Bug 2494735
| Summary: | ssl.PROTOCOL_TLSv1_2 no longer available | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mads Kiilerich <mads> |
| Component: | python3.15 | Assignee: | Python Maintainers <python-maint> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 45 | CC: | dbelyavs, ksurma, mads, mhroncok, python-maint, python-packagers-sig, vstinner |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-06-30 20:39:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2402319 | ||
This seems to be caused by https://fedoraproject.org/wiki/Changes/OpenSSL40 On Fedora 43 with python3.15-3.15.0~b3-1.fc43: $ python3.15 -c 'import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)' OpenSSL 3.5.7 9 Jun 2026 5 On rawhide with python3.15-3.15.0~b3-1.fc45: $ python3.15 -c 'import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)' OpenSSL 4.0.1 9 Jun 2026 Traceback (most recent call last): File "<string>", line 1, in <module> import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2) ^^^^^^^^^^^^^^^^^^^^ AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_2'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1_2'? https://openssl-library.org/post/2026-04-14-openssl-40-final-release/ does not seem to indicate TLS 1.2 support was removed, so perhaps something is wrong :/ https://github.com/python/cpython/commit/3364e7e62fa24d0e19133fb0f90b1c24ef1110c5 says: OpenSSL 4.0.0 alpha1 no longer defines the symbols: SSLv3_method TLSv1_method TLSv1_1_method TLSv1_2_method I'll check if this is still the case. Trying to revert that leads to: undefined symbol: TLSv1_2_method, which indeed seems to have been removed from OpenSSL 4. Hi.
> ssl.PROTOCOL_TLSv1_2 are no longer available, despite still being mentioned in the help:
Ah right, there are still references to ssl.PROTOCOL_TLSv1_2 and other removed protocols in Lib/ssl.py. Well, don't trust the documentation on this point, the doc is outdated :-)
When Python 3.15 is built with OpenSSL 4, protocols older than TLSv1.3 are removed.
OpenSSL 4 removed multiple deprecated legacy protocols: SSLv3_method(), TLSv1_method(), TLSv1_1_method() and TLSv1_2_method() are documented in removed APIs (doc/man7/ossl-removed-api.pod). These removals are confirmed by the porting guide (doc/man7/ossl-guide-migration.pod in the "Removal of fixed (D)TLS version method functions" section).
ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER should now be used instead.
Ok, thanks. The drop of TLS 1.2 support came as a surprise to me, and it was not trivial to diagnose when pydoc and https://docs.python.org/3.15/library/ssl.html also still doesn't mention these OpenSSL 4.0 changes. So the change is intentional, and now I know what is going on and can work around it. The only problem is the outdated documentation and the problems it might cause others. I don't know if that is worth tracking here. FWIW, Mercurial will need some related changes. BTW We see this in python-urllib3 as well:
+ /usr/bin/pytest -v -rs -k 'not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])'
ImportError while loading conftest '/builddir/build/BUILD/python-urllib3-2.7.0-build/urllib3-2.7.0/test/conftest.py'.
test/__init__.py:42: in <module>
import urllib3.contrib.pyopenssl as pyopenssl
../BUILDROOT/usr/lib/python3.15/site-packages/urllib3/contrib/pyopenssl.py:72: in <module>
ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
^^^^^^^^^^^^^^^^^^
E AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1'?
|
ssl.PROTOCOL_TLSv1_2 are no longer available, despite still being mentioned in the help: Reproducible: Always Actual Results: With python3-3.15.0~b3-1.fc45.x86_64: # python3.15 -c 'import ssl; print(ssl.PROTOCOL_TLSv1_2)' Traceback (most recent call last): File "<string>", line 1, in <module> import ssl; print(ssl.PROTOCOL_TLSv1_2) ^^^^^^^^^^^^^^^^^^^^ AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_2'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1_2'? # pydoc3.15 ssl | grep PROTOCOL_TLSv1_2 PROTOCOL_TLSv1_2 # Expected Results: With python3.15-3.15.0~b3-1.fc44.x86_64: mk@lone:~/hg$ python3.15 -c 'import ssl; print(ssl.PROTOCOL_TLSv1_2)' 5 Additional Information: For some reason _ssl no longer has this ... but it has PROTO_TLSv1_2