commit 8e836bb21ce73f0794fd769db5883c29680dfe47
author matthewhughes934 <34972397+matthewhughes934@users.noreply.github.com> Fri Jul 17 09:59:15 2020 +0100
committer GitHub <noreply@github.com> Fri Jul 17 01:59:15 2020 -0700
tree b19c7a0296b157bb6654f175ff608b61521a4910
parent 38d3864efe914fda64553e2ec75c9ec15574483f

bpo-41195: Add getter for Openssl security level (GH-21282)



Add an accessor under SSLContext.security_level as a wrapper around
SSL_CTX_get_security_level, see:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html


------
This is my first time contributing, so please pull me up on all the things I missed or did incorrectly.

Automerge-Triggered-By: @tiran

Lib/test/test_ssl.py

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index ecb6049..de778d3 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1270,6 +1270,25 @@
             ctx.maximum_version = ssl.TLSVersion.TLSv1
 
 
+    @unittest.skipUnless(
+        hasattr(ssl.SSLContext, 'security_level'),
+        "requires OpenSSL >= 1.1.0"
+    )
+    def test_security_level(self):
+        ctx = ssl.SSLContext()
+        # The default security callback allows for levels between 0-5
+        # with OpenSSL defaulting to 1, however some vendors override the
+        # default value (e.g. Debian defaults to 2)
+        security_level_range = {
+            0,
+            1, # OpenSSL default
+            2, # Debian
+            3,
+            4,
+            5,
+        }
+        self.assertIn(ctx.security_level, security_level_range)
+
     @unittest.skipUnless(have_verify_flags(),
                          "verify_flags need OpenSSL > 0.9.8")
     def test_verify_flags(self):