testssl | Example of how to do ssl with pgjdbc | TLS library

As suggested by Joy and alexrait, the problem was not specifying the SSL context. Evidently, android doesn't try the best ones by default. :(

So, I added the code here:

This was caused by mixing an old Python OpenSSL package with a modern OpenSSL native library. Both provided by Ubuntu 18.04. The fix was to update the Python OpenSSL package, using PIP instead of a system package.

Why this fails:

• The OpenSSL native library enables TLS 1.3 by default.
• The old Python OpenSSL package does not expose the constants needed to turn TLS 1.3 off.
• The modern Twisted checks the OpenSSL Python package, sees that it does not expose the constants needed to turn TLS 1.3 off, and wrongly assumes that the OpenSSL native library does not support TLS 1.3. It doesn't provide any warnings about this.

If you go to the documentation for SSL_CTX_get_ciphers it states:

SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and below)

and

This function does not impact TLSv1.3 ciphersuites. Use SSL_CTX_set_ciphersuites() to configure those.

So you need to go read the SSL_CTX_set_cipher_list API as the v1.3 cipher list is a lot different and much smaller than up to v1.2 cipher list.

I ended up adding my own self signed certificate to the project.

To generate the certificates I use the following openssl command :

My connection troubles seem to have been caused by some misconfiguration on my machine, as I was unable to reproduce the errors on other setups. So that settles the "how do I get this to work?"

In response to those three specific questions I answered.

1. The helpful folks on my grpc issue came to the conclusion that no, the mixing of TLS versions I mentioned is not a problem

2. I'm still not sure what is causing one client hello packet to be rejected and the other accepted, but again it seems to be something specific to my machine which is not a problem on fresh Windows server 2019 or windows 10 VMs I've created

3. Not sure about this one: I'm pretty sure that I'm setting that environment variable correctly but I'm not sure why openssl doesn't recognize that value. Also, I don't think GRPC_SSL_CIPHER_SUITES has any effect on windows

At the moment the max version of windows 10 is version 20H2(OS Build 19042.630). The TLS1.3 server works well only when TLS1.3 server is enabled in regedit. But TLS1.3 client does not work even TLS1.3 client is enabled in regedit. At the moment TLS1.3 client only works in Windows 10 Insider Preview Build 20170.

You could use SSL_CIPHER_find(), which

... returns a SSL_CIPHER structure which has the cipher ID stored in ptr. The ptr parameter is a two element array of char, which stores the two-byte TLS cipher ID (as allocated by IANA) in network byte order.

see https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_find.html

C Program

C code for your two examples could look like this:

If I understood that correctly now, you don't want to change the default sort order, except for the parametrized tests.
Here is a slightly more complicated adapted version that shall do this (I tried to add enough comments to explain it):

You can change the order of the items in the pytest_collection_modifyitems hook. If you put this in your conftest.py: