@@ -151,6 +151,26 @@ def data_file(*name):
151151OP_CIPHER_SERVER_PREFERENCE = getattr (ssl , "OP_CIPHER_SERVER_PREFERENCE" , 0 )
152152OP_ENABLE_MIDDLEBOX_COMPAT = getattr (ssl , "OP_ENABLE_MIDDLEBOX_COMPAT" , 0 )
153153
154+ # Ubuntu has patched OpenSSL and changed behavior of security level 2
155+ # see https://bugs.python.org/issue41561#msg389003
156+ def is_ubuntu ():
157+ try :
158+ # assume that any references of "ubuntu" implies Ubuntu-like distro
159+ with open ("/etc/os-release" ) as f :
160+ return "ubuntu" in f .read ()
161+ except FileNotFoundError :
162+ return False
163+
164+ if is_ubuntu ():
165+ def seclevel_workaround (* ctxs ):
166+ """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
167+ for ctx in ctxs :
168+ if ctx .minimum_version <= ssl .TLSVersion .TLSv1_1 :
169+ ctx .set_ciphers ("@SECLEVEL=1:ALL" )
170+ else :
171+ def seclevel_workaround (* ctxs ):
172+ pass
173+
154174
155175def has_tls_protocol (protocol ):
156176 """Check if a TLS protocol is available and enabled
@@ -2802,6 +2822,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
28022822 if client_context .protocol == ssl .PROTOCOL_TLS :
28032823 client_context .set_ciphers ("ALL" )
28042824
2825+ seclevel_workaround (server_context , client_context )
2826+
28052827 for ctx in (client_context , server_context ):
28062828 ctx .verify_mode = certsreqs
28072829 ctx .load_cert_chain (SIGNED_CERTFILE )
@@ -2843,6 +2865,7 @@ def test_echo(self):
28432865 with self .subTest (protocol = ssl ._PROTOCOL_NAMES [protocol ]):
28442866 context = ssl .SSLContext (protocol )
28452867 context .load_cert_chain (CERTFILE )
2868+ seclevel_workaround (context )
28462869 server_params_test (context , context ,
28472870 chatty = True , connectionchatty = True )
28482871
@@ -3847,6 +3870,7 @@ def test_min_max_version_tlsv1_1(self):
38473870 client_context .maximum_version = ssl .TLSVersion .TLSv1_2
38483871 server_context .minimum_version = ssl .TLSVersion .TLSv1
38493872 server_context .maximum_version = ssl .TLSVersion .TLSv1_1
3873+ seclevel_workaround (client_context , server_context )
38503874
38513875 with ThreadedEchoServer (context = server_context ) as server :
38523876 with client_context .wrap_socket (socket .socket (),
@@ -3864,6 +3888,8 @@ def test_min_max_version_mismatch(self):
38643888 server_context .minimum_version = ssl .TLSVersion .TLSv1_2
38653889 client_context .maximum_version = ssl .TLSVersion .TLSv1
38663890 client_context .minimum_version = ssl .TLSVersion .TLSv1
3891+ seclevel_workaround (client_context , server_context )
3892+
38673893 with ThreadedEchoServer (context = server_context ) as server :
38683894 with client_context .wrap_socket (socket .socket (),
38693895 server_hostname = hostname ) as s :
@@ -3878,6 +3904,8 @@ def test_min_max_version_sslv3(self):
38783904 server_context .minimum_version = ssl .TLSVersion .SSLv3
38793905 client_context .minimum_version = ssl .TLSVersion .SSLv3
38803906 client_context .maximum_version = ssl .TLSVersion .SSLv3
3907+ seclevel_workaround (client_context , server_context )
3908+
38813909 with ThreadedEchoServer (context = server_context ) as server :
38823910 with client_context .wrap_socket (socket .socket (),
38833911 server_hostname = hostname ) as s :
0 commit comments