Bug 2494735 - ssl.PROTOCOL_TLSv1_2 no longer available
Summary: ssl.PROTOCOL_TLSv1_2 no longer available
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: python3.15
Version: 45
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Python Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2402319
TreeView+ depends on / blocked
 
Reported: 2026-06-29 22:30 UTC by Mads Kiilerich
Modified: 2026-07-01 12:41 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-06-30 20:39:50 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github python cpython issues 152709 0 None open Outdated ssl documentstion wrt changes in OpenSSL 4 2026-06-30 20:39:50 UTC

Description Mads Kiilerich 2026-06-29 22:30:51 UTC
ssl.PROTOCOL_TLSv1_2 are no longer available, despite still being mentioned in the help:



Reproducible: Always

Actual Results:
With python3-3.15.0~b3-1.fc45.x86_64:
# python3.15 -c 'import ssl; print(ssl.PROTOCOL_TLSv1_2)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
    import ssl; print(ssl.PROTOCOL_TLSv1_2)
                      ^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_2'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1_2'?
# pydoc3.15 ssl | grep PROTOCOL_TLSv1_2
    PROTOCOL_TLSv1_2
#




Expected Results:
With python3.15-3.15.0~b3-1.fc44.x86_64:

mk@lone:~/hg$ python3.15 -c 'import ssl; print(ssl.PROTOCOL_TLSv1_2)'
5



Additional Information:
For some reason _ssl no longer has this ... but it has PROTO_TLSv1_2

Comment 1 Miro Hrončok 2026-06-30 09:46:25 UTC
This seems to be caused by https://fedoraproject.org/wiki/Changes/OpenSSL40


On Fedora 43 with python3.15-3.15.0~b3-1.fc43:

$ python3.15 -c 'import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)'
OpenSSL 3.5.7 9 Jun 2026
5


On rawhide with python3.15-3.15.0~b3-1.fc45:


$ python3.15 -c 'import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)'
OpenSSL 4.0.1 9 Jun 2026
Traceback (most recent call last):
  File "<string>", line 1, in <module>
    import ssl; print(ssl.OPENSSL_VERSION); print(ssl.PROTOCOL_TLSv1_2)
                                                  ^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_2'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1_2'?

Comment 2 Miro Hrončok 2026-06-30 09:56:24 UTC
https://openssl-library.org/post/2026-04-14-openssl-40-final-release/ does not seem to indicate TLS 1.2 support was removed, so perhaps something is wrong :/

Comment 3 Miro Hrončok 2026-06-30 10:00:28 UTC
https://github.com/python/cpython/commit/3364e7e62fa24d0e19133fb0f90b1c24ef1110c5 says:

OpenSSL 4.0.0 alpha1 no longer defines the symbols:

    SSLv3_method
    TLSv1_method
    TLSv1_1_method
    TLSv1_2_method


I'll check if this is still the case.

Comment 4 Miro Hrončok 2026-06-30 14:05:32 UTC
Trying to revert that leads to: undefined symbol: TLSv1_2_method, which indeed seems to have been removed from OpenSSL 4.

Comment 5 Victor Stinner 2026-06-30 16:14:17 UTC
Hi.

> ssl.PROTOCOL_TLSv1_2 are no longer available, despite still being mentioned in the help:

Ah right, there are still references to ssl.PROTOCOL_TLSv1_2 and other removed protocols in Lib/ssl.py. Well, don't trust the documentation on this point, the doc is outdated :-)

When Python 3.15 is built with OpenSSL 4, protocols older than TLSv1.3 are removed.

OpenSSL 4 removed multiple deprecated legacy protocols: SSLv3_method(), TLSv1_method(), TLSv1_1_method() and TLSv1_2_method() are documented in removed APIs (doc/man7/ossl-removed-api.pod). These removals are confirmed by the porting guide (doc/man7/ossl-guide-migration.pod in the "Removal of fixed (D)TLS version method functions" section).

ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER should now be used instead.

Comment 6 Mads Kiilerich 2026-06-30 19:09:03 UTC
Ok, thanks. The drop of TLS 1.2 support came as a surprise to me, and it was not trivial to diagnose when pydoc and https://docs.python.org/3.15/library/ssl.html also still doesn't mention these OpenSSL 4.0 changes.

So the change is intentional, and now I know what is going on and can work around it. The only problem is the outdated documentation and the problems it might cause others. I don't know if that is worth tracking here.

FWIW, Mercurial will need some related changes.

Comment 7 Miro Hrončok 2026-06-30 20:39:50 UTC
I opened https://github.com/python/cpython/issues/152709

Comment 8 Miro Hrončok 2026-07-01 12:41:32 UTC
BTW We see this in python-urllib3 as well:

+ /usr/bin/pytest -v -rs -k 'not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])'
ImportError while loading conftest '/builddir/build/BUILD/python-urllib3-2.7.0-build/urllib3-2.7.0/test/conftest.py'.
test/__init__.py:42: in <module>
    import urllib3.contrib.pyopenssl as pyopenssl
../BUILDROOT/usr/lib/python3.15/site-packages/urllib3/contrib/pyopenssl.py:72: in <module>
    ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
    ^^^^^^^^^^^^^^^^^^
E   AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1'. Did you mean '.PROTOCOL_TLS' instead of '.PROTOCOL_TLSv1'?


Note You need to log in before you can comment on or make changes to this bug.