Skip to content

Update ssl from v3.14.3 and add _ssl.HAS_PHA#7283

Merged
youknowone merged 4 commits intoRustPython:mainfrom
youknowone:ssl
Mar 1, 2026
Merged

Update ssl from v3.14.3 and add _ssl.HAS_PHA#7283
youknowone merged 4 commits intoRustPython:mainfrom
youknowone:ssl

Conversation

@youknowone
Copy link
Member

@youknowone youknowone commented Mar 1, 2026
edited
Loading

close #7219
fix #7228

Summary by CodeRabbit

  • New Features

    • Added a new constant to indicate Post-Handshake Authentication (PHA) support in the SSL module.

  • Bug Fixes

    • Improved error handling in SSL options configuration to provide clearer validation when invalid option values are supplied.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 1, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 919a146 and 3e3165b.

⛔ Files ignored due to path filters (23)
  • Lib/ssl.py is excluded by !Lib/**
  • Lib/test/certdata/allsans.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/capath/b1930218.0 is excluded by !Lib/**
  • Lib/test/certdata/capath/ceff1710.0 is excluded by !Lib/**
  • Lib/test/certdata/cert3.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/idnsans.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/keycert.passwd.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/keycert.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/keycert.pem.reference is excluded by !Lib/**
  • Lib/test/certdata/keycert2.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/keycert3.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/keycert4.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/keycertecc.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/make_ssl_certs.py is excluded by !Lib/**
  • Lib/test/certdata/nosan.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/pycacert.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/pycakey.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/revocation.crl is excluded by !Lib/**
  • Lib/test/certdata/ssl_cert.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/ssl_key.passwd.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/certdata/ssl_key.pem is excluded by !**/*.pem, !Lib/**
  • Lib/test/ssl_servers.py is excluded by !Lib/**
  • Lib/test/test_ssl.py is excluded by !Lib/**
📒 Files selected for processing (2)
  • crates/stdlib/src/openssl.rs
  • crates/stdlib/src/ssl.rs
📝 Walkthrough

Walkthrough

The changes add a new HAS_PHA (Post-Handshake Auth) constant to the _ssl module and refactor the PySslContext.set_options method to accept a signed integer with validation ensuring non-negative values, replacing the previous unsigned long parameter.

Changes

Cohort / File(s) Summary
HAS_PHA constant additions
crates/stdlib/src/openssl.rs, crates/stdlib/src/ssl.rs		 Added new public HAS_PHA boolean attribute to _ssl module. In openssl.rs, conditionally set to cfg!(ossl111) for OpenSSL 1.1.1+ support; in ssl.rs, set to false by default.
set_options method refactoring
crates/stdlib/src/openssl.rs, crates/stdlib/src/ssl.rs		 Updated PySslContext.set_options signature from (&self, libc::c_ulong) to (&self, i64, &VirtualMachine) -> PyResult<()> with added validation rejecting negative option values.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • Implement more SSL methods #6210: Adds OpenSSL 1.1.1–related feature flags and extends PySslContext functionality alongside HAS_PHA and set_options modifications in the same _ssl module surface.

Suggested reviewers

  • coolreader18
  • ShaharNaveh

Poem

🐰 A hop and a skip through SSL updates bright,
With HAS_PHA flags shining in the light,
Options now validated, no negatives allowed,
OpenSSL 1.1.1 support—we're quite proud! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: updating ssl library from CPython v3.14.3 and adding the _ssl.HAS_PHA constant, matching the PR objectives.
Linked Issues check ✅ Passed The PR addresses issue #7219 requirements: adds HAS_PHA constant, updates ssl to v3.14.3, and fixes set_options validation for negative values as intended.
Out of Scope Changes check ✅ Passed All changes relate directly to SSL module updates and HAS_PHA constant addition. No extraneous modifications detected outside the stated objectives.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 1, 2026
edited
Loading

📦 Library Dependencies

The following Lib/ modules were modified. Here are their dependencies:

[x] lib: cpython/Lib/ssl.py
[x] test: cpython/Lib/test/test_ssl.py (TODO: 14)

dependencies:

  • ssl

dependent tests: (49 tests)

