classification
Title: test_ssl (test_algorithms) failures on bolen-ubuntu slaves: sha256.tbs-internet.com unknown host
Type: behavior
Stage: resolved
Components: SSL, Tests
Versions: Python 3.7, Python 3.6, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: alex, christian.heimes, db3l, dstufft, giampaolo.rodola, janssen, pitrou, zach.ware
Priority: low
Keywords: buildbot

Created on 2015-11-19 21:54 by db3l, last changed 2017-09-04 21:11 by christian.heimes. This issue is now closed.

Pull Requests
URL Status Linked
PR 3297 merged christian.heimes, 2017-09-04 20:06
PR 3300 merged christian.heimes, 2017-09-04 20:27
PR 3301 merged christian.heimes, 2017-09-04 20:31
Messages (8)
msg254938 - Author: David Bolen (db3l) Date: 2015-11-19 21:54
It appears that the test host (sha256.tbs-internet.com) used by test_algorithms in test_ssl.py no longer exists.

It was showing up as a certificate failure in the test because it ended up falling back to a resolv.conf search path which yielded a host that did do SSL but obviously with the wrong certificate.

db3l@buildbot-ubuntu:~$ host sha256.tbs-internet.com
Host sha256.tbs-internet.com not found: 3(NXDOMAIN)

db3l@buildbot-ubuntu:~/tmp/python3.x/Lib/test$ dig +short ns tbs-internet.com
NS1.tbs-internet.com.
maj.pitux.com.
ns2.atdynet.com.
nsc.pitux.com.
db3l@buildbot-ubuntu:~/tmp/python3.x/Lib/test$ dig @ns1.tbs-internet.com sha256.tbs-internet.com

; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> @ns1.tbs-internet.com sha256.tbs-internet.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25154
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sha256.tbs-internet.com.	IN	A

;; AUTHORITY SECTION:
tbs-internet.com.	3600	IN	SOA	ovh12.tbs-internet.com. hostmaster.tbs-internet.com. 2015110705 21600 3600 2419200 3600

;; Query time: 93 msec
;; SERVER: 2001:41d0:8:380d::1#53(2001:41d0:8:380d::1)
;; WHEN: Thu Nov 19 16:51:58 EST 2015
;; MSG SIZE  rcvd: 105


What I can't yet understand is why this is not causing issues on other slaves.  I suppose some might be skipping the test if SNI was not supported, but surely not all of them?
msg254941 - Author: David Bolen (db3l) Date: 2015-11-19 22:43
Ah, it appears that the transient_internet context manager in the test causes it to be skipped if the host is unknown.  So mine was just "lucky" in that it fell back to connecting somewhere else.

I've removed my resolver search path on bolen-ubuntu which will resolve the test failures on that slave, but I presume test_algorithms is never being run by anyone at this point.
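
The fallback described in the two messages above, modeled offline as an added example (not code from the issue or from CPython). The search domain corp.example, its wildcard record and the address are constructed; the expansion order follows the resolv.conf ndots rule.

```python
# Added example: offline model of resolv.conf search-list expansion.
# RESOLV_CONF and ZONE are constructed; the issue does not give the real ones.
RESOLV_CONF = "search corp.example\noptions ndots:1\n"
# The test host is absent (NXDOMAIN); the search domain has a wildcard record.
ZONE = {"*.corp.example.": "192.0.2.10"}

def parse_resolv_conf(text):
    """Return (search domains, ndots) from resolv.conf text."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["search"]:
            search = fields[1:]
        elif fields[:1] == ["options"]:
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, ndots

def candidates(name, search, ndots):
    """Names the stub resolver tries, in order."""
    if name.endswith("."):          # absolute name: search list is not used
        return [name]
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:    # enough dots: try the name as given first
        return [name + "."] + expanded
    return expanded + [name + "."]

def lookup(fqdn, zone):
    """Exact match, then wildcard match on each parent domain."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None

def resolve(name, conf=RESOLV_CONF, zone=ZONE):
    """Return (name that answered, address), or None if every candidate fails."""
    search, ndots = parse_resolv_conf(conf)
    for fqdn in candidates(name, search, ndots):
        addr = lookup(fqdn, zone)
        if addr is not None:
            return fqdn, addr
    return None
```

With these constructed inputs, resolve("sha256.tbs-internet.com") is answered by sha256.tbs-internet.com.corp.example., a different host than the one the certificate check expects, while the same name with a trailing dot returns None, the unknown-host case in which the test is skipped.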
msg254942 - Author: Zachary Ware (zach.ware) (Python committer) Date: 2015-11-19 22:47
So the mystery of that buildbot is solved, but I think that test needs some work.
msg301250 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-04 19:59
The sha256.tbs-internet.com has been down for a while and the DNS record is no longer available. Alex and I agreed that the test no longer makes sense, too. RSA certs with SHA-256 signatures are the de facto standard and have been supported by OpenSSL for a long time. We test SHA-256 certs with several other tests that talk to remote servers.

I'm going to remove the test and sha256 cert.
msg301254 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-04 20:26
New changeset 002d64039b60c1a9289f981fe73a5cf91d082136 by Christian Heimes in branch 'master':
bpo-25674: remove sha256.tbs-internet.com ssl test (#3297)
https://github.com/python/cpython/commit/002d64039b60c1a9289f981fe73a5cf91d082136
msg301258 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-04 20:54
New changeset 4bc8ef0eeed191f9398a90e748f732cfba67546d by Christian Heimes in branch '3.6':
[3.6] bpo-25674: remove sha256.tbs-internet.com ssl test (GH-3297) (#3300)
https://github.com/python/cpython/commit/4bc8ef0eeed191f9398a90e748f732cfba67546d
msg301261 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-04 21:08
New changeset 57d963b0b559078ca419811d0d25fea27d42f30c by Christian Heimes in branch '2.7':
[2.7] bpo-25674: remove sha256.tbs-internet.com ssl test (GH-3297) (#3301)
https://github.com/python/cpython/commit/57d963b0b559078ca419811d0d25fea27d42f30c
msg301262 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-09-04 21:10
I've removed the sha256.tbs-internet.com from 2.7, 3.6, and master. 3.5 and previous versions are in security fix-only mode.
History
Date User Action Args
2017-09-04 21:11:01 christian.heimes set status: open -> closed; resolution: fixed; stage: needs patch -> resolved
2017-09-04 21:10:34 christian.heimes set messages: + msg301262
2017-09-04 21:08:38 christian.heimes set messages: + msg301261
2017-09-04 20:54:49 christian.heimes set messages: + msg301258
2017-09-04 20:31:48 christian.heimes set pull_requests: + pull_request3333
2017-09-04 20:27:09 christian.heimes set pull_requests: + pull_request3332
2017-09-04 20:26:02 christian.heimes set messages: + msg301254
2017-09-04 20:06:30 christian.heimes set pull_requests: + pull_request3331
2017-09-04 19:59:04 christian.heimes set messages: + msg301250; versions: - Python 3.5
2016-09-15 07:53:36 christian.heimes set assignee: christian.heimes; components: + SSL
2016-09-08 15:33:53 christian.heimes set priority: normal -> low; versions: + Python 3.7, - Python 3.4
2015-11-19 22:47:36 zach.ware set nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft; messages: + msg254942; keywords: + buildbot; stage: needs patch
2015-11-19 22:43:00 db3l set messages: + msg254941
2015-11-19 21:54:38 db3l create