Actually, I don't want to enable TLS 1.0 and 1.1 when these versions are disabled by crypto policy or openssl.cnf. It's totally ok that these versions are disabled and don't work any more! I just need a reliable way to *detect* that the versions are disabled at runtime.
The feature detection logic boils down to this pseudo code:

    min_version = SSL_CTX_get_min_proto_version(ctx)
    if not defined(TLS1_VERSION) or defined(OPENSSL_NO_TLS1):
        return False
    elif min_version == 0 or min_version <= TLS1_VERSION:
        return True
    else:
        return False

On Debian, SSL_CTX_get_min_proto_version() returns TLS1_2_VERSION and Python considers TLS 1.0 and 1.1 as disabled by system policy. All test cases for TLS 1.0 and TLS 1.1 are skipped.

Ubuntu has TLS1_VERSION defined, OPENSSL_NO_TLS1 not defined, and SSL_CTX_get_min_proto_version() returns 0. So Python assumes that TLS 1.0 is compiled in, supported, and enabled. But it's actually disabled and tests are failing.

I completely agree with your comment 13: 0 is not a good return value. Could you modify Ubuntu's patch so that SSL_CTX_get_min_proto_version(ctx) returns TLS1_2_VERSION and SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) returns an error? This would fix Python's problem.

-- 
https://bugs.launchpad.net/bugs/1899878
Title: Python's test_ssl fails starting from Ubuntu 20.04
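A runnable form of the detection logic discussed in the message, as an added example (Python, because the consumer here is Python's ssl module; this is not code from the bug report, from Ubuntu's OpenSSL patch, or from CPython's test_ssl). The status labels are this example's own vocabulary; everything else is the standard library. The pure decision function is kept separate from the live lookup so the Debian and Ubuntu outcomes described above can be reproduced on any machine, and the setter check the message asks Ubuntu to support is added as a second signal:

```python
"""Runtime detection of TLS protocol versions that OpenSSL will not use.

Added example; not code from the bug report, Ubuntu's patch or CPython.
A version counts as usable only if it is compiled in (ssl.HAS_TLSv1 etc.)
and not excluded by the floor/ceiling a fresh SSLContext reports. CPython
maps a 0 result from SSL_CTX_get_min_proto_version() to
TLSVersion.MINIMUM_SUPPORTED, so that member is the ambiguous "0" above.
"""
import ssl
import warnings
from ssl import TLSVersion

# Status labels are this example's own vocabulary (not part of the ssl API).
NOT_COMPILED = "not compiled in"
POLICY_DISABLED = "disabled by reported floor/ceiling"
SET_REJECTED = "rejected when requested explicitly"
ENABLED = "appears enabled"


def classify(version, compiled, min_version, max_version):
    """Pure decision over the facts the message describes.

    min_version / max_version are what SSLContext.minimum_version and
    .maximum_version report on a fresh context (system crypto policy,
    openssl.cnf MinProtocol, or the interpreter's own default floor; Python
    3.10+ sets TLS 1.2 itself). MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean
    "no bound reported", and a missing floor is taken as "enabled": that is
    exactly the assumption that breaks on Ubuntu 20.04.
    """
    if not compiled:
        return NOT_COMPILED
    if min_version != TLSVersion.MINIMUM_SUPPORTED and version < min_version:
        return POLICY_DISABLED
    if max_version != TLSVersion.MAXIMUM_SUPPORTED and version > max_version:
        return POLICY_DISABLED
    return ENABLED


def tls_version_status(version):
    """Classify `version` against the OpenSSL this interpreter is linked to."""
    compiled = getattr(ssl, "HAS_" + version.name, False)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    status = classify(version, compiled, ctx.minimum_version, ctx.maximum_version)
    if status != ENABLED:
        return status
    # Second signal: request the version explicitly. CPython raises
    # ValueError when SSL_CTX_set_min_proto_version()/_max_ fails, which is
    # the behaviour the message asks Ubuntu's patch to adopt for TLS 1.0.
    with warnings.catch_warnings():
        # TLSVersion.TLSv1 / TLSv1_1 emit DeprecationWarning on 3.10+.
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            return SET_REJECTED
    return ENABLED


def report():
    """Status of every TLS version, keyed by TLSVersion member name."""
    return {v.name: tls_version_status(v)
            for v in (TLSVersion.TLSv1, TLSVersion.TLSv1_1,
                      TLSVersion.TLSv1_2, TLSVersion.TLSv1_3)}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:8} {status}")
```

Feeding `classify()` the two situations from the message shows the gap directly: with a reported floor of TLSv1_2 (Debian) TLS 1.0 is classified as disabled, while with MINIMUM_SUPPORTED (Ubuntu's 0) it is classified as enabled even though the handshake would fail. Neither check performs a handshake, so a distribution that lets the setter succeed and reports no floor stays undetectable by this route, which is the point of the request above.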