  • ssl: test_asyncio test_ftplib test_httplib test_httpservers test_imaplib test_logging test_ssl test_urllib test_urllib2_localnet test_venv test_xmlrpc
    • asyncio.selector_events: test_asyncio
    • ftplib: test_urllib2
      • urllib.request: test_http_cookiejar test_pathlib test_pydoc test_sax test_site test_urllib2net test_urllibnet
    • http.client: test_docxmlrpc test_hashlib test_ucn test_unicodedata test_wsgiref
      • logging.handlers: test_concurrent_futures test_pkgutil
    • http.server: test_robotparser
      • pydoc: test_enum
    • smtplib: test_smtplib test_smtpnet
    • urllib.request:
      • pathlib: test_ast test_dbm_sqlite3 test_ensurepip test_importlib test_launcher test_pathlib test_runpy test_tarfile test_tempfile test_tomllib test_tools test_traceback test_unparse test_winapi test_zipapp test_zipfile test_zoneinfo test_zstd

[x] lib: cpython/Lib/hmac.py
[ ] test: cpython/Lib/test/test_hmac.py (TODO: 14)

dependencies:

  • hmac

dependent tests: (9 tests)

  • hmac: test_hmac test_smtplib
    • imaplib: test_imaplib
    • multiprocessing.connection:
      • concurrent.futures.process: test_compileall test_concurrent_futures
    • secrets: test_secrets
    • smtplib: test_smtpnet
      • logging.handlers: test_logging test_pkgutil

[x] lib: cpython/Lib/importlib
[ ] test: cpython/Lib/test/test_importlib (TODO: 16)

dependencies:

  • importlib

dependent tests: (111 tests)

  • importlib: test_bdb test_cmd_line_script test_codecs test_compileall test_ctypes test_doctest test_frozen test_hashlib test_importlib test_inspect test_linecache test_multiprocessing_main_handling test_pkgutil test_py_compile test_pyclbr test_pydoc test_reprlib test_runpy test_sundry test_support test_tomllib test_unittest test_zipfile test_zipimport test_zoneinfo
    • ctypes.util: test_ctypes
    • ensurepip: test_ensurepip test_venv
    • inspect: test_abc test_argparse test_asyncgen test_buffer test_builtin test_code test_collections test_coroutines test_decimal test_enum test_functools test_generators test_grammar test_monitoring test_ntpath test_operator test_patma test_posixpath test_signal test_sqlite3 test_traceback test_type_annotations test_types test_typing test_unittest test_yield_from
      • ast: test_ast test_compile test_compiler_codegen test_dis test_fstring test_future_stmt test_site test_ssl test_type_comments test_ucn test_unparse
      • asyncio: test_asyncio test_contextlib_async test_logging test_os test_sys_settrace test_unittest
      • cmd: test_cmd
      • dataclasses: test__colorize test_copy test_ctypes test_genericalias test_pprint test_regrtest
      • rlcompleter: test_rlcompleter
      • trace: test_trace
      • xmlrpc.server: test_docxmlrpc test_xmlrpc
    • py_compile: test_importlib
      • zipfile: test_shutil test_zipapp test_zipfile test_zipfile64
    • sysconfig: test_c_locale_coercion test_dtrace test_gc test_launcher test_osx_env test_posix test_pyexpat test_subprocess test_sys test_sysconfig test_time test_tools test_urllib2net
    • zipfile:
      • shutil: test_bz2 test_filecmp test_glob test_httpservers test_largefile test_sax test_string_literals test_tarfile test_tempfile test_unicode_file
    • zipimport: test_importlib

[ ] test: cpython/Lib/test/test_set.py (TODO: 5)

dependencies:

dependent tests: (no tests depend on set)

Legend:

  • [+] path exists in CPython
  • [x] up-to-date, [ ] outdated

@github-actions
Copy link
Contributor

github-actions bot commented Mar 1, 2026

Code has been automatically formatted

The code in this PR has been formatted using:

  • cargo fmt --all
    Please pull the latest changes before pushing again:
git pull origin ssl

@youknowone youknowone marked this pull request as ready for review March 1, 2026 04:22
@youknowone youknowone merged commit e4938cf into RustPython:main Mar 1, 2026
23 of 25 checks passed
@youknowone youknowone deleted the ssl branch March 1, 2026 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Upgrading ssl break pip

1 participant

@youknowone