dev-lang/python/files/ssl.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

Neuter security level things until LibreSSL supports them.

Index: Modules/_ssl.c
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -169,7 +169,7 @@ extern const SSL_METHOD *TLSv1_2_method(void);
  * Based on Hynek's excellent blog post (update 2021-02-11)
  * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  */
-  #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
+  #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
   #ifndef PY_SSL_MIN_PROTOCOL
     #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
   #endif
@@ -3579,6 +3579,12 @@ set_num_tickets(PySSLContext *self, PyObject *arg, voi
 PyDoc_STRVAR(PySSLContext_num_tickets_doc,
 "Control the number of TLSv1.3 session tickets");
 #endif /* TLS1_3_VERSION */
+
+int
+SSL_CTX_get_security_level(const SSL_CTX *ctx)
+{
+    return 1;
+}
 
 static PyObject *
 get_security_level(PySSLContext *self, void *c)