Blame SOURCES/00318-fixes-for-tls-13.patch

From 412ccf4c6f8c417006c0a93392a8274a425074c0 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@redhat.com>
Date: Wed, 29 May 2019 04:04:54 +0200
Subject: [PATCH 1/5] bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1
 (GH-11612)
Partially backport commit 529525fb5a8fd9b96ab4021311a598c77588b918:
complete the previous partial backport (commit
2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826.
Co-Authored-By: Christian Heimes <christian@python.org>
---
 Lib/test/test_ssl.py                              | 15 +++++++++++++++
 .../2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst      |  1 +
 2 files changed, 16 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index cb0acda..639109f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2043,6 +2043,16 @@ if _have_threads:
                                 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
                                                  % (msg, ctype, msg.lower(), ctype))
                             self.write(msg.lower())
+                    except ConnectionResetError:
+                        # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError
+                        # when connection is not shut down gracefully.
+                        if self.server.chatty and support.verbose:
+                            sys.stdout.write(
+                                " Connection reset by peer: {}\n".format(
+                                    self.addr)
+                            )
+                        self.close()
+                        self.running = False
                     except OSError:
                         if self.server.chatty:
                             handle_error("Test server failure:\n")
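Review bot: The new `except ConnectionResetError:` branch only takes effect because it sits before the existing `except OSError:` at the end of the hunk (ConnectionResetError is an OSError subclass), and that ordering is not called out anywhere. I would extend the XXX comment with `# Must stay ahead of the OSError handler below: ConnectionResetError subclasses it.` so a later reorder does not silently route resets to handle_error. The new write also uses str.format while the neighbouring stdout writes in this method use %-formatting; either is fine, but mixing them inside one try/except reads oddly. The enclosing method starts and ends outside this hunk.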
@@ -2122,6 +2132,11 @@ if _have_threads:
                     pass
                 except KeyboardInterrupt:
                     self.stop()
+                except BaseException as e:
+                    if support.verbose and self.chatty:
+                        sys.stdout.write(
+                            ' connection handling failed: ' + repr(e) + '\n')
+
             self.sock.close()
 
         def stop(self):
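Review bot: The added `except BaseException as e:` after the KeyboardInterrupt branch also catches SystemExit and GeneratorExit, and when `support.verbose and self.chatty` is false the exception is dropped without any trace, so a connection handler that crashes leaves no evidence in the test output. Unless non-Exception subclasses must be absorbed here, `except Exception as e:` is the narrower net, and the stdout write could be gated on `self.chatty` alone so failures are at least visible in chatty runs. The loop this handler belongs to starts outside the hunk.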
diff --git a/Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst b/Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst
new file mode 100644
index 0000000..f508504
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2019-01-18-17-46-10.bpo-32947.Hk0KnM.rst
@@ -0,0 +1 @@
+test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1.
-- 
2.21.0
From 6b728ec778067849dd1f0d9b73cf1ac47dafa270 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Wed, 25 Sep 2019 09:12:59 -0700
Subject: [PATCH 2/5] bpo-38271: encrypt private key test files with AES256
 (GH-16385)
The private keys for test_ssl were encrypted with 3DES in traditional
PKCS#5 format. 3DES and the digest algorithm of PKCS#5 are blocked by
some strict crypto policies. Use PKCSGH-8 format with AES256 encryption
instead.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38271
Automerge-Triggered-By: @tiran
(cherry picked from commit bfd0c963d88f3df69489ee250655e2b8f3d235bd)
Co-authored-by: Christian Heimes <christian@python.org>
---
 Lib/test/keycert.passwd.pem                   | 85 ++++++++++---------
 Lib/test/make_ssl_certs.py                    |  4 +-
 Lib/test/ssl_key.passwd.pem                   | 84 +++++++++---------
 .../2019-09-25-13-11-29.bpo-38271.iHXNIg.rst  |  4 +
 4 files changed, 91 insertions(+), 86 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Tests/2019-09-25-13-11-29.bpo-38271.iHXNIg.rst
diff --git a/Lib/test/keycert.passwd.pem b/Lib/test/keycert.passwd.pem
index cbb3c3b..c330c36 100644
--- a/Lib/test/keycert.passwd.pem
+++ b/Lib/test/keycert.passwd.pem
@@ -1,45 +1,45 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,D134E931C96D9DEC
-
-nuGFEej7vIjkYWSMz5OJeVTNntDRQi6ZM4DBm3g8T7i/0odr3WFqGMMKZcIhLYQf
-rgRq7RSKtrJ1y5taVucMV+EuCjyfzDo0TsYt+ZrXv/D08eZhjRmkhoHnGVF0TqQm
-nQEXM/ERT4J2RM78dnG+homMkI76qOqxgGbRqQqJo6AiVRcAZ45y8s96bru2TAB8
-+pWjO/v0Je7AFVdwSU52N8OOY6uoSAygW+0UY1WVxbVGJF2XfRsNpPX+YQHYl6e+
-3xM5XBVCgr6kmdAyub5qUJ38X3TpdVGoR0i+CVS9GTr2pSRib1zURAeeHnlqiUZM
-4m0Gn9s72nJevU1wxED8pwOhR8fnHEmMKGD2HPhKoOCbzDhwwBZO27TNa1uWeM3f
-M5oixKDi2PqMn3y2cDx1NjJtP661688EcJ5a2Ih9BgO9xpnhSyzBWEKcAn0tJB0H
-/56M0FW6cdOOIzMveGGL7sHW5E+iOdI1n5e7C6KJUzew78Y9qJnhS53EdI6qTz9R
-wsIsj1i070Fk6RbPo6zpLlF6w7Zj8GlZaZA7OZZv9wo5VEV/0ST8gmiiBOBc4C6Y
-u9hyLIIu4dFEBKyQHRvBnQSLNpKx6or1OGFDVBay2In9Yh2BHh1+vOj/OIz/wq48
-EHOIV27fRJxLu4jeK5LIGDhuPnMJ8AJYQ0bQOUP6fd7p+TxWkAQZPB/Dx/cs3hxr
-nFEdzx+eO+IAsObx/b1EGZyEJyETBslu4GwYX7/KK3HsJhDJ1bdZ//28jOCaoir6
-ZOMT72GRwmVoQTJ0XpccfjHfKJDRLT7C1xvzo4Eibth0hpTZkA75IUYUp6qK/PuJ
-kH/qdiC7QIkRKtsrawW4vEDna3YtxIYhQqz9+KwO6u/0gzooZtv1RU4U3ifMDB5u
-5P5GAzACRqlY8QYBkM869lvWqzQPHvybC4ak9Yx6/heMO9ddjdIW9BaK8BLxvN/6
-UCD936Y4fWltt09jHZIoxWFykouBwmd7bXooNYXmDRNmjTdVhKJuOEOQw8hDzx7e
-pWFJ9Z/V4Qm1tvXbCD7QFqMCDoY3qFvVG8DBqXpmxe1yPfz21FWrT7IuqDXAD3ns
-vxfN/2a+Cy04U9FBNVCvWqWIs5AgNpdCMJC2FlXKTy+H3/7rIjNyFyvbX0vxIXtK
-liOVNXiyVM++KZXqktqMUDlsJENmIHV9B046luqbgW018fHkyEYlL3iRZGbYegwr
-XO9VVIKVPw1BEvJ8VNdGFGuZGepd8qX2ezfYADrNR+4t85HDm8inbjTobSjWuljs
-ftUNkOeCHqAvWCFQTLCfdykvV08EJfVY79y7yFPtfRV2gxYokXFifjo3su9sVQr1
-UiIS5ZAsIC1hBXWeXoBN7QVTkFi7Yto6E1q2k10LiT3obpUUUQ/oclhrJOCJVjrS
-oRcj2QBy8OT4T9slJr5maTWdgd7Lt6+I6cGQXPaDvjGOJl0eBYM14vhx4rRQWytJ
-k07hhHFO4+9CGCuHS8AAy2gR6acYFWt2ZiiNZ0z/iPIHNK4YEyy9aLf6uZH/KQjE
-jmHToo7XD6QvCAEC5qTHby3o3LfHIhyZi/4L+AhS4FKUHF6M0peeyYt4z3HaK2d2
-N6mHLPdjwNjra7GOmcns4gzcrdfoF+R293KpPal4PjknvR3dZL4kKP/ougTAM5zv
-qDIvRbkHzjP8ChTpoLcJsNVXykNcNkjcSi0GHtIpYjh6QX6P2uvR/S4+Bbb9p9rn
-hIy/ovu9tWN2hiPxGPe6torF6BulAxsTYlDercC204AyzsrdA0pr6HBgJH9C6ML1
-TchwodbFJqn9rSv91i1liusAGoOvE81AGBdrXY7LxfSNhYY1IK6yR/POJPTd53sA
-uX2/j6Rtoksd/2BHPM6AUnI/2B9slhuzWX2aCtWLeuwvXDS6rYuTigaQmLkzTRfM
-dlMI3s9KLXxgi5YVumUZleJWXwBNP7KiKajd+VTSD+7WAhyhM5FIG5wVOaxmy4G2
-TyqZ/Ax9d2VEjTQHWvQlLPQ4Mp0EIz0aEl94K/S8CK8bJRH6+PRkar+dJi1xqlL+
-BYb42At9mEJ8odLlFikvNi1+t7jqXk5jRi5C0xFKx3nTtzoH2zNUeuA3R6vSocVK
-45jnze9IkKmxMlJ4loR5sgszdpDCD3kXqjtCcbMTmcrGyzJek3HSOTpiEORoTFOe
-Rhg6jH5lm+QcC263oipojS0qEQcnsWJP2CylNYMYHR9O/9NQxT3o2lsRHqZTMELV
-uQa/SFH+paQNbZOj8MRwPSqqiIxJFuLswKte1R+W7LKn1yBSM7Pp39lNbzGvJD2E
-YRfnCwFpJ54voVAuQ4jXJvigCW2qeCjXlxeD6K2j4eGJEEOmIjIW1wjubyBY6OI3
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIHbTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIhD+rJdxqb6ECAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDTdyjCP3riOSUfxix4aXEvBIIH
+ECGkbsFabrcFMZcplw5jHMaOlG7rYjUzwDJ80JM8uzbv2Jb8SvNlns2+xmnEvH/M
+mNvRmnXmplbVjH3XBMK8o2Psnr2V/a0j7/pgqpRxHykG+koOY4gzdt3MAg8JPbS2
+hymSl+Y5EpciO3xLfz4aFL1ZNqspQbO/TD13Ij7DUIy7xIRBMp4taoZCrP0cEBAZ
++wgu9m23I4dh3E8RUBzWyFFNic2MVVHrui6JbHc4dIHfyKLtXJDhUcS0vIC9PvcV
+jhorh3UZC4lM+/jjXV5AhzQ0VrJ2tXAUX2dA144XHzkSH2QmwfnajPsci7BL2CGC
+rjyTy4NfB/lDwU+55dqJZQSKXMxAapJMrtgw7LD5CKQcN6zmfhXGssJ7HQUXKkaX
+I1YOFzuUD7oo56BVCnVswv0jX9RxrE5QYNreMlOP9cS+kIYH65N+PAhlURuQC14K
+PgDkHn5knSa2UQA5tc5f7zdHOZhGRUfcjLP+KAWA3nh+/2OKw/X3zuPx75YT/FKe
+tACPw5hjEpl62m9Xa0eWepZXwqkIOkzHMmCyNCsbC0mmRoEjmvfnslfsmnh4Dg/c
+4YsTYMOLLIeCa+WIc38aA5W2lNO9lW0LwLhX1rP+GRVPv+TVHXlfoyaI+jp0iXrJ
+t3xxT0gaiIR/VznyS7Py68QV/zB7VdqbsNzS7LdquHK1k8+7OYiWjY3gqyU40Iu2
+d1eSnIoDvQJwyYp7XYXbOlXNLY+s1Qb7yxcW3vXm0Bg3gKT8r1XHWJ9rj+CxAn5r
+ysfkPs1JsesxzzQjwTiDNvHnBnZnwxuxfBr26ektEHmuAXSl8V6dzLN/aaPjpTj4
+CkE7KyqX3U9bLkp+ztl4xWKEmW44nskzm0+iqrtrxMyTfvvID4QrABjZL4zmWIqc
+e3ZfA3AYk9VDIegk/YKGC5VZ8YS7ZXQ0ASK652XqJ7QlMKTxxV7zda6Fp4uW6/qN
+ezt5wgbGGhZQXj2wDQmWNQYyG/juIgYTpCUA54U5XBIjuR6pg+Ytm0UrvNjsUoAC
+wGelyqaLDq8U8jdIFYVTJy9aJjQOYXjsUJ0dZN2aGHSlju0ZGIZc49cTIVQ9BTC5
+Yc0Vlwzpl+LuA25DzKZNSb/ci0lO/cQGJ2uXQQgaNgdsHlu8nukENGJhnIzx4fzK
+wEh3yHxhTRCzPPwDfXmx0IHXrPqJhSpAgaXBVIm8OjvmMxO+W75W4uLfNY/B7e2H
+3cjklGuvkofOf7sEOrGUYf4cb6Obg8FpvHgpKo5Twwmoh/qvEKckBFqNhZXDDl88
+GbGlSEgyaAV1Ig8s1NJKBolWFa0juyPAwJ8vT1T4iwW7kQ7KXKt2UNn96K/HxkLu
+pikvukz8oRHMlfVHa0R48UB1fFHwZLzPmwkpu6ancIxk3uO3yfhf6iDk3bmnyMlz
+g3k/b6MrLYaOVByRxay85jH3Vvgqfgn6wa6BJ7xQ81eZ8B45gFuTH0J5JtLL7SH8
+darRPLCYfA+Ums9/H6pU5EXfd3yfjMIbvhCXHkJrrljkZ+th3p8dyto6wmYqIY6I
+qR9sU+o6DhRaiP8tCICuhHxQpXylUM6WeJkJwduTJ8KWIvzsj4mReIKOl/oC2jSd
+gIdKhb9Q3zj9ce4N5m6v66tyvjxGZ+xf3BvUPDD+LwZeXgf7OBsNVbXzQbzto594
+nbCzPocFi3gERE50ru4K70eQCy08TPG5NpOz+DDdO5vpAuMLYEuI7O3L+3GjW40Q
+G5bu7H5/i7o/RWR67qhG/7p9kPw3nkUtYgnvnWaPMIuTfb4c2d069kjlfgWjIbbI
+tpSKmm5DHlqTE4/ECAbIEDtSaw9dXHCdL3nh5+n428xDdGbjN4lT86tfu17EYKzl
+ydH1RJ1LX3o3TEj9UkmDPt7LnftvwybMFEcP7hM2xD4lC++wKQs7Alg6dTkBnJV4
+5xU78WRntJkJTU7kFkpPKA0QfyCuSF1fAMoukDBkqUdOj6jE0BlJQlHk5iwgnJlt
+uEdkTjHZEjIUxWC6llPcAzaPNlmnD45AgfEW+Jn21IvutmJiQAz5lm9Z9PXaR0C8
+hXB6owRY67C0YKQwXhoNf6xQun2xGBGYy5rPEEezX1S1tUH5GR/KW1Lh+FzFqHXI
+ZEb5avfDqHKehGAjPON+Br7akuQ125M9LLjKuSyPaQzeeCAy356Xd7XzVwbPddbm
+9S9WSPqzaPgh10chIHoNoC8HMd33dB5j9/Q6jrbU/oPlptu/GlorWblvJdcTuBGI
+IVn45RFnkG8hCz0GJSNzW7+70YdESQbfJW79vssWMaiSjFE0pMyFXrFR5lBywBTx
+PiGEUWtvrKG94X1TMlGUzDzDJOQNZ9dT94bonNe9pVmP5BP4/DzwwiWh6qrzWk6p
+j8OE4cfCSh2WvHnhJbH7/N0v+JKjtxeIeJ16jx/K2oK5
+-----END ENCRYPTED PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIIEWTCCAsGgAwIBAgIJAJinz4jHSjLtMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
 BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
@@ -66,3 +66,4 @@ jMqTFlmO7kpf/jpCSmamp3/JSEE1BJKHwQ6Ql4nzRA2N1mnvWH7Zxcv043gkHeAu
 9Wc2uXpw9xF8itV4Uvcdr3dwqByvIqn7iI/gB+4l41e0u8OmH2MKOx4Nxlly5TNW
 HcVKQHyOeyvnINuBAQ==
 -----END CERTIFICATE-----
+
diff --git a/Lib/test/make_ssl_certs.py b/Lib/test/make_ssl_certs.py
index 3622765..41b5f46 100644
--- a/Lib/test/make_ssl_certs.py
+++ b/Lib/test/make_ssl_certs.py
@@ -206,8 +206,8 @@ if __name__ == '__main__':
     with open('ssl_key.pem', 'w') as f:
         f.write(key)
     print("password protecting ssl_key.pem in ssl_key.passwd.pem")
-    check_call(['openssl','rsa','-in','ssl_key.pem','-out','ssl_key.passwd.pem','-des3','-passout','pass:somepass'])
-    check_call(['openssl','rsa','-in','ssl_key.pem','-out','keycert.passwd.pem','-des3','-passout','pass:somepass'])
+    check_call(['openssl','pkey','-in','ssl_key.pem','-out','ssl_key.passwd.pem','-aes256','-passout','pass:somepass'])
+    check_call(['openssl','pkey','-in','ssl_key.pem','-out','keycert.passwd.pem','-aes256','-passout','pass:somepass'])
 
     with open('keycert.pem', 'w') as f:
         f.write(key)
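Review bot: The two check_call lines at the end of the hunk are identical apart from the output file name, and the print just above them still announces only ssl_key.passwd.pem although keycert.passwd.pem is written too. A loop over the two output names keeps the argv in one place: `for out in ('ssl_key.passwd.pem', 'keycert.passwd.pem'):` followed by `check_call(['openssl', 'pkey', '-in', 'ssl_key.pem', '-out', out, '-aes256', '-passout', 'pass:somepass'])`. One caveat worth a comment: `pkey -aes256` leaves the PBKDF2 iteration count and PRF to the local OpenSSL defaults, so regenerating on a different OpenSSL build presumably produces different fixture bytes even though the key itself is unchanged. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.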
diff --git a/Lib/test/ssl_key.passwd.pem b/Lib/test/ssl_key.passwd.pem
index e4f1370..46de61a 100644
--- a/Lib/test/ssl_key.passwd.pem
+++ b/Lib/test/ssl_key.passwd.pem
@@ -1,42 +1,42 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,8064BE1494B24B13
-
-KJrffOMbo8M0I3PzcYxRZGMpKD1yB3Ii4+bT5XoanxjIJ+4fdx6LfZ0Rsx+riyzs
-tymsQu/iYY9j+4rCvN9+eetsL1X6iZpiimKsLexcid9M3fb0vxED5Sgw0dvunCUA
-xhqjLIKR92MKbODHf6KrDKCpsiPbjq4gZ7P+uCGXAMHL3MXIJSC0hW9rK7Ce6oyO
-CjpIcgB8x+GUWZZZhAFdlzIHMZrteNP2P5HK6QcaT71P034Dz1hhqoj4Q0t+Fta2
-4tfsM/bnTR/l6hwlhPa1e3Uj322tDTDWBScgWANn5+sEWldLmozMaWhZsn22pfk2
-KjRMGXG024JVheV882nbdOBvG7oq+lxkZ/ZP+vvqJqnvYtf7WtM8UivzYpe5Hz5b
-kVvWzPjBLUSZ9whM9rDLqSSqMPyPvDTuEmLkuq+xm7pYJmsLqIMP2klZLqRxLX6K
-uqwplb8UG440qauxgnQ905PId1l2fJEnRtV+7vXprA0L0QotgXLVHBhLmTFM+3PH
-9H3onf31dionUAPrn3nfVE36HhvVgRyvDBnBzJSIMighgq21Qx/d1dk0DRYi1hUI
-nCHl0YJPXheVcXR7JiSF2XQCAaFuS1Mr7NCXfWZOZQC/0dkvmHnl9DUAhuqq9BNZ
-1cKhZXcKHadg2/r0Zup/oDzmHPUEfTAXT0xbqoWlhkdwbF2veWQ96A/ncx3ISTb4
-PkXBlX9rdia8nmtyQDQRn4NuvchbaGkj4WKFC8pF8Hn7naHqwjpHaDUimBc0CoQW
-edNJqruKWwtSVLuwKHCC2gZFX9AXSKJXJz/QRSUlhFGOhuF/J6yKaXj6n5lxWNiQ
-54J+OP/hz2aS95CD2+Zf1SKpxdWiLZSIQqESpmmUrXROixNJZ/Z7gI74Dd9dSJOH
-W+3AU03vrrFZVrJVZhjcINHoH1Skh6JKscH18L6x4U868nSr4SrRLX8BhHllOQyD
-bmU+PZAjF8ZBIaCtTGulDXD29F73MeAZeTSsgQjFu0iKLj1wPiphbx8i/SUtR4YP
-X6PVA04g66r1NBw+3RQASVorZ3g1MSFvITHXcbKkBDeJH2z1+c6t/VVyTONnQhM5
-lLgRSk6HCbetvT9PKxWrWutA12pdBYEHdZhMHVf2+xclky7l09w8hg2/qqcdGRGe
-oAOZ72t0l5ObNyaruDKUS6f4AjOyWq/Xj5xuFtf1n3tQHyslSyCTPcAbQhDfTHUx
-vixb/V9qvYPt7OCn8py7v1M69NH42QVFAvwveDIFjZdqfIKBoJK2V4qPoevJI6uj
-Q5ByMt8OXOjSXNpHXpYQWUiWeCwOEBXJX8rzCHdMtg37jJ0zCmeErR1NTdg+EujM
-TWYgd06jlT67tURST0aB2kg4ijKgUJefD313LW1zC6gVsTbjSZxYyRbPfSP6flQB
-yCi1C19E2OsgleqbkBVC5GlYUzaJT7SGjCRmGx1eqtbrALu+LVH24Wceexlpjydl
-+s2nf/DZlKun/tlPh6YioifPCJjByZMQOCEfIox6BkemZETz8uYA4TTWimG13Z03
-gyDGC2jdpEW414J2qcQDvrdUgJ+HlhrAAHaWpMQDbXYxBGoZ+3+ORvQV4kAsCwL8
-k3EIrVpePdik+1xgOWsyLj6QxFXlTMvL6Wc5pnArFPORsgHEolJvxSPTf9aAHNPn
-V2WBvxiLBtYpGrujAUM40Syx/aN2RPtcXYPAusHUBw+S8/p+/8Kg8GZmnIXG3F89
-45Eepl2quZYIrou7a1fwIpIIZ0hFiBQ1mlHVMFtxwVHS1bQb3SU2GeO+JcGjdVXc
-04qeGuQ5M164eQ5C0T7ZQ1ULiUlFWKD30m+cjqmZzt3d7Q0mKpMKuESIuZJo/wpD
-Nas432aLKUhcNx/pOYLkKJRpGZKOupQoD5iUj/j44o8JoFkDK33v2S57XB5QGz28
-9Zuhx49b3W8mbM6EBanlQKLWJGCxXqc/jhYhFWn+b0MhidynFgA0oeWvf6ZDyt6H
-Yi5Etxsar09xp0Do3NxtQXLuSUu0ji2pQzSIKuoqQWKqldm6VrpwojiqJhy4WQBQ
-aVVyFeWBC7G3Zj76dO+yp2sfJ0itJUQ8AIB9Cg0f34rEZu+r9luPmqBoUeL95Tk7
-YvCOU3Jl8Iqysv8aNpVXT8sa8rrSbruWCByEePZ37RIdHLMVBwVY0eVaFQjrjU7E
-mXmM9eaoYLfXOllsQ+M2+qPFUITr/GU3Qig13DhK/+yC1R6V2a0l0WRhMltIPYKW
-Ztvvr4hK5LcYCeS113BLiMbDIMMZZYGDZGMdC8DnnVbT2loF0Rfmp80Af31KmMQ4
-6XvMatW9UDjBoY5a/YMpdm7SRwm+MgV2KNPpc2kST87/yi9oprGAb8qiarHiHTM0
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIHbTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI072N7W+PDDMCAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBA/AuaRNi4vE4KGqI4In+70BIIH
+ENGS5Vex5NID873frmd1UZEHZ+O/Bd0wDb+NUpIqesHkRYf7kKi6Gnr+nKQ/oVVn
+Lm3JjE7c8ECP0OkOOXmiXuWL1SkzBBWqCI4stSGUPvBiHsGwNnvJAaGjUffgMlcC
+aJOA2+dnejLkzblq4CB2LQdm06N3Xoe9tyqtQaUHxfzJAf5Ydd8uj7vpKN2MMhY7
+icIPJwSyh0N7S6XWVtHEokr9Kp4y2hS5a+BgCWV1/1z0aF7agnSVndmT1VR+nWmc
+lM14k+lethmHMB+fsNSjnqeJ7XOPlOTHqhiZ9bBSTgF/xr5Bck/NiKRzHjdovBox
+TKg+xchaBhpRh7wBPBIlNJeHmIjv+8obOKjKU98Ig/7R9+IryZaNcKAH0PuOT+Sw
+QHXiCGQbOiYHB9UyhDTWiB7YVjd8KHefOFxfHzOQb/iBhbv1x3bTl3DgepvRN6VO
+dIsPLoIZe42sdf9GeMsk8mGJyZUQ6AzsfhWk3grb/XscizPSvrNsJ2VL1R7YTyT3
+3WA4ZXR1EqvXnWL7N/raemQjy62iOG6t7fcF5IdP9CMbWP+Plpsz4cQW7FtesCTq
+a5ZXraochQz361ODFNIeBEGU+0qqXUtZDlmos/EySkZykSeU/L0bImS62VGE3afo
+YXBmznTTT9kkFkqv7H0MerfJsrE/wF8puP3GM01DW2JRgXRpSWlvbPV/2LnMtRuD
+II7iH4rWDtTjCN6BWKAgDOnPkc9sZ4XulqT32lcUeV6LTdMBfq8kMEc8eDij1vUT
+maVCRpuwaq8EIT3lVgNLufHiG96ojlyYtj3orzw22IjkgC/9ee8UDik9CqbMVmFf
+fVHhsw8LNSg8Q4bmwm5Eg2w2it2gtI68+mwr75oCxuJ/8OMjW21Prj8XDh5reie2
+c0lDKQOFZ9UnLU1bXR/6qUM+JFKR4DMq+fOCuoQSVoyVUEOsJpvBOYnYZN9cxsZm
+vh9dKafMEcKZ8flsbr+gOmOw7+Py2ifSlf25E/Frb1W4gtbTb0LQVHb6+drutrZj
+8HEu4CnHYFCD4ZnOJb26XlZCb8GFBddW86yJYyUqMMV6Q1aJfAOAglsTo1LjIMOZ
+byo0BTAmwUevU/iuOXQ4qRBXXcoidDcTCrxfUSPG9wdt9l+m5SdQpWqfQ+fx5O7m
+SLlrHyZCiPSFMtC9DxqjIklHjf5W3wslGLgaD30YXa4VDYkRihf3CNsxGQ+tVvef
+l0ZjoAitF7Gaua06IESmKnpHe23dkr1cjYq+u2IV+xGH8LeExdwsQ9kpuTeXPnQs
+JOA99SsFx1ct32RrwjxnDDsiNkaViTKo9GDkV3jQTfoFgAVqfSgg9wGXpqUqhNG7
+TiSIHCowllLny2zn4XrXCy2niD3VDt0skb3l/PaegHE2z7S5YY85nQtYwpLiwB9M
+SQ08DYKxPBZYKtS2iZ/fsA1gjSRQDPg/SIxMhUC3M3qH8iWny1Lzl25F2Uq7VVEX
+LdTUtaby49jRTT3CQGr5n6z7bMbUegiY7h8WmOekuThGDH+4xZp6+rDP4GFk4FeK
+JcF70vMQYIjQZhadic6olv+9VtUP42ltGG/yP9a3eWRkzfAf2eCh6B1rYdgEWwE8
+rlcZzwM+y6eUmeNF2FVWB8iWtTMQHy+dYNPM+Jtus1KQKxiiq/yCRs7nWvzWRFWA
+HRyqV0J6/lqgm4FvfktFt1T0W+mDoLJOR2/zIwMy2lgL5zeHuR3SaMJnCikJbqKS
+HB3UvrhAWUcZqdH29+FhVWeM7ybyF1Wccmf+IIC/ePLa6gjtqPV8lG/5kbpcpnB6
+UQY8WWaKMxyr3jJ9bAX5QKshchp04cDecOLZrpFGNNQngR8RxSEkiIgAqNxWunIu
+KrdBDrupv/XAgEOclmgToY3iywLJSV5gHAyHWDUhRH4cFCLiGPl4XIcnXOuTze3H
+3j+EYSiS3v3DhHjp33YU2pXlJDjiYsKzAXejEh66++Y8qaQdCAad3ruWRCzW3kgk
+Md0A1VGzntTnQsewvExQEMZH2LtYIsPv3KCYGeSAuLabX4tbGk79PswjnjLLEOr0
+Ghf6RF6qf5/iFyJoG4vrbKT8kx6ywh0InILCdjUunuDskIBxX6tEcr9XwajoIvb2
+kcmGdjam5kKLS7QOWQTl8/r/cuFes0dj34cX5Qpq+Gd7tRq/D+b0207926Cxvftv
+qQ1cVn8HiLxKkZzd3tpf2xnoV1zkTL0oHrNg+qzxoxXUTUcwtIf1d/HRbYEAhi/d
+bBBoFeftEHWNq+sJgS9bH+XNzo/yK4u04B5miOq8v4CSkJdzu+ZdF22d4cjiGmtQ
+8BTmcn0Unzm+u5H0+QSZe54QBHJGNXXOIKMTkgnOdW27g4DbI1y7fCqJiSMbRW6L
+oHmMfbdB3GWqGbsUkhY8i6h9op0MU6WOX7ea2Rxyt4t6
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/Misc/NEWS.d/next/Tests/2019-09-25-13-11-29.bpo-38271.iHXNIg.rst b/Misc/NEWS.d/next/Tests/2019-09-25-13-11-29.bpo-38271.iHXNIg.rst
new file mode 100644
index 0000000..8f43d32
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2019-09-25-13-11-29.bpo-38271.iHXNIg.rst
@@ -0,0 +1,4 @@
+The private keys for test_ssl were encrypted with 3DES in traditional
+PKCS#5 format. 3DES and the digest algorithm of PKCS#5 are blocked by
+some strict crypto policies. Use PKCS#8 format with AES256 encryption
+instead.
-- 
2.21.0
From d8584f9bb3fb841a1b21ed25abc2237ea8bbc206 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Tue, 26 Nov 2019 23:57:21 +0100
Subject: [PATCH 3/5] Use PROTOCOL_TLS_CLIENT/SERVER
Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.
Partially backports a170fa162dc03f0a014373349e548954fff2e567
---
 Lib/ssl.py               |   7 +-
 Lib/test/test_logging.py |   2 +-
 Lib/test/test_ssl.py     | 169 +++++++++++++++++++--------------------
 3 files changed, 87 insertions(+), 91 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 0114387..c5c5529 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -473,7 +473,7 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
         context.load_default_certs(purpose)
     return context
 
-def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
+def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=CERT_NONE,
                            check_hostname=False, purpose=Purpose.SERVER_AUTH,
                            certfile=None, keyfile=None,
                            cafile=None, capath=None, cadata=None):
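Review bot: Changing the default to `cert_reqs=CERT_NONE` means verify_mode is now always set explicitly unless the caller passes `cert_reqs=None`, which the `is not None` guard in the next hunk still honours as "leave verify_mode at whatever SSLContext(protocol) set"; that sentinel meaning is no longer visible from the signature. A docstring line such as `cert_reqs=None leaves verify_mode at the protocol default` would record it. The function's docstring and body lie outside this hunk.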
@@ -492,9 +492,12 @@ def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
     # by default.
     context = SSLContext(protocol)
 
+    if not check_hostname:
+        context.check_hostname = False
     if cert_reqs is not None:
         context.verify_mode = cert_reqs
-    context.check_hostname = check_hostname
+    if check_hostname:
+        context.check_hostname = True
 
     if keyfile and not certfile:
         raise ValueError("certfile must be specified")
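Review bot: The split of check_hostname handling into `if not check_hostname:` before the verify_mode assignment and `if check_hostname:` after it is load-bearing, not redundant: SSLContext refuses to set verify_mode to CERT_NONE while check_hostname is enabled, and PROTOCOL_TLS_CLIENT contexts start with check_hostname on, so the flag has to be cleared first and can only be re-enabled once verify_mode allows it. That ordering deserves a comment such as `# check_hostname must be cleared before verify_mode can drop to CERT_NONE, and set only after verify_mode is raised`. The same ordering is relied on, also uncommented, in test_wrap_socket (the new `cert_reqs == ssl.CERT_NONE` block) and in test_version's new context setup later in this patch. The function body continues outside the hunk.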
diff --git a/Lib/test/test_logging.py b/Lib/test/test_logging.py
index 763a5d1..d5c63b4 100644
--- a/Lib/test/test_logging.py
+++ b/Lib/test/test_logging.py
@@ -1830,7 +1830,7 @@ class HTTPHandlerTest(BaseTest):
                 else:
                     here = os.path.dirname(__file__)
                     localhost_cert = os.path.join(here, "keycert.pem")
-                    sslctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+                    sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                     sslctx.load_cert_chain(localhost_cert)
 
                     context = ssl.create_default_context(cafile=localhost_cert)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 639109f..a7bf2f7 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -155,6 +155,8 @@ def test_wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLS, *,
                      **kwargs):
     context = ssl.SSLContext(ssl_version)
     if cert_reqs is not None:
+        if cert_reqs == ssl.CERT_NONE:
+            context.check_hostname = False
         context.verify_mode = cert_reqs
     if ca_certs is not None:
         context.load_verify_locations(ca_certs)
@@ -1377,7 +1379,7 @@ class ContextTests(unittest.TestCase):
         self._assert_context_options(ctx)
 
     def test_check_hostname(self):
-        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
         self.assertFalse(ctx.check_hostname)
 
         # Requires CERT_REQUIRED or CERT_OPTIONAL
@@ -2386,17 +2388,13 @@ if _have_threads:
                     server_params_test(context, context,
                                        chatty=True, connectionchatty=True)
 
-            client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-            client_context.load_verify_locations(SIGNING_CA)
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-            # server_context.load_verify_locations(SIGNING_CA)
-            server_context.load_cert_chain(SIGNED_CERTFILE2)
+            client_context, server_context, hostname = testing_context()
 
             with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
                 server_params_test(client_context=client_context,
                                    server_context=server_context,
                                    chatty=True, connectionchatty=True,
-                                   sni_name='fakehostname')
+                                   sni_name='localhost')
 
             client_context.check_hostname = False
             with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
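Review bot: `testing_context()` now supplies `hostname`, but the server_params_test call in this hunk still hard-codes `sni_name='localhost'`, as does the mirrored call in the next hunk; if the helper ever changes the name it issues, the SNI sent here silently diverges from the name the client verifies. Use `sni_name=hostname` in both places. The test method continues outside the hunk.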
@@ -2404,7 +2402,7 @@ if _have_threads:
                     server_params_test(client_context=server_context,
                                        server_context=client_context,
                                        chatty=True, connectionchatty=True,
-                                       sni_name='fakehostname')
+                                       sni_name='localhost')
                 self.assertIn('called a function you should not call',
                               str(e.exception))
 
@@ -2469,39 +2467,38 @@ if _have_threads:
             if support.verbose:
                 sys.stdout.write("\n")
 
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-            server_context.load_cert_chain(SIGNED_CERTFILE)
+            client_context, server_context, hostname = testing_context()
 
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-            context.verify_mode = ssl.CERT_REQUIRED
-            context.load_verify_locations(SIGNING_CA)
             tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
-            self.assertEqual(context.verify_flags, ssl.VERIFY_DEFAULT | tf)
+            self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
 
             # VERIFY_DEFAULT should pass
             server = ThreadedEchoServer(context=server_context, chatty=True)
             with server:
-                with context.wrap_socket(socket.socket()) as s:
+                with client_context.wrap_socket(socket.socket(),
+                                                server_hostname=hostname) as s:
                     s.connect((HOST, server.port))
                     cert = s.getpeercert()
                     self.assertTrue(cert, "Can't get peer certificate.")
 
             # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
-            context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
+            client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
 
             server = ThreadedEchoServer(context=server_context, chatty=True)
             with server:
-                with context.wrap_socket(socket.socket()) as s:
+                with client_context.wrap_socket(socket.socket(),
+                                                server_hostname=hostname) as s:
                     with self.assertRaisesRegex(ssl.SSLError,
                                                 "certificate verify failed"):
                         s.connect((HOST, server.port))
 
             # now load a CRL file. The CRL file is signed by the CA.
-            context.load_verify_locations(CRLFILE)
+            client_context.load_verify_locations(CRLFILE)
 
             server = ThreadedEchoServer(context=server_context, chatty=True)
             with server:
-                with context.wrap_socket(socket.socket()) as s:
+                with client_context.wrap_socket(socket.socket(),
+                                                server_hostname=hostname) as s:
                     s.connect((HOST, server.port))
                     cert = s.getpeercert()
                     self.assertTrue(cert, "Can't get peer certificate.")
@@ -2510,19 +2507,13 @@ if _have_threads:
             if support.verbose:
                 sys.stdout.write("\n")
 
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-            server_context.load_cert_chain(SIGNED_CERTFILE)
-
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-            context.verify_mode = ssl.CERT_REQUIRED
-            context.check_hostname = True
-            context.load_verify_locations(SIGNING_CA)
+            client_context, server_context, hostname = testing_context()
 
             # correct hostname should verify
             server = ThreadedEchoServer(context=server_context, chatty=True)
             with server:
-                with context.wrap_socket(socket.socket(),
-                                         server_hostname="localhost") as s:
+                with client_context.wrap_socket(socket.socket(),
+                                                 server_hostname=hostname) as s:
                     s.connect((HOST, server.port))
                     cert = s.getpeercert()
                     self.assertTrue(cert, "Can't get peer certificate.")
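Review bot: The continuation line `server_hostname=hostname) as s:` in the first `with` of this hunk is indented one column further than the same construct in the other rewritten calls in this patch, and in the following hunk the `server_hostname="invalid") as s:` continuation kept its old indent after `context` became `client_context`, so it no longer lines up with the opening parenthesis. Both should be re-aligned to the column after `wrap_socket(` for consistency with the rest of the file.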
@@ -2530,7 +2521,7 @@ if _have_threads:
             # incorrect hostname should raise an exception
             server = ThreadedEchoServer(context=server_context, chatty=True)
             with server:
-                with context.wrap_socket(socket.socket(),
+                with client_context.wrap_socket(socket.socket(),
                                          server_hostname="invalid") as s:
                     with self.assertRaisesRegex(ssl.CertificateError,
                                                 "hostname 'invalid' doesn't match 'localhost'"):
@@ -2542,7 +2533,7 @@ if _have_threads:
                 with socket.socket() as s:
                     with self.assertRaisesRegex(ValueError,
                                                 "check_hostname requires server_hostname"):
-                        context.wrap_socket(s)
+                        client_context.wrap_socket(s)
 
         def test_wrong_cert(self):
             """Connecting when the server rejects the client's certificate
@@ -2767,7 +2758,6 @@ if _have_threads:
             msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
 
             server = ThreadedEchoServer(CERTFILE,
-                                        ssl_version=ssl.PROTOCOL_TLSv1,
                                         starttls_server=True,
                                         chatty=True,
                                         connectionchatty=True)
@@ -2795,7 +2785,7 @@ if _have_threads:
                             sys.stdout.write(
                                 " client:  read %r from server, starting TLS...\n"
                                 % msg)
-                        conn = test_wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
+                        conn = test_wrap_socket(s)
                         wrapped = True
                     elif indata == b"ENDTLS" and msg.startswith(b"ok"):
                         # ENDTLS ok, switch back to clear text
@@ -2882,7 +2872,7 @@ if _have_threads:
 
             server = ThreadedEchoServer(CERTFILE,
                                         certreqs=ssl.CERT_NONE,
-                                        ssl_version=ssl.PROTOCOL_TLSv1,
+                                        ssl_version=ssl.PROTOCOL_TLS_SERVER,
                                         cacerts=CERTFILE,
                                         chatty=True,
                                         connectionchatty=False)
@@ -2892,7 +2882,7 @@ if _have_threads:
                                     certfile=CERTFILE,
                                     ca_certs=CERTFILE,
                                     cert_reqs=ssl.CERT_NONE,
-                                    ssl_version=ssl.PROTOCOL_TLSv1)
+                                    ssl_version=ssl.PROTOCOL_TLS_CLIENT)
                 s.connect((HOST, server.port))
                 # helper methods for standardising recv* method signatures
                 def _recv_into():
@@ -3034,7 +3024,7 @@ if _have_threads:
b7e076
         def test_nonblocking_send(self):
b7e076
             server = ThreadedEchoServer(CERTFILE,
b7e076
                                         certreqs=ssl.CERT_NONE,
b7e076
-                                        ssl_version=ssl.PROTOCOL_TLSv1,
b7e076
+                                        ssl_version=ssl.PROTOCOL_TLS_SERVER,
b7e076
                                         cacerts=CERTFILE,
b7e076
                                         chatty=True,
b7e076
                                         connectionchatty=False)
b7e076
@@ -3044,7 +3034,7 @@ if _have_threads:
b7e076
                                     certfile=CERTFILE,
b7e076
                                     ca_certs=CERTFILE,
b7e076
                                     cert_reqs=ssl.CERT_NONE,
b7e076
-                                    ssl_version=ssl.PROTOCOL_TLSv1)
b7e076
+                                    ssl_version=ssl.PROTOCOL_TLS_CLIENT)
b7e076
                 s.connect((HOST, server.port))
b7e076
                 s.setblocking(False)
b7e076
 
b7e076
@@ -3190,9 +3180,11 @@ if _have_threads:
b7e076
             Basic tests for SSLSocket.version().
b7e076
             More tests are done in the test_protocol_*() methods.
b7e076
             """
b7e076
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
+            context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
b7e076
+            context.check_hostname = False
b7e076
+            context.verify_mode = ssl.CERT_NONE
b7e076
             with ThreadedEchoServer(CERTFILE,
b7e076
-                                    ssl_version=ssl.PROTOCOL_TLSv1,
b7e076
+                                    ssl_version=ssl.PROTOCOL_TLS_SERVER,
b7e076
                                     chatty=False) as server:
b7e076
                 with context.wrap_socket(socket.socket()) as s:
b7e076
                     self.assertIs(s.version(), None)
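Review bot: The two added lines set `check_hostname = False` before `verify_mode = ssl.CERT_NONE`, and that order is load-bearing: SSLContext refuses to drop verify_mode to CERT_NONE while check_hostname is enabled, so swapping the lines would raise ValueError. A short comment, `# check_hostname must be cleared before verify_mode can be set to CERT_NONE`, would protect the ordering from a later tidy-up. The enclosing test method starts above the hunk.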
b7e076
@@ -3247,7 +3239,7 @@ if _have_threads:
b7e076
 
b7e076
             server = ThreadedEchoServer(CERTFILE,
b7e076
                                         certreqs=ssl.CERT_NONE,
b7e076
-                                        ssl_version=ssl.PROTOCOL_TLSv1,
b7e076
+                                        ssl_version=ssl.PROTOCOL_TLS_SERVER,
b7e076
                                         cacerts=CERTFILE,
b7e076
                                         chatty=True,
b7e076
                                         connectionchatty=False)
b7e076
@@ -3257,7 +3249,7 @@ if _have_threads:
b7e076
                                     certfile=CERTFILE,
b7e076
                                     ca_certs=CERTFILE,
b7e076
                                     cert_reqs=ssl.CERT_NONE,
b7e076
-                                    ssl_version=ssl.PROTOCOL_TLSv1)
b7e076
+                                    ssl_version=ssl.PROTOCOL_TLS_CLIENT)
b7e076
                 s.connect((HOST, server.port))
b7e076
                 # get the data
b7e076
                 cb_data = s.get_channel_binding("tls-unique")
b7e076
@@ -3282,7 +3274,7 @@ if _have_threads:
b7e076
                                     certfile=CERTFILE,
b7e076
                                     ca_certs=CERTFILE,
b7e076
                                     cert_reqs=ssl.CERT_NONE,
b7e076
-                                    ssl_version=ssl.PROTOCOL_TLSv1)
b7e076
+                                    ssl_version=ssl.PROTOCOL_TLS_CLIENT)
b7e076
                 s.connect((HOST, server.port))
b7e076
                 new_cb_data = s.get_channel_binding("tls-unique")
b7e076
                 if support.verbose:
b7e076
@@ -3299,32 +3291,35 @@ if _have_threads:
b7e076
                 s.close()
b7e076
 
b7e076
         def test_compression(self):
b7e076
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            context.load_cert_chain(CERTFILE)
b7e076
-            stats = server_params_test(context, context,
b7e076
-                                       chatty=True, connectionchatty=True)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       chatty=True, connectionchatty=True,
b7e076
+                                       sni_name=hostname)
b7e076
             if support.verbose:
b7e076
                 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
b7e076
             self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
b7e076
 
b7e076
+
b7e076
         @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
b7e076
                              "ssl.OP_NO_COMPRESSION needed for this test")
b7e076
         def test_compression_disabled(self):
b7e076
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            context.load_cert_chain(CERTFILE)
b7e076
-            context.options |= ssl.OP_NO_COMPRESSION
b7e076
-            stats = server_params_test(context, context,
b7e076
-                                       chatty=True, connectionchatty=True)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
+            client_context.options |= ssl.OP_NO_COMPRESSION
b7e076
+            server_context.options |= ssl.OP_NO_COMPRESSION
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       chatty=True, connectionchatty=True,
b7e076
+                                       sni_name=hostname)
b7e076
             self.assertIs(stats['compression'], None)
b7e076
 
b7e076
         def test_dh_params(self):
b7e076
             # Check we can get a connection with ephemeral Diffie-Hellman
b7e076
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            context.load_cert_chain(CERTFILE)
b7e076
-            context.load_dh_params(DHFILE)
b7e076
-            context.set_ciphers("kEDH")
b7e076
-            stats = server_params_test(context, context,
b7e076
-                                       chatty=True, connectionchatty=True)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
+            server_context.load_dh_params(DHFILE)
b7e076
+            server_context.set_ciphers("kEDH")
b7e076
+            server_context.options |= ssl.OP_NO_TLSv1_3
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       chatty=True, connectionchatty=True,
b7e076
+                                       sni_name=hostname)
b7e076
             cipher = stats["cipher"][0]
b7e076
             parts = cipher.split("-")
b7e076
             if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
b7e076
@@ -3332,22 +3327,20 @@ if _have_threads:
b7e076
 
b7e076
         def test_selected_alpn_protocol(self):
b7e076
             # selected_alpn_protocol() is None unless ALPN is used.
b7e076
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            context.load_cert_chain(CERTFILE)
b7e076
-            stats = server_params_test(context, context,
b7e076
-                                       chatty=True, connectionchatty=True)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       chatty=True, connectionchatty=True,
b7e076
+                                       sni_name=hostname)
b7e076
             self.assertIs(stats['client_alpn_protocol'], None)
b7e076
 
b7e076
         @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
b7e076
         def test_selected_alpn_protocol_if_server_uses_alpn(self):
b7e076
             # selected_alpn_protocol() is None unless ALPN is used by the client.
b7e076
-            client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            client_context.load_verify_locations(CERTFILE)
b7e076
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            server_context.load_cert_chain(CERTFILE)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
             server_context.set_alpn_protocols(['foo', 'bar'])
b7e076
             stats = server_params_test(client_context, server_context,
b7e076
-                                       chatty=True, connectionchatty=True)
b7e076
+                                       chatty=True, connectionchatty=True,
b7e076
+                                       sni_name=hostname)
b7e076
             self.assertIs(stats['client_alpn_protocol'], None)
b7e076
 
b7e076
         @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support needed for this test")
b7e076
@@ -3394,10 +3387,10 @@ if _have_threads:
b7e076
 
b7e076
         def test_selected_npn_protocol(self):
b7e076
             # selected_npn_protocol() is None unless NPN is used
b7e076
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            context.load_cert_chain(CERTFILE)
b7e076
-            stats = server_params_test(context, context,
b7e076
-                                       chatty=True, connectionchatty=True)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       chatty=True, connectionchatty=True,
b7e076
+                                       sni_name=hostname)
b7e076
             self.assertIs(stats['client_npn_protocol'], None)
b7e076
 
b7e076
         @unittest.skipUnless(ssl.HAS_NPN, "NPN support needed for this test")
b7e076
@@ -3430,12 +3423,11 @@ if _have_threads:
b7e076
                 self.assertEqual(server_result, expected, msg % (server_result, "server"))
b7e076
 
b7e076
         def sni_contexts(self):
b7e076
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
+            server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
b7e076
             server_context.load_cert_chain(SIGNED_CERTFILE)
b7e076
-            other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
+            other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
b7e076
             other_context.load_cert_chain(SIGNED_CERTFILE2)
b7e076
-            client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            client_context.verify_mode = ssl.CERT_REQUIRED
b7e076
+            client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
b7e076
             client_context.load_verify_locations(SIGNING_CA)
b7e076
             return server_context, other_context, client_context
b7e076
 
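Review bot: Switching the client in `sni_contexts` to `ssl.PROTOCOL_TLS_CLIENT` turns on hostname verification (check_hostname=True) in addition to restoring the `CERT_REQUIRED` default that the removed line set explicitly, so every caller must now either pass a matching server_hostname or clear check_hostname; only the caller in the following hunk is adjusted in this patch, and any other callers are outside it. A docstring on `sni_contexts`, stating that the returned client context verifies both the certificate chain and the hostname, would make the new contract visible to those callers.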
b7e076
@@ -3448,6 +3440,8 @@ if _have_threads:
b7e076
             calls = []
b7e076
             server_context, other_context, client_context = self.sni_contexts()
b7e076
 
b7e076
+            client_context.check_hostname = False
b7e076
+
b7e076
             def servername_cb(ssl_sock, server_name, initial_context):
b7e076
                 calls.append((server_name, initial_context))
b7e076
                 if server_name is not None:
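Review bot: The inserted `client_context.check_hostname = False` carries no explanation, and the body that depends on it runs past the end of the hunk. Presumably the server names this test sends do not match the certificate's names, so the line exists to keep the test focused on the SNI callback rather than on hostname verification; if so, say it: `# server names sent below don't match the cert; only the SNI callback is under test`.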
b7e076
@@ -3533,11 +3527,7 @@ if _have_threads:
b7e076
             self.assertIn("TypeError", stderr.getvalue())
b7e076
 
b7e076
         def test_shared_ciphers(self):
b7e076
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            server_context.load_cert_chain(SIGNED_CERTFILE)
b7e076
-            client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            client_context.verify_mode = ssl.CERT_REQUIRED
b7e076
-            client_context.load_verify_locations(SIGNING_CA)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
             if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
b7e076
                 client_context.set_ciphers("AES128:AES256")
b7e076
                 server_context.set_ciphers("AES256")
b7e076
@@ -3555,7 +3545,8 @@ if _have_threads:
b7e076
                 # TLS 1.3 ciphers are always enabled
b7e076
                 expected_algs.extend(["TLS_CHACHA20", "TLS_AES"])
b7e076
 
b7e076
-            stats = server_params_test(client_context, server_context)
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       sni_name=hostname)
b7e076
             ciphers = stats['server_shared_ciphers'][0]
b7e076
             self.assertGreater(len(ciphers), 0)
b7e076
             for name, tls_version, bits in ciphers:
b7e076
@@ -3595,14 +3586,13 @@ if _have_threads:
b7e076
                         self.assertEqual(s.recv(1024), TEST_DATA)
b7e076
 
b7e076
         def test_session(self):
b7e076
-            server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            server_context.load_cert_chain(SIGNED_CERTFILE)
b7e076
-            client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b7e076
-            client_context.verify_mode = ssl.CERT_REQUIRED
b7e076
-            client_context.load_verify_locations(SIGNING_CA)
b7e076
+            client_context, server_context, hostname = testing_context()
b7e076
+            # TODO: sessions aren't compatible with TLSv1.3 yet
b7e076
+            client_context.options |= ssl.OP_NO_TLSv1_3
b7e076
 
b7e076
             # first connection without session
b7e076
-            stats = server_params_test(client_context, server_context)
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       sni_name=hostname)
b7e076
             session = stats['session']
b7e076
             self.assertTrue(session.id)
b7e076
             self.assertGreater(session.time, 0)
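Review bot: The comment `# TODO: sessions aren't compatible with TLSv1.3 yet` says what is disabled but not why, which is exactly what a future reader removing the TODO needs. In TLS 1.3 the ticket is delivered in a post-handshake NewSessionTicket message, so a session object read immediately after the handshake, as `stats['session']` is here, may not yet be resumable, and the id/timeout/reuse assertions below assume a TLS 1.2-style session. Suggest `# TLS 1.3 sends session tickets after the handshake, so the session captured right after connect() isn't resumable yet; pin to <= TLS 1.2`. test_session continues past the end of the hunk.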
b7e076
@@ -3616,7 +3606,8 @@ if _have_threads:
b7e076
             self.assertEqual(sess_stat['hits'], 0)
b7e076
 
b7e076
             # reuse session
b7e076
-            stats = server_params_test(client_context, server_context, session=session)
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       session=session, sni_name=hostname)
b7e076
             sess_stat = server_context.session_stats()
b7e076
             self.assertEqual(sess_stat['accept'], 2)
b7e076
             self.assertEqual(sess_stat['hits'], 1)
b7e076
@@ -3629,7 +3620,8 @@ if _have_threads:
b7e076
             self.assertGreaterEqual(session2.timeout, session.timeout)
b7e076
 
b7e076
             # another one without session
b7e076
-            stats = server_params_test(client_context, server_context)
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       sni_name=hostname)
b7e076
             self.assertFalse(stats['session_reused'])
b7e076
             session3 = stats['session']
b7e076
             self.assertNotEqual(session3.id, session.id)
b7e076
@@ -3639,7 +3631,8 @@ if _have_threads:
b7e076
             self.assertEqual(sess_stat['hits'], 1)
b7e076
 
b7e076
             # reuse session again
b7e076
-            stats = server_params_test(client_context, server_context, session=session)
b7e076
+            stats = server_params_test(client_context, server_context,
b7e076
+                                       session=session, sni_name=hostname)
b7e076
             self.assertTrue(stats['session_reused'])
b7e076
             session4 = stats['session']
b7e076
             self.assertEqual(session4.id, session.id)
b7e076
-- 
b7e076
2.21.0
b7e076
b7e076
b7e076
From 743c3e09b485092b51a982ab9859ffc79cbb7791 Mon Sep 17 00:00:00 2001
b7e076
From: Charalampos Stratakis <cstratak@redhat.com>
b7e076
Date: Wed, 27 Nov 2019 00:01:17 +0100
b7e076
Subject: [PATCH 4/5] Adjust some tests for TLS 1.3 compatibility
b7e076
b7e076
Partially backports some changes from 529525fb5a8fd9b96ab4021311a598c77588b918
b7e076
and 2614ed4c6e4b32eafb683f2378ed20e87d42976d
b7e076
---
b7e076
 Lib/test/test_ssl.py | 17 ++++++++++++++---
b7e076
 1 file changed, 14 insertions(+), 3 deletions(-)
b7e076
b7e076
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
b7e076
index a7bf2f7..43c2dbc 100644
b7e076
--- a/Lib/test/test_ssl.py
b7e076
+++ b/Lib/test/test_ssl.py
b7e076
@@ -3189,7 +3189,12 @@ if _have_threads:
b7e076
                 with context.wrap_socket(socket.socket()) as s:
b7e076
                     self.assertIs(s.version(), None)
b7e076
                     s.connect((HOST, server.port))
b7e076
-                    self.assertEqual(s.version(), 'TLSv1')
b7e076
+                    if IS_OPENSSL_1_1:
b7e076
+                        self.assertEqual(s.version(), 'TLSv1.3')
b7e076
+                    elif ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
b7e076
+                        self.assertEqual(s.version(), 'TLSv1.2')
b7e076
+                    else:  # 0.9.8 to 1.0.1
b7e076
+                        self.assertIn(s.version(), ('TLSv1', 'TLSv1.2'))
b7e076
                 self.assertIs(s.version(), None)
b7e076
 
b7e076
         @unittest.skipUnless(ssl.HAS_TLSv1_3,
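Review bot: `if IS_OPENSSL_1_1:` asserts `'TLSv1.3'`, but IS_OPENSSL_1_1 is true for any OpenSSL >= 1.1.0 (see the @@ -39 hunk of the next patch) while TLS 1.3 only arrived in 1.1.1; on 1.1.0 the handshake completes with TLSv1.2 and this branch fails. The file already has the right predicate, since the decorator two lines below uses `ssl.HAS_TLSv1_3`, so the branch should read `if ssl.HAS_TLSv1_3:` with the existing `elif` covering the rest. Note that a build whose runtime configuration disables TLS 1.3 would still reach this branch and fail, which may be acceptable for a test but is worth a comment. The enclosing test method starts above the hunk.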
b7e076
@@ -3259,7 +3264,10 @@ if _have_threads:
b7e076
 
b7e076
                 # check if it is sane
b7e076
                 self.assertIsNotNone(cb_data)
b7e076
-                self.assertEqual(len(cb_data), 12) # True for TLSv1
b7e076
+                if s.version() == 'TLSv1.3':
b7e076
+                    self.assertEqual(len(cb_data), 48)
b7e076
+                else:
b7e076
+                    self.assertEqual(len(cb_data), 12)  # True for TLSv1
b7e076
 
b7e076
                 # and compare with the peers version
b7e076
                 s.write(b"CB tls-unique\n")
b7e076
@@ -3283,7 +3291,10 @@ if _have_threads:
b7e076
                 # is it really unique
b7e076
                 self.assertNotEqual(cb_data, new_cb_data)
b7e076
                 self.assertIsNotNone(cb_data)
b7e076
-                self.assertEqual(len(cb_data), 12) # True for TLSv1
b7e076
+                if s.version() == 'TLSv1.3':
b7e076
+                     self.assertEqual(len(cb_data), 48)
b7e076
+                else:
b7e076
+                     self.assertEqual(len(cb_data), 12) # True for TLSv1
b7e076
                 s.write(b"CB tls-unique\n")
b7e076
                 peer_data_repr = s.read().strip()
b7e076
                 self.assertEqual(peer_data_repr,
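Review bot: The two `self.assertEqual` lines under the new `if`/`else` are indented 21 spaces, one deeper than the block bodies elsewhere in this file and than the matching hunk at @@ -3259; Python accepts it, but it reads as a stray space. Re-indent both to the 20-column body used above, and give the trailing `# True for TLSv1` comment two spaces before it as the earlier hunk does. The enclosing test method starts above the hunk.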
b7e076
-- 
b7e076
2.21.0
b7e076
b7e076
b7e076
From cd250c8a782f36c7a6f5ffabc922cb75744fa9c0 Mon Sep 17 00:00:00 2001
b7e076
From: Charalampos Stratakis <cstratak@redhat.com>
b7e076
Date: Tue, 26 Nov 2019 23:18:10 +0100
b7e076
Subject: [PATCH 5/5] Skip the ssl tests that rely on TLSv1 and TLSv1.1
b7e076
 availability
b7e076
b7e076
---
b7e076
 Lib/test/test_ssl.py | 32 +++++++++++++++++++++++---------
b7e076
 1 file changed, 23 insertions(+), 9 deletions(-)
b7e076
b7e076
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
b7e076
index 43c2dbc..b35db25 100644
b7e076
--- a/Lib/test/test_ssl.py
b7e076
+++ b/Lib/test/test_ssl.py
b7e076
@@ -39,6 +39,13 @@ IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
b7e076
 IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
b7e076
 PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
b7e076
 
b7e076
+# On RHEL8 openssl disables TLSv1 and TLSv1.1 on runtime.
b7e076
+# Since we don't have a good way to detect runtime changes
b7e076
+# on the allowed protocols, we hardcode the default config
b7e076
+# with those flags.
b7e076
+TLSv1_enabled = False
b7e076
+TLSv1_1_enabled = False
b7e076
+
b7e076
 def data_file(*name):
b7e076
     return os.path.join(os.path.dirname(__file__), *name)
b7e076
 
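Review bot: `TLSv1_enabled` and `TLSv1_1_enabled` are module-level constants but break the UPPER_SNAKE_CASE convention visible two lines above (`IS_LIBRESSL`, `IS_OPENSSL_1_1`, `PY_SSL_DEFAULT_CIPHERS`); `TLSV1_ENABLED` / `TLSV1_1_ENABLED` would match their neighbours. More substantively, hard-coding both to False means every guarded TLSv1/TLSv1.1 combination is skipped on every platform, not only on RHEL 8, and the tests that lose those combinations still report success. The comment should state that plainly, e.g. `# Hard-coded: these are not detected at runtime, so the guarded TLSv1/1.1 checks are never exercised by this build`, so nobody reads the flags as probed values.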
b7e076
@@ -2380,7 +2387,8 @@ if _have_threads:
b7e076
             if support.verbose:
b7e076
                 sys.stdout.write("\n")
b7e076
             for protocol in PROTOCOLS:
b7e076
-                if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
b7e076
+                if protocol in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER,
b7e076
+                                ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1}:
b7e076
                     continue
b7e076
                 with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):
b7e076
                     context = ssl.SSLContext(protocol)
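Review bot: The loop now skips `ssl.PROTOCOL_TLSv1` and `ssl.PROTOCOL_TLSv1_1` unconditionally, while the rest of this patch gates the same protocols on the `TLSv1_enabled` / `TLSv1_1_enabled` flags introduced in the @@ -39 hunk; if those flags are ever flipped to True this subtest still will not cover them. Build the skip set from the flags instead, e.g. `skip = {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}` followed by `if not TLSv1_enabled: skip.add(ssl.PROTOCOL_TLSv1)` (and likewise for TLSv1_1), then `if protocol in skip: continue`. The enclosing test method starts above the hunk.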
b7e076
@@ -2650,17 +2658,20 @@ if _have_threads:
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
b7e076
                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
b7e076
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
b7e076
-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
b7e076
+            if TLSv1_enabled:
b7e076
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
b7e076
 
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
b7e076
                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
b7e076
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
b7e076
-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
b7e076
+            if TLSv1_enabled:
b7e076
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
b7e076
 
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
b7e076
                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
b7e076
             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
b7e076
-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
b7e076
+            if TLSv1_enabled:
b7e076
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
b7e076
 
b7e076
             # Server with specific SSL options
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
b7e076
@@ -2698,9 +2709,10 @@ if _have_threads:
b7e076
             """Connecting to a TLSv1 server with various client options"""
b7e076
             if support.verbose:
b7e076
                 sys.stdout.write("\n")
b7e076
-            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
b7e076
-            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
b7e076
-            try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
b7e076
+            if TLSv1_enabled:
b7e076
+                try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
b7e076
+                try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
b7e076
+                try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv2'):
b7e076
                 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
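Review bot: With `TLSv1_enabled` False the whole positive half of this test body is skipped silently, so the method passes while its docstring `"""Connecting to a TLSv1 server with various client options"""` no longer describes what ran; the negative combos below still execute, so a `self.skipTest` is not an option. Emit a marker in verbose mode instead, e.g. `else: sys.stdout.write(" TLSv1 disabled by build config, positive combos skipped\n")` mirroring the `sys.stdout.write("\n")` above, and amend the docstring to say the positive checks depend on TLSv1_enabled. The same silent skip applies to the @@ -2650, @@ -2716 and @@ -2724 hunks. The enclosing test method starts above the hunk.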
b7e076
@@ -2716,7 +2728,8 @@ if _have_threads:
b7e076
                Testing against older TLS versions."""
b7e076
             if support.verbose:
b7e076
                 sys.stdout.write("\n")
b7e076
-            try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
b7e076
+            if TLSv1_1_enabled:
b7e076
+                try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv2'):
b7e076
                 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
b7e076
             if hasattr(ssl, 'PROTOCOL_SSLv3'):
b7e076
@@ -2724,7 +2737,8 @@ if _have_threads:
b7e076
             try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
b7e076
                                client_options=ssl.OP_NO_TLSv1_1)
b7e076
 
b7e076
-            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
b7e076
+            if TLSv1_1_enabled:
b7e076
+                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
b7e076
             try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
b7e076
             try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
b7e076
 
b7e076
-- 
b7e076
2.21.0
b7e076