I didn't include a setter for security level on purpose, https://bugs.python.org/issue41195 . Most recent Python version only has a getter to query security level. I strongly believe that user application should not modify security level. Security level and TLS versions should be centrally managed by system administrators. Unfortunately Python's ssl module still has legacy support for TLS 1.0 and 1.1.
Even a check for seclevel == 2 or modification of the security level wouldn't address Python's test failures on Ubuntu. After all Ubuntu uses a custom policy that deviates from the seclevel 2 definition at https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html Do you suggest that Python should check for Ubuntu in the test suite, so we can special case Ubuntu's custom policy? ** Bug watch added: Python Roundup #41195 http://bugs.python.org/issue41195 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1917625 Title: OpenSSL TLS 1.1 handshake fails internal error Status in openssl package in Ubuntu: Confirmed Status in openssl source package in Hirsute: Confirmed Bug description: OpenSSL's SSL_do_handshake() method fails with TLSV1_ALERT_INTERNAL_ERROR when client side has TLS 1.0 to 1.2 enabled but server side has only TLS 1.0 and 1.1 enabled. The issue breaks Python's test suite for test_ssl. It looks like the problem is caused by an Ubuntu downstream patch. Vanilla OpenSSL, Debian, and Fedora are not affected. A simple reproducer is: import ssl import socket from test.test_ssl import testing_context, ThreadedEchoServer, HOST client_context, server_context, hostname = testing_context() # client 1.0 to 1.2, server 1.0 to 1.1 client_context.minimum_version = ssl.TLSVersion.TLSv1 client_context.maximum_version = ssl.TLSVersion.TLSv1_2 server_context.minimum_version = ssl.TLSVersion.TLSv1 server_context.maximum_version = ssl.TLSVersion.TLSv1_1 with ThreadedEchoServer(context=server_context) as server: with client_context.wrap_socket(socket.socket(), server_hostname=hostname) as s: s.connect((HOST, server.port)) assert s.version() == 'TLSv1.1' On Ubuntu 20.04 the code fails with: Traceback (most recent call last): File "/internalerror.py", line 15, in <module> s.connect((HOST, server.port)) File "/usr/lib/python3.8/ssl.py", line 1342, in connect self._real_connect(addr, False) File "/usr/lib/python3.8/ssl.py", line 1333, in _real_connect self.do_handshake() File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1123) On Debian testing and Fedora 33 the same test passes with out: server: new connection from ('127.0.0.1', 52346) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None You can find Dockerfiles with reproducers at https://github.com/tiran /distro-truststore/tree/main/tests/ubuntu-1899878 Also see: * https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 * https://bugs.python.org/issue43382 * https://bugs.python.org/issue41561 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
