
classification
Title: test_ssl failures on Debian/Ubuntu
Type:
Stage: needs patch
Components: Extension Modules
Versions: Python 3.2, Python 3.3, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: barry, eric.araujo, janssen, nadeem.vawda, pitrou, python-dev, vstinner
Priority: normal
Keywords: patch

Created on 2011-10-19 12:30 by nadeem.vawda, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name, Uploaded
test_ssl_broken_ubuntu.patch, vstinner, 2011-10-19 13:45
issue13218.diff, barry, 2011-10-25 16:23
issue13218-true.diff, barry, 2011-10-25 16:24
Messages (26)
msg145902 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-19 12:30
Since upgrading to Ubuntu 11.10, I've been getting the following failures in test_ssl:

    ======================================================================
    FAIL: test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/def/Lib/test/test_ssl.py", line 1415, in test_protocol_sslv3
        try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
      File "/home/nadeem/code/src/cpython/def/Lib/test/test_ssl.py", line 1232, in try_protocol_combo
        ssl.get_protocol_name(server_protocol)))
    AssertionError: Client protocol SSLv23 succeeded with server protocol SSLv3!

    ======================================================================
    FAIL: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/def/Lib/test/test_ssl.py", line 1433, in test_protocol_tlsv1
        try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
      File "/home/nadeem/code/src/cpython/def/Lib/test/test_ssl.py", line 1232, in try_protocol_combo
        ssl.get_protocol_name(server_protocol)))
    AssertionError: Client protocol SSLv23 succeeded with server protocol TLSv1!

    ----------------------------------------------------------------------

and this (presumably related) failure in test_nntplib:

    ======================================================================
    ERROR: setUpClass (test.test_nntplib.NetworkedNNTP_SSLTests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/def/Lib/test/test_nntplib.py", line 291, in setUpClass
        cls.server = cls.NNTP_CLASS(cls.NNTP_HOST, timeout=TIMEOUT, usenetrc=False)
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 1052, in __init__
        readermode=readermode, timeout=timeout)
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 344, in __init__
        self.getcapabilities()
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 380, in getcapabilities
        resp, caps = self.capabilities()
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 546, in capabilities
        resp, lines = self._longcmdstring("CAPABILITIES")
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 513, in _longcmdstring
        resp, list = self._getlongresp(file)
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 464, in _getlongresp
        resp = self._getresp()
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 437, in _getresp
        resp = self._getline()
      File "/home/nadeem/code/src/cpython/def/Lib/nntplib.py", line 425, in _getline
        if not line: raise EOFError
    EOFError

3.2 gives a different set of failures in test_ssl (with the same failure in test_nntplib):

    ======================================================================
    ERROR: test_constructor (test.test_ssl.ContextTests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 345, in test_constructor
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    ERROR: test_protocol (test.test_ssl.ContextTests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 356, in test_protocol
        ctx = ssl.SSLContext(proto)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    ERROR: test_session_stats (test.test_ssl.ContextTests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 453, in test_session_stats
        ctx = ssl.SSLContext(proto)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    ERROR: test_echo (test.test_ssl.ThreadedTests)
    Basic test of an SSL client connecting to a server
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1147, in test_echo
        context = ssl.SSLContext(protocol)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv2 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1256, in test_protocol_sslv2
        try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1108, in try_protocol_combo
        client_context = ssl.SSLContext(client_protocol)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    ERROR: test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1317, in test_protocol_sslv3
        try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1108, in try_protocol_combo
        client_context = ssl.SSLContext(client_protocol)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    ERROR: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1334, in test_protocol_tlsv1
        try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 1108, in try_protocol_combo
        client_context = ssl.SSLContext(client_protocol)
      File "/home/nadeem/code/src/cpython/3.2/Lib/ssl.py", line 168, in __new__
        return _SSLContext.__new__(cls, protocol)
    ssl.SSLError: failed to allocate SSL context

    ======================================================================
    FAIL: test_options (test.test_ssl.ContextTests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 82, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/3.2/Lib/test/test_ssl.py", line 370, in test_options
        self.assertEqual(ssl.OP_ALL, ctx.options)
    AssertionError: 4095 != 16781311

    ----------------------------------------------------------------------

On 2.7, the failures are again different:

    ======================================================================
    ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv2 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 75, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 986, in test_protocol_sslv2
        try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 856, in try_protocol_combo
        ciphers="ALL", chatty=False)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 808, in server_params_test
        s.connect((HOST, server.port))
      File "/home/nadeem/code/src/cpython/2.7/Lib/ssl.py", line 322, in connect
        self._real_connect(addr, False)
      File "/home/nadeem/code/src/cpython/2.7/Lib/ssl.py", line 305, in _real_connect
        self.ca_certs, self.ciphers)
    SSLError: _ssl.c:316: Invalid SSL protocol variant specified.

    ======================================================================
    FAIL: test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 75, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 1028, in test_protocol_sslv3
        try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 870, in try_protocol_combo
        ssl.get_protocol_name(server_protocol)))
    AssertionError: Client protocol SSLv23 succeeded with server protocol SSLv3!

    ======================================================================
    FAIL: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 75, in f
        return func(*args, **kwargs)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 1042, in test_protocol_tlsv1
        try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
      File "/home/nadeem/code/src/cpython/2.7/Lib/test/test_ssl.py", line 870, in try_protocol_combo
        ssl.get_protocol_name(server_protocol)))
    AssertionError: Client protocol SSLv23 succeeded with server protocol TLSv1!

    ----------------------------------------------------------------------

The failures were probably caused by Ubuntu upgrading from openssl-0.9.8 to
openssl-1.0.0 in 11.10 -- I've reproduced the failures on three different
Ubuntu 11.10 machines, and none of the buildbots are having this problem.

For reference, the list of changes between 0.9.8 and 1.0.0 (look for the section
"Changes between 0.9.8n and 1.0.0 [29 Mar 2010]"):

    http://www.openssl.org/news/changelog.html
msg145903 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-19 12:33
All the tests work fine with OpenSSL 1.0.0d under Mageia. Could you look into Ubuntu-specific patches to OpenSSL? They have been known to add disruptive changes (we already have some Ubuntu-specific code in test_ssl).

Also, how about the system Python? Does it show the same test failures?
msg145904 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-19 12:41
Actually, I think you may just have to fix skip_if_broken_ubuntu_ssl() in test_ssl.py. Could you give it a try?
msg145905 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-19 13:02
> Also, how about the system Python? Does it show the same test failures?

Unfortunately, it seems that the system Python package doesn't install the
test suite; if you try to run "python -m test.regrtest", it complains that
it can't find the test modules.

> Actually, I think you may just have to fix skip_if_broken_ubuntu_ssl() in test_ssl.py. Could you give it a try?

I'll take a look over the weekend.
msg145906 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2011-10-19 13:45
Attached patch updates skip_if_broken_ubuntu_ssl(): OpenSSL in Ubuntu is still broken :-( OpenSSL package version is 1.0.0e-2ubuntu4 but in Python, ssl.OPENSSL_VERSION_INFO is still (0, 9, 8, 15, 15) !?
msg145907 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-19 14:00
> Attached patch updates skip_if_broken_ubuntu_ssl(): OpenSSL in Ubuntu
> is still broken :-( OpenSSL package version is 1.0.0e-2ubuntu4 but in
> Python, ssl.OPENSSL_VERSION_INFO is still (0, 9, 8, 15, 15) !?

Are you sure? Did you rebuild?
msg145908 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-19 14:05
I get (1, 0, 0, 5, 15) for ssl.OPENSSL_VERSION_INFO. A trivial modification
of Victor's patch doesn't seem to fix the failures for me, though :/
msg145909 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-19 14:08
Sorry, that wasn't very coherent. What I meant to say is that I tried this:

    if ((ssl.OPENSSL_VERSION_INFO, platform.linux_distribution()) in
        [((0, 9, 8, 15, 15), ('debian', 'squeeze/sid', '')),
         ((1, 0, 0,  5, 15), ('debian',  'wheezy/sid', ''))]):
        raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")

on the default branch, and I'm still getting the same failures.
msg145910 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2011-10-19 14:09
> ssl.OPENSSL_VERSION_INFO is still (0, 9, 8, 15, 15)

After a recompilation, I get (1, 0, 0, 5, 15) and ssl doesn't have PROTOCOL_SSLv2. test_ssl is failing with:

    ======================================================================
    FAIL: test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/vstinner/prog/python/default/Lib/test/test_ssl.py", line 1415, in test_protocol_sslv3
        try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
      File "/home/vstinner/prog/python/default/Lib/test/test_ssl.py", line 1232, in try_protocol_combo
        ssl.get_protocol_name(server_protocol)))
    AssertionError: Client protocol SSLv23 succeeded with server protocol SSLv3!

    ======================================================================
    FAIL: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/vstinner/prog/python/default/Lib/test/test_ssl.py", line 1433, in test_protocol_tlsv1
        try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
      File "/home/vstinner/prog/python/default/Lib/test/test_ssl.py", line 1232, in try_protocol_combo
        ssl.get_protocol_name(server_protocol)))
    AssertionError: Client protocol SSLv23 succeeded with server protocol TLSv1!
msg145912 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-19 14:22
> AssertionError: Client protocol SSLv23 succeeded with server protocol SSLv3!
> AssertionError: Client protocol SSLv23 succeeded with server protocol TLSv1!

Hmm... I guess Ubuntu may have aliased SSLv23 to SSLv3. Can someone take
a look at Ubuntu patches to OpenSSL?
I also think we could relax these tests. After all, they're testing
OpenSSL's functionality, not really our own code.

Regardless, I really don't like the way Ubuntu change semantics of a
*library* they're packaging...
msg145914 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-19 15:31
> Hmm... I guess Ubuntu may have aliased SSLv23 to SSLv3. Can someone take
> a look at Ubuntu patches to OpenSSL?

I don't know enough about OpenSSL to make sense of the actual headers on my
system without spending more time on it, but it seems like Debian have disabled
SSLv2 altogether <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706>.
Could this be the source of the problem?
msg146017 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-20 13:41
> none of the buildbots are having this problem.

Actually, it turns out the Ubuntu ARM builder is hitting the same failures.
First failure for each branch was on 14 October (the day after 11.10 came out):

    http://www.python.org/dev/buildbot/all/builders/ARM%20Ubuntu%203.x/builds/16
    http://www.python.org/dev/buildbot/all/builders/ARM%20Ubuntu%203.2/builds/9
    http://www.python.org/dev/buildbot/all/builders/ARM%20Ubuntu%202.7/builds/8
msg146186 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-22 19:45
Barry, perhaps you could try to know what in Ubuntu's OpenSSL build can lead to such failures?
msg146316 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-24 18:50
Still investigating, but FTR, this isn't technically an Ubuntu issue as much as it is a Debian issue (and thus inherited by Ubuntu).  I can reproduce the failure in Python 3.3 on Debian Wheezy.
msg146337 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-24 23:17
TL;DR: Let's rip out the false assumption that an SSLv23 client cannot connect to an SSLv3/TLSv1 server.

I now believe this is simply an erroneous assumption on the part of the Python test suite, namely that SSLv23 method clients cannot connect to SSLv3 or TLSv1 servers.  Here is an excerpt from openssl's CHANGES file:


 Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
...

  *) Change the client implementation for SSLv23_method() and
     SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
     Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
     (Previously, the SSL 2.0 backwards compatible Client Hello
     message format would be used even with SSL_OP_NO_SSLv2.)
     [Bodo Moeller]

It looks like it's been this way for a long time too.  What may have changed recently on Debian/Ubuntu though is that, as of Ubuntu version 1.0.0d-2ubuntu1 (in Ubuntu 11.04), we now use the no-ssl configuration option to disable SSLv2.  My guess is that "the SSL_OP_NO_SSLv2 option" gets set by this configuration option, which is what switches the client hello to use SSLv3/TLSv1 format, thus enabling such connections.  I'm not entirely sure which Debian version of the package this got changed in, but it certainly works the same way on Wheezy as it does in Oneiric.

It's probably too difficult, and not really Python's responsibility, to determine whether SSL_OP_NO_SSLv2 is set.  Rather, I think the test is simply bogus and should be disabled or removed.  Antoine implies as such in 

http://bugs.python.org/issue13218#msg145912

A couple of other things: it is not true that Ubuntu (or Debian for that matter) is changing the semantics of a library here.  It's simply using a supported upstream configuration option to disable SSLv2, and the openssl library itself changes the semantics of client/server connection success based on that.

Also, I think @skip_if_broken_ubuntu_ssl is both a misnomer (since all that behavior is inherited from Debian) and besides, it's useless now since on Debian/Ubuntu, ssl.PROTOCOL_SSLv2 will never be defined, at least with modernish versions of both OS's.  But I guess ripping that out is a task for a different bug.
msg146352 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-25 09:56
> It looks like it's been this way for a long time too.

But tests have always passed here using OpenSSL 1.0.0.

> It's probably too difficult, and not really Python's responsibility,
> to determine whether SSL_OP_NO_SSLv2 is set.

See http://docs.python.org/dev/library/ssl.html#ssl.SSLContext.options

> Rather, I think the test is simply bogus and should be disabled or
> removed.

I think it would be good to keep a simplified/minimal (and, of course,
working :-)) version of these tests.
Patches welcome, anyway. I can't really test with Debian's OpenSSL.
msg146358 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-25 11:31
On Oct 25, 2011, at 09:56 AM, Antoine Pitrou wrote:

>
>Antoine Pitrou <pitrou@free.fr> added the comment:
>
>> It looks like it's been this way for a long time too.
>
>But tests have always passed here using OpenSSL 1.0.0.

Right, sorry, what I meant was this particular behavior (switching to SSLv3
client hello when SSLv2 is disabled) appears to have been in upstream openssl
since about 2005.  What's changed recently is that instead of patching openssl
to disable SSLv2 (and thereby not triggering the client hello switch), Debian
has started to use the no-ssl Configure option, which is what probably started
allowing this test to unexpectedly succeed.

>> It's probably too difficult, and not really Python's responsibility,
>> to determine whether SSL_OP_NO_SSLv2 is set.
>
>See http://docs.python.org/dev/library/ssl.html#ssl.SSLContext.options

Interesting, thanks for the pointer.

>> Rather, I think the test is simply bogus and should be disabled or
>> removed.
>
>I think it would be good to keep a simplified/minimal (and, of course,
>working :-)) version of these tests.
>Patches welcome, anyway. I can't really test with Debian's OpenSSL.

I'll work up a patch.

-Barry
msg146380 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-25 16:23
I'm not sure I particularly like this patch, and I can't test it on anything other than Debian/Ubuntu right now, but it does "fix" the test (defined as: making it pass :).

AFAICT, there's no way to tell openssl to revert back to trying SSLv2 client hello when the library has been compiled with no-ssl, but still setting OP_NO_SSLv2 or OP_NO_TLSv1 kind of seems like keeping a couple of tests that can't possibly succeed (because neither v2 nor v3, nor tlsv1 will be tried).

The other thing is that testing the flags on the client context doesn't seem to work:


    Python 3.2.2+ (3.2:03ef6108beae, Oct 25 2011, 10:57:32)
    [GCC 4.6.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import ssl
    >>> cc = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    >>> cc.options & ssl.OP_NO_SSLv2
    0

Now, the other way to go is to set OP_NO_SSLv2 on both tests and change the sense of it from False to True, so that we'd always expect the connection to succeed.  I'll attach that patch next, and it does seem a bit more sane.  Let me know what you think.
msg146381 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-25 16:24
Here's the diff that disables SSLv2 and changes the expected sense of the connection results.  Again, I can't test this on other than Debian/Ubuntu atm, so feedback would be useful.
msg146515 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-27 19:31
On further reflection, I don't much like my second patch either.  I don't think it'll be portable.  I suggest just removing this test.
msg146524 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-10-27 22:07
For the record, both patches work fine here (Mageia 1, OpenSSL 1.0.0d).
msg146526 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-27 22:24
On Oct 27, 2011, at 10:08 PM, Antoine Pitrou wrote:

>Antoine Pitrou <pitrou@free.fr> added the comment:
>
>For the record, both patches work fine here (Mageia 1, OpenSSL 1.0.0d).

Cool.  I'll try to verify them on OS X 10.6 (and maybe 10.7).  If they work
there I'll figure out one of them to commit.
msg146538 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2011-10-28 08:46
"./python -m test -v -u all test_ssl" passes with issue13218.diff or issue13218-true.diff on Ubuntu 10.10.
msg146575 - (view) Author: Barry A. Warsaw (barry) * (Python committer) Date: 2011-10-28 19:33
I can't test this on OS X 10.7 because of issue 13241 but it works fine on OS X 10.6.

I'm going to go with the first diff (i.e. the non-sense changing version).  I can't say why I favor that version but since you've both verified it works on !Ubuntu, we'll go with that and let people scream if it starts failing for them.  I'll apply to 3.2 and 3.3, back port to 2.7, and then watch the buildbots.
msg146578 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2011-10-28 21:08
New changeset 3c225f938dae by Barry Warsaw in branch '2.7':
- Issue #13218: Fix test_ssl failures on Debian/Ubuntu.
http://hg.python.org/cpython/rev/3c225f938dae

New changeset 415e2c998e18 by Barry Warsaw in branch '3.2':
- Issue #13218: Fix test_ssl failures on Debian/Ubuntu.
http://hg.python.org/cpython/rev/415e2c998e18

New changeset 7a241bc34dd7 by Barry Warsaw in branch '3.2':
- Issue #13218: Fix test_ssl failures on Debian/Ubuntu.
http://hg.python.org/cpython/rev/7a241bc34dd7

New changeset 472219ffa1d7 by Barry Warsaw in branch 'default':
- Issue #13218: Fix test_ssl failures on Debian/Ubuntu.
http://hg.python.org/cpython/rev/472219ffa1d7
msg146628 - (view) Author: Nadeem Vawda (nadeem.vawda) * (Python committer) Date: 2011-10-30 09:40
> New changeset 3c225f938dae by Barry Warsaw in branch '2.7':
> - Issue #13218: Fix test_ssl failures on Debian/Ubuntu.
> http://hg.python.org/cpython/rev/3c225f938dae

This changeset appears to have broken a number of the 2.7 Linux buildbots:

    http://www.python.org/dev/buildbot/all/builders/AMD64%20Gentoo%20Wide%202.7/builds/861
    http://www.python.org/dev/buildbot/all/builders/x86%20Gentoo%202.7/builds/287
    http://www.python.org/dev/buildbot/all/builders/x86%20Gentoo%20Non-Debug%202.7/builds/245
    http://www.python.org/dev/buildbot/all/builders/x86%20Ubuntu%20Shared%202.7/builds/1147
    http://www.python.org/dev/buildbot/all/builders/ARM%20Ubuntu%202.7/builds/24

All of the errors look something like:

    ======================================================================
    ERROR: test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/buildbot/buildarea/2.7.ochtman-gentoo-amd64/build/Lib/test/test_ssl.py", line 75, in f
        return func(*args, **kwargs)
      File "/home/buildbot/buildarea/2.7.ochtman-gentoo-amd64/build/Lib/test/test_ssl.py", line 1029, in test_protocol_sslv3
        client_options=ssl.OP_NO_SSLv3)
    AttributeError: 'module' object has no attribute 'OP_NO_SSLv3'

    ======================================================================
    ERROR: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1 server with various client options
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/home/buildbot/buildarea/2.7.ochtman-gentoo-amd64/build/Lib/test/test_ssl.py", line 75, in f
        return func(*args, **kwargs)
      File "/home/buildbot/buildarea/2.7.ochtman-gentoo-amd64/build/Lib/test/test_ssl.py", line 1044, in test_protocol_tlsv1
        client_options=ssl.OP_NO_TLSv1)
    AttributeError: 'module' object has no attribute 'OP_NO_TLSv1'

The ARM Ubuntu builder gets two additional errors, saying that
ssl.PROTOCOL_SSLv2 doesn't exist either.
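
The expectation logic the thread converges on (the Client Hello observation in msg146337, the option check in msg146380 and the missing-attribute errors in msg146628), as an added Python example that is not code from the tracker or from CPython's test suite. The `WITH_SSLV2`, `NO_SSLV2` and `NO_OP_FLAGS` namespaces are constructed stand-ins for ssl builds, and the rule that a server pinned to SSLv3 or TLSv1 refuses an SSLv2-compatible hello is the assumption the original tests encoded.

```python
import ssl
from types import SimpleNamespace

# (version, PROTOCOL_* attribute, OP_NO_* attribute) for the versions in the thread.
VERSIONS = (
    ("SSLv2", "PROTOCOL_SSLv2", "OP_NO_SSLv2"),
    ("SSLv3", "PROTOCOL_SSLv3", "OP_NO_SSLv3"),
    ("TLSv1", "PROTOCOL_TLSv1", "OP_NO_TLSv1"),
)


def probe(module=ssl):
    """Map each version to (protocol constant, OP_NO flag); None means not defined."""
    # getattr with a default avoids the AttributeError hit on the 2.7 buildbots.
    return {
        name: (getattr(module, proto, None), getattr(module, flag, None))
        for name, proto, flag in VERSIONS
    }


def offered(caps, options=0):
    """Versions an SSLv23 (negotiating) client still offers under an option mask."""
    names = []
    for name, _, _ in VERSIONS:
        proto, flag = caps[name]
        if proto is None:
            continue  # not defined in this build (PROTOCOL_SSLv2 == 0 counts as defined)
        if flag and options & flag:
            continue  # excluded by the caller's option mask
        names.append(name)
    return names


def hello_format(caps, options=0):
    """Client Hello format per the CHANGES excerpt quoted in msg146337."""
    return "SSLv2-compatible" if "SSLv2" in offered(caps, options) else "SSLv3/TLSv1"


def expectation(caps, server, exclude=None):
    """Expected result of an SSLv23 client against a server pinned to `server`.

    Returns True or False, or "skip" when this build cannot express the case.
    """
    options = 0
    if exclude is not None:
        flag = caps[exclude][1]
        if flag is None:
            return "skip"  # e.g. no ssl.OP_NO_SSLv3 attribute on this build
        options |= flag
    if caps[server][0] is None:
        return "skip"  # e.g. ssl.PROTOCOL_SSLv2 is not defined
    if server != "SSLv2" and hello_format(caps, options) == "SSLv2-compatible":
        return False  # assumption of the original tests: old-format hello is refused
    return server in offered(caps, options)


# Constructed stand-ins for ssl builds described in the thread (illustrative values).
_FLAGS = dict(OP_NO_SSLv2=0x01000000, OP_NO_SSLv3=0x02000000, OP_NO_TLSv1=0x04000000)
WITH_SSLV2 = SimpleNamespace(PROTOCOL_SSLv2=0, PROTOCOL_SSLv3=1, PROTOCOL_TLSv1=3, **_FLAGS)
NO_SSLV2 = SimpleNamespace(PROTOCOL_SSLv3=1, PROTOCOL_TLSv1=3, **_FLAGS)
NO_OP_FLAGS = SimpleNamespace(PROTOCOL_SSLv2=0, PROTOCOL_SSLv3=1, PROTOCOL_TLSv1=3)


def matrix(module):
    """Expectations for the two test cases from the thread, with and without exclusion."""
    caps = probe(module)
    return {
        (server, exclude): expectation(caps, server, exclude)
        for server in ("SSLv3", "TLSv1")
        for exclude in (None, server)
    }


if __name__ == "__main__":
    builds = (("with SSLv2", WITH_SSLV2), ("no SSLv2", NO_SSLV2),
              ("no OP_NO_* flags", NO_OP_FLAGS), ("this interpreter", ssl))
    for label, build in builds:
        print(label)
        for (server, exclude), result in matrix(build).items():
            print("  server=%s exclude=%s -> %s" % (server, exclude, result))
```

Excluding the server's own version gives the same expected result on builds with and without SSLv2, while the unguarded case flips between them.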
History
Date User Action Args
2022-04-11 14:57:22 admin set github: 57427
2011-10-30 09:40:50 nadeem.vawda set messages: + msg146628
2011-10-28 22:06:43 barry set status: open -> closed; resolution: fixed
2011-10-28 21:08:31 python-dev set nosy: + python-dev; messages: + msg146578
2011-10-28 19:33:09 barry set messages: + msg146575
2011-10-28 08:46:20 vstinner set messages: + msg146538
2011-10-27 22:24:26 barry set messages: + msg146526
2011-10-27 22:07:59 pitrou set messages: + msg146524
2011-10-27 19:31:09 barry set messages: + msg146515
2011-10-25 16:24:35 barry set files: + issue13218-true.diff; messages: + msg146381
2011-10-25 16:23:18 barry set files: + issue13218.diff; messages: + msg146380
2011-10-25 11:31:02 barry set messages: + msg146358
2011-10-25 09:56:56 pitrou set messages: + msg146352
2011-10-24 23:17:10 barry set messages: + msg146337
2011-10-24 18:50:35 barry set title: test_ssl failures on Ubuntu 11.10 -> test_ssl failures on Debian/Ubuntu
2011-10-24 18:50:19 barry set messages: + msg146316
2011-10-22 19:45:02 pitrou set nosy: + barry; messages: + msg146186
2011-10-20 13:41:36 nadeem.vawda set messages: + msg146017
2011-10-19 17:44:23 eric.araujo set nosy: + eric.araujo
2011-10-19 15:31:16 nadeem.vawda set messages: + msg145914
2011-10-19 14:22:56 pitrou set messages: + msg145912
2011-10-19 14:09:31 vstinner set messages: + msg145910
2011-10-19 14:08:10 nadeem.vawda set messages: + msg145909
2011-10-19 14:05:39 nadeem.vawda set messages: + msg145908
2011-10-19 14:00:12 pitrou set messages: + msg145907
2011-10-19 13:47:10 giampaolo.rodola set nosy: - giampaolo.rodola
2011-10-19 13:45:41 vstinner set files: + test_ssl_broken_ubuntu.patch; nosy: + vstinner; messages: + msg145906; keywords: + patch
2011-10-19 13:02:23 nadeem.vawda set messages: + msg145905
2011-10-19 12:41:24 pitrou set messages: + msg145904
2011-10-19 12:33:57 pitrou set messages: + msg145903
2011-10-19 12:30:49 nadeem.vawda create