hugovk
diff --git a/Collapse file
‎Doc/library/ssl.rst‎
Copy file name to clipboardExpand all lines: Doc/library/ssl.rst
+7Lines changed: 7 additions & 0 deletions
Display the source diff
Display the rich diff b/Collapse file
‎Doc/library/ssl.rst‎
Copy file name to clipboardExpand all lines: Doc/library/ssl.rst
+7Lines changed: 7 additions & 0 deletions
Display the source diff
Display the rich diff
diff --git a/Collapse file
‎Lib/test/test_ssl.py‎
Copy file name to clipboardExpand all lines: Lib/test/test_ssl.py
+16Lines changed: 16 additions & 0 deletions b/Collapse file
‎Lib/test/test_ssl.py‎
Copy file name to clipboardExpand all lines: Lib/test/test_ssl.py
+16Lines changed: 16 additions & 0 deletions
diff --git a/Collapse file
‎Misc/NEWS.d/next/Core and Builtins/2022-06-17-08-00-34.gh-issue-89051.yP4Na0.rst‎
Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff b/Collapse file
‎Misc/NEWS.d/next/Core and Builtins/2022-06-17-08-00-34.gh-issue-89051.yP4Na0.rst‎
Copy file name to clipboard
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
diff --git a/Collapse file
‎Modules/_ssl.c‎
Copy file name to clipboardExpand all lines: Modules/_ssl.c
+2Lines changed: 2 additions & 0 deletions b/Collapse file
‎Modules/_ssl.c‎
Copy file name to clipboardExpand all lines: Modules/_ssl.c
+2Lines changed: 2 additions & 0 deletions
@@ -823,6 +823,13 @@ Constants
 
    .. versionadded:: 3.12
 
+.. data:: OP_LEGACY_SERVER_CONNECT
+
+   Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+   only.
+
+   .. versionadded:: 3.12
+
 .. data:: HAS_ALPN
 
    Whether the OpenSSL library has built-in support for the *Application-Layer
 
@@ -1461,6 +1461,8 @@ def _assert_context_options(self, ctx):
         if OP_CIPHER_SERVER_PREFERENCE != 0:
             self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
                              OP_CIPHER_SERVER_PREFERENCE)
+        self.assertEqual(ctx.options & ssl.OP_LEGACY_SERVER_CONNECT,
+                         0 if IS_OPENSSL_3_0_0 else ssl.OP_LEGACY_SERVER_CONNECT)
 
     def test_create_default_context(self):
         ctx = ssl.create_default_context()
@@ -3815,6 +3817,20 @@ def test_compression_disabled(self):
                                    sni_name=hostname)
         self.assertIs(stats['compression'], None)
 
+    def test_legacy_server_connect(self):
+        client_context, server_context, hostname = testing_context()
+        client_context.options |= ssl.OP_LEGACY_SERVER_CONNECT
+        server_params_test(client_context, server_context,
+                                   chatty=True, connectionchatty=True,
+                                   sni_name=hostname)
+
+    def test_no_legacy_server_connect(self):
+        client_context, server_context, hostname = testing_context()
+        client_context.options &= ~ssl.OP_LEGACY_SERVER_CONNECT
+        server_params_test(client_context, server_context,
+                                   chatty=True, connectionchatty=True,
+                                   sni_name=hostname)
+
     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_dh_params(self):
         # Check we can get a connection with ephemeral Diffie-Hellman
 
@@ -0,0 +1 @@
+Add :data:`ssl.OP_LEGACY_SERVER_CONNECT`
@@ -5845,6 +5845,8 @@ sslmodule_init_constants(PyObject *m)
                             SSL_OP_CIPHER_SERVER_PREFERENCE);
     PyModule_AddIntConstant(m, "OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE);
     PyModule_AddIntConstant(m, "OP_NO_TICKET", SSL_OP_NO_TICKET);
+    PyModule_AddIntConstant(m, "OP_LEGACY_SERVER_CONNECT",
+                            SSL_OP_LEGACY_SERVER_CONNECT);
 #ifdef SSL_OP_SINGLE_ECDH_USE
     PyModule_AddIntConstant(m, "OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE);
 #endif