From 9b3d0d6d7e6fc353fb419345bbeb06e75e0e2eeb Mon Sep 17 00:00:00 2001
From: Dan Callaghan
Date: Sun, 30 Aug 2020 13:28:29 +1000
Subject: [PATCH 1/3] Use TLSv1.2 for fake servers in tests
Some Linux distros have begun disabling TLSv1.0 and TLSv1.1 by default for security reasons, for example in Fedora 33 onwards: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 Use TLSv1.2 for the fake TLS servers created in the test suite, to avoid failures due to OpenSSL disallowing TLSv1.0:
Signed-off-by: Dan Callaghan
---
 changelog.d/8208.misc | 1 +
 tests/http/__init__.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/8208.misc
diff --git a/changelog.d/8208.misc b/changelog.d/8208.misc
new file mode 100644
index 000000000000..01a00c651f6d
--- /dev/null
+++ b/changelog.d/8208.misc
@@ -0,0 +1 @@
+Fix tests on distros which disable TLSv1.0.
diff --git a/tests/http/__init__.py b/tests/http/__init__.py
index 2096ba3c9115..7486d092b80c 100644
--- a/tests/http/__init__.py
+++ b/tests/http/__init__.py
@@ -145,7 +145,7 @@ def __init__(self, sanlist):
 self._cert_file = create_test_cert_file(sanlist)
 def serverConnectionForTLS(self, tlsProtocol):
- ctx = SSL.Context(SSL.TLSv1_METHOD)
+ ctx = SSL.Context(SSL.TLSv1_2_METHOD)
 ctx.use_certificate_file(self._cert_file)
 ctx.use_privatekey_file(get_test_key_file())
 return Connection(ctx, None)
From 98b8869381deab3da99db0e1bfc58dfbaef60c2a Mon Sep 17 00:00:00 2001
From: Dan Callaghan
Date: Thu, 10 Sep 2020 18:47:51 +1000
Subject: [PATCH 2/3] Use any TLS version for fake servers in tests
In spite of its name, the OpenSSL constant SSLv23_METHOD actually means "use any mutually acceptable version". This avoids specifying any particular TLS version at all.
Signed-off-by: Dan Callaghan
---
 tests/http/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/http/__init__.py b/tests/http/__init__.py
index 7486d092b80c..53cab2385692 100644
--- a/tests/http/__init__.py
+++ b/tests/http/__init__.py
@@ -145,7 +145,7 @@ def __init__(self, sanlist):
 self._cert_file = create_test_cert_file(sanlist)
 def serverConnectionForTLS(self, tlsProtocol):
- ctx = SSL.Context(SSL.TLSv1_2_METHOD)
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
 ctx.use_certificate_file(self._cert_file)
 ctx.use_privatekey_file(get_test_key_file())
 return Connection(ctx, None)
From 68e35118e0d3526f6274ac9c9b1e159c06dce69a Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Thu, 10 Sep 2020 19:48:16 +0100
Subject: [PATCH 3/3] Update changelog.d/8208.misc
---
 changelog.d/8208.misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/8208.misc b/changelog.d/8208.misc
index 01a00c651f6d..e65da88c4643 100644
--- a/changelog.d/8208.misc
+++ b/changelog.d/8208.misc
@@ -1 +1 @@
-Fix tests on distros which disable TLSv1.0.
+Fix tests on distros which disable TLSv1.0. Contributed by @danc86.
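Review bot: The `ctx = SSL.Context(SSL.SSLv23_METHOD)` line in patch 2's hunk of `serverConnectionForTLS` carries no comment, although the constant's name reads as the opposite of what it does and the accepted protocol floor is now whatever the local OpenSSL build and its system policy allow. I would add `# SSLv23_METHOD = negotiate the highest mutually supported version; the minimum is set by the host's OpenSSL policy` above it, and note in the method's docstring that this context is for test fixtures only, so it is not copied into a real listener without an explicit minimum version. Newer pyOpenSSL releases expose `SSL.TLS_METHOD` as the clearer spelling of the same behaviour, which may be worth using if the project's minimum pyOpenSSL version permits. The enclosing class begins outside the hunk.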