[Bug 1899878] Re: Python's test_ssl fails starting from Ubuntu 20.04
Kurt Roeckx
1899878 at bugs.launchpad.net
Wed Mar 10 16:47:30 UTC 2021
2) and 3) would never return 0, which is what the upstream OpenSSL
version returns now.

2) would make it return TLS1_VERSION for the minimum and TLS1_3_VERSION
for the maximum with default build options. If you enable SSLv3 support
at compile time, the minimum would return SSL3_VERSION. Note that there
is a TLS_MAX_VERSION define that's equal to TLS1_3_VERSION, but no such
define for the minimum.

1) would just return what is set, which is 0 upstream and for Ubuntu for
both minimum and maximum, where 0 is defined as no limit set. Debian
sets the minimum to TLS1_2_VERSION, and so returns that value. But maybe
if no limit is set (and so the value is 0), it can instead return the
minimum/maximum version that's supported at compile time.

3) would have the effect that upstream in 1.1.1 returns TLS1_VERSION and
TLS1_3_VERSION, but TLS1_2_VERSION and TLS1_3_VERSION in 3.0. For Ubuntu
and Debian it would return TLS1_2_VERSION and TLS1_3_VERSION, since that
is what they do using a different method.

Setting the default minimum to TLS1_2_VERSION (at compile time) will
clearly fix your problem. But I think you're going to run into the same
problem with 3.0, and we should probably add a new API in 3.0 for it.
--
https://bugs.launchpad.net/bugs/1899878
Title:
Python's test_ssl fails starting from Ubuntu 20.04
Status in openssl package in Ubuntu:
Incomplete
Bug description:
Please take a look at https://bugs.python.org/issue41561. Developers
who work on Python think that the issue is due to a change in Ubuntu
20.04 that is best described by
https://bugs.python.org/issue41561#msg378089:
"It sounds like a Debian/Ubuntu patch is breaking an assumption. Did
somebody report the bug with Debian/Ubuntu maintainers of OpenSSL
already? Fedora also configures OpenSSL with minimum protocol version
of TLS 1.2. The distribution does it in a slightly different way that
makes the restriction discoverable and that is compatible with
Python's test suite."