@@ -143,6 +143,27 @@ def data_file(*name):
143143OP_CIPHER_SERVER_PREFERENCE = getattr (ssl , "OP_CIPHER_SERVER_PREFERENCE" , 0 )
144144OP_ENABLE_MIDDLEBOX_COMPAT = getattr (ssl , "OP_ENABLE_MIDDLEBOX_COMPAT" , 0 )
145145
146+ # Ubuntu has patched OpenSSL and changed behavior of security level 2
147+ # see https://bugs.python.org/issue41561#msg389003
148+ def is_ubuntu ():
149+ try :
150+ # Assume that any references of "ubuntu" implies Ubuntu-like distro
151+ # The workaround is not required for 18.04, but doesn't hurt either.
152+ with open ("/etc/os-release" , encoding = "utf-8" ) as f :
153+ return "ubuntu" in f .read ()
154+ except FileNotFoundError :
155+ return False
156+
157+ if is_ubuntu ():
158+ def seclevel_workaround (* ctxs ):
159+ """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
160+ for ctx in ctxs :
161+ if ctx .minimum_version <= ssl .TLSVersion .TLSv1_1 :
162+ ctx .set_ciphers ("@SECLEVEL=1:ALL" )
163+ else :
164+ def seclevel_workaround (* ctxs ):
165+ pass
166+
146167
147168def has_tls_protocol (protocol ):
148169 """Check if a TLS protocol is available and enabled
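Review bot: The docstring of the Ubuntu branch of seclevel_workaround opens with four quotes, so the stray fourth `"` becomes the first character of the docstring, and "TLS 1.0/1" is truncated; it should read `"""Lower security level to '1' and allow all ciphers for TLS 1.0/1.1"""`. In is_ubuntu, only FileNotFoundError is caught, so an /etc/os-release that exists but cannot be read (PermissionError or another I/O failure) would abort the test module at import time rather than fall back to no workaround; `except OSError:` covers that while keeping the same default. Note also that the condition `ctx.minimum_version <= ssl.TLSVersion.TLSv1_1` is true for a context whose minimum_version is still the default MINIMUM_SUPPORTED, so the workaround appears to weaken every context passed to it unless the caller has already raised the minimum, which seems intended for these tests but is worth stating in the docstring since set_ciphers replaces any cipher list the test configured earlier. Keying the workaround on the distro name rather than on the context's effective security level is presumably fragile, since other distributions that raise the default level would get no workaround; that is outside the scope of this commit but deserves a comment. The definition of has_tls_protocol continues past the end of the hunk.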
@@ -2772,6 +2793,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
27722793 if client_context .protocol == ssl .PROTOCOL_TLS :
27732794 client_context .set_ciphers ("ALL" )
27742795
2796+ seclevel_workaround (server_context , client_context )
2797+
27752798 for ctx in (client_context , server_context ):
27762799 ctx .verify_mode = certsreqs
27772800 ctx .load_cert_chain (SIGNED_CERTFILE )
@@ -2813,6 +2836,7 @@ def test_echo(self):
28132836 with self .subTest (protocol = ssl ._PROTOCOL_NAMES [protocol ]):
28142837 context = ssl .SSLContext (protocol )
28152838 context .load_cert_chain (CERTFILE )
2839+ seclevel_workaround (context )
28162840 server_params_test (context , context ,
28172841 chatty = True , connectionchatty = True )
28182842
@@ -3817,6 +3841,7 @@ def test_min_max_version_tlsv1_1(self):
38173841 client_context .maximum_version = ssl .TLSVersion .TLSv1_2
38183842 server_context .minimum_version = ssl .TLSVersion .TLSv1
38193843 server_context .maximum_version = ssl .TLSVersion .TLSv1_1
3844+ seclevel_workaround (client_context , server_context )
38203845
38213846 with ThreadedEchoServer (context = server_context ) as server :
38223847 with client_context .wrap_socket (socket .socket (),
@@ -3834,6 +3859,8 @@ def test_min_max_version_mismatch(self):
38343859 server_context .minimum_version = ssl .TLSVersion .TLSv1_2
38353860 client_context .maximum_version = ssl .TLSVersion .TLSv1
38363861 client_context .minimum_version = ssl .TLSVersion .TLSv1
3862+ seclevel_workaround (client_context , server_context )
3863+
38373864 with ThreadedEchoServer (context = server_context ) as server :
38383865 with client_context .wrap_socket (socket .socket (),
38393866 server_hostname = hostname ) as s :
@@ -3848,6 +3875,8 @@ def test_min_max_version_sslv3(self):
38483875 server_context .minimum_version = ssl .TLSVersion .SSLv3
38493876 client_context .minimum_version = ssl .TLSVersion .SSLv3
38503877 client_context .maximum_version = ssl .TLSVersion .SSLv3
3878+ seclevel_workaround (client_context , server_context )
3879+
38513880 with ThreadedEchoServer (context = server_context ) as server :
38523881 with client_context .wrap_socket (socket .socket (),
38533882 server_hostname = hostname ) as s :