-
Type: Bug
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: None
-
None
The version of OpenSSL bundled with Python 2.6.6 (the last version binary Windows installers exist for) appears to be 0.9.8l. There is no way to tell from the ssl module itself in Python 2.6, but a note in the changelog mentions that version.
https://hg.python.org/cpython/raw-file/v2.6.9/Misc/NEWS
Attempting to test with requests fails with "tlsv1 alert protocol version":
./Python26/python -c "import requests; print(requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version'])" C:\python\Python26\lib\site-packages\urllib3\util\ssl_.py:339: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings SNIMissingWarning C:\python\Python26\lib\site-packages\urllib3\util\ssl_.py:137: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecurePlatformWarning Traceback (most recent call last): File "<string>", line 1, in <module> File "C:\python\Python26\lib\site-packages\requests\api.py", line 72, in get return request('get', url, params=params, **kwargs) File "C:\python\Python26\lib\site-packages\requests\api.py", line 58, in request return session.request(method=method, url=url, **kwargs) File "C:\python\Python26\lib\site-packages\requests\sessions.py", line 508, in request resp = self.send(prep, **send_kwargs) File "C:\python\Python26\lib\site-packages\requests\sessions.py", line 618, in send r = adapter.send(request, **kwargs) File "C:\python\Python26\lib\site-packages\requests\adapters.py", line 506, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='www.howsmyssl.com', port=443): Max retries exceeded with url: /a/check (Caused by SSLError(SSLError(1, '_ssl.c:490: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version'),))
The reason the failures have started with MongoDB 4.0 is that version disabled TLS 1.0 by default. OpenSSL didn't add support for TLS 1.1+ until version 1.0.1.
We have two options:
1. Don't test the combination of Python 2.6, TLS, Windows, and MongoDB 4.0+
2. Explicitly re-enable TLS 1.0 using the enableInsecureTLS1_0 command line option on MongoDB 4.0+