[issue31518] ftplib, urllib2, poplib, httplib, urllib2_localnet use ssl.PROTOCOL_TLSv1 unconditionally

Christian Heimes report at bugs.python.org
Tue Sep 19 11:00:43 EDT 2017


Christian Heimes added the comment:

Two tests are failing in 3.7 branch:

======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2660, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2734, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2343, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/heimes/dev/python/cpython/Lib/test/test_ssl.py", line 2268, in server_params_test
    s.connect((HOST, server.port))
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1108, in connect
    self._real_connect(addr, False)
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1099, in _real_connect
    self.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 1076, in do_handshake
    self._sslobj.do_handshake()
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 697, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:864)

----------------------------------------------------------------------

Matthias,
is there any way to detect Debian's modifications of OpenSSL from header files or with an API call? Otherwise we have no way to reliably detect and correctly skip the test. At the moment there is no way to retrieve the minimum protocol from OpenSSL SSL_CTX. I landed an OpenSSL patch just a couple of days ago to add SSL_CTX_get_min_proto_version(), https://github.com/openssl/openssl/pull/4364

----------
versions: +Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue31518>
_______________________________________
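
An added example, not part of the original message or of CPython's test suite: on Python 3.7+ builds where `ssl.SSLContext.minimum_version` is readable, a test helper can check a context's effective protocol floor before attempting a combination like the two failing above. The names `enabled_versions`, `skip_reason` and `pinned_server_context` are hypothetical, and the pinned context is a constructed stand-in for a floor raised by the system's OpenSSL.

```python
import ssl

V = ssl.TLSVersion
# Concrete versions, oldest first: (version, OP_NO_* mask, compiled-in flag).
# The HAS_* flags only say what the library was built with, not what a
# context is allowed to negotiate, so they cannot detect a raised floor.
_VERSIONS = [
    (V.SSLv3, ssl.OP_NO_SSLv3, ssl.HAS_SSLv3),
    (V.TLSv1, ssl.OP_NO_TLSv1, ssl.HAS_TLSv1),
    (V.TLSv1_1, ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
    (V.TLSv1_2, ssl.OP_NO_TLSv1_2, ssl.HAS_TLSv1_2),
    (V.TLSv1_3, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3),
]


def enabled_versions(ctx):
    """Versions ctx may negotiate: compiled in, inside [min, max], not masked."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # The sentinels are negative ints, so map them to the ends of the range.
    lo = V.SSLv3 if lo == V.MINIMUM_SUPPORTED else lo
    hi = V.TLSv1_3 if hi == V.MAXIMUM_SUPPORTED else hi
    return [v for v, mask, built in _VERSIONS
            if built and lo <= v <= hi and not ctx.options & mask]


def skip_reason(ctx, wanted):
    """Return None if ctx can speak `wanted`, else a message for skipTest()."""
    if wanted in enabled_versions(ctx):
        return None
    return "%s not enabled: context floor is %s" % (
        wanted.name, ctx.minimum_version.name)


def pinned_server_context(floor):
    """Constructed stand-in for a server context under a raised protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    return ctx


if __name__ == "__main__":
    # Report what an untouched server context allows on this machine.
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default floor:", default.minimum_version.name)
    print("enabled:", [v.name for v in enabled_versions(default)])
    srv = pinned_server_context(V.TLSv1_2)
    for wanted in (V.TLSv1, V.TLSv1_1, V.TLSv1_2):
        print(wanted.name, "->", skip_reason(srv, wanted) or "run the test")
```
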

