Description
Bug report
Bug description:
The test_min_max_version test in test_ssl.py fails on systems where OpenSSL is compiled with no-tls1 and no-tls1_1 options. TLS 1.0 and 1.1 have been deprecated by the IETF since 2021. Disabling TLS v1 and v1.1 is a legitimate configuration used for security-hardened builds.
The following assertion in test_min_max_version expects ctx.maximum_version to be in the set {TLSv1, TLSv1_1, SSLv3} when set to MINIMUM_SUPPORTED. However, on systems where v1.0 and v1.1 are disabled, OpenSSL picks the next available lowest version, which is TLS v1.2.

    ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    self.assertIn(
        ctx.maximum_version,
        {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.SSLv3}
    )

I was able to fix the test by adding ssl.TLSVersion.TLSv1_2 to the set. I can submit a pull request adding this option to the set if that's the best solution, but I'm also happy to discuss alternatives.
CPython versions tested on:
3.14
Operating systems tested on:
Linux
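
To see which case a given interpreter falls into, the following added example (not part of the original report and not CPython's own test code) reads back what MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED resolve to, using the same set-then-read pattern as the assertion quoted above. The function names and the "hardened" label are assumptions made for illustration.

```python
import ssl

# Placeholder enum values; a read-back that still equals one of these
# has not been resolved to a concrete protocol version.
MAGIC = {ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED}


def resolved_floor():
    """Concrete version MINIMUM_SUPPORTED maps to when used as the maximum."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx.maximum_version


def resolved_ceiling():
    """Concrete version MAXIMUM_SUPPORTED maps to when used as the minimum."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx.minimum_version


def legacy_versions_compiled_in():
    """Names of pre-TLS-1.2 protocols the ssl module reports as available."""
    flags = {
        "SSLv3": ssl.HAS_SSLv3,
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1_1": ssl.HAS_TLSv1_1,
    }
    return sorted(name for name, present in flags.items() if present)


def audit():
    """Summarise the TLS version range of the linked TLS library."""
    floor = resolved_floor()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "floor": floor.name,
        "ceiling": resolved_ceiling().name,
        "legacy_compiled_in": legacy_versions_compiled_in(),
        # True on builds like the one in the report (floor is TLS 1.2 or later).
        "hardened": floor >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a build configured with no-tls1 and no-tls1_1 as described in the report, the floor reads back as TLSv1_2, which is the value the quoted assertion does not accept.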