Christian Heimes <li...@cheimes.de> added the comment:

Dimitri, thanks for your feedback.

I'm very well aware of the crypto policy settings and security level settings.
The problem is not the fact that Ubuntu sets a higher security level and
disables insecure TLS versions. The problem is the way Ubuntu has
implemented the policy to enforce the crypto settings.

Other Linux distributions like Debian and Fedora also raise the security level 
and disable TLS 1.0 and 1.1. Python's test suite introspects OpenSSL settings 
and skips tests accordingly. test_ssl is passing fine on Debian testing 
(updated 15 minutes ago) and Fedora 33 with similar crypto policies. Since the 
tests are working fine on Debian, Fedora, RHEL/CentOS, vanilla OpenSSL, our 
OpenSSL builds on macOS and Windows, and other Linux distros, the issue is 
likely caused by a downstream discrepancy in Ubuntu.

# Python main branch on Fedora 33
$ ./python 
Python 3.10.0a5+ (heads/master:cd80f430daa, Feb 24 2021, 19:44:57) 
[GCC 10.2.1 20201125 (Red Hat 10.2.1-9)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.TLSv1_2: 771>
>>> ctx.security_level
2

# Python main branch on Debian testing
$ ./python 
Python 3.10.0a6+ (heads/master:94894dd45e, Mar  3 2021, 09:11:22) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.TLSv1_2: 771>
>>> ctx.security_level
2

$ ./python -m test test_ssl
0:00:00 load avg: 0.89 Run tests sequentially
0:00:00 load avg: 0.89 [1/1] test_ssl

== Tests result: SUCCESS ==

1 test OK.

Total duration: 2.6 sec
Tests result: SUCCESS

# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-====================================================
ii  openssl        1.1.1j-1     amd64        Secure Sockets Layer toolkit - cryptographic utility

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43382>
_______________________________________
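The comment above says Python's test suite introspects the OpenSSL settings and skips TLS 1.0/1.1 tests accordingly. The block below is an added example of that approach, not CPython's test_ssl code and not anything from the Ubuntu or Fedora packages: it reads the version bounds and (on Python 3.10+) the security level of a default context, checks each layer that can disable a protocol version, and turns the result into a unittest skip. The helper names `tls_policy`, `version_usable` and `requires_tls_version` are this example's own.

```python
"""Introspect the TLS policy of the OpenSSL build Python is linked against
and skip protocol-version tests the distribution has disabled.

Added example: this is not CPython's test_ssl code. The helper names
(tls_policy, version_usable, requires_tls_version) are this example's own.
"""
import ssl
import unittest

# Build-time support flags exposed by the ssl module, keyed by TLSVersion.
_BUILD_SUPPORT = {
    ssl.TLSVersion.SSLv3: ssl.HAS_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3,
}


def tls_policy():
    """Report what a default client context actually enforces.

    security_level is only exposed by Python 3.10+; None means the
    attribute is unavailable on this interpreter, not that it is 0.
    """
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "minimum_version": ctx.minimum_version,
        "maximum_version": ctx.maximum_version,
        "security_level": getattr(ctx, "security_level", None),
        "build_support": {v.name: ok for v, ok in _BUILD_SUPPORT.items()},
    }


def version_usable(version):
    """True only if `version` survives every layer that can disable it:
    the OpenSSL build, the default context's version bounds (which reflect
    a system-wide MinProtocol/MaxProtocol policy), the OP_NO_* options,
    and an explicit attempt to pin a fresh context to that version."""
    if not _BUILD_SUPPORT.get(version, False):
        return False
    ctx = ssl.create_default_context()
    if version == ssl.TLSVersion.SSLv3 and ctx.options & ssl.OP_NO_SSLv3:
        return False
    lower, upper = ctx.minimum_version, ctx.maximum_version
    if lower != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lower:
        return False
    if upper != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > upper:
        return False
    # Pinning min == max makes OpenSSL reject a version it cannot negotiate
    # at all; Python surfaces that as ValueError.
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.minimum_version = version
        probe.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False
    return True


def requires_tls_version(version):
    """Decorator: skip the test instead of failing when the OpenSSL build
    or the system crypto policy has disabled `version`."""
    return unittest.skipUnless(
        version_usable(version),
        "%s disabled by OpenSSL build or system crypto policy" % version.name,
    )


class TLSPolicyTests(unittest.TestCase):
    def test_default_context_reports_bounds(self):
        policy = tls_policy()
        self.assertIsInstance(policy["minimum_version"], ssl.TLSVersion)
        self.assertIsInstance(policy["maximum_version"], ssl.TLSVersion)

    @requires_tls_version(ssl.TLSVersion.TLSv1_1)
    def test_tls11_can_be_pinned(self):
        # Only runs where TLS 1.1 is still enabled; skipped on distros
        # whose policy raises the minimum to TLS 1.2.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        self.assertEqual(ctx.minimum_version, ssl.TLSVersion.TLSv1_1)

    @requires_tls_version(ssl.TLSVersion.TLSv1_3)
    def test_tls13_can_be_pinned(self):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        self.assertEqual(ctx.minimum_version, ssl.TLSVersion.TLSv1_3)


if __name__ == "__main__":
    print(tls_policy())
    unittest.main()
```

Run it on each distribution to compare: the printed policy shows the effective minimum version and security level, and the TLS 1.1 test reports as skipped rather than failed wherever the policy disables that version. A test that fails instead of skipping on one distro while the default context reports the same bounds as elsewhere points at the policy being enforced somewhere the ssl module cannot see, which is the kind of downstream discrepancy the comment above describes.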