bpo-41561: Add workaround for Ubuntu's custom security level #24915
Conversation
tiran
force-pushed
the
bpo-41561-ubuntu-ssl
branch
2 times, most recently
from
c5881ef to
23ee4b1
Compare
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: https://bugs.python.org/issue43382 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org>
tiran
force-pushed
the
bpo-41561-ubuntu-ssl
branch
from
23ee4b1 to
6a96b30
Compare
Lib/test/test_ssl.py
Outdated
| def is_ubuntu(): | ||
| try: | ||
| # assume that any references of "ubuntu" implies Ubuntu-like distro | ||
| with open("/etc/os-release") as f: |
There was a problem hiding this comment.
I'm deliberately not using platform.freedesktop_os_release() here. The function is 3.10-only and I want to backport the fix to 3.7 to 3.9.
There was a problem hiding this comment.
I noticed that platform.freedesktop_os_release() opens with encoding="utf-8" and also checks /usr/lib/os-release. Are either of those steps necessary here?
There was a problem hiding this comment.
shouldn't we be more specific than "is_ubuntu"? which particular versions. 20.04 yes. but what about others? do they still do this in 20.10 and (soon to be replaced by) 21.04? what about 18.04? have we heard back on the upstream ubuntu issues about the future of their apparently uncommon implementation choice?
There was a problem hiding this comment.
I'll add encoding="utf-8". The check for /usr/lib/os-release is not necessary on Ubuntu. /etc/os-release always exists.
I don't want to spend more time on this issue than necessary. I have already spent way to much time on a platform that I don't even use. The approach isn't perfect but good enough to fix testing on Ubuntu.
20.04, 20.10, and 21.04 are definitely affected. The man page https://manpages.ubuntu.com/manpages/hirsute/man3/SSL_CTX_set_security_level.3ssl.html is a good indicator. If you see On Ubuntu, TLS versions below 1.2 are not permitted. then the custom policy applies.
|
Thanks @gpshead and @brandtbucher |
|
Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9. |
…H-24915) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit f6c6b58) Co-authored-by: Christian Heimes <christian@python.org>
|
GH-24925 is a backport of this pull request to the 3.9 branch. |
…H-24915) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit f6c6b58) Co-authored-by: Christian Heimes <christian@python.org>
|
GH-24926 is a backport of this pull request to the 3.8 branch. |
|
Sorry, @tiran, I could not cleanly backport this to |
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit f6c6b58) Co-authored-by: Christian Heimes <christian@python.org>
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit f6c6b58) Co-authored-by: Christian Heimes <christian@python.org>
…ythonGH-24915) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit f6c6b58) Co-authored-by: Christian Heimes <christian@python.org>
|
GH-24928 is a backport of this pull request to the 3.7 branch. |
* master: (129 commits) bpo-43452: Micro-optimizations to PyType_Lookup (pythonGH-24804) bpo-43517: Fix false positive in detection of circular imports (python#24895) bpo-43494: Make some minor changes to lnotab notes (pythonGH-24861) Mention that code.co_lnotab is deprecated in what's new for 3.10. (python#24902) bpo-43244: Remove symtable.h header file (pythonGH-24910) bpo-43466: Add --with-openssl-rpath configure option (pythonGH-24820) Fix a typo in c-analyzer (pythonGH-24468) bpo-41561: Add workaround for Ubuntu's custom security level (pythonGH-24915) bpo-43521: Allow ast.unparse with empty sets and NaN (pythonGH-24897) bpo-43244: Remove the PyAST_Validate() function (pythonGH-24911) bpo-43541: Fix PyEval_EvalCodeEx() regression (pythonGH-24918) bpo-43244: Fix test_peg_generators on Windows (pythonGH-24913) bpo-39342: Expose X509_V_FLAG_ALLOW_PROXY_CERTS in ssl module (pythonGH-18011) bpo-43244: Fix test_peg_generator for PyAST_Validate() (pythonGH-24912) bpo-42128: Add 'missing :' syntax error message to match statements (pythonGH-24733) bpo-43244: Add pycore_ast.h header file (pythonGH-24908) bpo-43244: Rename pycore_ast.h to pycore_ast_state.h (pythonGH-24907) Remove unnecessary imports in the grammar parser (pythonGH-24904) bpo-35883: Py_DecodeLocale() escapes invalid Unicode characters (pythonGH-24843) Add PEP 626 to what's new in 3.10. (python#24892) ...
…H-24915) (GH-24928) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit f6c6b58) Co-authored-by: Christian Heimes <christian@python.org>
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.
See: https://bugs.python.org/issue43382
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
Signed-off-by: Christian Heimes christian@python.org
https://bugs.python.org/issue41561
Automerge-Triggered-By: GH:tiran