mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

bpo-41561: Add workaround for Ubuntu's custom security level (GH-24915)

Browse source 
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.

See: 
See: 1899878
See: 1917625
Signed-off-by: Christian Heimes <christian@python.org>
This commit is contained in:
Christian Heimes 2021-03-18 23:06:50 +01:00 committed by GitHub
parent 08ff4369af
commit f6c6b5821b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/build.yml vendored
View file

@ -127,7 +127,7 @@ jobs:
build_ubuntu: build_ubuntu:
name: 'Ubuntu' name: 'Ubuntu'
runs-on: ubuntu-18.04 runs-on: ubuntu-20.04
needs: check_source needs: check_source
if: needs.check_source.outputs.run_tests == 'true' if: needs.check_source.outputs.run_tests == 'true'
env: env:

29
Lib/test/test_ssl.py
View file

@ -151,6 +151,27 @@ OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0) OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0) OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
# Ubuntu has patched OpenSSL and changed behavior of security level 2
# see https://bugs.python.org/issue41561#msg389003
def is_ubuntu():
try:
# Assume that any references of "ubuntu" implies Ubuntu-like distro
# The workaround is not required for 18.04, but doesn't hurt either.
with open("/etc/os-release", encoding="utf-8") as f:
return "ubuntu" in f.read()
except FileNotFoundError:
return False
if is_ubuntu():
def seclevel_workaround(*ctxs):
""""Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
for ctx in ctxs:
if ctx.minimum_version <= ssl.TLSVersion.TLSv1_1:
ctx.set_ciphers("@SECLEVEL=1:ALL")
else:
def seclevel_workaround(*ctxs):
pass
def has_tls_protocol(protocol): def has_tls_protocol(protocol):
"""Check if a TLS protocol is available and enabled """Check if a TLS protocol is available and enabled
@ -2802,6 +2823,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
if client_context.protocol == ssl.PROTOCOL_TLS: if client_context.protocol == ssl.PROTOCOL_TLS:
client_context.set_ciphers("ALL") client_context.set_ciphers("ALL")
seclevel_workaround(server_context, client_context)
for ctx in (client_context, server_context): for ctx in (client_context, server_context):
ctx.verify_mode = certsreqs ctx.verify_mode = certsreqs
ctx.load_cert_chain(SIGNED_CERTFILE) ctx.load_cert_chain(SIGNED_CERTFILE)
@ -2843,6 +2866,7 @@ class ThreadedTests(unittest.TestCase):
with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]): with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
context = ssl.SSLContext(protocol) context = ssl.SSLContext(protocol)
context.load_cert_chain(CERTFILE) context.load_cert_chain(CERTFILE)
seclevel_workaround(context)
server_params_test(context, context, server_params_test(context, context,
chatty=True, connectionchatty=True) chatty=True, connectionchatty=True)
@ -3847,6 +3871,7 @@ class ThreadedTests(unittest.TestCase):
client_context.maximum_version = ssl.TLSVersion.TLSv1_2 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
server_context.minimum_version = ssl.TLSVersion.TLSv1 server_context.minimum_version = ssl.TLSVersion.TLSv1
server_context.maximum_version = ssl.TLSVersion.TLSv1_1 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
seclevel_workaround(client_context, server_context)
with ThreadedEchoServer(context=server_context) as server: with ThreadedEchoServer(context=server_context) as server:
with client_context.wrap_socket(socket.socket(), with client_context.wrap_socket(socket.socket(),
@ -3864,6 +3889,8 @@ class ThreadedTests(unittest.TestCase):
server_context.minimum_version = ssl.TLSVersion.TLSv1_2 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
client_context.maximum_version = ssl.TLSVersion.TLSv1 client_context.maximum_version = ssl.TLSVersion.TLSv1
client_context.minimum_version = ssl.TLSVersion.TLSv1 client_context.minimum_version = ssl.TLSVersion.TLSv1
seclevel_workaround(client_context, server_context)
with ThreadedEchoServer(context=server_context) as server: with ThreadedEchoServer(context=server_context) as server:
with client_context.wrap_socket(socket.socket(), with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as s: server_hostname=hostname) as s:
@ -3878,6 +3905,8 @@ class ThreadedTests(unittest.TestCase):
server_context.minimum_version = ssl.TLSVersion.SSLv3 server_context.minimum_version = ssl.TLSVersion.SSLv3
client_context.minimum_version = ssl.TLSVersion.SSLv3 client_context.minimum_version = ssl.TLSVersion.SSLv3
client_context.maximum_version = ssl.TLSVersion.SSLv3 client_context.maximum_version = ssl.TLSVersion.SSLv3
seclevel_workaround(client_context, server_context)
with ThreadedEchoServer(context=server_context) as server: with ThreadedEchoServer(context=server_context) as server:
with client_context.wrap_socket(socket.socket(), with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as s: server_hostname=hostname) as s:

1
Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst Normal file
View file

@ -0,0 +1 @@
Add workaround for Ubuntu's custom OpenSSL security level policy.