classification
Title: ftplib, urllib2, poplib, httplib, urllib2_localnet use ssl.PROTOCOL_TLSv1 unconditionally
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.7, Python 3.6, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, doko
Priority: normal Keywords: patch

Created on 2017-09-19 13:35 by doko, last changed 2018-02-24 23:46 by christian.heimes. This issue is now closed.

Pull Requests
URL Status Linked
PR 3660 merged christian.heimes, 2017-09-19 18:55
PR 3661 merged christian.heimes, 2017-09-19 18:56
Messages (8)
msg302524 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-09-19 13:35
Debian's OpenSSL now disables TLS 1.0 and 1.1, letting some of the Python tests fail. Please make them use a newer protocol version, or make the use of the older versions conditional.
msg302526 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-09-19 13:39
failing tests:

https://ci.debian.net/data/packages/unstable/amd64/p/python3.6/latest-autopkgtest/log.gz
msg302527 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-19 13:43
3.7 no longer uses PROTOCOL_TLSv1 except for test_ssl.py, see #31346

By the way, Debian Sid/Buster broke support for SSL and TLS < 1.2, see #31453. There is no way to enable the protocols from Python.
msg302531 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-19 15:00
Two tests are failing in 3.7 branch:

======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2660, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2734, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)

----------------------------------------------------------------------

Matthias,
is there any way to detect Debian's modifications of OpenSSL from header files or with an API call? Otherwise we have no way to reliably detect and correctly skip the test. At the moment there is no way to retrieve the minimum protocol from OpenSSL SSL_CTX. I landed an OpenSSL patch just a couple of days ago to add SSL_CTX_get_min_proto_version(), https://github.com/openssl/openssl/pull/4364
msg302558 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-09-19 19:02
Christian, I assume you'd like to see a test which can be done at *runtime*, not *buildtime*.  Assuming you have that openssl upstream patch available in your build dependency, would that help with the detection?  If yes, I'll talk to Debian's and Ubuntu's openssl maintainers to backport it, so the _ssl module could use it depending on a configure check.
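As an added illustration of the two options raised in msg302524 (use a newer protocol, or make the use of the old one conditional) and of the runtime detection discussed in msg302531 and msg302558, the code below is not from this issue, from PR 3660/3661, or from CPython's test suite. It assumes Python 3.7 or later, where `SSLContext.minimum_version` wraps OpenSSL's `SSL_CTX_get_min_proto_version()` (OpenSSL 1.1.0g or later); on older combinations the probe reports "unknown" rather than guessing, so a test that needs an old version is still allowed to run and fail loudly. The floor it reads is whatever the context carries before the caller touches it: the distribution's compiled-in or patched default, or, on Python 3.10 and later, Python's own TLS 1.2 default.

```python
"""Runtime probe for the TLS protocol floor a fresh SSLContext carries, plus the
non-pinned client context that replaces a hard-coded PROTOCOL_TLSv1.

Added example for bpo-31518, not CPython's own test code.
Assumption: Python 3.7+ (TLSVersion, SSLContext.minimum_version, which wraps
OpenSSL's SSL_CTX_get_min_proto_version(), available from OpenSSL 1.1.0g).
"""
from ssl import PROTOCOL_TLS_CLIENT, SSLContext, TLSVersion


def effective_minimum_version():
    """Return the protocol floor a freshly created context reports, or None
    when this Python/OpenSSL cannot report it (pre-3.7 ssl module, or an
    OpenSSL without SSL_CTX_get_min_proto_version)."""
    ctx = SSLContext(PROTOCOL_TLS_CLIENT)
    try:
        return ctx.minimum_version
    except (AttributeError, ValueError):
        return None


def below_floor(required, floor):
    """True when a test that must speak exactly `required` cannot run because
    the library's floor is above it.

    None (floor unknown) and the negative sentinels MINIMUM_SUPPORTED /
    MAXIMUM_SUPPORTED carry no usable floor, so the test is allowed to run;
    TLSVersion is an IntEnum, so real versions compare by wire value."""
    if floor is None or floor < 0:
        return False
    return required < floor


def skip_reason(required):
    """Text a test can hand to unittest.skipIf, or None if it may run."""
    floor = effective_minimum_version()
    if below_floor(required, floor):
        return "OpenSSL floor is %s, test needs %s" % (floor.name, required.name)
    return None


def make_client_context(minimum=TLSVersion.TLSv1_2):
    """The shape of the fix the issue title asks for: let the handshake pick the
    newest version both peers support instead of pinning PROTOCOL_TLSv1, and
    state the floor explicitly instead of inheriting whatever the build has."""
    ctx = SSLContext(PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    return ctx


if __name__ == "__main__":
    print("reported floor:", effective_minimum_version())
    for version in (TLSVersion.TLSv1, TLSVersion.TLSv1_1, TLSVersion.TLSv1_2):
        print(version.name, "->", skip_reason(version) or "may run")
```

A test module would wrap this as `@unittest.skipIf(skip_reason(TLSVersion.TLSv1), "...")`, which is the conditional use msg302524 asks for; the client libraries themselves get `make_client_context()`, so they no longer depend on a single protocol version being enabled in the system OpenSSL.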
msg302562 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-19 19:24
PR 3660 and PR 3661 address most of the failing tests. The two failures in msg302531 are discussed in issue #31453.
msg312766 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-24 23:45
New changeset aab225840360719516eca55a7a69cfee45aee2af by Christian Heimes in branch '3.6':
bpo-31518: Change TLS protocol for Debian (#3660)
https://github.com/python/cpython/commit/aab225840360719516eca55a7a69cfee45aee2af
msg312767 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-24 23:45
New changeset 8d4d17399fb82801eaaca5beeb97a19908b40222 by Christian Heimes in branch '2.7':
bpo-31518: Change TLS protocol for Debian (#3661)
https://github.com/python/cpython/commit/8d4d17399fb82801eaaca5beeb97a19908b40222
History
Date                 User              Action  Args
2018-02-24 23:46:23  christian.heimes  set     status: open -> closed
                                               type: behavior
                                               resolution: fixed
                                               stage: patch review -> resolved
2018-02-24 23:45:56  christian.heimes  set     messages: + msg312767
2018-02-24 23:45:26  christian.heimes  set     messages: + msg312766
2017-09-19 19:24:40  christian.heimes  set     messages: + msg302562
2017-09-19 19:02:16  doko              set     messages: + msg302558
2017-09-19 18:56:55  christian.heimes  set     pull_requests: + pull_request3650
2017-09-19 18:55:42  christian.heimes  set     keywords: + patch
                                               stage: patch review
                                               pull_requests: + pull_request3649
2017-09-19 15:00:43  christian.heimes  set     messages: + msg302531
                                               versions: + Python 3.7
2017-09-19 13:43:32  christian.heimes  set     messages: + msg302527
                                               versions: - Python 3.7
2017-09-19 13:39:42  doko              set     messages: + msg302526
2017-09-19 13:35:27  doko              create