From 2393fb65af13a4f51f913afab12853201224b755 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 18 Mar 2021 23:06:50 +0100 Subject: [PATCH] bpo-41561: Add workaround for Ubuntu's custom security level (GH-24915) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes (cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4) Co-authored-by: Christian Heimes --- .github/workflows/build.yml | 2 +- Lib/test/test_ssl.py | 29 +++++++++++++++++++ .../2021-03-18-10-34-42.bpo-41561.pDg4w-.rst | 1 + 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 01370954feaaed..9fa6033a9dc353 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -121,7 +121,7 @@ jobs: build_ubuntu: name: 'Ubuntu' - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 needs: check_source if: needs.check_source.outputs.run_tests == 'true' env: diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 27cb884e072e05..e5b4b11d37fe62 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -147,6 +147,27 @@ def data_file(*name): OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0) OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0) +# Ubuntu has patched OpenSSL and changed behavior of security level 2 +# see https://bugs.python.org/issue41561#msg389003 +def is_ubuntu(): + try: + # Assume that any references of "ubuntu" implies Ubuntu-like distro + # The workaround is not required for 18.04, but doesn't hurt either. + with open("/etc/os-release", encoding="utf-8") as f: + return "ubuntu" in f.read() + except FileNotFoundError: + return False + +if is_ubuntu(): + def seclevel_workaround(*ctxs): + """"Lower security level to '1' and allow all ciphers for TLS 1.0/1""" + for ctx in ctxs: + if ctx.minimum_version <= ssl.TLSVersion.TLSv1_1: + ctx.set_ciphers("@SECLEVEL=1:ALL") +else: + def seclevel_workaround(*ctxs): + pass + def has_tls_protocol(protocol): """Check if a TLS protocol is available and enabled @@ -2777,6 +2798,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success, if client_context.protocol == ssl.PROTOCOL_TLS: client_context.set_ciphers("ALL") + seclevel_workaround(server_context, client_context) + for ctx in (client_context, server_context): ctx.verify_mode = certsreqs ctx.load_cert_chain(SIGNED_CERTFILE) @@ -2818,6 +2841,7 @@ def test_echo(self): with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]): context = ssl.SSLContext(protocol) context.load_cert_chain(CERTFILE) + seclevel_workaround(context) server_params_test(context, context, chatty=True, connectionchatty=True) @@ -3822,6 +3846,7 @@ def test_min_max_version_tlsv1_1(self): client_context.maximum_version = ssl.TLSVersion.TLSv1_2 server_context.minimum_version = ssl.TLSVersion.TLSv1 server_context.maximum_version = ssl.TLSVersion.TLSv1_1 + seclevel_workaround(client_context, server_context) with ThreadedEchoServer(context=server_context) as server: with client_context.wrap_socket(socket.socket(), @@ -3839,6 +3864,8 @@ def test_min_max_version_mismatch(self): server_context.minimum_version = ssl.TLSVersion.TLSv1_2 client_context.maximum_version = ssl.TLSVersion.TLSv1 client_context.minimum_version = ssl.TLSVersion.TLSv1 + seclevel_workaround(client_context, server_context) + with ThreadedEchoServer(context=server_context) as server: with client_context.wrap_socket(socket.socket(), server_hostname=hostname) as s: @@ -3853,6 +3880,8 @@ def test_min_max_version_sslv3(self): server_context.minimum_version = ssl.TLSVersion.SSLv3 client_context.minimum_version = ssl.TLSVersion.SSLv3 client_context.maximum_version = ssl.TLSVersion.SSLv3 + seclevel_workaround(client_context, server_context) + with ThreadedEchoServer(context=server_context) as server: with client_context.wrap_socket(socket.socket(), server_hostname=hostname) as s: diff --git a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst new file mode 100644 index 00000000000000..214350729bff6c --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst @@ -0,0 +1 @@ +Add workaround for Ubuntu's custom OpenSSL security level policy. pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy