From 6afc2ff1f853da2b195af10118ede45305af0ace Mon Sep 17 00:00:00 2001
From: Robert Kuska <rkuska@redhat.com>
Date: Dec 11 2014 13:39:08 +0000
Subject: Update tests to reflect latest changes in OpenSSL SSLv23 method


---

diff --git a/00199-alter-tests-to-reflect-sslv3-disabled.patch b/00199-alter-tests-to-reflect-sslv3-disabled.patch
new file mode 100644
index 0000000..f35eff9
--- /dev/null
+++ b/00199-alter-tests-to-reflect-sslv3-disabled.patch
@@ -0,0 +1,49 @@
+diff -up Python-3.4.2/Lib/test/test_ssl.py.ssl Python-3.4.2/Lib/test/test_ssl.py
+--- Python-3.4.2/Lib/test/test_ssl.py.ssl	2014-12-11 12:25:21.886928225 +0100
++++ Python-3.4.2/Lib/test/test_ssl.py	2014-12-11 12:25:00.284746529 +0100
+@@ -674,10 +674,7 @@ class ContextTests(unittest.TestCase):
+     @skip_if_broken_ubuntu_ssl
+     def test_options(self):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+-        # OP_ALL | OP_NO_SSLv2 is the default value
+-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
+-                         ctx.options)
+-        ctx.options |= ssl.OP_NO_SSLv3
++        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+         self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
+                          ctx.options)
+         if can_clear_options():
+@@ -2149,21 +2146,18 @@ else:
+                         sys.stdout.write(
+                             " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
+                             % str(x))
+-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
++            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
+ 
+-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
++            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
+ 
+-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
++            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
+ 
+-            # Server with specific SSL options
+-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,
+-                               server_options=ssl.OP_NO_SSLv3)
+             # Will choose TLSv1
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,
+                                server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
+@@ -2186,7 +2180,7 @@ else:
+             try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
+             if no_sslv2_implies_sslv3_hello():
+                 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
+-                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,
++                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
+                                    client_options=ssl.OP_NO_SSLv2)
+ 
+         @skip_if_broken_ubuntu_ssl
diff --git a/python3.spec b/python3.spec
index bfe1482..916bc6c 100644
--- a/python3.spec
+++ b/python3.spec
@@ -140,7 +140,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 Group: Development/Languages
 
@@ -699,6 +699,11 @@ Patch196: 00196-test-gdb-match-addr-before-builtin.patch
 # FIXED UPSTREAM
 # Patch197: 00197-fix-CVE-2014-4650.patch
 
+# OpenSSL disabled SSLv3 in SSLv23 method
+# This patch alters python tests to reflect this change
+# Issue: http://bugs.python.org/issue22638 Upstream discussion about SSLv3 in Python
+Patch199: 00199-alter-tests-to-reflect-sslv3-disabled.patch
+
 
 # (New patches go here ^^^)
 #
@@ -978,6 +983,7 @@ done
 # 00195: upstream as of Python 3.4.2
 %patch196 -p1
 # 00197: upstream as of Python 3.4.2
+%patch199 -p1
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@@ -1866,6 +1872,9 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
+* Thu Dec 11 2014 Robert Kuska <rkuska@redhat.com> - 3.4.2-2
+- OpenSSL disabled SSLv3 in SSLv23 method
+
 * Thu Nov 13 2014 Matej Stuchlik <mstuchli@redhat.com> - 3.4.2-1
 - Update to 3.4.2
 - Refreshed patches: 156 (gdb autoload)