OpenSSL 1.0.0 needs to change the cipher list for some test_ssl tests to succeed, but the cipher list can't be changed in 2.6/3.1 (maintenance branches). The solution is to skip these tests with the newer OpenSSLs.

This patch uses the "openssl" executable to fetch the OpenSSL version, but we could instead backport OPENSSL_VERSION_* from trunk, at least as  undocumented attributes. What do you think?

I don't think we should use the openssl binary for anything. It may belong to a different version, and it may not be available (in particular on Windows).

I don't understand the problem you are trying to solve. What exactly is it that will stop working on OpenSSL 1.0?

> I don't think we should use the openssl binary for anything. It may
> belong to a different version, and it may not be available (in
> particular on Windows).

Agreed.

> I don't understand the problem you are trying to solve. What exactly
> is it that will stop working on OpenSSL 1.0?

OpenSSL 1.0.0 disables SSLv2 by default, which means the protocol
combination tests give different results (for example, an SSLv23 client
will refuse talking to an SSLv2 server, because the client will attempt
an SSLv3 hello).

We need therefore to fix these tests, by differentiating their outcomes
depending on the OpenSSL version.

(trunk and py3k use a different approach: they manually enable SSLv2
ciphers in those tests, using the new "ciphers" argument, which makes
the behaviour consistent accross all OpenSSL versions)

> OpenSSL 1.0.0 disables SSLv2 by default, which means the protocol
> combination tests give different results (for example, an SSLv23 client
> will refuse talking to an SSLv2 server, because the client will attempt
> an SSLv3 hello).

I see. I think we should just remove that test, then, as it is not
longer a feature of the Python SSL support that we can maintain.

Notice that we should *not* test OpenSSL - hopefully, they have their
own test suites. Instead, we should only test the Python integration of
OpenSSL. Therefore, we should only write test cases that work
independent of the OpenSSL version (except when some API that we want to
test is not available in older OpenSSL versions, in which case a
testable way for that absence should be added when the API gets added).

In short: just remove the test cases whose outcome depend on the OpenSSL
version.

> Notice that we should *not* test OpenSSL - hopefully, they have their
> own test suites. Instead, we should only test the Python integration of
> OpenSSL. Therefore, we should only write test cases that work
> independent of the OpenSSL version (except when some API that we want to
> test is not available in older OpenSSL versions, in which case a
> testable way for that absence should be added when the API gets added).

I agree that these tests are more integration tests than unit tests;
however, they are useful in exercising the code and options we provide
(otherwise we wouldn't know whether e.g. PROTOCOL_TLSv1 really does what
it claims to do).

I think we can simply skip these tests in maintenance branches, where we
don't provide the necessary API to make them pass reliably.

> I agree that these tests are more integration tests than unit tests;
> however, they are useful in exercising the code and options we provide
> (otherwise we wouldn't know whether e.g. PROTOCOL_TLSv1 really does what
> it claims to do).

I don't think the test actually achieves that, as we are testing against
our own implementation (IIUC). To be sure that this really triggers the
right bytes on the wire, we would have to test against an independent
TLS implementation.

> I don't think the test actually achieves that, as we are testing against
> our own implementation (IIUC). To be sure that this really triggers the
> right bytes on the wire, we would have to test against an independent
> TLS implementation.

Yes, it's a best effort thing.

I've committed a patch which unconditionally skips those tests in 2.6 (r80867) and 3.1 (r80868). Thanks for your advice.