Temporarily (!) disable TLS v1.3 in our test suite

It's currently a mess because of how openssl v1.1.1 handles session tickets. There isn't consensus yet about whether this is an openssl bug or what: python-trio#819 openssl/openssl#7948 openssl/openssl#7967
njsmith · Jan 7, 2019 · b1ebbef · b1ebbef
1 parent e5927e9
commit b1ebbef
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/trio/tests/test_ssl.py b/trio/tests/test_ssl.py
@@ -57,6 +57,14 @@
 CLIENT_CTX = stdlib_ssl.create_default_context()
 TRIO_TEST_CA.configure_trust(CLIENT_CTX)
 
+# Temporarily disable TLSv1.3, until the issue with openssl's session
+# ticket handling is sorted out one way or another:
+#     https://github.com/python-trio/trio/issues/819
+#     https://github.com/openssl/openssl/issues/7948
+#     https://github.com/openssl/openssl/issues/7967
+if hasattr(stdlib_ssl, "OP_NO_TLSv1_3"):
+    CLIENT_CTX.options |= stdlib_ssl.OP_NO_TLSv1_3
+
 
 # The blocking socket server.
 def ssl_echo_serve_sync(sock, *, expect_fail=False):
@@ -142,7 +150,7 @@ def __init__(self, sleeper=None):
         # TLSv1_2_METHOD.
         #
         # Discussion: https://github.com/pyca/pyopenssl/issues/624
-        if hasattr(SSL, "OP_NO_TLSv1_3"):  # pragma: no cover
+        if hasattr(SSL, "OP_NO_TLSv1_3"):
             ctx.set_options(SSL.OP_NO_TLSv1_3)
         # Unfortunately there's currently no way to say "use 1.3 or worse", we
         # can only disable specific versions. And if the two sides start