bpo-41561: Add workaround for Ubuntu's custom security level (GH-24915)

author Christian Heimes <christian@python.org>

Thu, 18 Mar 2021 22:06:50 +0000 (23:06 +0100)

committer GitHub <noreply@github.com>

Thu, 18 Mar 2021 22:06:50 +0000 (15:06 -0700)
author Christian Heimes <christian@python.org>
Thu, 18 Mar 2021 22:06:50 +0000 (23:06 +0100)
committer GitHub <noreply@github.com>
Thu, 18 Mar 2021 22:06:50 +0000 (15:06 -0700)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml

index ef54865ed964c7b4e106d9274370c64876162964..d6be2b68642660ef790804c12c73a1244c4ba0f4 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -127,7 +127,7 @@ jobs:
  
    build_ubuntu:
      name: 'Ubuntu'
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
      needs: check_source
      if: needs.check_source.outputs.run_tests == 'true'
      env:
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

index 1710dda4389a04dd9a191f93a7420661eae19c9e..ade7ef529e81221b8edd79c288f4fbbb47a1ff73 100644 (file)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -151,6 +151,27 @@ OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
  OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
  OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
  
+# Ubuntu has patched OpenSSL and changed behavior of security level 2
+# see https://bugs.python.org/issue41561#msg389003
+def is_ubuntu():
+    try:
+        # Assume that any references of "ubuntu" implies Ubuntu-like distro
+        # The workaround is not required for 18.04, but doesn't hurt either.
+        with open("/etc/os-release", encoding="utf-8") as f:
+            return "ubuntu" in f.read()
+    except FileNotFoundError:
+        return False
+
+if is_ubuntu():
+    def seclevel_workaround(*ctxs):
+        """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
+        for ctx in ctxs:
+            if ctx.minimum_version <= ssl.TLSVersion.TLSv1_1:
+                ctx.set_ciphers("@SECLEVEL=1:ALL")
+else:
+    def seclevel_workaround(*ctxs):
+        pass
+
  
  def has_tls_protocol(protocol):
      """Check if a TLS protocol is available and enabled
@@ -2802,6 +2823,8 @@ def try_protocol_combo(server_protocol, client_protocol, expect_success,
      if client_context.protocol == ssl.PROTOCOL_TLS:
          client_context.set_ciphers("ALL")
  
+    seclevel_workaround(server_context, client_context)
+
      for ctx in (client_context, server_context):
          ctx.verify_mode = certsreqs
          ctx.load_cert_chain(SIGNED_CERTFILE)
@@ -2843,6 +2866,7 @@ class ThreadedTests(unittest.TestCase):
              with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
                  context = ssl.SSLContext(protocol)
                  context.load_cert_chain(CERTFILE)
+                seclevel_workaround(context)
                  server_params_test(context, context,
                                     chatty=True, connectionchatty=True)
  
@@ -3847,6 +3871,7 @@ class ThreadedTests(unittest.TestCase):
          client_context.maximum_version = ssl.TLSVersion.TLSv1_2
          server_context.minimum_version = ssl.TLSVersion.TLSv1
          server_context.maximum_version = ssl.TLSVersion.TLSv1_1
+        seclevel_workaround(client_context, server_context)
  
          with ThreadedEchoServer(context=server_context) as server:
              with client_context.wrap_socket(socket.socket(),
@@ -3864,6 +3889,8 @@ class ThreadedTests(unittest.TestCase):
          server_context.minimum_version = ssl.TLSVersion.TLSv1_2
          client_context.maximum_version = ssl.TLSVersion.TLSv1
          client_context.minimum_version = ssl.TLSVersion.TLSv1
+        seclevel_workaround(client_context, server_context)
+
          with ThreadedEchoServer(context=server_context) as server:
              with client_context.wrap_socket(socket.socket(),
                                              server_hostname=hostname) as s:
@@ -3878,6 +3905,8 @@ class ThreadedTests(unittest.TestCase):
          server_context.minimum_version = ssl.TLSVersion.SSLv3
          client_context.minimum_version = ssl.TLSVersion.SSLv3
          client_context.maximum_version = ssl.TLSVersion.SSLv3
+        seclevel_workaround(client_context, server_context)
+
          with ThreadedEchoServer(context=server_context) as server:
              with client_context.wrap_socket(socket.socket(),
                                              server_hostname=hostname) as s:
diff --git a/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst

new file mode 100644 (file)

index 0000000..2143507
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst
@@ -0,0 +1 @@
+Add workaround for Ubuntu's custom OpenSSL security level policy.
author	Christian Heimes <christian@python.org>
	Thu, 18 Mar 2021 22:06:50 +0000 (23:06 +0100)
committer	GitHub <noreply@github.com>
	Thu, 18 Mar 2021 22:06:50 +0000 (15:06 -0700)
.github/workflows/build.yml		patch \| blob \| blame \| history
Lib/test/test_ssl.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Tests/2021-03-18-10-34-42.bpo-41561.pDg4w-.rst	[new file with mode: 0644]	patch \| blob