Christian Heimes <li...@cheimes.de> added the comment:
I have discussed the problem with downstream engineers on the two issues

- https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
- https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625

The gist of the issue is: Canonical has taken a different approach than Debian and other distros to set the minimum TLS version. Most distros use an openssl.cnf file to set "MinProtocol = TLSv1.2". The config file approach allows applications to override the setting with SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) and to detect the current minimum version with SSL_CTX_get_min_proto_version(ctx) == TLS1_VERSION.

Ubuntu doesn't set "MinProtocol = TLSv1.2". Instead the distro has patched the OpenSSL source code and modified the meaning of security level "2". Security level is a new OpenSSL API to set various security related settings. On Ubuntu SECLEVEL=2 prevents TLS 1.0 and 1.1 connections. Further, SSL_CTX_get_min_proto_version(ctx) returns 0 (dummy value for minimum supported version). SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) does not fail although TLS 1.0 is prohibited.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
  Level 2: SSL version 3 is also not allowed
  Level 4: TLS versions below 1.2 are not permitted.

https://manpages.ubuntu.com/manpages/focal/man3/SSL_CTX_set_security_level.3ssl.html
  Level 2: On Ubuntu, TLS versions below 1.2 are not permitted

The combination of "Ubuntu changed the meaning of security level policy" and "SSL_CTX_get_min_proto_version(ctx) does not report minimum version" breaks our tests. OpenSSL doesn't provide an easy way to check if an SSL_CTX has a sane configuration. There is a way to check if a security policy allows a TLS version.
I'm not sure if we should include the check in CPython and where to best put the check:

    /* Ask the context's security callback whether it would accept TLS 1.0,
       in addition to what SSL_CTX_get_min_proto_version() reports. */
    void *sec_ex = SSL_CTX_get0_security_ex_data(ctx);
    int (*sec_cb)(const SSL *, const SSL_CTX *, int, int, int, void *, void *) =
        SSL_CTX_get_security_callback(ctx);
    int result = sec_cb(NULL, ctx, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL, sec_ex);
    if (result && (SSL_CTX_get_min_proto_version(ctx) >= TLS1_VERSION))
        ...

----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41561>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
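The comment above makes two claims that are worth checking empirically on a given build: that SSL_CTX_set_min_proto_version() accepts TLS 1.0 and the context reports it, and yet a handshake at that version is refused by the security level. The following Python script is an added example (it is neither from the bug report nor from CPython's test suite) that measures exactly that from the ssl module: it pins both a client and a server context to a single protocol version, records whether the setter is accepted and what minimum_version reads back, and then runs a loopback handshake over MemoryBIO objects, which is the only answer a distro-patched security callback cannot misreport. It assumes the openssl command-line tool is on PATH (used only to mint a throw-away self-signed RSA-2048 certificate, strong enough for security level 2 so any failure is attributable to the version) and a Python ssl module linked against OpenSSL 1.1.0 or newer.

```python
"""Probe which TLS versions this OpenSSL build actually lets you negotiate.

Added example; not from the bug report or CPython's test suite.
Assumes the ``openssl`` CLI is on PATH (only used to mint a throw-away
self-signed certificate) and an ssl module linked against OpenSSL >= 1.1.0
(needed for SSLContext.minimum_version / maximum_version).
"""
import os
import ssl
import subprocess
import tempfile

# Versions to probe; names are those of the ssl.TLSVersion enum members.
PROBE_VERSIONS = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def make_self_signed_cert(directory):
    """Generate a throw-away RSA-2048 key and self-signed cert with the openssl CLI.

    RSA-2048 keeps the cert acceptable at security level 2, so a failed
    handshake below is attributable to the protocol version, not the key.
    """
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return cert, key


def _pin_version(ctx, version):
    """Restrict ctx to exactly one protocol version (min == max)."""
    ctx.minimum_version = version
    ctx.maximum_version = version


def _pump(src, dst):
    """Move whatever one side wrote into the other side's incoming BIO."""
    data = src.read()
    if data:
        dst.write(data)


def handshake_in_memory(client_ctx, server_ctx, rounds=16):
    """Run a full client/server handshake over MemoryBIOs, no sockets.

    Returns True if both sides finish, False if either side raises an
    SSLError (e.g. "unsupported protocol") or the handshake stalls.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    try:
        client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
        server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
        client_done = server_done = False
        for _ in range(rounds):
            if not client_done:
                try:
                    client.do_handshake()
                    client_done = True
                except ssl.SSLWantReadError:
                    pass          # waiting for the server's next flight
            _pump(c_out, s_in)
            if not server_done:
                try:
                    server.do_handshake()
                    server_done = True
                except ssl.SSLWantReadError:
                    pass          # waiting for the client's next flight
            _pump(s_out, c_in)
            if client_done and server_done:
                return True
    except ssl.SSLError:
        return False
    return False


def probe_version(name, certfile, keyfile):
    """Return (set_accepted, readback, handshake_ok) for one TLS version.

    set_accepted: the min/max setters did not raise (a build with the
                  version compiled out raises ValueError here).
    readback:     the name ctx.minimum_version reports afterwards; this is
                  where a distro-patched build may say MINIMUM_SUPPORTED.
    handshake_ok: whether a loopback handshake pinned to that version works.
    """
    version = ssl.TLSVersion[name]
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE      # self-signed test cert
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    try:
        _pin_version(client_ctx, version)
        _pin_version(server_ctx, version)
    except (ValueError, ssl.SSLError):
        return (False, client_ctx.minimum_version.name, False)
    readback = client_ctx.minimum_version.name
    return (True, readback, handshake_in_memory(client_ctx, server_ctx))


def probe_all():
    """Probe every version in PROBE_VERSIONS; result keys are version names."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        return {name: probe_version(name, cert, key) for name in PROBE_VERSIONS}


if __name__ == "__main__":
    for name, (accepted, readback, ok) in probe_all().items():
        print(f"{name:8} set_min/max={'ok' if accepted else 'rejected':8} "
              f"readback={readback:18} handshake={'ok' if ok else 'FAILED'}")
```

On a distro that enforces the minimum through openssl.cnf, TLSv1 shows set_min/max=ok and the handshake succeeds because the application override takes effect; on a build whose security level forbids it, the setter still succeeds and the version may still read back, but the handshake row is FAILED, which is the discrepancy the comment describes. A test suite can use the handshake column alone to decide whether to skip TLS 1.0/1.1 cases.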