Issue #8484: Load all ciphers and digest algorithms when initializing

the _ssl extension, such that verification of some SSL certificates doesn't fail because of an "unknown algorithm".

Issue #8484: Load all ciphers and digest algorithms when initializing
the _ssl extension, such that verification of some SSL certificates doesn't fail because of an "unknown algorithm".
c715a9ed · Antoine Pitrou · 62e17ad2 · c715a9ed · c715a9ed · c715a9ed
Commit c715a9ed authored Apr 21, 2010 by Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 1 deletion

Lib/test/test_ssl.py Lib/test/test_ssl.py +20 -0

Misc/NEWS Misc/NEWS +4 -0

Modules/_ssl.c Modules/_ssl.c +2 -1

No files found.
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -232,6 +232,26 @@ class NetworkedTests(unittest.TestCase):
        if test_support.verbose:
            sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem)

+    def test_algorithms(self):
+        # Issue #8484: all algorithms should be available when verifying a
+        # certificate.
+        # NOTE: https://sha256.tbs-internet.com is another possible test host
+        remote = ("sha2.hboeck.de", 443)
+        sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem")
+        s = ssl.wrap_socket(socket.socket(socket.AF_INET),
+                            cert_reqs=ssl.CERT_REQUIRED,
+                            ca_certs=sha256_cert,)
+        with test_support.transient_internet():
+            try:
+                s.connect(remote)
+                if test_support.verbose:
+                    sys.stdout.write("\nCipher with %r is %r\n" %
+                                     (remote, s.cipher()))
+                    sys.stdout.write("Certificate is:\n%s\n" %
+                                     pprint.pformat(s.getpeercert()))
+            finally:
+                s.close()
+

 try:
    import threading

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -20,6 +20,10 @@ Core and Builtins
 Library
 -------

+- Issue #8484: Load all ciphers and digest algorithms when initializing
+  the _ssl extension, such that verification of some SSL certificates
+  doesn't fail because of an "unknown algorithm".
+
 - Issue #8437: Fix test_gdb failures, patch written by Dave Malcolm

 - Issue #4814: timeout parameter is now applied also for connections resulting

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1603,13 +1603,14 @@ init_ssl(void)

 	/* Init OpenSSL */
 	SSL_load_error_strings();
+	SSL_library_init();
 #ifdef WITH_THREAD
 	/* note that this will start threading if not already started */
 	if (!_setup_ssl_threads()) {
 		return;
 	}
 #endif
-	SSLeay_add_ssl_algorithms();
+	OpenSSL_add_all_algorithms();

 	/* Add symbols to module dict */
 	PySSLErrorObject = PyErr_NewException("ssl.SSLError",