[Bug 1899878] Re: Python's test_ssl fails starting from Ubuntu 20.04
Adrien Nader
1899878 at bugs.launchpad.net
Tue Aug 29 13:00:55 UTC 2023
Hi, AFAIU the crux of the issue is that the behaviour on Ubuntu differs
from upstream and is not programmatically discoverable.

OpenSSL 3.2 (which is not released yet and will most likely not be used
in Ubuntu 24.04) switches to seclevel 2 and also has a different meaning
for it. It's (almost?) completely in line with what Ubuntu does. The
story is actually a bit more complicated because upstream wanted to
change this before 3.2 (not sure anymore if that was planned for 3.1 or
3.0) and some changes happened but not others, and it's difficult to
track that now.

Considering this bug is more than two years old and considering where
we're heading, I think I'm going to mark this bug as won't fix. Ubuntu
will continue to use 3.0 until the next openssl LTS release and the
behavior is not expected to change. When the next openssl LTS release
happens, Ubuntu will start using it soon after and the meaning of
seclevel should be unchanged from upstream again (no guarantee though
since I don't control openssl upstream).

The function mentioned by Dimitry also looks interesting if something
finer grained is needed.
--
https://bugs.launchpad.net/bugs/1899878
Title:
Python's test_ssl fails starting from Ubuntu 20.04
Status in openssl package in Ubuntu:
Incomplete
Bug description:
Please take a look at https://bugs.python.org/issue41561. Developers
who work on Python think that the issue is due to a change in Ubuntu
20.04 that is best described by
https://bugs.python.org/issue41561#msg378089:
"It sounds like a Debian/Ubuntu patch is breaking an assumption. Did
somebody report the bug with Debian/Ubuntu maintainers of OpenSSL
already? Fedora also configures OpenSSL with minimum protocol version
of TLS 1.2. The distribution does it in a slightly different way that
makes the restriction discoverable and that is compatible with
Python's test suite."