Message 389003
I have discussed the problem with downstream engineers on the two issues
- https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
- https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
The gist of the issue is: Canonical has taken a different approach than Debian and other distros to set minimum TLS version.
Most distros use an openssl.cnf file to set "MinProtocol = TLSv1.2". The config file approach allows applications to override the setting with SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) and to detect the current minimum version with SSL_CTX_get_min_proto_version(ctx) == TLS1_VERSION.
Ubuntu doesn't set "MinProtocol = TLSv1.2". Instead the distro has patched the OpenSSL source code and modified the meaning of security level "2". Security level is a new OpenSSL API to set various security-related settings. On Ubuntu SECLEVEL=2 prevents TLS 1.0 and 1.1 connections. Further, SSL_CTX_get_min_proto_version(ctx) returns 0 (dummy value for minimum supported version). SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) does not fail although TLS 1.0 is prohibited.
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
Level 2: SSL version 3 is also not allowed
Level 4: TLS versions below 1.2 are not permitted.
https://manpages.ubuntu.com/manpages/focal/man3/SSL_CTX_set_security_level.3ssl.html
Level 2: On Ubuntu, TLS versions below 1.2 are not permitted
The combination of "Ubuntu changed the meaning of security level policy" and "SSL_CTX_get_min_proto_version(ctx) does not report minimum version" breaks our tests.
OpenSSL doesn't provide an easy way to check if an SSL_CTX has a sane configuration. There is a way to check if a security policy allows a TLS version. I'm not sure if we should include the check in CPython and where to best put the check:
    /* security callback and its ex_data as installed on the context */
    void *sec_ex = SSL_CTX_get0_security_ex_data(ctx);
    int (*sec_cb)(const SSL *, const SSL_CTX *, int, int, int, void *, void *) =
        SSL_CTX_get_security_callback(ctx);
    /* ask the policy whether TLS 1.0 is permitted at the current security level */
    int result = sec_cb(NULL, ctx, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL, sec_ex);
    if (result && (SSL_CTX_get_min_proto_version(ctx) >= TLS1_VERSION)) ...
Date | User | Action | Args
2021-03-18 09:15:21 | christian.heimes | set | recipients: + christian.heimes, skip.montanaro, taleinat, Vladyslav.Bondar, miss-islington, xtreak, bugsrep
2021-03-18 09:15:20 | christian.heimes | set | messageid: <1616058920.99.0.671629067162.issue41561@roundup.psfhosted.org>
2021-03-18 09:15:20 | christian.heimes | link | issue41561 messages
2021-03-18 09:15:20 | christian.heimes | create |