Issue21246
Created on 2014-04-15 20:22 by ddvento@ucar.edu, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (6) | |||
---|---|---|---|
msg216380 - (view) | Author: (ddvento@ucar.edu) | Date: 2014-04-15 20:22 | |
Not sure if this is related to issue #13626, which is the only thing that Google knows about these handshake failures.

In case it matters:

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

== CPython 2.7.6 (default, Apr 14 2014, 15:12:21) [GCC 4.8.2]
== Linux-2.6.32-358.el6.x86_64-x86_64-with-redhat-6.4-Santiago little-endian
== /glade/scratch/ddvento/build/Python-2.7.6/build/test_python_18521
Testing with flags: sys.flags(debug=0, py3k_warning=0, division_warning=0, division_new=0, inspect=0, interactive=0, optimize=0, dont_write_bytecode=0, no_user_site=0, no_site=0, ignore_environment=0, tabcheck=0, verbose=0, unicode=0, bytes_warning=0, hash_randomization=0)
test_ssl
test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
test_ciphers (test.test_ssl.BasicSocketTests) ... ok
test_constants (test.test_ssl.BasicSocketTests) ... ok
test_openssl_version (test.test_ssl.BasicSocketTests) ... ok
test_parse_cert (test.test_ssl.BasicSocketTests) ...
{'notAfter': 'Oct 5 23:01:56 2020 GMT', 'subject': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),)}
{'issuer': ((('countryName', u'US'),), (('organizationName', u'VeriSign, Inc.'),), (('organizationalUnitName', u'VeriSign Trust Network'),), (('organizationalUnitName', u'Terms of use at https://www.verisign.com/rpa (c)10'),), (('commonName', u'VeriSign Class 3 International Server CA - G3'),)), 'notAfter': 'Sep 20 23:59:59 2012 GMT', 'notBefore': 'Sep 21 00:00:00 2011 GMT', 'serialNumber': '2EE6EA7640A075CEE5005F4D7C79549A', 'subject': ((('countryName', u'FI'),), (('stateOrProvinceName', u'Espoo'),), (('localityName', u'Espoo'),), (('organizationName', u'Nokia'),), (('organizationalUnitName', u'BI'),), (('commonName', u'projects.developer.nokia.com'),)), 'subjectAltName': (('DNS', 'projects.developer.nokia.com'), ('DNS', 'projects.forum.nokia.com')), 'version': 3}
ok
test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests) ...
{'issuer': ((('countryName', u'US'),), (('stateOrProvinceName', u'Oregon'),), (('localityName', u'Beaverton'),), (('organizationName', u'Python Software Foundation'),), (('organizationalUnitName', u'Python Core Development'),), (('commonName', u'null.python.org\x00example.org'),), (('emailAddress', u'python-dev@python.org'),)), 'notAfter': 'Aug 7 13:12:52 2013 GMT', 'notBefore': 'Aug 7 13:11:52 2013 GMT', 'serialNumber': '00', 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'Oregon'),), (('localityName', u'Beaverton'),), (('organizationName', u'Python Software Foundation'),), (('organizationalUnitName', u'Python Core Development'),), (('commonName', u'null.python.org\x00example.org'),), (('emailAddress', u'python-dev@python.org'),)), 'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'), ('email', 'null@python.org\x00user@example.org'), ('URI', 'http://null.python.org\x00http://example.org'), ('IP Address', '192.0.2.1'), ('IP Address', '2001:DB8:0:0:0:0:0:1\n')), 'version': 3}
ok
test_random (test.test_ssl.BasicSocketTests) ...
RAND_status is 1 (sufficient randomness)
ok
test_refcycle (test.test_ssl.BasicSocketTests) ... ok
test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok
test_algorithms (test.test_ssl.NetworkedTests) ... skipped 'remote host needs SNI, only available on Python 3.2+'
test_connect (test.test_ssl.NetworkedTests) ... ok
test_connect_ex (test.test_ssl.NetworkedTests) ... ok
test_connect_ex_error (test.test_ssl.NetworkedTests) ... ok
test_get_server_certificate (test.test_ssl.NetworkedTests) ... ERROR
test_makefile_close (test.test_ssl.NetworkedTests) ... ok
test_non_blocking_connect_ex (test.test_ssl.NetworkedTests) ... ok
test_non_blocking_handshake (test.test_ssl.NetworkedTests) ...
Needed 3 calls to do_handshake() to establish session.
ok
test_timeout_connect_ex (test.test_ssl.NetworkedTests) ... ok
test_asyncore_server (test.test_ssl.ThreadedTests)
Check the example asyncore integration. ...
server: new connection from 127.0.0.1:48912
client: sending 'TEST MESSAGE of mixed case\n'...
client: read 'test message of mixed case\n'
client: closing connection.
cleanup: stopping server.
cleanup: joining server thread.
server: closed connection <ssl.SSLSocket object at 0x2399140>
cleanup: successfully joined.
ok
test_default_ciphers (test.test_ssl.ThreadedTests) ... ok
test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server ...
server: new connection from ('127.0.0.1', 43993)
server: connection cipher is now ('AES256-SHA', 'TLSv1/SSLv3', 256)
client: sending 'FOO\n'...
server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
client: read 'foo\n'
client: sending bytearray(b'FOO\n')...
server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
client: read 'foo\n'
client: sending <memory at 0x237f510>...
server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
client: read 'foo\n'
client: closing connection.
server: client closed connection
ok
test_empty_cert (test.test_ssl.ThreadedTests)
Connecting with an empty cert file ...
SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
ok
test_getpeercert (test.test_ssl.ThreadedTests) ...
{'notAfter': 'Oct 5 23:01:56 2020 GMT', 'subject': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),)}
Connection cipher is ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256).
ok
test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok
test_malformed_cert (test.test_ssl.ThreadedTests)
Connecting with a badly formatted certificate (syntax error) ...
SSLError is _ssl.c:368: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
ok
test_malformed_key (test.test_ssl.ThreadedTests)
Connecting with a badly formatted key (syntax error) ...
SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
ok
test_nonexisting_cert (test.test_ssl.ThreadedTests)
Connecting with a non-existing cert file ...
SSLError is _ssl.c:507: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
ok
test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options ...
SSLv2->SSLv2 CERT_NONE
SSLv2->SSLv2 CERT_OPTIONAL
SSLv2->SSLv2 CERT_REQUIRED
SSLv23->SSLv2 CERT_NONE
{SSLv3->SSLv2} CERT_NONE
{TLSv1->SSLv2} CERT_NONE
ok
test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options ...
SSLv3->SSLv23 CERT_NONE
SSLv23->SSLv23 CERT_NONE
TLSv1->SSLv23 CERT_NONE
SSLv3->SSLv23 CERT_OPTIONAL
SSLv23->SSLv23 CERT_OPTIONAL
TLSv1->SSLv23 CERT_OPTIONAL
SSLv3->SSLv23 CERT_REQUIRED
SSLv23->SSLv23 CERT_REQUIRED
TLSv1->SSLv23 CERT_REQUIRED
ok
test_protocol_sslv3 (test.test_ssl.ThreadedTests)
Connecting to an SSLv3 server with various client options ...
SSLv3->SSLv3 CERT_NONE
SSLv3->SSLv3 CERT_OPTIONAL
SSLv3->SSLv3 CERT_REQUIRED
{SSLv2->SSLv3} CERT_NONE
{TLSv1->SSLv3} CERT_NONE
ok
test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options ...
TLSv1->TLSv1 CERT_NONE
TLSv1->TLSv1 CERT_OPTIONAL
TLSv1->TLSv1 CERT_REQUIRED
{SSLv2->TLSv1} CERT_NONE
{SSLv3->TLSv1} CERT_NONE
ok
test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends. ...
server: new connection from ('127.0.0.1', 56710)
server: connection cipher is now ('AES256-SHA', 'TLSv1/SSLv3', 256)
ok
test_rude_shutdown (test.test_ssl.ThreadedTests)
A brutal shutdown of an SSL server should raise an IOError ... ok
test_socketserver (test.test_ssl.ThreadedTests)
Using a SocketServer to create and manage SSL connections. ...
server (('127.0.0.1', 42188):42188 ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)): [15/Apr/2014 14:14:53] "GET /keycert.pem HTTP/1.0" 200 -
client: read 1783 bytes from remote server '<SocketServerHTTPSServer <HTTPSServer localhost.localdomain:42188>>'
ok
test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again. ...
client: sending 'msg 1'...
server: new connection from ('127.0.0.1', 50624)
server: read 'msg 1' (unencrypted), sending back 'msg 1' (unencrypted)...
client: read 'msg 1' from server
client: sending 'MSG 2'...
server: read 'MSG 2' (unencrypted), sending back 'msg 2' (unencrypted)...
client: read 'msg 2' from server
client: sending 'STARTTLS'...
server: read STARTTLS from client, sending OK...
client: read 'OK\n' from server, starting TLS...
client: sending 'MSG 3'...
server: read 'MSG 3' (encrypted), sending back 'msg 3' (encrypted)...
client: read 'msg 3' from server
client: sending 'msg 4'...
server: read 'msg 4' (encrypted), sending back 'msg 4' (encrypted)...
client: read 'msg 4' from server
client: sending 'ENDTLS'...
server: read ENDTLS from client, sending OK...
client: read 'OK\n' from server, ending TLS...
server: connection is now unencrypted...
client: sending 'msg 5'...
server: read 'msg 5' (unencrypted), sending back 'msg 5' (unencrypted)...
client: read 'msg 5' from server
client: sending 'msg 6'...
server: read 'msg 6' (unencrypted), sending back 'msg 6' (unencrypted)...
client: read 'msg 6' from server
client: closing connection.
server: client closed connection
ok
test_wrapped_accept (test.test_ssl.ThreadedTests)
Check the accept() method on SSL sockets. ...
test test_ssl failed -- Traceback (most recent call last):
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/test/test_ssl.py", line 387, in test_get_server_certificate
    pem = ssl.get_server_certificate(("svn.python.org", 443))
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 448, in get_server_certificate
    s.connect(addr)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 333, in connect
    self._real_connect(addr, False)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 323, in _real_connect
    self.do_handshake()
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

server: wrapped server socket as <ssl.SSLSocket object at 0x2399140>
client: sending 'FOO\n'...
server: new connection from ('127.0.0.1', 40291)
client cert is {'notAfter': 'Oct 5 23:01:56 2020 GMT', 'subject': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),)}
cert binary is 600 bytes
server: connection cipher is now ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)
server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
client: read 'foo\n'
client: sending bytearray(b'FOO\n')...
server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
client: read 'foo\n'
client: sending <memory at 0x240ecc8>...
server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
client: read 'foo\n'
client: closing connection.
server: client closed connection
ok

======================================================================
ERROR: test_get_server_certificate (test.test_ssl.NetworkedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/test/test_ssl.py", line 387, in test_get_server_certificate
    pem = ssl.get_server_certificate(("svn.python.org", 443))
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 448, in get_server_certificate
    s.connect(addr)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 333, in connect
    self._real_connect(addr, False)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 323, in _real_connect
    self.do_handshake()
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

----------------------------------------------------------------------
Ran 37 tests in 4.950s

FAILED (errors=1, skipped=1)
1 test failed:
    test_ssl |
|||
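The `error:XXXXXXXX:...` strings in the log above pack a library, function and reason number into the hex code, and for the SSL library a reason above 1000 is a TLS alert received from the peer rather than a local failure. This added example (not part of the original report or of CPython) decodes the three distinct error strings from the log, assuming the OpenSSL 1.0.x/1.1.x code layout; the function names and the alert subset are the example's own.

```python
import re

# Packed error code layout used by OpenSSL 1.0.x/1.1.x (ERR_GET_LIB,
# ERR_GET_FUNC, ERR_GET_REASON). OpenSSL 3.0 changed it, so this decoder
# only applies to logs from the older releases, such as 1.0.1f here.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are alerts from the peer

# TLS alert descriptions from RFC 5246 section 7.2 (subset).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Return the fields of an 'error:XXXXXXXX:lib:func:reason' string, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        num = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(num, "alert_%d" % num)
    return {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "peer_alert": alert}


def peer_alerts(lines):
    """Keep only the errors caused by an alert that the remote side sent."""
    decoded = (decode_openssl_error(line) for line in lines)
    return [(d["func_name"], d["peer_alert"]) for d in decoded if d and d["peer_alert"]]


# Error strings copied from the test log in the report above.
LOG_LINES = [
    "SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib",
    "SSLError is _ssl.c:507: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
]

if __name__ == "__main__":
    for entry in LOG_LINES:
        print(decode_openssl_error(entry))
```

The failing test's code `14094410` decodes to reason 1040, alert 40 (`handshake_failure`) sent by the remote server, while `140B0009` is a local PEM loading error with no alert involved.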
msg216423 - (view) | Author: Benjamin Peterson (benjamin.peterson) | Date: 2014-04-16 02:41 | |
Very old version of openssl? |
|||
msg216475 - (view) | Author: (ddvento@ucar.edu) | Date: 2014-04-16 14:49 | |
Despite this being Red Hat, this is not at all the case! OpenSSL 1.0.1f was released on Jan 6th, 2014 at 15:39:19 -- see https://www.openssl.org/source/ |
|||
msg216477 - (view) | Author: (ddvento@ucar.edu) | Date: 2014-04-16 15:15 | |
Just to make sure I'm using the right version:

Python 2.7.6 (default, Apr 14 2014, 15:12:21)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1f 6 Jan 2014'
>>>

On 04/16/2014 08:49 AM, Davide Del Vento wrote:
>
> ddvento@ucar.edu added the comment:
>
> Despite this being Red Hat, this is not at all the case!
>
> OpenSSL 1.0.1f was released on Jan 6th, 2014 at 15:39:19 -- see
> https://www.openssl.org/source/
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue21246>
> _______________________________________
> |
|||
msg216498 - (view) | Author: Antoine Pitrou (pitrou) | Date: 2014-04-16 16:50 | |
This was fixed in #20896 by a certain Benjamin Peterson. |
|||
msg216535 - (view) | Author: (ddvento@ucar.edu) | Date: 2014-04-16 18:07 | |
Thanks. The reason why I overlooked it is that #20896 did not list 2.7 as an affected version. I changed #20896 to prevent other people from making the same mistake.
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:58:01 | admin | set | github: 65445 |
2014-04-16 18:07:32 | ddvento@ucar.edu | set | messages: + msg216535 |
2014-04-16 16:50:21 | pitrou | set | status: open -> closed nosy: + pitrou messages: + msg216498 superseder: test_ssl.test_get_server_certificate() should use PROTOCOL_SSLv23, not PROTOCOL_SSLv3 resolution: duplicate |
2014-04-16 15:15:06 | ddvento@ucar.edu | set | messages: + msg216477 |
2014-04-16 14:49:04 | ddvento@ucar.edu | set | messages: + msg216475 |
2014-04-16 02:41:59 | benjamin.peterson | set | nosy: + benjamin.peterson messages: + msg216423 |
2014-04-15 20:22:28 | ddvento@ucar.edu | create |