classification
Title: Python install test fails - OpenSSL - "dh key too small"
Type: Stage: resolved
Components: Tests Versions: Python 3.4
process
Status: closed Resolution: duplicate
Dependencies: Superseder: test_ssl: fails on recent libressl version with BAD_DH_P_LENGTH
View: 23844
Assigned To: Nosy List: martin.panter, nagle
Priority: normal Keywords:

Created on 2015-09-02 19:58 by nagle, last changed 2016-01-21 22:45 by martin.panter. This issue is now closed.

Messages (2)
msg249566 - (view) Author: John Nagle (nagle) Date: 2015-09-02 19:58
Installing Python 3.4.3 on a new CentOS Linux release 7.1.1503 server.
Started with source tarball, did usual ./configure; make; make test
SSL test fails with "dh key too small".  See below.

OpenSSL has recently been modified to reject short keys, due to a security vulnerability. See
  http://www.ubuntu.com/usn/usn-2639-1/
and see here for an analysis of the issue on a Python install:
  http://www.alexrhino.net/jekyll/update/2015/07/14/dh-params-test-fail.html

Apparently the "dh512.pem" file in the test suite is now obsolete, because the minimum length dh key is now 768.

The question is, does this break anything else?  Google for "dh key too small" and various other projects report problems. 


======================================================================
ERROR: test_dh_params (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/test/test_ssl.       py", line 2728, in test_dh_params
    chatty=True, connectionchatty=True)
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/test/test_ssl.       py", line 1866, in server_params_test
    s.connect((HOST, server.port))
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line        846, in connect
    self._real_connect(addr, False)
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line        837, in _real_connect
    self.do_handshake()
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line        810, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:600)

----------------------------------------------------------------------
Ran 99 tests in 12.012s

FAILED (errors=1, skipped=4)
test test_ssl failed
make: *** [test] Error 1

======================================================================
msg258777 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-01-21 22:45
I suspect this is fixed in 3.4.4. The 512-bit file was replaced by a 1024-bit (or 2014-bit if you believe the commit message :) one in Issue 23844, revision 1ad7c0253abe.
History
Date User Action Args
2016-01-21 22:45:02martin.pantersetstatus: open -> closed

superseder: test_ssl: fails on recent libressl version with BAD_DH_P_LENGTH
components: + Tests, - Installation

nosy: + martin.panter
messages: + msg258777
resolution: duplicate
stage: resolved
2016-01-21 22:35:30martin.panterlinkissue24761 superseder
2015-09-02 19:58:15naglecreate