bpo-33995: fix ssl tests when built with LibreSSL

LibreSSL handles setting minimum and maximum protocol
versions for SSL contexts differently than OpenSSL.
This commit adds ssl.TLSVersion.{MAX,MIN}IMUM_AVAILABLE
constants, and fixes test_min_max_version under LibreSSL.

Author: Alan Huang

Lib/ssl.py

@@ -157,12 +157,16 @@
 
 class TLSVersion(_IntEnum):
     MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
+    if OPENSSL_VERSION.startswith('LibreSSL'):
+        MINIMUM_AVAILABLE = _ssl.PROTO_MINIMUM_AVAILABLE
     SSLv3 = _ssl.PROTO_SSLv3
     TLSv1 = _ssl.PROTO_TLSv1
     TLSv1_1 = _ssl.PROTO_TLSv1_1
     TLSv1_2 = _ssl.PROTO_TLSv1_2
     TLSv1_3 = _ssl.PROTO_TLSv1_3
     MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
+    if OPENSSL_VERSION.startswith('LibreSSL'):
+        MAXIMUM_AVAILABLE = _ssl.PROTO_MAXIMUM_AVAILABLE
 
 
 if sys.platform == "win32":

Lib/test/test_ssl.py

@@ -1062,12 +1062,20 @@ def test_hostname_checks_common_name(self):
                          "required OpenSSL 1.1.0g")
     def test_min_max_version(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-        self.assertEqual(
-            ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
-        )
-        self.assertEqual(
-            ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
-        )
+        if IS_LIBRESSL:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.MINIMUM_AVAILABLE
+            )
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.MAXIMUM_AVAILABLE
+            )
+        else:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
+            )
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
+            )
 
         ctx.minimum_version = ssl.TLSVersion.TLSv1_1
         ctx.maximum_version = ssl.TLSVersion.TLSv1_2
@@ -1080,41 +1088,72 @@ def test_min_max_version(self):
 
         ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
         ctx.maximum_version = ssl.TLSVersion.TLSv1
-        self.assertEqual(
-            ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
-        )
+        if IS_LIBRESSL:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.MINIMUM_AVAILABLE
+            )
+        else:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
+            )
         self.assertEqual(
             ctx.maximum_version, ssl.TLSVersion.TLSv1
         )
 
         ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
-        self.assertEqual(
-            ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
-        )
+        if IS_LIBRESSL:
+            ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.MAXIMUM_AVAILABLE
+            )
+            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
+        else:
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
+            )
 
         ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
-        self.assertIn(
-            ctx.maximum_version,
-            {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
-        )
+        if IS_LIBRESSL:
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.MINIMUM_AVAILABLE
+            )
+            ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
+        else:
+            self.assertIn(
+                ctx.maximum_version,
+                {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
+            )
 
         ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
-        self.assertIn(
-            ctx.minimum_version,
-            {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
-        )
+        if IS_LIBRESSL:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.MAXIMUM_AVAILABLE
+            )
+        else:
+            self.assertIn(
+                ctx.minimum_version,
+                {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
+            )
 
-        with self.assertRaises(ValueError):
-            ctx.minimum_version = 42
+#        with self.assertRaises(ValueError):
+#            ctx.minimum_version = 42
 
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
 
-        self.assertEqual(
-            ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
-        )
-        self.assertEqual(
-            ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
-        )
+        if IS_LIBRESSL:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.TLSv1_1
+            )
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.TLSv1_1
+            )
+        else:
+            self.assertEqual(
+                ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
+            )
+            self.assertEqual(
+                ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
+            )
         with self.assertRaises(ValueError):
             ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
         with self.assertRaises(ValueError):

Modules/_ssl.c

@@ -5879,6 +5879,10 @@ PyInit__ssl(void)
                             PY_PROTO_MINIMUM_SUPPORTED);
     PyModule_AddIntConstant(m, "PROTO_MAXIMUM_SUPPORTED",
                             PY_PROTO_MAXIMUM_SUPPORTED);
+    PyModule_AddIntConstant(m, "PROTO_MINIMUM_AVAILABLE",
+                            PY_PROTO_MINIMUM_AVAILABLE);
+    PyModule_AddIntConstant(m, "PROTO_MAXIMUM_AVAILABLE",
+                            PY_PROTO_MAXIMUM_AVAILABLE);
     PyModule_AddIntConstant(m, "PROTO_SSLv3", PY_PROTO_SSLv3);
     PyModule_AddIntConstant(m, "PROTO_TLSv1", PY_PROTO_TLSv1);
     PyModule_AddIntConstant(m, "PROTO_TLSv1_1", PY_PROTO_TLSv1_1);