From 7f864ff57fcccbb9c6aa8b5de0c750d54360bea2 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 19 Sep 2017 21:06:46 +0200
Subject: [PATCH] bpo-31453: Allow to change TLS protocols on Debian

Undo Debian Unstable's patching for SSL_CTX. Allow all protocols with SSL_CTX_set_min_proto_version() again so they can be enabled and disabled with SSL_CTX_set_options(). The set_min_proto_version is not supported by Python, set_options is available as SSLContext.options.

Signed-off-by: Christian Heimes
---
 .../2017-09-19-21-06-23.bpo-31453.obElH-.rst | 4 +++
 Modules/_ssl.c | 28 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2017-09-19-21-06-23.bpo-31453.obElH-.rst

diff --git a/Misc/NEWS.d/next/Library/2017-09-19-21-06-23.bpo-31453.obElH-.rst b/Misc/NEWS.d/next/Library/2017-09-19-21-06-23.bpo-31453.obElH-.rst
new file mode 100644
index 00000000000000..ac402712aceafb
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-09-19-21-06-23.bpo-31453.obElH-.rst
@@ -0,0 +1,4 @@
+Undo Debian Unstable's patching for SSL_CTX. Allow all protocols with
+SSL_CTX_set_min_proto_version() again so they can be enabled and disabled
+with SSL_CTX_set_options(). The set_min_proto_version is not supported by
+Python, set_options is available as SSLContext.options.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 73abad3dcf1c7c..0a79a30455a287 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2746,6 +2746,34 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
 return NULL;
 }
+#ifdef SSL_CTX_set_min_proto_version
+ /* Workaround for Debian's OpenSSL patch
+ *
+ * Debian disables SSL 3.0, TLS 1.0, and TLS 1.1 by default. Python
+ * does not expose the new OpenSSL 1.1 API that is required to
+ * re-enable the old protocols. Documentation also promises that
+ * PROTOCOL_TLS has TLS 1.0 and 1.1 enabled and SSLv3 can be enabled
+ * by changing SSLContext.options.
+ */
+ if ((proto_version == PY_SSL_VERSION_TLS) ||
+ (proto_version == PY_SSL_VERSION_TLS_CLIENT) ||
+ (proto_version == PY_SSL_VERSION_TLS_SERVER)) {
+#if !defined(OPENSSL_NO_SSL3)
+ result = SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+#elif !defined(OPENSSL_NO_TLS1)
+ result = SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+#elif !defined(OPENSSL_NO_TLS1_1)
+ result = SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+ #else
+ result = 1;
+ #endif
+ if (result == 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
+ }
+#endif /* SSL_CTX_set_min_proto_version */
+
 assert(type != NULL && type->tp_alloc != NULL);
 self = (PySSLContext *) type->tp_alloc(type, 0);
 if (self == NULL) {
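Review bot: The new `if (result == 0)` branch returns NULL without releasing `ctx`; if, as the `return NULL; }` context just above the insertion suggests, `ctx` is the SSL_CTX created and NULL-checked immediately before, this early return leaks it, so it should read `SSL_CTX_free(ctx);` before `return NULL;`. On a build where SSLv3 is compiled in, `SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)` lowers the context's floor to SSLv3, so SSLv3 staying disabled presumably rests entirely on `SSL_OP_NO_SSLv3` being applied to the default options later in the function, outside this hunk; the workaround comment should state that dependency, e.g. `/* SSLv3/TLS1.0/1.1 remain off only through the SSL_OP_NO_* defaults applied below */`. As a point of style, the `#else` and `#endif` of the inner conditional are indented while the matching `#if`/`#elif` sit at column 0. The enclosing `_ssl__SSLContext_impl` starts and ends outside the hunk, so `result` is assumed to be an `int` declared earlier in it.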