diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ef54865ed964c7..d6be2b68642660 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -127,7 +127,7 @@ jobs:
build_ubuntu:
name: 'Ubuntu'
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
needs: check_source
if: needs.check_source.outputs.run_tests == 'true'
env:
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 1710dda4389a04..ade7ef529e8122 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -151,6 +151,27 @@ def data_file(*name):
OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+# Ubuntu has patched OpenSSL and changed behavior of security level 2
+# see https://bugs.python.org/issue41561#msg389003
+def is_ubuntu():
+ try:
+ # Assume that any references of "ubuntu" implies Ubuntu-like distro
+ # The workaround is not required for 18.04, but doesn't hurt either.
+ with open("/etc/os-release", encoding="utf-8") as f:
+ return "ubuntu" in f.read()
+ except FileNotFoundError:
+ return False
+
+if is_ubuntu():
+ def seclevel_workaround(*ctxs):
+ """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
+ for ctx in ctxs:
+ if ctx.minimum_version <= ssl.TLSVersion.TLSv1_1:
+ ctx.set_ciphers("@SECLEVEL=1:ALL")
+else:
+ def seclevel_workaround(*ctxs):
+ pass
+
def has_tls_protocol(protocol):
"""Check if a TLS protocol is available and enabled
@@ -2802,6 +2823,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
if client_context.protocol == ssl.PROTOCOL_TLS:
client_context.set_ciphers("ALL")
+ seclevel_workaround(server_context, client_context)
+
for ctx in (client_context, server_context):
ctx.verify_mode = certsreqs
ctx.load_cert_chain(SIGNED_CERTFILE)
@@ -2843,6 +2866,7 @@ def test_echo(self):
with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
context = ssl.SSLContext(protocol)
context.load_cert_chain(CERTFILE)
+ seclevel_workaround(context)
server_params_test(context, context,
chatty=True, connectionchatty=True)
@@ -3847,6 +3871,7 @@ def test_min_max_version_tlsv1_1(self):
client_context.maximum_version = ssl.TLSVersion.TLSv1_2
server_context.minimum_version = ssl.TLSVersion.TLSv1
server_context.maximum_version = ssl.TLSVersion.TLSv1_1
+ seclevel_workaround(client_context, server_context)
with ThreadedEchoServer(context=server_context) as server:
with client_context.wrap_socket(socket.socket(),
@@ -3864,6 +3889,8 @@ def test_min_max_version_mismatch(self):
server_context.minimum_version = ssl.TLSVersion.TLSv1_2
client_context.maximum_version = ssl.TLSVersion.TLSv1
client_context.minimum_version = ssl.TLSVersion.TLSv1
+ seclevel_workaround(client_context, server_context)
+
with ThreadedEchoServer(context=server_context) as server:
with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as s:
@@ -3878,6 +3905,8 @@ def test_min_max_version_sslv3(self):
server_context.minimum_version = ssl.TLSVersion.SSLv3
client_context.minimum_version = ssl.TLSVersion.SSLv3
client_context.maximum_version = ssl.TLSVersion.SSLv3
+ seclevel_workaround(client_context, server_context)
+
with ThreadedEchoServer(context=server_context) as server:
with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as s:
diff --git a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst
new file mode 100644
index 00000000000000..214350729bff6c
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst
@@ -0,0 +1 @@
+Add workaround for Ubuntu's custom OpenSSL security level policy.
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy