Bug 2494735

Summary: ssl.PROTOCOL_TLSv1_2 no longer available
Product: [Fedora] Fedora
Reporter: Mads Kiilerich <mads>
Component: python3.15
Assignee: Python Maintainers <python-maint>
Status: CLOSED UPSTREAM
Severity: high
Priority: unspecified
Version: 45
CC: dbelyavs, ksurma, mads, mhroncok, python-maint, python-packagers-sig, vstinner
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Linux
Last Closed: 2026-06-30 20:39:50 UTC
Bug Blocks: 2402319    

Description Mads Kiilerich 2026-06-29 22:30:51 UTC
ssl.PROTOCOL_TLSv1_2 is no longer available, despite still being mentioned in the help:



Reproducible: Always

Actual Results:
With python3-3.15.0~b3-1.fc45.x86_64:
# python3.15 -c 'import ssl; print(ssl.PROTOCOL_TLSv1_2)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
    import ssl; print(ssl.PROTOCOL_TLSv1_2)
                      ^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_2'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1_2'?
# pydoc3.15 ssl | grep PROTOCOL_TLSv1_2
    PROTOCOL_TLSv1_2
#




Expected Results:
With python3.15-3.15.0~b3-1.fc44.x86_64:

mk@lone:~/hg$ python3.15 -c 'import ssl; print(ssl.PROTOCOL_TLSv1_2)'
5



Additional Information:
For some reason _ssl no longer has this ... but it has PROTO_TLSv1_2

Comment 1 Miro Hrončok 2026-06-30 09:46:25 UTC
This seems to be caused by https://fedoraproject.org/wiki/Changes/OpenSSL40


On Fedora 43 with python3.15-3.15.0~b3-1.fc43:

$ python3.15 -c 'import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)'
OpenSSL 3.5.7 9 Jun 2026
5


On rawhide with python3.15-3.15.0~b3-1.fc45:


$ python3.15 -c 'import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)'
OpenSSL 4.0.1 9 Jun 2026
Traceback (most recent call last):
  File "<string>", line 1, in <module>
    import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)
                                                  ^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_2'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1_2'?

Comment 2 Miro Hrončok 2026-06-30 09:56:24 UTC
https://openssl-library.org/post/2026-04-14-openssl-40-final-release/ does not seem to indicate TLS 1.2 support was removed, so perhaps something is wrong :/

Comment 3 Miro Hrončok 2026-06-30 10:00:28 UTC
https://github.com/python/cpython/commit/3364e7e62fa24d0e19133fb0f90b1c24ef1110c5 says:

OpenSSL 4.0.0 alpha1 no longer defines the symbols:

    SSLv3_method
    TLSv1_method
    TLSv1_1_method
    TLSv1_2_method


I'll check if this is still the case.

Comment 4 Miro Hrončok 2026-06-30 14:05:32 UTC
Trying to revert that leads to: undefined symbol: TLSv1_2_method, which indeed seems to have been removed from OpenSSL 4.

Comment 5 Victor Stinner 2026-06-30 16:14:17 UTC
Hi.

> ssl.PROTOCOL_TLSv1_2 is no longer available, despite still being mentioned in the help:

Ah right, there are still references to ssl.PROTOCOL_TLSv1_2 and other removed protocols in Lib/ssl.py. Well, don't trust the documentation on this point, the doc is outdated :-)

When Python 3.15 is built with OpenSSL 4, protocols older than TLSv1.3 are removed.

OpenSSL 4 removed multiple deprecated legacy protocols: SSLv3_method(), TLSv1_method(), TLSv1_1_method() and TLSv1_2_method() are documented in removed APIs (doc/man7/ossl-removed-api.pod). These removals are confirmed by the porting guide (doc/man7/ossl-guide-migration.pod in the "Removal of fixed (D)TLS version method functions" section).

ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER should now be used instead.

Comment 6 Mads Kiilerich 2026-06-30 19:09:03 UTC
Ok, thanks. The drop of TLS 1.2 support came as a surprise to me, and it was not trivial to diagnose when pydoc and https://docs.python.org/3.15/library/ssl.html also still don't mention these OpenSSL 4.0 changes.

So the change is intentional, and now I know what is going on and can work around it. The only problem is the outdated documentation and the problems it might cause others. I don't know if that is worth tracking here.

FWIW, Mercurial will need some related changes.

Comment 7 Miro Hrončok 2026-06-30 20:39:50 UTC
I opened https://github.com/python/cpython/issues/152709

Comment 8 Miro Hrončok 2026-07-01 12:41:32 UTC
BTW We see this in python-urllib3 as well:

+ /usr/bin/pytest -v -rs -k 'not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])'
ImportError while loading conftest '/builddir/build/BUILD/python-urllib3-2.7.0-build/urllib3-2.7.0/test/conftest.py'.
test/__init__.py:42: in <module>
    import urllib3.contrib.pyopenssl as pyopenssl
../BUILDROOT/usr/lib/python3.15/site-packages/urllib3/contrib/pyopenssl.py:72: in <module>
    ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
    ^^^^^^^^^^^^^^^^^^
E   AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1'?
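
Added example (not code from CPython, urllib3 or anyone in this bug): one way to port code that pinned a version with a fixed PROTOCOL_* constant to ssl.PROTOCOL_TLS_CLIENT as Comment 5 suggests, plus a lookup that tolerates the missing constants behind the import error in Comment 8. The function names and the LEGACY_TO_VERSION table are hypothetical; it assumes ssl.TLSVersion.TLSv1_2 exists in the build, which matches the description's note that _ssl still has PROTO_TLSv1_2.

```python
import ssl

# Hypothetical table: legacy fixed-version constant name -> ssl.TLSVersion member name.
LEGACY_TO_VERSION = {
    "PROTOCOL_TLSv1": "TLSv1",
    "PROTOCOL_TLSv1_1": "TLSv1_1",
    "PROTOCOL_TLSv1_2": "TLSv1_2",
}


def legacy_protocol_map():
    """Map the legacy constants this build still exposes to TLSVersion members.

    getattr() with a default keeps the module importable when a constant is
    absent, unlike a dict literal keyed directly on ssl.PROTOCOL_TLSv1.
    """
    found = {}
    for const_name, version_name in LEGACY_TO_VERSION.items():
        const = getattr(ssl, const_name, None)
        if const is not None:
            found[const] = ssl.TLSVersion[version_name]
    return found


def client_context(min_version="TLSv1_2", max_version=None):
    """Client context with a version floor and an optional ceiling."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking,
    # which the fixed-version constants did not do by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion[min_version]
    if max_version is not None:
        ctx.maximum_version = ssl.TLSVersion[max_version]
    return ctx


def port_legacy(const_name):
    """Client-side stand-in for ssl.SSLContext(ssl.<const_name>): pin one version."""
    version = LEGACY_TO_VERSION[const_name]
    return client_context(min_version=version, max_version=version)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("legacy constants present:", sorted(c.name for c in legacy_protocol_map()))
    ctx = port_legacy("PROTOCOL_TLSv1_2")
    print(ctx.minimum_version.name, ctx.maximum_version.name, ctx.check_hostname)
```

Pinning the ceiling is only needed when the old code relied on exactly one version; for most clients `client_context()` with just the TLS 1.2 floor is the closer equivalent of current defaults.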