From 936612fbf345ab1ba44bd1613e2f0ebf7b1464d7 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Tue, 19 Feb 2019 15:16:26 +0100 Subject: [PATCH 1/2] bpo-36037: Fix min ver in test_ssl for strict policy Fix test_ssl for strict OpenSSL configuration like RHEL8 strict crypto policy. Use older TLS version for minimum TLS version of the server SSL context if needed, to test TLS version older than default minimum TLS version. --- Lib/test/test_ssl.py | 27 ++++++++++++++++++- .../2019-02-19-15-21-14.bpo-36037.75wG9_.rst | 3 +++ 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Tests/2019-02-19-15-21-14.bpo-36037.75wG9_.rst diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 9e571cc78e4b07..58a6d5968dc915 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -33,6 +33,19 @@ IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1) PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS') +PROTOCOL_TO_TLS_VERSION = {} +for proto, ver in ( + ("PROTOCOL_SSLv23", "SSLv3"), + ("PROTOCOL_TLSv1", "TLSv1"), + ("PROTOCOL_TLSv1_1", "TLSv1_1"), +): + try: + proto = getattr(ssl, proto) + ver = getattr(ssl.TLSVersion, ver) + except AttributeError: + continue + PROTOCOL_TO_TLS_VERSION[proto] = ver + def data_file(*name): return os.path.join(os.path.dirname(__file__), *name) @@ -1092,7 +1105,11 @@ def test_min_max_version(self): # Fedora override the setting to TLS 1.0. self.assertIn( ctx.minimum_version, - {ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.TLSv1} + {ssl.TLSVersion.MINIMUM_SUPPORTED, + # Fedora 29 uses TLS 1.0 by default + ssl.TLSVersion.TLSv1, + # RHEL 8 uses TLS 1.2 by default + ssl.TLSVersion.TLSv1_2} ) self.assertEqual( ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED 
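Review bot: In the new `PROTOCOL_TO_TLS_VERSION` loop the iteration variables `proto` and `ver` are rebound inside the `try` from the string names to the resolved `ssl` constants, so after the `try` they no longer mean what the `for` line declares, and a reader has to notice the rebinding to see that the dict is keyed by the integer protocol constant rather than by the name. Distinct names make that explicit: `for proto_name, ver_name in (`, `proto = getattr(ssl, proto_name)`, `ver = getattr(ssl.TLSVersion, ver_name)`. The table's consumer is roughly 2600 lines further down, so a one-line purpose comment above it would help, e.g. `# client protocol constant -> oldest TLS version a PROTOCOL_TLS server must accept for it; used by try_protocol_combo() to relax a strict system-wide minimum_version`. The `except AttributeError: continue` skips an entry whether the `PROTOCOL_*` constant or the `TLSVersion` member is missing; that looks intended for builds that drop old protocols, but it is worth saying so in the comment.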
@@ -2609,6 +2626,14 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success, server_context = ssl.SSLContext(server_protocol) server_context.options |= server_options + min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None) + if (min_version is not None + and server_protocol == ssl.PROTOCOL_TLS + and server_context.minimum_version > min_version): + # If OpenSSL configuration is strict and requires more recent TLS + # version, we have to change the minimum to test old TLS versions. + server_context.minimum_version = min_version + # NOTE: we must enable "ALL" ciphers on the client, otherwise an # SSLv23 client will send an SSLv3 hello (rather than SSLv2) # starting from OpenSSL 1.0.0 (see issue #8322). diff --git a/Misc/NEWS.d/next/Tests/2019-02-19-15-21-14.bpo-36037.75wG9_.rst b/Misc/NEWS.d/next/Tests/2019-02-19-15-21-14.bpo-36037.75wG9_.rst new file mode 100644 index 00000000000000..dbc0fa256e027f --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2019-02-19-15-21-14.bpo-36037.75wG9_.rst @@ -0,0 +1,3 @@ +Fix test_ssl for strict OpenSSL configuration like RHEL8 strict crypto policy. +Use older TLS version for minimum TLS version of the server SSL context if +needed, to test TLS version older than default minimum TLS version. From ef2ec0e5d7b5e77873c621d76ca1e58e14646523 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Tue, 19 Feb 2019 16:59:30 +0100 Subject: [PATCH 2/2] Fix for OpenSSL older than 1.1.1 --- Lib/test/test_ssl.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 58a6d5968dc915..55718220d88de6 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
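Review bot: The override lowers the server floor to `TLSVersion.SSLv3` for any `PROTOCOL_TLS` client, because the table in the module header maps `PROTOCOL_SSLv23` to SSLv3 and `PROTOCOL_SSLv23` is the same constant as `PROTOCOL_TLS` (the ssl documentation describes it as an alias), so on a strict system this drops the server below the TLS 1.0/1.1 combinations the commit is about. This is a test-local context, so there is no production exposure, but a strict policy is then overridden all the way to SSLv3 on every TLS/TLS combination, and whether the setter accepts SSLv3 on a build compiled without SSLv3 is not visible here. I would make the reliance explicit, e.g. `# NOTE: PROTOCOL_SSLv23 is an alias of PROTOCOL_TLS, so a TLS-any client lowers the server floor to SSLv3; TLS 1.0/1.1 combos against a server restricted by OP_NO_* rely on this.`, or map `PROTOCOL_SSLv23` to `ssl.TLSVersion.TLSv1` if no caller negotiates SSLv3 through a `PROTOCOL_TLS` server (the callers are not in view). The enclosing `try_protocol_combo` starts before this hunk and continues past it.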
@@ -2628,6 +2628,9 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success, min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None) if (min_version is not None + # SSLContext.minimum_version is only available on recent OpenSSL + # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1) + and hasattr(server_context, 'minimum_version') and server_protocol == ssl.PROTOCOL_TLS and server_context.minimum_version > min_version): # If OpenSSL configuration is strict and requires more recent TLS
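Review bot: The capability check and its two-line explanation are wedged inside the parenthesized `if` between `min_version is not None` and the remaining `and` clauses, which makes a four-clause condition harder to scan than it needs to be; hoisting it to a named boolean above the `if` keeps the comment next to the thing it explains, e.g. `has_min_version = hasattr(server_context, 'minimum_version')` followed by `if (min_version is not None and has_min_version`. `hasattr` is the right shape here rather than the module's `IS_OPENSSL_1_1_1` flag, since that flag excludes LibreSSL outright and the attribute presence is what the `>` comparison actually depends on. The comment says the setter predates the getter (1.1.0 vs 1.1.1); whether CPython exposes the attribute at all on a setter-only build is not visible here, and if it does, the comparison on the next line would call a getter that may not be backed by OpenSSL, which is worth confirming. The enclosing `try_protocol_combo` starts before this hunk and continues past it.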