diff --git a/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch b/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
new file mode 100644
index 0000000..288d3fb
--- /dev/null
+++ b/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
@@ -0,0 +1,66 @@
+From 2716cd2fa55cc867656a3e797797f5a1386afd69 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Sun, 12 Aug 2018 15:48:24 -0400
+Subject: [PATCH] Fixed #4380 -- do not assume TLSv1 is available in OpenSSL
+ (#4389)
+
+* Fixed #4380 -- do not assume TLSv1 is available in OpenSSL
+
+Hallelujah! It's starting to become the case that some OpenSSLs are disabling it.
+
+* cover this file as well
+---
+ tests/hazmat/backends/test_openssl.py | 2 +-
+ tests/hazmat/bindings/test_openssl.py | 9 ++++++---
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
+index 31b34cd0..e77f5dc3 100644
+--- a/tests/hazmat/backends/test_openssl.py
++++ b/tests/hazmat/backends/test_openssl.py
+@@ -115,7 +115,7 @@ class TestOpenSSL(object):
+ assert len(errors) == 10
+
+ def test_ssl_ciphers_registered(self):
+- meth = backend._lib.TLSv1_method()
++ meth = backend._lib.SSLv23_method()
+ ctx = backend._lib.SSL_CTX_new(meth)
+ assert ctx != backend._ffi.NULL
+ backend._lib.SSL_CTX_free(ctx)
+diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
+index 488f64e1..f317f07f 100644
+--- a/tests/hazmat/bindings/test_openssl.py
++++ b/tests/hazmat/bindings/test_openssl.py
+@@ -37,7 +37,8 @@ class TestOpenSSL(object):
+ # Test that we're properly handling 32-bit unsigned on all platforms.
+ b = Binding()
+ assert b.lib.SSL_OP_ALL > 0
+- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
++ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
++ assert ctx != b.ffi.NULL
+ ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
+ current_options = b.lib.SSL_CTX_get_options(ctx)
+ resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL)
+@@ -49,7 +50,8 @@ class TestOpenSSL(object):
+ # Test that we're properly handling 32-bit unsigned on all platforms.
+ b = Binding()
+ assert b.lib.SSL_OP_ALL > 0
+- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
++ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
++ assert ctx != b.ffi.NULL
+ ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
+ ssl = b.lib.SSL_new(ctx)
+ ssl = b.ffi.gc(ssl, b.lib.SSL_free)
+@@ -63,7 +65,8 @@ class TestOpenSSL(object):
+ # Test that we're properly handling 32-bit unsigned on all platforms.
+ b = Binding()
+ assert b.lib.SSL_OP_ALL > 0
+- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
++ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
++ assert ctx != b.ffi.NULL
+ ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
+ ssl = b.lib.SSL_new(ctx)
+ ssl = b.ffi.gc(ssl, b.lib.SSL_free)
+--
+2.17.1
+
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 312adbb..098c1d1 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -11,7 +11,7 @@ Name: python-%{srcname}
 Version: 2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: PyCA's cryptography library
 Group: Development/Libraries
@@ -19,6 +19,8 @@ License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
 Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
+Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
+
 BuildRequires: openssl-devel
 BuildRequires: gcc
@@ -161,6 +163,9 @@ popd
 %changelog
+* Mon Aug 13 2018 Christian Heimes - 2.3-2
+- Use TLSv1.2 in test as workaround for RHBZ#1615143
+
 * Wed Jul 18 2018 Christian Heimes - 2.3-1
 - New upstream release 2.3
 - Fix AEAD tag truncation bug, RHBZ#1602752
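Review bot: In the embedded `-49,7` and `-63,7` hunks of tests/hazmat/bindings/test_openssl.py, the result of `b.lib.SSL_new(ctx)` is still passed straight to `b.ffi.gc(ssl, b.lib.SSL_free)` with no NULL check, although the patch adds `assert ctx != b.ffi.NULL` after each `SSL_CTX_new` call. For consistency, add `assert ssl != b.ffi.NULL` directly after `ssl = b.lib.SSL_new(ctx)`, so that an allocation failure fails the test at the call site instead of surfacing in a later call. The switch to `SSLv23_method()` would also benefit from a one-line comment such as `# version-flexible method; TLSv1_method() may be disabled in this OpenSSL build`, so the choice is not mistaken for pinning an old protocol. The test bodies start and end outside the embedded hunks.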
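Review bot: `Patch0001` is declared in the `-19,6` hunk, but this diff shows no change to `%prep`, so it cannot be confirmed from here that the patch is actually applied. If `%prep` does not already use `%autosetup -p1` or an equivalent `%patch` line, the tests will still call `TLSv1_method()`. The patch is in git format with `a/` and `b/` path prefixes, so it needs strip level 1. The changelog entry in the `-161,6` hunk says "Use TLSv1.2 in test", while the patch switches to `SSLv23_method()`, which is version-flexible rather than fixed to TLS 1.2; wording such as `- Use SSLv23_method() instead of TLSv1_method() in tests, RHBZ#1615143` would match what the patch does.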