Issue35925
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-02-07 01:45 by pablogsal, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Pull Requests | |||
---|---|---|---|
URL | Status | Linked | Edit |
PR 13124 | merged | gregory.p.smith, 2019-05-06 18:27 | |
PR 13139 | merged | miss-islington, 2019-05-06 21:54 | |
PR 13252 | merged | gregory.p.smith, 2019-05-11 18:44 | |
PR 13253 | merged | gregory.p.smith, 2019-05-11 20:44 |
Messages (29) | |||
---|---|---|---|
msg334996 - (view) | Author: Pablo Galindo Salgado (pablogsal) * ![]() |
Date: 2019-02-07 01:45 | |
Example failures https://buildbot.python.org/all/#/builders/117 https://buildbot.python.org/all/#/builders/106 ====================================================================== ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_httplib.py", line 1629, in test_networked_good_cert h.request('GET', '/') File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1229, in request self._send_request(method, url, body, headers, encode_chunked) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1275, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1224, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1016, in _send_output self.send(msg) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 956, in send self.connect() File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1391, in connect self.sock = self._context.wrap_socket(self.sock, File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 405, in wrap_socket return self.sslsocket_class._create( File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 853, in _create self.do_handshake() File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1117, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055) ---------------------------------------------------------------------- Ran 105 tests in 2.477s Got an error: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1055) Got an error: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1055) Got an error: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1055) test_local_bad_hostname (test.test_httplib.HTTPSTest) ... server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [06/Feb/2019 06:22:07] code 404, message File not found server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [06/Feb/2019 06:22:07] "GET /nonexistent HTTP/1.1" 404 - server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [06/Feb/2019 06:22:07] code 404, message File not found server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [06/Feb/2019 06:22:07] "GET /nonexistent HTTP/1.1" 404 - stopping HTTPS server joining HTTPS thread ok test_local_good_hostname (test.test_httplib.HTTPSTest) ... server (('127.0.0.1', 38877):38877 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [06/Feb/2019 06:22:07] code 404, message File not found server (('127.0.0.1', 38877):38877 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [06/Feb/2019 06:22:07] "GET /nonexistent HTTP/1.1" 404 - stopping HTTPS server joining HTTPS thread ok Got an error: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1055) test_local_unknown_cert (test.test_httplib.HTTPSTest) ... stopping HTTPS server joining HTTPS thread ok Multiple SSL failures, also old commits that previously succeeded fail now. This seems something in the buildbot itself. Gregory, do you know if something SLL related was upgraded/modify in the gps-ubuntu-exynos5-armv7l worker? |
|||
msg335001 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-02-07 04:16 | |
FYI - the name of this bot is misleading. It is now Debian testing as of 18 hours ago instead of obsolete Ubuntu 14.04. I finally upgraded it. Opens version says 1.1.1a. -- blame half the typos on my phone. On Wed, Feb 6, 2019, 5:45 PM Pablo Galindo Salgado <report@bugs.python.org wrote: > > New submission from Pablo Galindo Salgado <pablogsal@gmail.com>: > > Example failures > > https://buildbot.python.org/all/#/builders/117 > https://buildbot.python.org/all/#/builders/106 > > ====================================================================== > ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest) > ---------------------------------------------------------------------- > Traceback (most recent call last): > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_httplib.py", > line 1629, in test_networked_good_cert > h.request('GET', '/') > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", > line 1229, in request > self._send_request(method, url, body, headers, encode_chunked) > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", > line 1275, in _send_request > self.endheaders(body, encode_chunked=encode_chunked) > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", > line 1224, in endheaders > self._send_output(message_body, encode_chunked=encode_chunked) > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", > line 1016, in _send_output > self.send(msg) > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", > line 956, in send > self.connect() > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", > line 1391, in connect > self.sock = self._context.wrap_socket(self.sock, > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", > line 405, in wrap_socket > return self.sslsocket_class._create( > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", > line 853, in _create > self.do_handshake() > File > "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", > line 1117, in do_handshake > self._sslobj.do_handshake() > ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate > verify failed: EE certificate key too weak (_ssl.c:1055) > ---------------------------------------------------------------------- > Ran 105 tests in 2.477s > > Got an error: > [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate > (_ssl.c:1055) > Got an error: > [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate > (_ssl.c:1055) > Got an error: > [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate > (_ssl.c:1055) > test_local_bad_hostname (test.test_httplib.HTTPSTest) ... server > (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): > [06/Feb/2019 06:22:07] code 404, message File not found > server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', > 