This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: test_ssl.test_options does not correctly account for built-in ctx defaults with openssl 1.1.1
Type: Stage: resolved
Components: SSL, Tests Versions: Python 2.7
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, cstratak, vstinner, xnox, zach.ware
Priority: normal Keywords: patch

Created on 2018-09-28 16:14 by xnox, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 9624 closed xnox, 2018-09-28 16:18
Messages (3)
msg326642 - (view) Author: Dimitri John Ledkov (xnox) * Date: 2018-09-28 16:14
self.assertEqual(default, ctx.options) in test_options fails with openssl 1.1.1 as it does not correctly account for OP_ENABLE_MIDDLEBOX_COMPAT. It is not defined by the python2.7 ssl module either.

either ssl.OP_ENABLE_MIDDLEBOX_COMPAT needs to be backported, or the test case should just add that constant in when openssl version is >= 1.1.1
msg333976 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-01-18 15:19
Python 2.7 doesn't support properly OpenSSL 1.1.1 yet, see:

* PR 10607
* PR 10608

I would prefer to have _ssl.OP_ENABLE_MIDDLEBOX_COMPAT rather than have an hardcoded constant in test_ssl. In master, test_ssl has been fixed and the constant has been added by:

commit 05d9fe32a1245b9a798e49e0c1eb91f110935b69
Author: Christian Heimes <>
Date:   Tue Feb 27 08:55:39 2018 +0100

    bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663)
    * bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
    Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
    TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
    default. Some test cases only apply to TLS 1.2. Other tests currently
    fail because the threaded or async test servers stop after failure.
    I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
    OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
    1.3. The feature is enabled by default for maximum compatibility with
    broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
    it to verify default options.
    Signed-off-by: Christian Heimes <>

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 7371024dce..5d5232eda3 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -831,6 +831,15 @@ Constants
    .. versionadded:: 3.3
+   Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make
+   a TLS 1.3 connection look more like a TLS 1.2 connection.
+   This option is only available with OpenSSL 1.1.1 and later.
+   .. versionadded:: 3.8
    Disable compression on the SSL channel.  This is useful if the application
msg360263 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2020-01-19 18:14
As this issue appears to only affect 2.7 which recently reached end-of-life status, I'm going to go ahead and close it.
Date User Action Args
2022-04-11 14:59:06adminsetgithub: 79015
2020-01-19 18:14:28zach.waresetstatus: open -> closed

assignee: christian.heimes
components: + Tests, SSL

nosy: + zach.ware
messages: + msg360263
resolution: out of date
stage: patch review -> resolved
2019-01-18 15:19:32vstinnersetnosy: + vstinner
messages: + msg333976
2018-10-01 19:42:17cstrataksetnosy: + cstratak
2018-09-28 17:38:45xtreaksetnosy: + christian.heimes
2018-09-28 16:18:26xnoxsetkeywords: + patch
stage: patch review
pull_requests: + pull_request9022
2018-09-28 16:14:56xnoxcreate