Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+

The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.

Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
The patch removes the verify_flags feature on Mac OS X 10.4 with OpenSSL 0.9.7l 28 Sep 2006.
97b19214 · Christian Heimes · bfaa6333 · 97b19214 · 97b19214 · 97b19214
Commit 97b19214 authored Nov 23, 2013 by Christian Heimes
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

Doc/library/ssl.rst Doc/library/ssl.rst +1 -0

Lib/test/test_ssl.py Lib/test/test_ssl.py +8 -0

Modules/_ssl.c Modules/_ssl.c +9 -0

No files found.
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1126,6 +1126,7 @@ to speed up repeated connections from the same clients.
   The flags for certificate verification operations. You can set flags like
   :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL
   does neither require nor verify certificate revocation lists (CRLs).
+   Available only with openssl version 0.9.8+.
   .. versionadded:: 3.4

--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -82,6 +82,10 @@ def no_sslv2_implies_sslv3_hello():
    # 0.9.7h or higher
    return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)
+def have_verify_flags():
+    # 0.9.8 or higher
+    return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)
 def asn1time(cert_time):
    # Some versions of OpenSSL ignore seconds, see #18207
    # 0.9.8.i
@@ -667,6 +671,8 @@ class ContextTests(unittest.TestCase):
        with self.assertRaises(ValueError):
            ctx.verify_mode = 42
+    @unittest.skipUnless(have_verify_flags(),
+                         "verify_flags need OpenSSL > 0.9.8")
    def test_verify_flags(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        # default value by OpenSSL
@@ -1809,6 +1815,8 @@ else:
                self.assertLess(before, after)
                s.close()
+        @unittest.skipUnless(have_verify_flags(),
+                            "verify_flags need OpenSSL > 0.9.8")
        def test_crl_check(self):
            if support.verbose:
                sys.stdout.write("\n")

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -198,6 +198,11 @@ static unsigned int _ssl_locks_count = 0;
 # define OPENSSL_NO_COMP
 #endif
+/* X509_VERIFY_PARAM got added to OpenSSL in 0.9.8 */
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+# define HAVE_OPENSSL_VERIFY_PARAM
+#endif
 typedef struct {
    PyObject_HEAD
@@ -2230,6 +2235,7 @@ set_verify_mode(PySSLContext *self, PyObject *arg, void *c)
    return 0;
 }
+#ifdef HAVE_OPENSSL_VERIFY_PARAM
 static PyObject *
 get_verify_flags(PySSLContext *self, void *c)
 {
@@ -2267,6 +2273,7 @@ set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
    }
    return 0;
 }
+#endif
 static PyObject *
 get_options(PySSLContext *self, void *c)
@@ -3088,8 +3095,10 @@ get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds)
 static PyGetSetDef context_getsetlist[] = {
    {"options", (getter) get_options,
                (setter) set_options, NULL},
+#ifdef HAVE_OPENSSL_VERIFY_PARAM
    {"verify_flags", (getter) get_verify_flags,
                     (setter) set_verify_flags, NULL},
+#endif
    {"verify_mode", (getter) get_verify_mode,
                    (setter) set_verify_mode, NULL},
    {NULL},            /* sentinel */