Issue 31518: ftplib, urllib2, poplib, httplib, urllib2_localnet use ssl.PROTOCOL_TLSv1 unconditionally
Two tests are failing in 3.7 branch:
======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2660, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)
======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2734, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)
Matthias, is there any way to detect Debian's modifications of OpenSSL from header files or with an API call? Otherwise we have no way to reliably detect and correctly skip the test. At the moment there is no way to retrieve the minimum protocol from OpenSSL SSL_CTX. I landed an OpenSSL patch just a couple of days ago to add SSL_CTX_get_min_proto_version(), https://github.com/openssl/openssl/pull/4364
Christian, I assume you'd like to see a test which can be done at runtime, not build time. Assuming you have that openssl upstream patch available in your build dependency, would that help with the detection? If yes, I'll talk to Debian's and Ubuntu's openssl maintainers to backport it, so the _ssl module could use it depending on a configure check.
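The runtime check discussed in this thread, sketched as an added example (not code from the issue or from CPython's test suite): it decides whether a protocol version can be negotiated before a test pins it. It assumes Python 3.7 or later, where `ssl.SSLContext.minimum_version` and `maximum_version` are available when the module is built against OpenSSL 1.1.0g or newer; the helper names `skip_reason` and `version_allowed` are hypothetical.

```python
import ssl

# Compile-time availability of each protocol in this build of the ssl module.
_BUILT = {
    ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3,
}
# Per-context option bits that switch a single protocol version off.
_OP_NO = {
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def skip_reason(version, ctx=None):
    """Return why `version` cannot be negotiated by `ctx`, or None if it can.

    With no ctx, a fresh client context is probed, so the answer reflects
    whatever floor and ceiling that context carries by default.
    """
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not _BUILT[version]:
        return f"{version.name} not available in this build"
    if ctx.options & _OP_NO[version]:
        return f"{version.name} disabled by context options"
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "no bound set".
    if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
        return f"{version.name} below context minimum {lo.name}"
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
        return f"{version.name} above context maximum {hi.name}"
    return None


def version_allowed(version, ctx=None):
    """True when `skip_reason` finds nothing that blocks `version`."""
    return skip_reason(version, ctx) is None


if __name__ == "__main__":
    for v in _BUILT:
        print(v.name, skip_reason(v) or "allowed")
```

A test that pins a single protocol version can call `skip_reason()` first and pass the returned string to `unittest.SkipTest` instead of failing with a protocol version alert.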