(Short answer, I'm in meetings for the rest of the day)

Python's ssl module doesn't support TLS over UDP. DTLS is not an issue
for CPython. I have limited experience with DTLS and cannot contribute
much to that part of the discussion. Python's test suite uses its own
set of certificates for testing. We don't rely on the system's CA store.
All certs and DH parameters are chosen to work on security level 2. (I've
been bitten by old settings when I made Python core and tests FIPS
compliant.)

Does Ubuntu's OpenSSL 1.0.x compat package use the same config file as
OpenSSL 1.1.1? I can see how that can cause trouble. Fedora's
compat-openssl10 package works around incompatible config files by using
openssl10.cnf instead of openssl.cnf with patch
https://src.fedoraproject.org/rpms/compat-openssl10/blob/f33/f/openssl-1.0.2o-conf-10.patch.

If you get SSL_CTX_get_min_proto_version() to return TLS1_2_VERSION,
then we can detect the minimum version in Python. The macro currently
returns "0" on Ubuntu. Python then falls back to
"#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)" to detect if
TLS 1.0 is available.
https://github.com/python/cpython/blob/b04f1cb9df7ad93366ef0ef7d8088effc576c5ae/Lib/test/test_ssl.py#L155-L210

>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.minimum_version
<TLSVersion.MINIMUM_SUPPORTED: -2>


A reproducer for the "internal error" during handshake is:

    def test_min_max_version_tlsv1_1(self):
        client_context, server_context, hostname = testing_context()
        # client 1.0 to 1.2, server 1.0 to 1.1
        client_context.minimum_version = ssl.TLSVersion.TLSv1
        client_context.maximum_version = ssl.TLSVersion.TLSv1_2
        server_context.minimum_version = ssl.TLSVersion.TLSv1
        server_context.maximum_version = ssl.TLSVersion.TLSv1_1

        with ThreadedEchoServer(context=server_context) as server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname=hostname) as s:
                s.connect((HOST, server.port))
                self.assertEqual(s.version(), 'TLSv1.1')

I'll try to find some time to create a new report.
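The gap described in this message is that `ctx.minimum_version` reports `MINIMUM_SUPPORTED` even when the distro's openssl.cnf refuses anything below TLS 1.2. The following probe is an added example, not code from the bug report or from CPython's test suite: it pins client and server to one protocol version at a time and runs the handshake through `ssl.MemoryBIO` pairs, so the real floor is discovered from what OpenSSL actually negotiates. The function names, `PROBE_VERSIONS`, and the self-signed probe cert/key files passed to `probe_tls_floor` are assumptions of this example.

```python
import ssl

# Lowest first; a distro policy (Ubuntu 20.04's openssl.cnf, Fedora's
# crypto-policies) may refuse TLSv1/TLSv1_1 without Python noticing.
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def handshake_in_memory(client_ctx, server_ctx, hostname="localhost"):
    """One handshake over MemoryBIO pairs (no sockets). Returns the
    negotiated protocol, e.g. 'TLSv1.2', or OpenSSL's failure reason."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    # per side: [SSLObject, its outgoing BIO, the peer's incoming BIO, done?]
    sides = [[client, c_out, s_in, False], [server, s_out, c_in, False]]
    for _ in range(16):  # a handshake takes only a few flights
        for side in sides:
            obj, out, peer_in, done = side
            if not done:
                try:
                    obj.do_handshake()
                    side[3] = True
                except ssl.SSLWantReadError:
                    pass  # needs the peer's next flight
                except ssl.SSLError as exc:
                    return exc.reason or str(exc)
            peer_in.write(out.read())  # shuttle records across
        if sides[0][3] and sides[1][3]:
            return client.version()
    return "HANDSHAKE_INCOMPLETE"

def probe_version(version, certfile, keyfile):
    """Pin client and server to exactly one version; return the outcome."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.load_verify_locations(certfile)  # self-signed probe cert
    client_ctx.check_hostname = False  # the chain is still verified
    try:
        for ctx in (client_ctx, server_ctx):
            ctx.minimum_version = ctx.maximum_version = version
    except ValueError:  # compiled out, e.g. OPENSSL_NO_TLS1
        return "NOT_IN_BUILD"
    return handshake_in_memory(client_ctx, server_ctx)

def probe_tls_floor(certfile, keyfile):
    return {v.name: probe_version(v, certfile, keyfile) for v in PROBE_VERSIONS}

def effective_floor(results):
    """Lowest probed version that really negotiated, or None."""
    return next((v.name for v in PROBE_VERSIONS
                 if results.get(v.name, "").startswith("TLSv")), None)
```

On an Ubuntu 20.04 box the expected picture is TLSv1 and TLSv1_1 returning a reason such as UNSUPPORTED_PROTOCOL while `effective_floor` reports TLSv1_2, regardless of what `ctx.minimum_version` claims.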

https://bugs.launchpad.net/bugs/1899878

Title:
  Python's test_ssl fails starting from Ubuntu 20.04

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  Please take a look at https://bugs.python.org/issue41561. Developers
  who work on Python think that the issue is due to a change in Ubuntu
  20.04 that is best described by
  https://bugs.python.org/issue41561#msg378089:

  "It sounds like a Debian/Ubuntu patch is breaking an assumption. Did
  somebody report the bug with Debian/Ubuntu maintainers of OpenSSL
  already? Fedora also configures OpenSSL with minimum protocol version
  of TLS 1.2. The distribution does it in a slightly different way that
  makes the restriction discoverable and that is compatible with
  Python's test suite."
