[Bug 1899878] Re: Python's test_ssl fails starting from Ubuntu 20.04

Christian Heimes 1899878 at bugs.launchpad.net
Wed Mar 3 11:52:30 UTC 2021 

(Short answer, I'm in meetings for the rest of the day)

Python's ssl module doesn't support TLS over UDP. DTLS is not an issue
for CPython. I have limited experience with DTLS and cannot contribute
much to that part of the discussion. Python's test suite uses its own
set of certificates for testing. We don't rely on system's CA store. All
certs and DH parameters are chosen to work on security level 2. (I've
been bitten by old settings when I made Python core and tests FIPS
compliant.)

Does Ubuntu's OpenSSL 1.0.x compat package use the same config file as
OpenSSL 1.1.1? I can see how that can cause trouble. Fedora's compat-
openssl10 package works around incompatible config files by using
openssl10.cnf instead of openssl.cnf with patch
https://src.fedoraproject.org/rpms/compat-
openssl10/blob/f33/f/openssl-1.0.2o-conf-10.patch.

If you get SSL_CTX_get_min_proto_version() to return TLS1_2_VERSION,
then we can detect the minimum version in Python. The macro currently
returns "0" on Ubuntu. Python then falls back to "#if
defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)" to detect if TLS 1.0
is available.
https://github.com/python/cpython/blob/b04f1cb9df7ad93366ef0ef7d8088effc576c5ae/Lib/test/test_ssl.py#L155-L210

>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.MINIMUM_SUPPORTED: -2>


A reproducer for the "internal error" during handshake is:

    def test_min_max_version_tlsv1_1(self):
        client_context, server_context, hostname = testing_context()
        # client 1.0 to 1.2, server 1.0 to 1.1
        client_context.minimum_version = ssl.TLSVersion.TLSv1
        client_context.maximum_version = ssl.TLSVersion.TLSv1_2
        server_context.minimum_version = ssl.TLSVersion.TLSv1
        server_context.maximum_version = ssl.TLSVersion.TLSv1_1

        with ThreadedEchoServer(context=server_context) as server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname=hostname) as s:
                s.connect((HOST, server.port))
                self.assertEqual(s.version(), 'TLSv1.1')

I'll try to find some time to create a new report.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1899878

Title:
  Python's test_ssl fails starting from Ubuntu 20.04

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  Please take a look at https://bugs.python.org/issue41561. Developers
  who work on Python think that the issue is due to a change in Ubuntu
  20.04 that is best described by
  https://bugs.python.org/issue41561#msg378089:

  "It sounds like a Debian/Ubuntu patch is breaking an assumption. Did
  somebody report the bug with Debian/Ubuntu maintainers of OpenSSL
  already? Fedora also configures OpenSSL with minimum protocol version
  of TLS 1.2. The distribution does it in a slightly different way that
  makes the restriction discoverable and that is compatible with
  Python's test suite."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878/+subscriptions

More information about the foundations-bugs mailing list