[Bug 1899878] Re: Python's test_ssl fails starting from Ubuntu 20.04

Christian Heimes 1899878 at bugs.launchpad.net
Tue Mar 9 17:12:24 UTC 2021 

Actually, I don't want to enable TLS 1.0 and 1.1 when these versions are
disabled by crypto policy or openssl.cnf. It's totally ok that these
versions are disabled and don't work any more! I just need a reliable
way to *detect* that the versions are disabled at runtime.

The feature detection logic boils down to this pseudo code:

    min_version = SSL_CTX_get_min_proto_version(ctx)
    if not defined(TLS1_VERSION) or defined(OPENSSL_NO_TLS1):
        return False
    elif min_version == 0 or min_version >= TLS1_VERSION:
        return True
    else:
        return False

On Debian, SSL_CTX_get_min_proto_version() returns TLS1_2_VERSION and
Python considers TLS 1.0 and 1.1 as disabled by system policy. All test
cases for TLS 1.0 and TLS 1.1 are skipped.

Ubuntu has TLS1_VERSION defined, OPENSSL_NO_TLS1 not defined, and
SSL_CTX_get_min_proto_version() returns 0. So Python assumes that TLS
1.0 is compiled in, supported, and enabled. But it's actually disabled
and tests are failing.

I completely agree with your comment 13: 0 is not a good return value.
Could you modify Ubuntu's patch so that
SSL_CTX_get_min_proto_version(ctx) returns TLS1_2_VERSION and
SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) returns an error? This
would fix Python's problem.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1899878

Title:
  Python's test_ssl fails starting from Ubuntu 20.04

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  Please take a look at https://bugs.python.org/issue41561. Developers
  who work on Python think that the issue is due to a change in Ubuntu
  20.04 that is best described by
  https://bugs.python.org/issue41561#msg378089:

  "It sounds like a Debian/Ubuntu patch is breaking an assumption. Did
  somebody report the bug with Debian/Ubuntu maintainers of OpenSSL
  already? Fedora also configures OpenSSL with minimum protocol version
  of TLS 1.2. The distribution does it in a slightly different way that
  makes the restriction discoverable and that is compatible with
  Python's test suite."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878/+subscriptions

More information about the foundations-bugs mailing list