
Author xnox
Recipients brandtbucher, christian.heimes, gregory.p.smith, lukasz.langa, nascheme, ned.deily, xnox
Date 2021-03-03.08:59:14
Message-id <1614761955.11.0.441886705407.issue43382@roundup.psfhosted.org>
Content
Ubuntu 20.04+ compiles OpenSSL with the default security level set to 2, and further customizes security level 2 to prohibit TLS below v1.2 and DTLS below v1.2.

You can export a custom openssl configuration that sets the security level back to 1, which is compatible across any openssl series.

```
# point the shell that runs the tests at the override file
export OPENSSL_CONF=`pwd`/openssl.cnf
cat openssl.cnf
# openssl.cnf: applies "DEFAULT@SECLEVEL=1" to every SSL_CTX created in the process
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
```

Or you can use native APIs to reset the security level to 1 in the test suite, i.e. via the SSL_CTX_set_security_level API binding.

This is documented behaviour in the Ubuntu manpages of OpenSSL and on Ubuntu Discourse:

https://manpages.ubuntu.com/manpages/focal/en/man3/SSL_CTX_set_security_level.3ssl.html

https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/8

OpenSSL upstream for the 3.0.0 series is refusing to bump the minimum required protocol versions to prohibit old versions of TLS out of the box, and also doesn't have a standard way to disable this. Hence the implementation is different in Debian, Ubuntu and Fedora. Debian's implementation is buggy with respect to DTLS, and its default openssl.cnf breaks the 1.0.2x series libssl. And as far as I know the Fedora implementation requires use of the crypto-policies package, which is quite advanced and not trivial to integrate in smaller environments.
History
Date User Action Args
2021-03-03 08:59:15  xnox  set   recipients: + xnox, nascheme, gregory.p.smith, christian.heimes, ned.deily, lukasz.langa, brandtbucher
2021-03-03 08:59:15  xnox  set   messageid: <1614761955.11.0.441886705407.issue43382@roundup.psfhosted.org>
2021-03-03 08:59:15  xnox  link  issue43382 messages
2021-03-03 08:59:14  xnox  create
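To show what the "native API" route in the message above amounts to in CPython, here is an added example that is not part of the bug report or of the CPython test suite. CPython's ssl module exposes no SSL_CTX_set_security_level() binding, but the same level can be set per context through set_ciphers() using OpenSSL's documented "@SECLEVEL=n" cipher-string syntax, the very string the openssl.cnf override uses; unlike the OPENSSL_CONF route it affects only the one context. The helper names are my own. Whether TLS 1.0/1.1 become negotiable again at level 1 depends on how the distribution built libssl (Ubuntu attaches the protocol floor to level 2 itself, as the message notes), so the code reports the cipher-suite differences, which OpenSSL defines uniformly: raising the level only ever removes suites, and level 2 drops everything under 112 bits of strength.

```python
"""Set and inspect OpenSSL's security level from Python's ssl module.

Added example, not CPython or Ubuntu code. Python's ssl module has no binding
for SSL_CTX_set_security_level(), so the level is set through the cipher
string with OpenSSL's "@SECLEVEL=n" syntax (see ciphers(1)). Raising the
level only ever removes cipher suites, which the functions below make visible.
"""
from __future__ import annotations

import ssl


def make_context(level: int) -> ssl.SSLContext:
    """Client context pinned to the given OpenSSL security level (0-5)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Same string as the openssl.cnf override in the message, but applied to
    # this context only instead of process-wide.
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={level}")
    return ctx


def enabled_ciphers(level: int) -> set[str]:
    """Names of the suites OpenSSL will actually offer at `level`.

    get_ciphers() reports what survives the security-level filter, so the
    result shrinks (or stays equal) as the level goes up.
    """
    return {c["name"] for c in make_context(level).get_ciphers()}


def ciphers_removed(lower: int, higher: int) -> set[str]:
    """Suites usable at `lower` that the stricter `higher` level rejects."""
    return enabled_ciphers(lower) - enabled_ciphers(higher)


def weakest_strength_bits(level: int) -> int:
    """Smallest symmetric strength (in bits) still offered at `level`.

    OpenSSL's documented floors are 80 bits at level 1 and 112 at level 2.
    """
    return min(c["strength_bits"] for c in make_context(level).get_ciphers())


def level_report(lower: int = 1, higher: int = 2) -> dict:
    """Summary of what moving from `lower` to `higher` costs on this build."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "enabled_at_lower": len(enabled_ciphers(lower)),
        "enabled_at_higher": len(enabled_ciphers(higher)),
        "removed": sorted(ciphers_removed(lower, higher)),
        "weakest_bits_at_higher": weakest_strength_bits(higher),
    }


if __name__ == "__main__":
    # Run on the machine in question to see which suites level 2 drops
    # relative to level 1 with that particular libssl build.
    for key, value in level_report().items():
        print(f"{key}: {value}")
```

The report is specific to the libssl the interpreter links against, which is the point: the same cipher string yields different results on Ubuntu's patched build and on an upstream one, so a test suite that needs level 1 has to set it explicitly rather than assume the distribution default.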