Title: test_ssl.test_options does not correctly account for built-in ctx defaults with openssl 1.1.1
Type: Stage: patch review
Components: Versions: Python 2.7
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, cstratak, vstinner, xnox
Priority: normal Keywords: patch

Created on 2018-09-28 16:14 by xnox, last changed 2019-01-18 15:19 by vstinner.

Pull Requests
URL Status Linked Edit
PR 9624 open xnox, 2018-09-28 16:18
Messages (2)
msg326642 - (view) Author: Dimitri John Ledkov (xnox) * Date: 2018-09-28 16:14
self.assertEqual(default, ctx.options) in test_options fails with openssl 1.1.1 as it does not correctly account for OP_ENABLE_MIDDLEBOX_COMPAT. It is not defined by the python2.7 ssl module either.

either ssl.OP_ENABLE_MIDDLEBOX_COMPAT needs to be backported, or the test case should just add that constant in when openssl version is >= 1.1.1
msg333976 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-01-18 15:19
Python 2.7 doesn't support properly OpenSSL 1.1.1 yet, see:

* PR 10607
* PR 10608

I would prefer to have _ssl.OP_ENABLE_MIDDLEBOX_COMPAT rather than have an hardcoded constant in test_ssl. In master, test_ssl has been fixed and the constant has been added by:

commit 05d9fe32a1245b9a798e49e0c1eb91f110935b69
Author: Christian Heimes <>
Date:   Tue Feb 27 08:55:39 2018 +0100

    bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663)
    * bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
    Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
    TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
    default. Some test cases only apply to TLS 1.2. Other tests currently
    fail because the threaded or async test servers stop after failure.
    I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
    OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
    1.3. The feature is enabled by default for maximum compatibility with
    broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
    it to verify default options.
    Signed-off-by: Christian Heimes <>

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 7371024dce..5d5232eda3 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -831,6 +831,15 @@ Constants
    .. versionadded:: 3.3
+   Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make
+   a TLS 1.3 connection look more like a TLS 1.2 connection.
+   This option is only available with OpenSSL 1.1.1 and later.
+   .. versionadded:: 3.8
    Disable compression on the SSL channel.  This is useful if the application
Date User Action Args
2019-01-18 15:19:32vstinnersetnosy: + vstinner
messages: + msg333976
2018-10-01 19:42:17cstrataksetnosy: + cstratak
2018-09-28 17:38:45xtreaksetnosy: + christian.heimes
2018-09-28 16:18:26xnoxsetkeywords: + patch
stage: patch review
pull_requests: + pull_request9022
2018-09-28 16:14:56xnoxcreate