This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: test_ssl failure on Fedora 22
Type:
Stage:
Components: Library (Lib)
Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To: ncoghlan
Nosy List: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, kushal.das, martin.panter, ncoghlan, ned.deily, pitrou, suki, vstinner
Priority: normal
Keywords: patch

Created on 2015-04-15 14:44 by kushal.das, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name | Uploaded | Description
issue23965_check_sslv23_support.diff | ncoghlan, 2015-07-05 10:34 | Failing patch attached for reference
issue23965_handle_legacy_ssl_peers_disallowed.diff | ncoghlan, 2015-07-05 11:25 | Check if legacy SSL peers are allowed when starting SSL tests
issue23965_handle_legacy_ssl_peers_disallowed-2.diff | vstinner, 2015-09-02 21:01 |
Messages (15)
msg241109 - Author: Kushal Das (kushal.das) (Python committer) Date: 2015-04-15 14:44
OpenSSL version openssl-1.0.1k-6.fc22.x86_64
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1k-fips 8 Jan 2015'


======================================================================
ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 119, in f
    return func(*args, **kwargs)
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 2454, in test_protocol_sslv23
    try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 2203, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 2130, in server_params_test
    s.connect((HOST, server.port))
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 1014, in connect
    self._real_connect(addr, False)
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 1005, in _real_connect
    self.do_handshake()
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 983, in do_handshake
    self._sslobj.do_handshake()
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 628, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:634)

======================================================================
ERROR: test_protocol_sslv3 (test.test_ssl.ThreadedTests)
Connecting to an SSLv3 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 119, in f
    return func(*args, **kwargs)
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 2497, in test_protocol_sslv3
    client_options=ssl.OP_NO_SSLv2)
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 2203, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 2130, in server_params_test
    s.connect((HOST, server.port))
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 1014, in connect
    self._real_connect(addr, False)
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 1005, in _real_connect
    self.do_handshake()
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 983, in do_handshake
    self._sslobj.do_handshake()
  File "/home/kdas/code/python/cpython/Lib/ssl.py", line 628, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:634)

======================================================================
FAIL: test_options (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 119, in f
    return func(*args, **kwargs)
  File "/home/kdas/code/python/cpython/Lib/test/test_ssl.py", line 789, in test_options
    ctx.options)
AssertionError: 2164261887 != 2197816319

----------------------------------------------------------------------
msg241110 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2015-04-15 14:55
I suspect that the FIPS version of OpenSSL can't create a SSLv3 server anymore.
msg243905 - Author: Nick Coghlan (ncoghlan) (Python committer) Date: 2015-05-23 10:02
Digging into the test_options failure suggests Christian is right (although I think it has more to do with https://fedoraproject.org/wiki/Changes/CryptoPolicy than it does with FIPS):

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> bin(ctx.options)
'0b10000011000000000000001111111111'
>>> bin(ssl.OP_ALL | ssl.OP_NO_SSLv2)
'0b10000001000000000000001111111111'
>>> bin(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
'0b10000011000000000000001111111111'

The tests' assumptions about the default SSL configuration are out of date, so the tests have started failing on F22. We should likely check the default options to see if they turn off SSLv3 when test_ssl is imported, and use that as a check to skip affected tests (as well as to adjust what test_options checks for as the default state).
msg243977 - Author: Mark Daoust (suki) Date: 2015-05-24 11:47
I think I might have found a related/real world example.

I'm on a mac with OSX-10.10.3 and "test_ssl" passes, but when I try to install jupyter_notebook it attempts to download some css, and gives what looks like an identical error to the first one, in the initial report (test_protocol_sslv23). The download works fine in 2.7 and 3.4:

>>> sys.version
'3.5.0a4 (v3.5.0a4:413e0e0004f4, Apr 19 2015, 14:19:25) \n[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)]'

>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8zd 8 Jan 2015'

>>> urllib.request.urlopen("https://cdn.jupyter.org/notebook/4.0.0-dev/style/style.min.css")

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 1239, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1083, in request
    self._send_request(method, url, body, headers)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1128, in _send_request
    self.endheaders(body)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1079, in endheaders
    self._send_output(message_body)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 911, in _send_output
    self.send(msg)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 854, in send
    self.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1237, in connect
    server_hostname=server_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 376, in wrap_socket
    _context=self)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 747, in __init__
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 983, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 628, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:634)
msg244004 - Author: Ned Deily (ned.deily) (Python committer) Date: 2015-05-24 21:59
(@suki, I assume this is the issue reported here:  https://github.com/jupyter/notebook/issues/111 ?)
msg246302 - Author: Nick Coghlan (ncoghlan) (Python committer) Date: 2015-07-05 10:34
I've attached the patch for my initial attempt at addressing this, but I think my results show I went down completely the wrong path.

Specifically, the three new tests are "failing":

FAIL: test_protocol_sslv23_not_available (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
AssertionError: Client protocol PROTOCOL_SSLv23 succeeded with server protocol PROTOCOL_SSLv23!

FAIL: test_protocol_sslv2_not_available (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
AssertionError: Client protocol SSLv2 succeeded with server protocol SSLv2!

FAIL: test_protocol_sslv3_not_available (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
AssertionError: Client protocol PROTOCOL_SSLv3 succeeded with server protocol PROTOCOL_SSLv3!

So I'm going to revert this attempt entirely, and instead start by introducing some appropriate use of subtests to get more info out of the failing examples.
msg246304 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2015-07-05 10:37
Like Christian, I suspect that SSLv3 is progressively getting disabled in distro builds of OpenSSL.
msg246308 - Author: Nick Coghlan (ncoghlan) (Python committer) Date: 2015-07-05 10:56
Yeah, I belatedly realised I was overcomplicating things, and the test failures really are just due to the change in the context options to disallow SSLv3 peers by default.

I have an idea for how to fix that, and I think it will make the handling of the NO_SSLv2 flag in the SSL tests easier to follow as well.

It's also worth noting that https://www.rfc-editor.org/info/rfc7568 was published recently to start deprecating SSL 3.0 entirely, so setting that flag by default is indeed going to become the norm at the distro layer.
msg246309 - Author: Nick Coghlan (ncoghlan) (Python committer) Date: 2015-07-05 11:25
The attached patch creates a TLSv1 context at test_ssl import time to see if SSLv2 and SSLv3 peers are disallowed by default.

The test expectations for context options, SSLv23 and SSLv3 are then adjusted accordingly.

The context options tests are also updated to compare binary strings rather than comparing integers directly, as the diff is much nicer with the strings.

Creating the TLSv1 context at import time could be avoided easily enough by moving the options flag check into the individual tests, so I'm open to doing that if folks would prefer it.
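Added example (editor's code, not from the tracker, from CPython's test suite or from either attached patch) of the probing approach that msg243905 and msg246309 describe: build a context with the library defaults, read ctx.options, derive the test expectations from the flags that are actually set instead of hard-coding OP_ALL | OP_NO_SSLv2, and compare option words as binary strings so a mismatch is readable. The two constants EXPECTED_ON_PAGE and ACTUAL_ON_PAGE are the integers from the test_options failure in the first message; the function names, the skip-reason helper and the use of PROTOCOL_TLS_CLIENT (with PROTOCOL_SSLv23 as the fallback on older interpreters) are this example's own choices.

```python
import ssl

# Values copied from the failing test_options assertion in msg241109
# ("AssertionError: 2164261887 != 2197816319"): what the test expected
# for a fresh context, and what the Fedora 22 OpenSSL actually reported.
EXPECTED_ON_PAGE = 2164261887
ACTUAL_ON_PAGE = 2197816319


def default_options(protocol=None):
    """Return the option bits of a freshly created SSLContext as an int."""
    if protocol is None:
        # PROTOCOL_TLS_CLIENT exists from Python 3.6 on; older releases fall
        # back to PROTOCOL_SSLv23, the "negotiate the highest version" context.
        protocol = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)
    return int(ssl.SSLContext(protocol).options)


def legacy_peers_disallowed(options):
    """Decode which legacy SSL versions an options word refuses to speak.

    Caveat: OpenSSL 1.1.0 removed SSLv2 entirely and defines SSL_OP_NO_SSLv2
    as 0, so on such builds the SSLv2 flag is never observed as set even
    though an SSLv2 peer is impossible. Only the SSLv3 bit is meaningful
    across OpenSSL generations.
    """
    return {
        "SSLv2": bool(options & ssl.OP_NO_SSLv2),
        "SSLv3": bool(options & ssl.OP_NO_SSLv3),
    }


def extra_flags(expected, actual):
    """Option bits present in `actual` but absent from `expected`."""
    return actual & ~expected


def flag_names(bits):
    """Names of the ssl.OP_* constants whose bits are all set in `bits`."""
    names = []
    for name in dir(ssl):
        if not name.startswith("OP_") or name == "OP_ALL":
            continue
        value = getattr(ssl, name)
        # Skip zero-valued flags (e.g. OP_NO_SSLv2 on OpenSSL >= 1.1.0).
        if isinstance(value, int) and value and (bits & value) == value:
            names.append(name)
    return sorted(names)


def as_bit_strings(expected, actual):
    """Render both words with bin() so a failed comparison diffs legibly."""
    return bin(expected), bin(actual)


def legacy_test_skip_reason(version, legacy):
    """Reason to skip a test that needs an SSLv2/SSLv3 peer, or None."""
    if legacy.get(version):
        return "%s peers are disallowed by the default context options" % version
    return None


if __name__ == "__main__":
    opts = default_options()
    legacy = legacy_peers_disallowed(opts)
    print("default options:", bin(opts))
    print("legacy peers disallowed:", legacy)
    print("flags set:", flag_names(opts))
    for version in ("SSLv2", "SSLv3"):
        print(version, "->", legacy_test_skip_reason(version, legacy) or "test can run")
    print("bit that broke test_options on F22:",
          flag_names(extra_flags(EXPECTED_ON_PAGE, ACTUAL_ON_PAGE)))
```

Run stand-alone it prints the probe for the interpreter's own OpenSSL; on the page's numbers, extra_flags() isolates exactly one bit, and flag_names() resolves it to OP_NO_SSLv3, which is what the thread concludes. The probe runs at import time in the patch and here at call time; either way it is the actual default, not a hard-coded assumption, that drives the skip decision.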
msg246315 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2015-07-05 14:02
Patch looks fine to me, assuming the tests don't fail, of course.
msg249571 - Author: STINNER Victor (vstinner) (Python committer) Date: 2015-09-02 21:01
test_ssl is still failing on Fedora 22. I updated Nick's patch (I worked on the default branch). With the patch, test_ssl pass. I didn't try it on other platforms.
msg249572 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2015-09-02 21:03
As I already said, patch looks fine assuming you've checked it doesn't break mainstream platforms :)
msg258783 - Author: Martin Panter (martin.panter) (Python committer) Date: 2016-01-22 02:39
I suspect the patches here are out of date considering SSL v3 has been disabled by default in Python via Issue 25613, revision 56f64ec9259f. Are there any bits of the patches worth resurrecting (for cleaner logic, future-proofing or something)? Or is this completely out of date now?
msg258784 - Author: Martin Panter (martin.panter) (Python committer) Date: 2016-01-22 02:40
Sorry, the bug disabling v3 by default is Issue 25530.
msg258787 - Author: Nick Coghlan (ncoghlan) (Python committer) Date: 2016-01-22 04:52
This is working fine on Fedora 23, so yeah, I think the change to always disallow SSLv3 by default resolved it.
History
Date | User | Action | Args
2022-04-11 14:58:15 | admin | set | github: 68153
2016-01-22 04:52:43 | ncoghlan | set | status: open -> closed; resolution: out of date; messages: + msg258787
2016-01-22 02:40:39 | martin.panter | set | messages: + msg258784
2016-01-22 02:39:11 | martin.panter | set | nosy: + martin.panter; messages: + msg258783
2015-09-02 21:03:19 | pitrou | set | messages: + msg249572
2015-09-02 21:01:16 | vstinner | set | files: + issue23965_handle_legacy_ssl_peers_disallowed-2.diff; nosy: + vstinner; messages: + msg249571
2015-07-05 14:02:05 | pitrou | set | messages: + msg246315
2015-07-05 11:25:39 | ncoghlan | set | files: + issue23965_handle_legacy_ssl_peers_disallowed.diff; messages: + msg246309
2015-07-05 10:56:20 | ncoghlan | set | assignee: ncoghlan; messages: + msg246308
2015-07-05 10:37:06 | pitrou | set | messages: + msg246304
2015-07-05 10:34:08 | ncoghlan | set | files: + issue23965_check_sslv23_support.diff; keywords: + patch; messages: + msg246302; versions: + Python 2.7, Python 3.4, Python 3.6
2015-05-24 21:59:37 | ned.deily | set | nosy: + ned.deily; messages: + msg244004
2015-05-24 11:47:37 | suki | set | nosy: + suki; messages: + msg243977
2015-05-23 10:02:16 | ncoghlan | set | nosy: + ncoghlan; messages: + msg243905
2015-04-15 14:55:24 | christian.heimes | set | nosy: + janssen, pitrou, giampaolo.rodola, alex, dstufft; messages: + msg241110
2015-04-15 14:44:02 | kushal.das | create |