Author Alan.Huang
Recipients Alan.Huang, alex, christian.heimes, dstufft, janssen
Date 2018-06-29.16:09:13
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1530288553.74.0.56676864532.issue34001@psf.upfronthosting.co.za>
In-reply-to
Content
LibreSSL has a function called `ssl_clamp_version_range` that is called before attempting to set the minimum and maximum protocol versions in `ssl_version_set_{min,max}`. The function disallows setting ranges that are invalid (i.e., where minimum_version > maximum_version). OpenSSL does not disallow this behavior.

As a result, attempting to set a minimum_version greater than a maximum_version results in a ValueError when Python is built with LibreSSL.

There are two things that might need fixing here:
1. Replace the ValueError "Unsupported protocol version 0x%x" message with a more generic one. The assumption that the only way the operation can fail is if the underlying library does not support the protocol version is incorrect.
   This can be done by either making the message more generic or by introducing another error message to handle this case.
2. Change test_min_max_version lines 3575-3576 to set the maximum_version before the minimum_version.

Here's some Python code to reproduce the above-mentioned error:
```
import ssl

ctx = ssl.SSLContext()
ctx.maximum_version = ssl.TLSVersion.TLSv1_1
ctx.minimum_version = ssl.TLSVersion.TLSv1_2

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/alan/src/cpython/Lib/ssl.py", line 491, in minimum_version
    super(SSLContext, SSLContext).minimum_version.__set__(self, value)
ValueError: Unsupported protocol version 0x303
```

Here's some example C code:
```
#include <openssl/ssl.h>
#include <openssl/ossl_typ.h>
#include <stdio.h>

int main(){
    SSL_CTX *ctx = NULL;
    ctx = SSL_CTX_new(TLS_method());

    printf("setting max to TLSv1.1: ");
    if(SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)){
        printf("success\n");
    }   
    else{
        printf("failure\n");
    }   
    printf("setting min to TLSv1.2: ");
    if(SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)){
        printf("success\n");
    }   
    else{
        printf("failure\n");
    }   

    printf("min ver: %d\n", SSL_CTX_get_min_proto_version(ctx));
    printf("max ver: %d\n", SSL_CTX_get_max_proto_version(ctx));
    return 0;
}
```

Under LibreSSL 2.7.4, this produces:
```
setting max to TLSv1.1: success
setting min to TLSv1.2: failure
min ver: 769
max ver: 770
```

Under OpenSSL 1.1.0g, this produces:
```
setting max to TLSv1.1: success
setting min to TLSv1.2: success
min ver: 771
max ver: 770
```

The test that failed:
======================================================================
ERROR: test_min_max_version (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/alan/src/cpython/Lib/test/test_ssl.py", line 3575, in test_min_max_version
    server_context.minimum_version = ssl.TLSVersion.TLSv1_2
  File "/home/alan/src/cpython/Lib/ssl.py", line 491, in minimum_version
    super(SSLContext, SSLContext).minimum_version.__set__(self, value)
ValueError: Unsupported protocol version 0x303
History
Date User Action Args
2018-06-29 16:09:13Alan.Huangsetrecipients: + Alan.Huang, janssen, christian.heimes, alex, dstufft
2018-06-29 16:09:13Alan.Huangsetmessageid: <1530288553.74.0.56676864532.issue34001@psf.upfronthosting.co.za>
2018-06-29 16:09:13Alan.Huanglinkissue34001 messages
2018-06-29 16:09:13Alan.Huangcreate