@@ -147,6 +147,27 @@ def data_file(*name):
147147OP_CIPHER_SERVER_PREFERENCE = getattr (ssl , "OP_CIPHER_SERVER_PREFERENCE" , 0 )
148148OP_ENABLE_MIDDLEBOX_COMPAT = getattr (ssl , "OP_ENABLE_MIDDLEBOX_COMPAT" , 0 )
149149
150+ # Ubuntu has patched OpenSSL and changed behavior of security level 2
151+ # see https://bugs.python.org/issue41561#msg389003
152+ def is_ubuntu ():
153+ try :
154+ # Assume that any references of "ubuntu" implies Ubuntu-like distro
155+ # The workaround is not required for 18.04, but doesn't hurt either.
156+ with open ("/etc/os-release" , encoding = "utf-8" ) as f :
157+ return "ubuntu" in f .read ()
158+ except FileNotFoundError :
159+ return False
160+
161+ if is_ubuntu ():
162+ def seclevel_workaround (* ctxs ):
163+ """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
164+ for ctx in ctxs :
165+ if ctx .minimum_version <= ssl .TLSVersion .TLSv1_1 :
166+ ctx .set_ciphers ("@SECLEVEL=1:ALL" )
167+ else :
168+ def seclevel_workaround (* ctxs ):
169+ pass
170+
150171
151172def has_tls_protocol (protocol ):
152173 """Check if a TLS protocol is available and enabled
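Review bot: The docstring on the `seclevel_workaround` definition opens with four quote characters, so the docstring value itself begins with a stray `"`; the line should read `"""Lower security level to '1' and allow all ciphers for TLS 1.0/1.1"""` (assuming 1.1 is what `1.0/1` abbreviates). The helper also deserves a comment stating that `set_ciphers("@SECLEVEL=1:ALL")` replaces any cipher list a test configured earlier, and that a context left at `TLSVersion.MINIMUM_SUPPORTED` satisfies the `<= TLSv1_1` check and is weakened as well, so a test that depends on a specific cipher list should set it after calling the workaround rather than before. In `is_ubuntu`, `except FileNotFoundError` leaves an unreadable `/etc/os-release` unhandled; `except OSError:` would keep the probe best-effort, which is what the `return False` fallback suggests was intended. Both new definitions are complete within this hunk.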
@@ -2777,6 +2798,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
27772798 if client_context .protocol == ssl .PROTOCOL_TLS :
27782799 client_context .set_ciphers ("ALL" )
27792800
2801+ seclevel_workaround (server_context , client_context )
2802+
27802803 for ctx in (client_context , server_context ):
27812804 ctx .verify_mode = certsreqs
27822805 ctx .load_cert_chain (SIGNED_CERTFILE )
@@ -2818,6 +2841,7 @@ def test_echo(self):
28182841 with self .subTest (protocol = ssl ._PROTOCOL_NAMES [protocol ]):
28192842 context = ssl .SSLContext (protocol )
28202843 context .load_cert_chain (CERTFILE )
2844+ seclevel_workaround (context )
28212845 server_params_test (context , context ,
28222846 chatty = True , connectionchatty = True )
28232847
@@ -3822,6 +3846,7 @@ def test_min_max_version_tlsv1_1(self):
38223846 client_context .maximum_version = ssl .TLSVersion .TLSv1_2
38233847 server_context .minimum_version = ssl .TLSVersion .TLSv1
38243848 server_context .maximum_version = ssl .TLSVersion .TLSv1_1
3849+ seclevel_workaround (client_context , server_context )
38253850
38263851 with ThreadedEchoServer (context = server_context ) as server :
38273852 with client_context .wrap_socket (socket .socket (),
@@ -3839,6 +3864,8 @@ def test_min_max_version_mismatch(self):
38393864 server_context .minimum_version = ssl .TLSVersion .TLSv1_2
38403865 client_context .maximum_version = ssl .TLSVersion .TLSv1
38413866 client_context .minimum_version = ssl .TLSVersion .TLSv1
3867+ seclevel_workaround (client_context , server_context )
3868+
38423869 with ThreadedEchoServer (context = server_context ) as server :
38433870 with client_context .wrap_socket (socket .socket (),
38443871 server_hostname = hostname ) as s :
@@ -3853,6 +3880,8 @@ def test_min_max_version_sslv3(self):
38533880 server_context .minimum_version = ssl .TLSVersion .SSLv3
38543881 client_context .minimum_version = ssl .TLSVersion .SSLv3
38553882 client_context .maximum_version = ssl .TLSVersion .SSLv3
3883+ seclevel_workaround (client_context , server_context )
3884+
38563885 with ThreadedEchoServer (context = server_context ) as server :
38573886 with client_context .wrap_socket (socket .socket (),
38583887 server_hostname = hostname ) as s :