From f40ff1f075f5425711fddfa9e3a2c0748f3218dc Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 9 Apr 2021 15:15:01 +0200 Subject: [PATCH] bpo-4379: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 Signed-off-by: Christian Heimes --- Lib/test/test_ssl.py | 16 ++++++++++ Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst | 2 + 2 files changed, 18 insertions(+) create mode 100644 Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst Index: Python-3.6.15/Lib/test/test_ssl.py =================================================================== --- Python-3.6.15.orig/Lib/test/test_ssl.py +++ Python-3.6.15/Lib/test/test_ssl.py @@ -41,6 +41,7 @@ HOST = support.HOST IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1) +IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0) def data_file(*name): @@ -159,6 +160,17 @@ def skip_if_broken_ubuntu_ssl(func): else: return func +# Issue #4379: OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with TLSV1_ALERT_INTERNAL_ERROR +def skip_if_OpenSSL30(func): + if IS_OPENSSL_3_0_0: + @functools.wraps(func) + def f(*args, **kwargs): + raise unittest.SkipTest("bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR") + return func(*args, **kwargs) + return f + else: + return func + def skip_if_openssl_cnf_minprotocol_gt_tls1(func): """Skip a test if the OpenSSL config MinProtocol is > TLSv1. @@ -191,6 +203,7 @@ def skip_if_openssl_cnf_minprotocol_gt_t return f + needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test") @@ -3544,6 +3557,7 @@ if _have_threads: self.check_common_name(stats, 'localhost') self.assertEqual(calls, []) + @skip_if_OpenSSL30 @needs_sni def test_sni_callback_alert(self): # Returning a TLS alert is reflected to the connecting client @@ -3559,6 +3573,7 @@ if _have_threads: sni_name='supermessage') self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED') + @skip_if_OpenSSL30 @needs_sni def test_sni_callback_raising(self): # Raising fails the connection with a TLS handshake failure alert. @@ -3576,6 +3591,7 @@ if _have_threads: self.assertEqual(cm.exception.reason, 'SSLV3_ALERT_HANDSHAKE_FAILURE') self.assertIn("ZeroDivisionError", stderr.getvalue()) + @skip_if_OpenSSL30 @needs_sni def test_sni_callback_wrong_return_type(self): # Returning the wrong return type terminates the TLS connection Index: Python-3.6.15/Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst =================================================================== --- /dev/null +++ Python-3.6.15/Misc/NEWS.d/next/Tests/2021-04-09-15-10-38.bpo-43791.4KxiXK.rst @@ -0,0 +1,2 @@ +OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests +are failing with TLSV1_ALERT_INTERNAL_ERROR.