New submission from Alan Huang <[email protected]>:
LibreSSL has a function called `ssl_clamp_version_range` that is called before
attempting to set the minimum and maximum protocol versions in
`ssl_version_set_{min,max}`. The function disallows setting ranges that are
invalid (i.e., where minimum_version > maximum_version). OpenSSL does not
disallow this behavior.
As a result, attempting to set a minimum_version greater than a maximum_version
results in a ValueError when Python is built with LibreSSL.
There are two things that might need fixing here:
1. Replace the ValueError "Unsupported protocol version 0x%x" message with a
more generic one. The assumption that the only way the operation can fail is if
the underlying library does not support the protocol version is incorrect.
This can be done by either making the message more generic or by introducing
another error message to handle this case.
2. Change test_min_max_version lines 3575-3576 to set the maximum_version
before the minimum_version.
Here's some Python code to reproduce the above-mentioned error:
```
import ssl
ctx = ssl.SSLContext()
ctx.maximum_version = ssl.TLSVersion.TLSv1_1
ctx.minimum_version = ssl.TLSVersion.TLSv1_2
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/alan/src/cpython/Lib/ssl.py", line 491, in minimum_version
super(SSLContext, SSLContext).minimum_version.__set__(self, value)
ValueError: Unsupported protocol version 0x303
```
Here's some example C code:
```
#include <openssl/ssl.h>
#include <openssl/ossl_typ.h>
#include <stdio.h>
int main(){
SSL_CTX *ctx = NULL;
ctx = SSL_CTX_new(TLS_method());
printf("setting max to TLSv1.1: ");
if(SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)){
printf("success\n");
}
else{
printf("failure\n");
}
printf("setting min to TLSv1.2: ");
if(SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)){
printf("success\n");
}
else{
printf("failure\n");
}
printf("min ver: %d\n", SSL_CTX_get_min_proto_version(ctx));
printf("max ver: %d\n", SSL_CTX_get_max_proto_version(ctx));
return 0;
}
```
Under LibreSSL 2.7.4, this produces:
```
setting max to TLSv1.1: success
setting min to TLSv1.2: failure
min ver: 769
max ver: 770
```
Under OpenSSL 1.1.0g, this produces:
```
setting max to TLSv1.1: success
setting min to TLSv1.2: success
min ver: 771
max ver: 770
```
The test that failed:
======================================================================
ERROR: test_min_max_version (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/alan/src/cpython/Lib/test/test_ssl.py", line 3575, in
test_min_max_version
server_context.minimum_version = ssl.TLSVersion.TLSv1_2
File "/home/alan/src/cpython/Lib/ssl.py", line 491, in minimum_version
super(SSLContext, SSLContext).minimum_version.__set__(self, value)
ValueError: Unsupported protocol version 0x303
----------
assignee: christian.heimes
components: SSL, Tests
messages: 320722
nosy: Alan.Huang, alex, christian.heimes, dstufft, janssen
priority: normal
severity: normal
status: open
title: LibreSSL does not tolerate setting minimum_version greater than
maximum_version
type: behavior
versions: Python 3.7, Python 3.8
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue34001>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
