diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index a0aa45e9008a1b..7b1c80b725a5d1 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -918,6 +918,13 @@ Constants
.. versionadded:: 3.10
+.. data:: OP_LEGACY_SERVER_CONNECT
+
+ Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+ only.
+
+ .. versionadded:: 3.11.2
+
.. data:: HAS_ALPN
Whether the OpenSSL library has built-in support for the *Application-Layer
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 3b3b869bb53acd..7e0b7a5518eb57 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1702,6 +1702,8 @@ def _assert_context_options(self, ctx):
if OP_CIPHER_SERVER_PREFERENCE != 0:
self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
OP_CIPHER_SERVER_PREFERENCE)
+ self.assertEqual(ctx.options & ssl.OP_LEGACY_SERVER_CONNECT,
+ 0 if IS_OPENSSL_3_0_0 else ssl.OP_LEGACY_SERVER_CONNECT)
def test_create_default_context(self):
ctx = ssl.create_default_context()
@@ -4094,6 +4096,20 @@ def test_compression_disabled(self):
sni_name=hostname)
self.assertIs(stats['compression'], None)
+ def test_legacy_server_connect(self):
+ client_context, server_context, hostname = testing_context()
+ client_context.options |= ssl.OP_LEGACY_SERVER_CONNECT
+ server_params_test(client_context, server_context,
+ chatty=True, connectionchatty=True,
+ sni_name=hostname)
+
+ def test_no_legacy_server_connect(self):
+ client_context, server_context, hostname = testing_context()
+ client_context.options &= ~ssl.OP_LEGACY_SERVER_CONNECT
+ server_params_test(client_context, server_context,
+ chatty=True, connectionchatty=True,
+ sni_name=hostname)
+
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_dh_params(self):
# Check we can get a connection with ephemeral Diffie-Hellman
diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-06-17-08-00-34.gh-issue-89051.yP4Na0.rst b/Misc/NEWS.d/next/Core and Builtins/2022-06-17-08-00-34.gh-issue-89051.yP4Na0.rst
new file mode 100644
index 00000000000000..5c8164863b8192
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2022-06-17-08-00-34.gh-issue-89051.yP4Na0.rst
@@ -0,0 +1 @@
+Add :data:`ssl.OP_LEGACY_SERVER_CONNECT`
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 6071202104fa78..3ea5e1550543b2 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -5888,6 +5888,8 @@ sslmodule_init_constants(PyObject *m)
SSL_OP_CIPHER_SERVER_PREFERENCE);
PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
PyModule_AddIntConstant(m, "OP_NO_TICKET", SSL_OP_NO_TICKET);
+ PyModule_AddIntConstant(m, "OP_LEGACY_SERVER_CONNECT",
+ SSL_OP_LEGACY_SERVER_CONNECT);
#ifdef SSL_OP_SINGLE_ECDH_USE
PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
#endif
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy