@@ -151,6 +151,27 @@ def data_file(*name):
151151OP_CIPHER_SERVER_PREFERENCE = getattr (ssl , "OP_CIPHER_SERVER_PREFERENCE" , 0 )
152152OP_ENABLE_MIDDLEBOX_COMPAT = getattr (ssl , "OP_ENABLE_MIDDLEBOX_COMPAT" , 0 )
153153
154+ # Ubuntu has patched OpenSSL and changed behavior of security level 2
155+ # see https://bugs.python.org/issue41561#msg389003
156+ def is_ubuntu ():
157+ try :
158+ # Assume that any references of "ubuntu" implies Ubuntu-like distro
159+ # The workaround is not required for 18.04, but doesn't hurt either.
160+ with open ("/etc/os-release" , encoding = "utf-8" ) as f :
161+ return "ubuntu" in f .read ()
162+ except FileNotFoundError :
163+ return False
164+
165+ if is_ubuntu ():
166+ def seclevel_workaround (* ctxs ):
167+ """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
168+ for ctx in ctxs :
169+ if ctx .minimum_version <= ssl .TLSVersion .TLSv1_1 :
170+ ctx .set_ciphers ("@SECLEVEL=1:ALL" )
171+ else :
172+ def seclevel_workaround (* ctxs ):
173+ pass
174+
154175
155176def has_tls_protocol (protocol ):
156177 """Check if a TLS protocol is available and enabled
@@ -2802,6 +2823,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
28022823 if client_context .protocol == ssl .PROTOCOL_TLS :
28032824 client_context .set_ciphers ("ALL" )
28042825
2826+ seclevel_workaround (server_context , client_context )
2827+
28052828 for ctx in (client_context , server_context ):
28062829 ctx .verify_mode = certsreqs
28072830 ctx .load_cert_chain (SIGNED_CERTFILE )
@@ -2843,6 +2866,7 @@ def test_echo(self):
28432866 with self .subTest (protocol = ssl ._PROTOCOL_NAMES [protocol ]):
28442867 context = ssl .SSLContext (protocol )
28452868 context .load_cert_chain (CERTFILE )
2869+ seclevel_workaround (context )
28462870 server_params_test (context , context ,
28472871 chatty = True , connectionchatty = True )
28482872
@@ -3847,6 +3871,7 @@ def test_min_max_version_tlsv1_1(self):
38473871 client_context .maximum_version = ssl .TLSVersion .TLSv1_2
38483872 server_context .minimum_version = ssl .TLSVersion .TLSv1
38493873 server_context .maximum_version = ssl .TLSVersion .TLSv1_1
3874+ seclevel_workaround (client_context , server_context )
38503875
38513876 with ThreadedEchoServer (context = server_context ) as server :
38523877 with client_context .wrap_socket (socket .socket (),
@@ -3864,6 +3889,8 @@ def test_min_max_version_mismatch(self):
38643889 server_context .minimum_version = ssl .TLSVersion .TLSv1_2
38653890 client_context .maximum_version = ssl .TLSVersion .TLSv1
38663891 client_context .minimum_version = ssl .TLSVersion .TLSv1
3892+ seclevel_workaround (client_context , server_context )
3893+
38673894 with ThreadedEchoServer (context = server_context ) as server :
38683895 with client_context .wrap_socket (socket .socket (),
38693896 server_hostname = hostname ) as s :
@@ -3878,6 +3905,8 @@ def test_min_max_version_sslv3(self):
38783905 server_context .minimum_version = ssl .TLSVersion .SSLv3
38793906 client_context .minimum_version = ssl .TLSVersion .SSLv3
38803907 client_context .maximum_version = ssl .TLSVersion .SSLv3
3908+ seclevel_workaround (client_context , server_context )
3909+
38813910 with ThreadedEchoServer (context = server_context ) as server :
38823911 with client_context .wrap_socket (socket .socket (),
38833912 server_hostname = hostname ) as s :
0 commit comments