classification
Title: OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with TLSV1_ALERT_INTERNAL_ERROR
Type: behavior Stage: patch review
Components: SSL Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, miss-islington
Priority: normal Keywords: patch

Created on 2021-04-09 13:08 by christian.heimes, last changed 2021-04-09 14:02 by miss-islington.

Pull Requests
URL Status Linked Edit
PR 25307 merged miss-islington, 2021-04-09 13:44
PR 25308 merged miss-islington, 2021-04-09 13:44
Messages (3)
msg390618 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-09 13:08
With OpenSSL 3.0.0-alpha14 several tests for TLS 1.0 and 1.1 connections are failing handshake with "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error". OpenSSL is configured with default security level "1". Tests are only passing with @SECLEVEL=0.

I think the security default callback refuses NID_sha1 and NID_sha1_md5 SSL_SECOP_SIGALG_SUPPORTED because their security bits are lower than minimum of 80 bits.

ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=67, nid=114, other=0x7fffe8ab194a, ex=0x0) at ssl/ssl_cert.c:969
ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=64, nid=64, other=0x7fffe8ab188a, ex=0x0) at ssl/ssl_cert.c:969


#0  tls_choose_sigalg (s=0x7fffdc001840, fatalerrs=1) at ssl/t1_lib.c:3307
#1  0x00007fffe9cb00f4 in tls_post_process_client_hello (s=0x7fffdc001840, wst=WORK_MORE_B) at ssl/statem/statem_srvr.c:2223
#2  0x00007fffe9cad560 in ossl_statem_server_post_process_message (s=0x7fffdc001840, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1236
#3  0x00007fffe9c97e3d in read_state_machine (s=0x7fffdc001840) at ssl/statem/statem.c:670
#4  0x00007fffe9c97723 in state_machine (s=0x7fffdc001840, server=1) at ssl/statem/statem.c:442
#5  0x00007fffe9c971db in ossl_statem_accept (s=0x7fffdc001840) at ssl/statem/statem.c:270
#6  0x00007fffe9c5f5ac in SSL_do_handshake (s=0x7fffdc001840) at ssl/ssl_lib.c:3852

            if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                if (!fatalerrs)
                    return 1;
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                return 0;
            }
msg390623 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-09 13:47
https://github.com/python/cpython/pull/25304 is merged PR to master.
msg390629 - (view) Author: miss-islington (miss-islington) Date: 2021-04-09 14:02
New changeset 4e710d1c88cbebdb17578de00997457b3b26874d by Miss Islington (bot) in branch '3.8':
[3.8] bpo-43791: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304) (GH-25308)
https://github.com/python/cpython/commit/4e710d1c88cbebdb17578de00997457b3b26874d
History
Date User Action Args
2021-04-09 14:02:12miss-islingtonsetmessages: + msg390629
2021-04-09 13:47:20christian.heimessetmessages: + msg390623
2021-04-09 13:44:32miss-islingtonsetpull_requests: + pull_request24043
2021-04-09 13:44:25miss-islingtonsetkeywords: + patch
nosy: + miss-islington

pull_requests: + pull_request24042
stage: patch review
2021-04-09 13:28:23christian.heimeslinkissue38820 dependencies
2021-04-09 13:08:57christian.heimescreate