3 files changed, 129 insertions, 0 deletions

diff --git a/dev-python/boto/Manifest b/dev-python/boto/Manifest
index e1c5fc8cd639..572709726ccc 100644
--- a/dev-python/boto/Manifest
+++ b/dev-python/boto/Manifest
@@ -1,3 +1,5 @@
+AUX boto-try-to-add-SNI-support-v2.patch 4329 BLAKE2B 3be0a3a88bc252bf8cbf316d3198b58ca86ee61e991400ce1e27854433bcf3709718593c58ffc2e2ad16fa41630a54670a4b7d42efde572073adf5f5f95994e2 SHA512 48b1fa089138a22ca9749fe82a1d92abf7570edf87a6ffc48f9b2389baed8982092afc2cbf1e35bf0661f185e96ba2b2b6d21cb2c553d6d884e800805f013a9a
 DIST boto-2.49.0.tar.gz 1478498 BLAKE2B 6a897ea162f5f4bd34a2d488a3e3897f7f2f5b8707dd0922c01b6a0b90ea577223bf3e588b6685bda1f2bc0e92af426711fcba67a70377183465a530065c6c84 SHA512 2175cf30cd25bbc05812e83e5ade7668c3e21b1bb09aa1b43f0f0ac7d6967a646394fb52c9be673ebb65618c5b33a52d6f31f6da702f5cd1d6c9a18169476dd4
+EBUILD boto-2.49.0-r2.ebuild 883 BLAKE2B 128c3d8a978a9249a578bc2637fa0abe25ade76fe55dfe3e7c595df5e9ab9d4a172dff3d5059e02c96d1717bee75ab7f1f419b0047be207aec27a96f58e7aa48 SHA512 ddc5609597677dba4b882260a171160a93c9a9776758c6b9dd789ecbdb6fe2a643fa82e7871a4b65a0d4449ec2d93967831c264c532123d828c849df62a367f7
 EBUILD boto-2.49.0.ebuild 716 BLAKE2B e8ddc4cf764002fc0e9e86de50b5ea4a97d06b386525f7d54d9655ad2b32b7372c5ea74b7042004edb6e45e8ec56488da46e0ceed45f4f331f0f58669204dd40 SHA512 a939e1be7b3e0d6d57564d25161404c1c51efcde213606607cb5a7cf792ab12eb72cd25fa4113a01e908da8fd4b3e27eae5232570a6bbdb8d319056e88b3a24a
 MISC metadata.xml 419 BLAKE2B c6c19e4ba3ecc5a36b535267b75cdf3afb7317e577e8f0899d43a334632633d771b5e5216517537616cc99c7766a852d2b4c5b132e174f8481d86649253e0897 SHA512 ee5587224538b14f67c30eda60c161e4c07c801c4b4edb24bcb0350e17c4d655c4d9a6907ebe5913d7689e1b6078ef25f47b4fe0a7c655cfa8d5ea775b4d0329
diff --git a/dev-python/boto/boto-2.49.0-r2.ebuild b/dev-python/boto/boto-2.49.0-r2.ebuild
new file mode 100644
index 000000000000..4cb94d5afa65
--- /dev/null
+++ b/dev-python/boto/boto-2.49.0-r2.ebuild
@@ -0,0 +1,34 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{6,7,8} )
+DISTUTILS_USE_SETUPTOOLS=bdepend
+inherit distutils-r1
+
+DESCRIPTION="Amazon Web Services API"
+HOMEPAGE="https://github.com/boto/boto https://pypi.org/project/boto/"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos"
+IUSE="test"
+
+BDEPEND="
+	test? ( dev-python/nose[${PYTHON_USEDEP}] )
+"
+
+RESTRICT="!test? ( test )"
+
+# requires Amazon Web Services keys to pass some tests
+RESTRICT+=" test"
+
+PATCHES=(
+	# taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909545
+	"${FILESDIR}/boto-try-to-add-SNI-support-v2.patch"
+)
+
+python_test() {
+	"${PYTHON}" tests/test.py -v || die "Tests fail with ${EPYTHON}"
+}
diff --git a/dev-python/boto/files/boto-try-to-add-SNI-support-v2.patch b/dev-python/boto/files/boto-try-to-add-SNI-support-v2.patch
new file mode 100644
index 000000000000..76ae2cd3964b
--- /dev/null
+++ b/dev-python/boto/files/boto-try-to-add-SNI-support-v2.patch
@@ -0,0 +1,93 @@
+From f5e7f6c98b46ff622f60a4661ffc9ce07216d109 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Sat, 29 Sep 2018 21:47:11 +0200
+Subject: [PATCH] boto: try to add SNI support
+
+Add SNI support. Newer OpenSSL (with TLS1.3) fail to connect if the
+hostname is missing.
