+@@ -1003,7 +991,7 @@
+ neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
+
+ # test PEM
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
+ ctx.load_verify_locations(cadata=cacert_pem)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
+@@ -1014,20 +1002,20 @@
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # combined
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ combined = "\n".join((cacert_pem, neuronio_pem))
+ ctx.load_verify_locations(cadata=combined)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # with junk around the certs
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ combined = ["head", cacert_pem, "other", neuronio_pem, "again",
+ neuronio_pem, "tail"]
+ ctx.load_verify_locations(cadata="\n".join(combined))
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # test DER
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ ctx.load_verify_locations(cadata=cacert_der)
+ ctx.load_verify_locations(cadata=neuronio_der)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+@@ -1036,13 +1024,13 @@
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # combined
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ combined = b"".join((cacert_der, neuronio_der))
+ ctx.load_verify_locations(cadata=combined)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # error cases
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
+
+ with self.assertRaisesRegexp(ssl.SSLError, "no start line"):
+@@ -1111,7 +1099,7 @@
+
+ @needs_sni
+ def test_sni_callback(self):
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+
+ # set_servername_callback expects a callable, or None
+ self.assertRaises(TypeError, ctx.set_servername_callback)
+@@ -1128,7 +1116,7 @@
+ def test_sni_callback_refcycle(self):
+ # Reference cycles through the servername callback are detected
+ # and cleared.
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ def dummycallback(sock, servername, ctx, cycle=ctx):
+ pass
+ ctx.set_servername_callback(dummycallback)
+@@ -1332,7 +1320,7 @@
+ assert_python_ok("-c", https_is_verified, **extra_env)
+
+ def test_check_hostname(self):
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ self.assertFalse(ctx.check_hostname)
+
+ # Requires CERT_REQUIRED or CERT_OPTIONAL
+@@ -2160,6 +2148,8 @@
+ if support.verbose:
+ sys.stdout.write("\n")
+ for protocol in PROTOCOLS:
++ if (protocol == ssl.PROTOCOL_TLSv1 or protocol == ssl.PROTOCOL_TLSv1_1):
++ continue
+ context = ssl.SSLContext(protocol)
+ context.load_cert_chain(CERTFILE)
+ server_params_test(context, context,
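Review bot: The new skip inside `for protocol in PROTOCOLS` reads `ssl.PROTOCOL_TLSv1_1` unconditionally, whereas the `test_protocol_tlsv1_1` removed later in this patch guarded the same name with `hasattr(ssl, "PROTOCOL_TLSv1_1")`. On a build where that constant is absent, the comparison would raise AttributeError instead of skipping. A tolerant form is `if protocol in (ssl.PROTOCOL_TLSv1, getattr(ssl, "PROTOCOL_TLSv1_1", None)): continue`. A short comment above it, e.g. `# TLS 1.0/1.1 are refused by the linked OpenSSL, so the echo test cannot run for them` (presumably the reason), would record why coverage of these protocols is dropped silently. The enclosing test method begins and ends outside the hunk.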
+@@ -2209,10 +2199,10 @@
+ if support.verbose:
+ sys.stdout.write("\n")
+
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.load_verify_locations(SIGNING_CA)
+ tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+@@ -2250,10 +2240,10 @@
+ if support.verbose:
+ sys.stdout.write("\n")
+
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = True
+ context.load_verify_locations(SIGNING_CA)
+@@ -2443,43 +2433,6 @@
+ False, client_options=ssl.OP_NO_SSLv2)
+
+ @skip_if_broken_ubuntu_ssl
+- def test_protocol_tlsv1(self):
+- """Connecting to a TLSv1 server with various client options"""
+- if support.verbose:
+- sys.stdout.write("\n")
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
+- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
+- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
+- client_options=ssl.OP_NO_TLSv1)
+-
+- @skip_if_broken_ubuntu_ssl
+- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
+- "TLS version 1.1 not supported.")
+- @skip_if_openssl_cnf_minprotocol_gt_tls1
+- def test_protocol_tlsv1_1(self):
+- """Connecting to a TLSv1.1 server with various client options.
+- Testing against older TLS versions."""
+- if support.verbose:
+- sys.stdout.write("\n")
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
+- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
+- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+- client_options=ssl.OP_NO_TLSv1_1)
+-
+- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
+-
+-
+- @skip_if_broken_ubuntu_ssl
+ @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
+ "TLS version 1.2 not supported.")
+ def test_protocol_tlsv1_2(self):
+@@ -2508,7 +2461,7 @@
+ msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
+
+ server = ThreadedEchoServer(CERTFILE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLS,
+ starttls_server=True,
+ chatty=True,
+ connectionchatty=True)
+@@ -2536,7 +2489,7 @@
+ sys.stdout.write(
+ " client: read %r from server, starting TLS...\n"
+ % msg)
+- conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
++ conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLS)
+ wrapped = True
+ elif indata == b"ENDTLS" and msg.startswith(b"ok"):
+ # ENDTLS ok, switch back to clear text
+@@ -2623,7 +2576,7 @@
+
+ server = ThreadedEchoServer(CERTFILE,
+ certreqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLS,
+ cacerts=CERTFILE,
+ chatty=True,
+ connectionchatty=False)
+@@ -2633,7 +2586,7 @@
+ certfile=CERTFILE,
+ ca_certs=CERTFILE,
+ cert_reqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1)
++ ssl_version=ssl.PROTOCOL_TLS)
+ s.connect((HOST, server.port))
+ # helper methods for standardising recv* method signatures
+ def _recv_into():
+@@ -2882,14 +2835,14 @@
+ Basic tests for SSLSocket.version().
+ More tests are done in the test_protocol_*() methods.
+ """
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ with ThreadedEchoServer(CERTFILE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLS,
+ chatty=False) as server:
+ with closing(context.wrap_socket(socket.socket())) as s:
+ self.assertIs(s.version(), None)
+ s.connect((HOST, server.port))
+- self.assertEqual(s.version(), 'TLSv1')
++ self.assertEqual(s.version(), 'TLSv1.3')
+ self.assertIs(s.version(), None)
+
+ @unittest.skipUnless(ssl.HAS_TLSv1_3,
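Review bot: The assertion `self.assertEqual(s.version(), 'TLSv1.3')` hard-codes the outcome of a negotiation the test no longer controls, because both the context and the server now use `ssl.PROTOCOL_TLS`. It will fail wherever the linked OpenSSL lacks TLS 1.3 or a system policy caps the maximum version. The next test in the file is gated on `ssl.HAS_TLSv1_3`, so the same flag can drive the expectation: `expected = 'TLSv1.3' if ssl.HAS_TLSv1_3 else 'TLSv1.2'` followed by `self.assertEqual(s.version(), expected)`. Stating the expected floor this way also makes it visible in the test that nothing below TLS 1.2 is acceptable.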
+@@ -2940,7 +2893,7 @@
+
+ server = ThreadedEchoServer(CERTFILE,
+ certreqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLSv1_2,
+ cacerts=CERTFILE,
+ chatty=True,
+ connectionchatty=False)
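Review bot: The switch to `ssl.PROTOCOL_TLSv1_2` in this server setup, and in the two client-side hunks that follow (`@@ -2950,7` and `@@ -2975,7`), is neither explained nor guarded, while almost every other call site in the patch moves to `ssl.PROTOCOL_TLS`. The likely reason is that the "tls-unique" channel binding is not specified for TLS 1.3, so the test must stay on 1.2. A comment such as `# tls-unique is not defined for TLS 1.3; pin TLS 1.2 on both ends` would keep a later cleanup from widening it. `test_protocol_tlsv1_2` in this file is decorated with `@unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"), ...)`; the channel-binding test should carry the same guard so it skips rather than errors on a build without the constant. The test method starts and ends outside these hunks.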
+@@ -2950,7 +2903,7 @@
+ certfile=CERTFILE,
+ ca_certs=CERTFILE,
+ cert_reqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1)
++ ssl_version=ssl.PROTOCOL_TLSv1_2)
+ s.connect((HOST, server.port))
+ # get the data
+ cb_data = s.get_channel_binding("tls-unique")
+@@ -2975,7 +2928,7 @@
+ certfile=CERTFILE,
+ ca_certs=CERTFILE,
+ cert_reqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1)
++ ssl_version=ssl.PROTOCOL_TLSv1_2)
+ s.connect((HOST, server.port))
+ new_cb_data = s.get_channel_binding("tls-unique")
+ if support.verbose:
+@@ -2992,7 +2945,7 @@
+ s.close()
+
+ def test_compression(self):
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ stats = server_params_test(context, context,
+ chatty=True, connectionchatty=True)
+@@ -3003,7 +2956,7 @@
+ @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
+ "ssl.OP_NO_COMPRESSION needed for this test")
+ def test_compression_disabled(self):
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ context.options |= ssl.OP_NO_COMPRESSION
+ stats = server_params_test(context, context,
+@@ -3012,7 +2965,8 @@
+
+ def test_dh_params(self):
+ # Check we can get a connection with ephemeral Diffie-Hellman
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
++ context.options |= ssl.OP_NO_TLSv1_3
+ context.load_cert_chain(CERTFILE)
+ context.load_dh_params(DHFILE)
+ context.set_ciphers("kEDH")
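Review bot: The added `context.options |= ssl.OP_NO_TLSv1_3` has no comment saying why TLS 1.3 is switched off for this one test. `set_ciphers("kEDH")` constrains only the pre-1.3 cipher list, so without the cap the handshake would presumably settle on TLS 1.3 and the loaded DH parameters would never be exercised; the check on the negotiated cipher is outside the hunk. I would add `# kEDH only applies to TLS <= 1.2 suites; cap the version so the ephemeral DH path is actually tested` directly above the new line.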
+@@ -3025,7 +2979,7 @@
+
+ def test_selected_alpn_protocol(self):
+ # selected_alpn_protocol() is None unless ALPN is used.
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ stats = server_params_test(context, context,
+ chatty=True, connectionchatty=True)
+@@ -3034,9 +2988,9 @@
+ @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
+ def test_selected_alpn_protocol_if_server_uses_alpn(self):
+ # selected_alpn_protocol() is None unless ALPN is used by the client.
+- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ client_context.load_verify_locations(CERTFILE)
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(CERTFILE)
+ server_context.set_alpn_protocols(['foo', 'bar'])
+ stats = server_params_test(client_context, server_context,
+@@ -3087,7 +3041,7 @@
+
+ def test_selected_npn_protocol(self):
+ # selected_npn_protocol() is None unless NPN is used
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ stats = server_params_test(context, context,
+ chatty=True, connectionchatty=True)
+@@ -3123,11 +3077,11 @@
+ self.assertEqual(server_result, expected, msg % (server_result, "server"))
+
+ def sni_contexts(self):
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+- other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ other_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ other_context.load_cert_chain(SIGNED_CERTFILE2)
+- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ client_context.verify_mode = ssl.CERT_REQUIRED
+ client_context.load_verify_locations(SIGNING_CA)
+ return server_context, other_context, client_context
+diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.ssl3/Modules/_ssl.c