(Short answer, I'm in meetings for the rest of the day) Python's ssl module doesn't support TLS over UDP. DTLS is not an issue for CPython. I have limited experience with DTLS and cannot contribute much to that part of the discussion. Python's test suite uses its own set of certificates for testing. We don't rely on the system's CA store. All certs and DH parameters are chosen to work on security level 2. (I've been bitten by old settings when I made Python core and tests FIPS compliant.)
Does Ubuntu's OpenSSL 1.0.x compat package use the same config file as OpenSSL 1.1.1? I can see how that can cause trouble. Fedora's compat-openssl10 package works around incompatible config files by using openssl10.cnf instead of openssl.cnf with patch https://src.fedoraproject.org/rpms/compat-openssl10/blob/f33/f/openssl-1.0.2o-conf-10.patch.

If you get SSL_CTX_get_min_proto_version() to return TLS1_2_VERSION, then we can detect the minimum version in Python. The macro currently returns "0" on Ubuntu. Python then falls back to "#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)" to detect if TLS 1.0 is available.

https://github.com/python/cpython/blob/b04f1cb9df7ad93366ef0ef7d8088effc576c5ae/Lib/test/test_ssl.py#L155-L210

    >>> import ssl
    >>> ctx = ssl.create_default_context()
    >>> ctx.minimum_version
    <TLSVersion.MINIMUM_SUPPORTED: -2>

A reproducer for the "internal error" during handshake is:

    def test_min_max_version_tlsv1_1(self):
        client_context, server_context, hostname = testing_context()
        # client 1.0 to 1.2, server 1.0 to 1.1
        client_context.minimum_version = ssl.TLSVersion.TLSv1
        client_context.maximum_version = ssl.TLSVersion.TLSv1_2
        server_context.minimum_version = ssl.TLSVersion.TLSv1
        server_context.maximum_version = ssl.TLSVersion.TLSv1_1
        with ThreadedEchoServer(context=server_context) as server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname=hostname) as s:
                s.connect((HOST, server.port))
                self.assertEqual(s.version(), 'TLSv1.1')

I'll try to find some time to create a new report.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1899878

Title:
  Python's test_ssl fails starting from Ubuntu 20.04
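The gap this comment describes, between the floor that `ssl` reports (`minimum_version`) and the versions a handshake is actually allowed to negotiate, can be measured without the test suite's helpers: pin both ends to one protocol version and run the handshake in memory. This is an added example, not code from the bug report or from CPython; `make_self_signed_cert` is a hypothetical helper that shells out to the `openssl` CLI (assumed on PATH) for a constructed throwaway certificate, and the handshake runs over `MemoryBIO` pairs so no sockets are needed. A version the OpenSSL build or its openssl.cnf refuses shows up as an "error" entry carrying OpenSSL's own message.

```python
import os, ssl, subprocess, tempfile
def make_self_signed_cert(directory):
    """Hypothetical helper: throwaway EC cert/key, constructed test material (needs `openssl` on PATH)."""
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1", "-newkey", "ec",
                    "-pkeyopt", "ec_paramgen_curve:prime256v1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def handshake(client_ctx, server_ctx):
    """Drive a client/server handshake over MemoryBIO pairs (no sockets, no threads)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    done = {client: False, server: False}
    for _ in range(10):  # a TLS 1.0-1.2 handshake completes in a few round trips
        for side, out_bio, in_bio in ((client, c_out, s_in), (server, s_out, c_in)):
            if not done[side]:
                try:
                    side.do_handshake()  # a rejecting alert from the peer raises SSLError here
                    done[side] = True
                except ssl.SSLWantReadError:
                    pass
            in_bio.write(out_bio.read())  # shuttle this side's records to the peer
        if all(done.values()):
            return client.version()
    raise ssl.SSLError("handshake did not complete")

def probe(cert, key, version):
    """Pin both ends to exactly `version` and report what the handshake does."""
    try:
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.load_verify_locations(cert)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        for ctx in (client_ctx, server_ctx):
            ctx.minimum_version = ctx.maximum_version = version
        return ("ok", handshake(client_ctx, server_ctx))
    except (ValueError, ssl.SSLError) as exc:  # refused at set time or at handshake time
        return ("error", str(exc))

def run():
    """Compare the advertised floor with what the handshakes actually allow."""
    report = {"reported_minimum": ssl.create_default_context().minimum_version.name}
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            report[v.name] = probe(cert, key, v)
    return report
```

On an Ubuntu 20.04 build with MinProtocol = TLSv1.2 in openssl.cnf, `run()` is expected to report a permissive `reported_minimum` while the TLSv1 and TLSv1_1 probes come back as errors, which is the mismatch the reproducer above trips over.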