[Bug 1899878] Re: Python's test_ssl fails starting from Ubuntu 20.04

Wed, 03 Mar 2021 04:01:15 -0800 

(Short answer, I'm in meetings for the rest of the day)

Python's ssl module doesn't support TLS over UDP. DTLS is not an issue
for CPython. I have limited experience with DTLS and cannot contribute
much to that part of the discussion. Python's test suite uses its own
set of certificates for testing. We don't rely on system's CA store. All
certs and DH parameters are chosen to work on security level 2. (I've
been bitten by old settings when I made Python core and tests FIPS
compliant.)

Does Ubuntu's OpenSSL 1.0.x compat package use the same config file as
OpenSSL 1.1.1? I can see how that can cause trouble. Fedora's compat-
openssl10 package works around incompatible config files by using
openssl10.cnf instead of openssl.cnf with patch
https://src.fedoraproject.org/rpms/compat-
openssl10/blob/f33/f/openssl-1.0.2o-conf-10.patch.

If you get SSL_CTX_get_min_proto_version() to return TLS1_2_VERSION,
then we can detect the minimum version in Python. The macro currently
returns "0" on Ubuntu. Python then falls back to "#if
defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)" to detect if TLS 1.0
is available.
https://github.com/python/cpython/blob/b04f1cb9df7ad93366ef0ef7d8088effc576c5ae/Lib/test/test_ssl.py#L155-L210

>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.MINIMUM_SUPPORTED: -2>


A reproducer for the "internal error" during handshake is:

    def test_min_max_version_tlsv1_1(self):
        client_context, server_context, hostname = testing_context()
        # client 1.0 to 1.2, server 1.0 to 1.1
        client_context.minimum_version = ssl.TLSVersion.TLSv1
        client_context.maximum_version = ssl.TLSVersion.TLSv1_2
        server_context.minimum_version = ssl.TLSVersion.TLSv1
        server_context.maximum_version = ssl.TLSVersion.TLSv1_1

        with ThreadedEchoServer(context=server_context) as server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname=hostname) as s:
                s.connect((HOST, server.port))
                self.assertEqual(s.version(), 'TLSv1.1')

I'll try to find some time to create a new report.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1899878

Title:
  Python's test_ssl fails starting from Ubuntu 20.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to