This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients Vladyslav.Bondar, bugsrep, christian.heimes, miss-islington, skip.montanaro, taleinat, xtreak
Date 2021-03-18.09:15:20
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
I have discussed the problem with downstream engineers on the two issues


The gist of the issue is: Canonical has taken a different approach than Debian and other distros to set minimum TLS version.

Most distros use an openssl.cnf file to set "MinProtocol = TLSv1.2". The config file approach allows application to override the setting with SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) and to detect the current minimum version with SSL_CTX_get_min_proto_version(ctx) == TLS1_VERSION.

Ubuntu doesn't set "MinProtocol = TLSv1.2". Instead the distro has patched OpenSSL source code and modified the meaning of security level "2". Security level is a new OpenSSL API to set various security related settings. On Ubuntu SECLEVEL=2 prevents TLS 1.0 and 1.1 connection. Further SSL_CTX_get_min_proto_version(ctx) returns 0 (dummy value for minimum supported version). SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) does not fail although TLS 1.0 is prohibited.
    Level 2: SSL version 3 is also not allowed
    Level 4: TLS versions below 1.2 are not permitted.
    Level 2: On Ubuntu, TLS versions below 1.2 are not permitted

The combination of "Ubuntu changed the meaning of security level policy" and "SSL_CTX_get_min_proto_version(ctx) does not report minimum version" breaks our tests.

OpenSSL doesn't provide an easy way to check if a SSL_CTX has a sane configuration. There is a way to check if a security policy allows a TLS version. I'm not sure if we should include the check in CPython and where to best put the check:

    void *sec_ex = SSL_CTX_get0_security_ex_data(ctx);
    sec_cb = SSL_CTX_get_security_callback(ctx);
    int result = sec_cb(NULL, ctx, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL, sec_ex);
    if (result && (SSL_CTX_get_min_proto_version(ctx) >=  TLS1_VERSION)) ...
Date User Action Args
2021-03-18 09:15:21christian.heimessetrecipients: + christian.heimes, skip.montanaro, taleinat, Vladyslav.Bondar, miss-islington, xtreak, bugsrep
2021-03-18 09:15:20christian.heimessetmessageid: <>
2021-03-18 09:15:20christian.heimeslinkissue41561 messages
2021-03-18 09:15:20christian.heimescreate