Do not send IP addresses in SNI TLS extension

00298-do-not-send-IP-in-SNI-TLS-extension.patch

@@ -0,0 +1,60 @@
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index df8c6a7d96d8..e8cffef14de0 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -55,6 +55,11 @@ static PySocketModule_APIObject PySocketModule;
+ #include <sys/poll.h>
+ #endif
+ 
++#ifndef MS_WINDOWS
++/* inet_pton */
++#include <arpa/inet.h>
++#endif
++
+ /* Don't warn about deprecated functions */
+ #ifdef __GNUC__
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+@@ -667,8 +672,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+     SSL_set_mode(self->ssl, mode);
+ 
+ #if HAVE_SNI
+-    if (server_hostname != NULL)
+-        SSL_set_tlsext_host_name(self->ssl, server_hostname);
++    if (server_hostname != NULL) {
++/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
++ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
++ * available on all platforms. Use OpenSSL's IP address parser. It's
++ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
++        int send_sni = 1;
++#if OPENSSL_VERSION_NUMBER >= 0x10200000L
++        ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
++        if (ip == NULL) {
++            send_sni = 1;
++            ERR_clear_error();
++        } else {
++            send_sni = 0;
++            ASN1_OCTET_STRING_free(ip);
++        }
++#elif defined(HAVE_INET_PTON)
++#ifdef ENABLE_IPV6
++        char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
++#else
++        char packed[sizeof(struct in_addr)];
++#endif /* ENABLE_IPV6 */
++        if (inet_pton(AF_INET, server_hostname, packed)) {
++            send_sni = 0;
++#ifdef ENABLE_IPV6
++        } else if(inet_pton(AF_INET6, server_hostname, packed)) {
++            send_sni = 0;
++#endif /* ENABLE_IPV6 */
++        } else {
++            send_sni = 1;
++        }
++#endif /* HAVE_INET_PTON */
++        if (send_sni) {
++            SSL_set_tlsext_host_name(self->ssl, server_hostname);
++        }
++    }
+ #endif
+ 
+     /* If the socket is in non-blocking mode or timeout mode, set the BIO

python3.spec

@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.4
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: Python
 
 
@@ -387,6 +387,12 @@ Patch292: 00292-restore-PyExc_RecursionErrorInst-symbol.patch
 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1489816
 Patch294: 00294-define-TLS-cipher-suite-on-build-time.patch
 
+# 00298 #
+# The SSL module no longer sends IP addresses in SNI TLS extension on
+# platforms with OpenSSL 1.0.2+ or inet_pton.
+# Fixed upstream: https://bugs.python.org/issue32185
+Patch298: 00298-do-not-send-IP-in-SNI-TLS-extension.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -686,6 +692,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch291 -p1
 %patch292 -p1
 %patch294 -p1
+%patch298 -p1
 
 
 # Remove files that should be generated by the build
@@ -1506,6 +1513,9 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Tue Mar 13 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.6.4-17
+- Do not send IP addresses in SNI TLS extension
+
 * Sat Feb 24 2018 Florian Weimer <fweimer@redhat.com> - 3.6.4-16
 - Rebuild with new LDFLAGS from redhat-rpm-config