After updating openssl in Fedora 26 from 1.1.0e to 1.1.0f the test_alpn_protocols from test_ssl started failing:

======================================================================
FAIL: test_alpn_protocols (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.1/Lib/test/test_ssl.py", line 3261, in test_alpn_protocols
    self.assertIsInstance(stats, ssl.SSLError)
AssertionError: {'compression': None, 'cipher': ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256), 'peercert': {}, 'client_alpn_protocol': None, 'client_npn_protocol': None, 'version': 'TLSv1.2', 'session_reused': False, 'session': <_ssl.Session object at 0x7f846ed97740>, 'server_alpn_protocols': [None], 'server_npn_protocols': [None], 'server_shared_ciphers': [[('ECDHE-ECDSA-AES256-GCM-SHA384', 'TLSv1.2', 256), ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256), ('ECDHE-ECDSA-AES128-GCM-SHA256', 'TLSv1.2', 128), ('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128), ('ECDHE-ECDSA-CHACHA20-POLY1305', 'TLSv1.2', 256), ('ECDHE-RSA-CHACHA20-POLY1305', 'TLSv1.2', 256), ('DHE-DSS-AES256-GCM-SHA384', 'TLSv1.2', 256), ('DHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256), ('DHE-DSS-AES128-GCM-SHA256', 'TLSv1.2', 128), ('DHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128), ('DHE-RSA-CHACHA20-POLY1305', 'TLSv1.2', 256), ('ECDHE-ECDSA-AES256-CCM8', 'TLSv1.2', 256), ('ECDHE-ECDSA-AES256-CCM', 'TLSv1.2', 256), ('ECDHE-ECDSA-AES256-SHA384', 'TLSv1.2', 256), ('ECDHE-RSA-AES256-SHA384', 'TLSv1.2', 256), ('ECDHE-ECDSA-AES256-SHA', 'TLSv1.0', 256), ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256), ('DHE-RSA-AES256-CCM8', 'TLSv1.2', 256), ('DHE-RSA-AES256-CCM', 'TLSv1.2', 256), ('DHE-RSA-AES256-SHA256', 'TLSv1.2', 256), ('DHE-DSS-AES256-SHA256', 'TLSv1.2', 256), ('DHE-RSA-AES256-SHA', 'SSLv3', 256), ('DHE-DSS-AES256-SHA', 'SSLv3', 256), ('ECDHE-ECDSA-AES128-CCM8', 'TLSv1.2', 128), ('ECDHE-ECDSA-AES128-CCM', 'TLSv1.2', 128), ('ECDHE-ECDSA-AES128-SHA256', 'TLSv1.2', 128), ('ECDHE-RSA-AES128-SHA256', 'TLSv1.2', 128), ('ECDHE-ECDSA-AES128-SHA', 'TLSv1.0', 128), ('ECDHE-RSA-AES128-SHA', 'TLSv1.0', 128), ('DHE-RSA-AES128-CCM8', 'TLSv1.2', 128), ('DHE-RSA-AES128-CCM', 'TLSv1.2', 128), ('DHE-RSA-AES128-SHA256', 'TLSv1.2', 128), ('DHE-DSS-AES128-SHA256', 'TLSv1.2', 128), ('DHE-RSA-AES128-SHA', 'SSLv3', 128), ('DHE-DSS-AES128-SHA', 'SSLv3', 128), ('ECDHE-ECDSA-CAMELLIA256-SHA384', 'TLSv1.2', 256), ('ECDHE-RSA-CAMELLIA256-SHA384', 'TLSv1.2', 256), ('ECDHE-ECDSA-CAMELLIA128-SHA256', 'TLSv1.2', 128), ('ECDHE-RSA-CAMELLIA128-SHA256', 'TLSv1.2', 128), ('DHE-RSA-CAMELLIA256-SHA256', 'TLSv1.2', 256), ('DHE-DSS-CAMELLIA256-SHA256', 'TLSv1.2', 256), ('DHE-RSA-CAMELLIA128-SHA256', 'TLSv1.2', 128), ('DHE-DSS-CAMELLIA128-SHA256', 'TLSv1.2', 128), ('DHE-RSA-CAMELLIA256-SHA', 'SSLv3', 256), ('DHE-DSS-CAMELLIA256-SHA', 'SSLv3', 256), ('DHE-RSA-CAMELLIA128-SHA', 'SSLv3', 128), ('DHE-DSS-CAMELLIA128-SHA', 'SSLv3', 128), ('AES256-GCM-SHA384', 'TLSv1.2', 256), ('AES128-GCM-SHA256', 'TLSv1.2', 128), ('AES256-CCM8', 'TLSv1.2', 256), ('AES256-CCM', 'TLSv1.2', 256), ('AES128-CCM8', 'TLSv1.2', 128), ('AES128-CCM', 'TLSv1.2', 128), ('AES256-SHA256', 'TLSv1.2', 256), ('AES128-SHA256', 'TLSv1.2', 128), ('AES256-SHA', 'SSLv3', 256), ('AES128-SHA', 'SSLv3', 128), ('CAMELLIA256-SHA256', 'TLSv1.2', 256), ('CAMELLIA128-SHA256', 'TLSv1.2', 128), ('CAMELLIA256-SHA', 'SSLv3', 256), ('CAMELLIA128-SHA', 'SSLv3', 128)]]} is not an instance of <class 'ssl.SSLError'>

