
Author christian.heimes
Recipients brandtbucher, christian.heimes, gregory.p.smith, lukasz.langa, nascheme, ned.deily, xnox
Date 2021-03-03.09:23:40
Message-id <1614763421.21.0.612976619052.issue43382@roundup.psfhosted.org>
Content
Dimitri, thanks for your feedback.

I'm very well aware of the crypto policy settings and security level settings. The problem is not the fact that Ubuntu sets a higher security level and disables insecure TLS versions. The problem is the way Ubuntu has implemented the policy to enforce the crypto settings.

Other Linux distributions like Debian and Fedora also raise the security level and disable TLS 1.0 and 1.1. Python's test suite introspects OpenSSL settings and skips tests accordingly. test_ssl is passing fine on Debian testing (updated 15 minutes ago) and Fedora 33 with similar crypto policies. Since the tests are working fine on Debian, Fedora, RHEL/CentOS, vanilla OpenSSL, our OpenSSL builds on macOS and Windows, and other Linux distros, the issue is likely caused by a downstream discrepancy in Ubuntu.

# Python main branch on Fedora 33
$ ./python 
Python 3.10.0a5+ (heads/master:cd80f430daa, Feb 24 2021, 19:44:57) 
[GCC 10.2.1 20201125 (Red Hat 10.2.1-9)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.TLSv1_2: 771>
>>> ctx.security_level
2

# Python main branch on Debian testing
$ ./python 
Python 3.10.0a6+ (heads/master:94894dd45e, Mar  3 2021, 09:11:22) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.TLSv1_2: 771>
>>> ctx.security_level
2

$ ./python -m test test_ssl
0:00:00 load avg: 0.89 Run tests sequentially
0:00:00 load avg: 0.89 [1/1] test_ssl

== Tests result: SUCCESS ==

1 test OK.

Total duration: 2.6 sec
Tests result: SUCCESS

# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-====================================================
ii  openssl        1.1.1j-1     amd64        Secure Sockets Layer toolkit - cryptographic utility
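The introspection the message relies on (reading the default context's minimum_version and security_level and probing which protocol versions OpenSSL still lets a context pin) as an added example; this is not code from the message or from CPython's test_ssl, and has_tls_version, tls_policy_report and meets_baseline are names chosen here.

```python
"""Snapshot the local TLS policy so tests can be skipped, not failed, when a
distro disables a protocol version.  Added example, not CPython's own code."""
import ssl

# Versions probed, oldest first (SSLv3 omitted: no current build enables it).
PROBED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def has_tls_version(version):
    """True if OpenSSL lets a client context pin itself to `version`.
    A build compiled without the protocol raises ValueError on assignment;
    a runtime policy (crypto-policies, openssl.cnf) may still reject the
    handshake later, which is the discrepancy the message is about."""
    if not getattr(ssl, "HAS_" + version.name, True):
        return False
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False
    return True


def tls_policy_report():
    """What create_default_context() gives on this host."""
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "minimum_version": ctx.minimum_version,
        "maximum_version": ctx.maximum_version,
        # security_level is a 3.10+ attribute; None on older Pythons.
        "security_level": getattr(ctx, "security_level", None),
        "usable": {v: has_tls_version(v) for v in PROBED},
    }


def meets_baseline(report, min_version=ssl.TLSVersion.TLSv1_2, min_level=2):
    """Check a report against the policy in the message: TLS >= 1.2 and
    OpenSSL security level >= 2 (level check skipped if unavailable)."""
    if report["minimum_version"] < min_version:
        return False
    level = report["security_level"]
    return level is None or level >= min_level


if __name__ == "__main__":
    rep = tls_policy_report()
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("meets baseline:", meets_baseline(rep))
```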