Open
Description
Bug report
Bug description:
OpenSSL prior to 3.3.2 had a defect in SSL_select_next_proto where invalid values (such as an empty list) would cause a buffer overread (see CVE-2024-5535). The issue can be fixed in CPython by not calling SSL_select_next_proto with an invalid value.
This is a low severity vulnerability in CPython and is tracked separately in CVE-2024-5642. CPython 3.10 and beyond removed support for NPN and thus aren't affected by this issue.
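The validation the report describes, written out as an added example (this is not CPython's or OpenSSL's code): a C routine that checks a length-prefixed NPN/ALPN protocol list and refuses the empty list before anything is selected, plus a bounds-checked stand-in for SSL_select_next_proto so the overlap search can be exercised without linking OpenSSL. The function names (proto_list_is_valid, safe_select_next_proto) and the sample lists are constructed for this illustration; the stand-in differs from OpenSSL's routine in that it reports "no overlap" instead of falling back to the first client protocol.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Check that buf[0..len) is a well-formed, non-empty ALPN/NPN protocol list:
 * a sequence of <len:1 byte><name:len bytes> entries with len in 1..255.
 * An empty list (len == 0) is rejected on purpose: that is the "invalid value"
 * the report says must never reach SSL_select_next_proto.
 */
int proto_list_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    if (buf == NULL || len == 0)
        return 0;
    while (i < len) {
        size_t l = buf[i];
        if (l == 0 || i + 1 + l > len)      /* zero-length or truncated entry */
            return 0;
        i += 1 + l;
    }
    return 1;
}

/*
 * Bounds-checked overlap search (hypothetical stand-in for SSL_select_next_proto):
 * pick the first entry of the server list that also appears in the client list.
 * Returns 1 and sets *out/*outlen on a match, 0 when there is no overlap, and
 * -1 when either list is malformed. Both lists are validated first, so the
 * loops below never read outside either buffer.
 */
int safe_select_next_proto(const unsigned char **out, unsigned char *outlen,
                           const unsigned char *server, size_t server_len,
                           const unsigned char *client, size_t client_len)
{
    size_t i, j;

    if (!proto_list_is_valid(server, server_len) ||
        !proto_list_is_valid(client, client_len))
        return -1;

    for (i = 0; i < server_len; i += 1 + server[i]) {
        size_t slen = server[i];
        for (j = 0; j < client_len; j += 1 + client[j]) {
            size_t clen = client[j];
            if (slen == clen &&
                memcmp(server + i + 1, client + j + 1, slen) == 0) {
                *out = server + i + 1;
                *outlen = (unsigned char)slen;
                return 1;
            }
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lists in wire format: <len><name>... */
    static const unsigned char server[] = "\x02h2\x08http/1.1";     /* 12 bytes */
    static const unsigned char client[] = "\x06spdy/3\x08http/1.1"; /* 16 bytes */
    static const unsigned char empty[] = "";
    const unsigned char *sel = NULL;
    unsigned char sel_len = 0;
    int rc;

    rc = safe_select_next_proto(&sel, &sel_len, server, sizeof server - 1,
                                client, sizeof client - 1);
    printf("overlap: rc=%d proto=%.*s\n", rc, (int)sel_len, sel); /* http/1.1 */

    /* The empty client list is refused before any selection logic runs. */
    rc = safe_select_next_proto(&sel, &sel_len, server, sizeof server - 1,
                                empty, sizeof empty - 1);
    printf("empty client list: rc=%d\n", rc);                      /* -1 */
    return 0;
}
```

The point of the wrapper is the order of operations: the caller decides whether the list is acceptable before the library ever sees it, which is exactly the shape of the CPython-side fix the report proposes.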
CPython versions tested on:
3.8, 3.9
Operating systems tested on:
No response
Activity
AdrianBunk commented on Jul 23, 2024
CPython 3.7 to 3.9 are only affected when using OpenSSL < 1.1.1, since CPython >= 3.7 did already drop NPN support with OpenSSL >= 1.1.1 (by accident? see 29eab55 and 9617741).
CPython 3.8 was released a year after OpenSSL 1.1.1, which makes it unlikely that the vulnerable combination of CPython >= 3.8 and OpenSSL < 1.1.1 would be common.
For Python3 < 3.7 in Debian ELTS I did the big hammer, which might also be a reasonable approach for you for the rare affected setups with 3.8 or 3.9?
[CVE-2024-5642] Switch off NPN support