Full build log attached

Note: Python version is 3.6.1

The ALPN test expects an error on OpenSSL >= 1.1, and an error on older OpenSSL versions.

Note: I don't know what is ALPN :-) I found:
https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation

I can confirm that OpenSSL has changed behavior of ALPN hook between 1.1.0e and 1.1.0f. The change was probably introduced by https://github.com/openssl/openssl/pull/3158/commits/b3159f23b293c3d1870ab7b816e4e07386efbe53 I need to investigate further.

Ned, I like to address this issue for 3.6.2. The fix only affects one test and documentation.

Sorry for the delay.  It's clear this needs to get fixed so there's no need to wait to merge PRs into 3.6, 3.5, and 2.7.  If the PR gets merged into 3.6 soon, I'll pull it into 3.6.2 as well.

Sorry, this didn't make it in time for 3.6.2.  There is still at least a couple of weeks to get it into 3.5.4 and 2.7.14.

The test now fails on AMD64 Debian PGO 3.x:

http://buildbot.python.org/all/builders/AMD64%20Debian%20PGO%203.x/builds/985/steps/test/logs/stdio

FAIL: test_alpn_protocols (test.test_ssl.ThreadedTests)

I updated to PGO buildbot from Debian 8 "jessie" to Debian 9 "stretch" which revealed the failures.

I don't see how a fix for a *test* can be considered a *release blocker*.  The PR literally doesn't change Python's behavior; it only modifies two text files and a test.  There is no crash or exploitable security hole being addressed here.

Quoting from the Python Dev Guide:

"As a guideline, critical and above are usually reserved for crashes, serious regressions or breakage of very important APIs. Whether a bug is a release blocker is a decision better left to the release manager so, in any doubt, add him or her to the nosy list."

Test still fails. Failure on AMD64 Debian PGO 2.7:

http://buildbot.python.org/all/builders/AMD64%20Debian%20PGO%202.7/builds/243/steps/test/logs/stdio

======================================================================
FAIL: test_alpn_protocols (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/var/lib/buildbot/slaves/enable-optimizations-bot/2.7.gps-debian-profile-opt.nondebug/build/Lib/test/test_ssl.py", line 2971, in test_alpn_protocols
    self.assertIsInstance(stats, ssl.SSLError)
AssertionError: {'compression': None, 'client_npn_protocol': None, 'cipher': ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256), 'peercert': {}, 'server_npn_protocols': [None], 'client_alpn_protocol': None, 'version': u'TLSv1.2', 'server_alpn_protocols': [None]} is not an instance of <class 'ssl.SSLError'>

Well, the reason one *might* consider a test failure as a release blocker (and I'm not saying you should, I'm just explaining the possible logic) is that distros would understandably like the test suite to pass before they include a release in their distribution.

Naturally up to the release managers.  If I were one, I'd consider it just because not addressing the failure one way or another will lead to people finding us and asking a question about why it is failing.  Adding a SkipTest when the relevant library version is found counts as addressing _that_ level of problem. :)

Dear Christian, ....

Have you found a solution for this issue ?

New changeset 7b40cb7293cb14e5c7c8ed123efaf9acb33edae2 by Christian Heimes in branch 'master':
bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
https://github.com/python/cpython/commit/7b40cb7293cb14e5c7c8ed123efaf9acb33edae2

New changeset 7f6a13bd562ff6a265fc63a991327feaecb07a77 by Christian Heimes in branch '3.6':
[3.6] bpo-30714: ALPN changes for OpenSSL 1.1.0f (#3093)
https://github.com/python/cpython/commit/7f6a13bd562ff6a265fc63a991327feaecb07a77

New changeset 05b7d9c6675b71d17f5fcf379b3888fba431f14e by Christian Heimes in branch '2.7':
[2.7] bpo-30714: ALPN changes for OpenSSL 1.1.0f (#3094)
https://github.com/python/cpython/commit/05b7d9c6675b71d17f5fcf379b3888fba431f14e

2.7, 3.6 and master are fixed.