With OpenSSL 3.0.0-alpha14 several tests for TLS 1.0 and 1.1 connections are failing handshake with "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error". OpenSSL is configured with default security level "1". Tests are only passing with @SECLEVEL=0. I think the security default callback refuses NID_sha1 and NID_sha1_md5 SSL_SECOP_SIGALG_SUPPORTED because their security bits are lower than minimum of 80 bits. ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=67, nid=114, other=0x7fffe8ab194a, ex=0x0) at ssl/ssl_cert.c:969 ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=64, nid=64, other=0x7fffe8ab188a, ex=0x0) at ssl/ssl_cert.c:969 #0 tls_choose_sigalg (s=0x7fffdc001840, fatalerrs=1) at ssl/t1_lib.c:3307 #1 0x00007fffe9cb00f4 in tls_post_process_client_hello (s=0x7fffdc001840, wst=WORK_MORE_B) at ssl/statem/statem_srvr.c:2223 #2 0x00007fffe9cad560 in ossl_statem_server_post_process_message (s=0x7fffdc001840, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1236 #3 0x00007fffe9c97e3d in read_state_machine (s=0x7fffdc001840) at ssl/statem/statem.c:670 #4 0x00007fffe9c97723 in state_machine (s=0x7fffdc001840, server=1) at ssl/statem/statem.c:442 #5 0x00007fffe9c971db in ossl_statem_accept (s=0x7fffdc001840) at ssl/statem/statem.c:270 #6 0x00007fffe9c5f5ac in SSL_do_handshake (s=0x7fffdc001840) at ssl/ssl_lib.c:3852 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { if (!fatalerrs) return 1; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); return 0; }

https://github.com/python/cpython/pull/25304 is merged PR to master.

 New changeset 4e710d1c88cbebdb17578de00997457b3b26874d by Miss Islington (bot) in branch '3.8': [3.8] bpo-43791: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304) (GH-25308) https://github.com/python/cpython/commit/4e710d1c88cbebdb17578de00997457b3b26874d