+
+Link: https://bugs.debian.org/bug=909545
+Tested-by: Witold Baryluk <witold.baryluk@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ boto/connection.py       | 19 ++++++++++---------
+ boto/https_connection.py | 22 +++++++++++-----------
+ 2 files changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/boto/connection.py b/boto/connection.py
+index 34b428f101df7..b4867a7657465 100644
+--- a/boto/connection.py
++++ b/boto/connection.py
+@@ -824,23 +824,24 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert
+         h = http_client.HTTPConnection(host)
+ 
+         if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
++            context = ssl.create_default_context()
++            context.verify_mode = ssl.CERT_REQUIRED
++            context.check_hostname = True
++
+             msg = "wrapping ssl socket for proxied connection; "
+             if self.ca_certificates_file:
+                 msg += "CA certificate file=%s" % self.ca_certificates_file
++                context.load_verify_locations(cafile=self.ca_certificates_file)
+             else:
+                 msg += "using system provided SSL certs"
++                context.load_default_certs()
+             boto.log.debug(msg)
+             key_file = self.http_connection_kwargs.get('key_file', None)
+             cert_file = self.http_connection_kwargs.get('cert_file', None)
+-            sslSock = ssl.wrap_socket(sock, keyfile=key_file,
+-                                      certfile=cert_file,
+-                                      cert_reqs=ssl.CERT_REQUIRED,
+-                                      ca_certs=self.ca_certificates_file)
+-            cert = sslSock.getpeercert()
+-            hostname = self.host.split(':', 0)[0]
+-            if not https_connection.ValidateCertificateHostname(cert, hostname):
+-                raise https_connection.InvalidCertificateException(
+-                    hostname, cert, 'hostname mismatch')
++            if key_file:
++                context.load_cert_chain(certfile=cert_file, keyfile=key_file)
++
++            sslSock = context.wrap_socket(sock, server_hostname=host)
+         else:
+             # Fallback for old Python without ssl.wrap_socket
+             if hasattr(http_client, 'ssl'):
+diff --git a/boto/https_connection.py b/boto/https_connection.py
+index ddc31a152292e..a5076f6f9b261 100644
+--- a/boto/https_connection.py
++++ b/boto/https_connection.py
+@@ -119,20 +119,20 @@ from boto.compat import six, http_client
+             sock = socket.create_connection((self.host, self.port), self.timeout)
+         else:
+             sock = socket.create_connection((self.host, self.port))
++
++        context = ssl.create_default_context()
++        context.verify_mode = ssl.CERT_REQUIRED
++        context.check_hostname = True
++        if self.key_file:
++            context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
++
+         msg = "wrapping ssl socket; "
+         if self.ca_certs:
+             msg += "CA certificate file=%s" % self.ca_certs
++            context.load_verify_locations(cafile=self.ca_certs)
+         else:
+             msg += "using system provided SSL certs"
++            context.load_default_certs()
+         boto.log.debug(msg)
+-        self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
+-                                    certfile=self.cert_file,
+-                                    cert_reqs=ssl.CERT_REQUIRED,
+-                                    ca_certs=self.ca_certs)
+-        cert = self.sock.getpeercert()
+-        hostname = self.host.split(':', 0)[0]
+-        if not ValidateCertificateHostname(cert, hostname):
+-            raise InvalidCertificateException(hostname,
+-                                              cert,
+-                                              'remote hostname "%s" does not match '
+-                                              'certificate' % hostname)
++
++        self.sock = context.wrap_socket(sock, server_hostname=self.host)
+-- 
+2.19.0
+