206,8 @@ do { \
     PyModule_AddIntConstant(module, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
     PyModule_AddIntConstant(module, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
     PyModule_AddIntConstant(module, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
+ PyModule_AddIntConstant(module, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
+ PyModule_AddIntConstant(module, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);

/* More SSL option constants */
PyModule_AddIntConstant(module, "OP_MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG);
--
1.7.12.4 (Apple Git-37)

Here is a patch file that should let PyOpenSSL use TLS v1.1 and v1.2:

From 2bf22122239ea5b3a0d059a546679121f6a1d346 Mon Sep 17 00:00:00 2001
From: Ben Summerton <bsummerton@enernoc.com>
Date: Fri, 9 Aug 2013 10:48:15 -0400
Subject: [PATCH] Added TLS 1.1 & 1.2 support.

---
 OpenSSL/ssl/context.c | 10 ++++++++--
 OpenSSL/ssl/context.h |  2 ++
 OpenSSL/ssl/ssl.c     |  4 ++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/OpenSSL/ssl/context.c b/OpenSSL/ssl/context.c
index e971c0a..5268ecb 100644
--- a/OpenSSL/ssl/context.c
+++ b/OpenSSL/ssl/context.c
@@ -292,8 +292,8 @@ Context(method) -> Context instance\n\
 OpenSSL.SSL.Context instances define the parameters for setting up new SSL\n\
 connections.\n\
 \n\
-:param method: One of " SSLv2_METHOD_TEXT "SSLv3_METHOD, SSLv23_METHOD, or\n\
-               TLSv1_METHOD.\n\
+:param method: One of " SSLv2_METHOD_TEXT "SSLv3_METHOD, SSLv23_METHOD,\n\
+               TLSv1_METHOD, TLSv1_1_METHOD, OR TLSv1_2_METHOD.\n\
 ";
 
 #undef SSLv2_METHOD_TEXT
@@ -1262,6 +1262,12 @@ ssl_Context_init(ssl_ContextObj *self, int i_method) {
         case ssl_TLSv1_METHOD:
             method = TLSv1_method();
             break;
+        case ssl_TLSv1_1_METHOD:
+            method = TLSv1_1_method();
+            break;
+        case ssl_TLSv1_2_METHOD:
+            method = TLSv1_2_method();
+            break;
         default:
             PyErr_SetString(PyExc_ValueError, "No such protocol");
             return NULL;
diff --git a/OpenSSL/ssl/context.h b/OpenSSL/ssl/context.h
index 19b5e9e..989d8f1 100644
--- a/OpenSSL/ssl/context.h
+++ b/OpenSSL/ssl/context.h
@@ -38,6 +38,8 @@ typedef struct {
 #define ssl_SSLv3_METHOD      (2)
 #define ssl_SSLv23_METHOD     (3)
 #define ssl_TLSv1_METHOD      (4)
+#define ssl_TLSv1_1_METHOD    (5)
+#define ssl_TLSv1_2_METHOD    (6)
 
 
 #endif
diff --git a/OpenSSL/ssl/ssl.c b/OpenSSL/ssl/ssl.c
index 5725d5d..3ad0d96 100644
--- a/OpenSSL/ssl/ssl.c
+++ b/OpenSSL/ssl/ssl.c
@@ -185,6 +185,8 @@ do {                                                                    \
     PyModule_AddIntConstant(module, "SSLv3_METHOD",  ssl_SSLv3_METHOD);
     PyModule_AddIntConstant(module, "SSLv23_METHOD", ssl_SSLv23_METHOD);
     PyModule_AddIntConstant(module, "TLSv1_METHOD",  ssl_TLSv1_METHOD);
+    PyModule_AddIntConstant(module, "TLSv1_1_METHOD",  ssl_TLSv1_1_METHOD);
+    PyModule_AddIntConstant(module, "TLSv1_2_METHOD",  ssl_TLSv1_2_METHOD);
 
     /* Verify constants */
     PyModule_AddIntConstant(module, "VERIFY_NONE", SSL_VERIFY_NONE);
@@ -204,6 +206,8 @@ do {                                                                    \
     PyModule_AddIntConstant(module, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
     PyModule_AddIntConstant(module, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
     PyModule_AddIntConstant(module, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
+    PyModule_AddIntConstant(module, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
+    PyModule_AddIntConstant(module, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
 
     /* More SSL option constants */
     PyModule_AddIntConstant(module, "OP_MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG);
-- 
1.7.12.4 (Apple Git-37)

Revision history for this message

Thom Nichols (tmnichols) wrote on 2013-09-03:

#5

I can confirm Ben's changes correctly support TLS v1.2 (assuming he generated the patch right!) I've built PyOpenSSL against OpenSSL v1.0.1e on Mac and Linux, and can exchange messages with a Java-based HTTP(s) server that enforces TLS1.2-only.

I've hosted Ben's fork @ https://github.com/EnerNOC/pyopenssl

Sorry it's not mercurial.

pyOpenSSL

Tls v1.2 support

Bug Description

Other bug subscribers

Related questions

Remote bug watches