256)): > [06/Feb/2019 06:22:07] "GET /nonexistent HTTP/1.1" 404 - > server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', > 256)): > [06/Feb/2019 06:22:07] code 404, message File not found > server (('127.0.0.1', 41921):41921 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', > 256)): > [06/Feb/2019 06:22:07] "GET /nonexistent HTTP/1.1" 404 - > stopping HTTPS server > joining HTTPS thread > ok > test_local_good_hostname (test.test_httplib.HTTPSTest) ... server > (('127.0.0.1', 38877):38877 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): > [06/Feb/2019 06:22:07] code 404, message File not found > server (('127.0.0.1', 38877):38877 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', > 256)): > [06/Feb/2019 06:22:07] "GET /nonexistent HTTP/1.1" 404 - > stopping HTTPS server > joining HTTPS thread > ok > Got an error: > [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1055) > test_local_unknown_cert (test.test_httplib.HTTPSTest) ... stopping HTTPS > server > joining HTTPS thread > ok > > Multiple SSL failures, also old commits that previously succeeded fail > now. This seems something in the buildbot itself. Gregory, do you know if > something SLL related was upgraded/modify in the gps-ubuntu-exynos5-armv7l > worker? > > ---------- > components: Tests > messages: 334996 > nosy: gregory.p.smith, pablogsal > priority: normal > severity: normal > status: open > title: test_httplib test_nntplib test_ssl fail on ARMv7 Ubuntu 3.7 and > ARMv7 Ubuntu 3.x buildbots > versions: Python 3.7, Python 3.8 > > _______________________________________ > Python tracker <report@bugs.python.org> > <https://bugs.python.org/issue35925> > _______________________________________ > |
|||
msg335047 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-02-07 23:30 | |
I had emailed Christian around the same time you filed this. """ The problem likely not related to your hardware. I guess it's caused by tightened crypto polices. OpenSSL 1.1.1 has disabled some weak crypto. Some platforms like Debian and RHEL require even larger key sizes or have disable some algorithms. Does the test also fail with the env var OPENSSL_CONF set to a non-existing path? """ - christian.heimes testing that theory... setting OPENSSL_CONF=/invalid-path does indeed "fix" (work around) the failures. Presumably by relaxing the default system constraints. I could have that env var set for this buildbot and eliminate the failure. But do we _want_ to do that? Anyone who compiles CPython and tries to run the test suite on a modern system with such an OpenSSL configuration is going to see similar failures and likely come to us first asking about them. It seems like we'd be better off adjusting our test suite to work around the constraints or disable them only for the duration of a test intentionally violating them? |
|||
msg335630 - (view) | Author: STINNER Victor (vstinner) * ![]() |
Date: 2019-02-15 18:00 | |
Does test_ssl pass on the master branch? |
|||
msg335639 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-02-15 19:10 | |
Not on this debian buster bot. look back a couple comments, there is a workaround. it seems to be an OpenSSL configuration issue / test expectations issue. I think we should ultimately get our test suite so that it passes in default OS distro OpenSSL configs. That could mean any of an altered environment for some tests, or skipping some tests in such an environment, or changing some tests to fit within modern OpenSSL desired ciphersuite/protocol setting constrains constraints - or a mix of all three. |
|||
msg335640 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-02-15 19:18 | |
release managers are free to defer this blocker. i'm just marking it as such for the purposes of making sure it is a conscious decision. The problem is more likely with our test suite vs the environment than it is with CPython itself. |
|||
msg335642 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-02-15 19:22 | |
FWIW I've just manually confirmed that running Python 2.7's test_ssl with OPENSSL_CONF=/invalid-path set passes on the debian buster buildbot host. |
|||
msg335709 - (view) | Author: Benjamin Peterson (benjamin.peterson) * ![]() |
Date: 2019-02-16 18:44 | |
I agree that we need to be more resistant to system configuration, but it doesn't seem worth holding 2.7 up for. |
|||
msg335949 - (view) | Author: Charalampos Stratakis (cstratak) * | Date: 2019-02-19 14:17 | |
Getting those failures on RHEL8 as well, which can be worked around by setting the env OPENSSL_CONF=/non-existing-file ====================================================================== ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests) Connecting to an SSLv23 server with various client options ---------------------------------------------------------------------- Traceback (most recent call last): File "/root/cpython/_install/lib/python2.7/test/test_ssl.py", line 2370, in test_protocol_sslv23 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1') File "/root/cpython/_install/lib/python2.7/test/test_ssl.py", line 2103, in try_protocol_combo chatty=False, connectionchatty=False) File "/root/cpython/_install/lib/python2.7/test/test_ssl.py", line 2031, in server_params_test s.connect((HOST, server.port)) File "/root/cpython/_install/lib/python2.7/ssl.py", line 864, in connect self._real_connect(addr, False) File "/root/cpython/_install/lib/python2.7/ssl.py", line 855, in _real_connect self.do_handshake() File "/root/cpython/_install/lib/python2.7/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727) ====================================================================== ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.1 server with various client options. ---------------------------------------------------------------------- Traceback (most recent call last): File "/root/cpython/_install/lib/python2.7/test/test_ssl.py", line 2444, in test_protocol_tlsv1_1 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') File "/root/cpython/_install/lib/python2.7/test/test_ssl.py", line 2103, in try_protocol_combo chatty=False, connectionchatty=False) File "/root/cpython/_install/lib/python2.7/test/test_ssl.py", line 2031, in server_params_test s.connect((HOST, server.port)) File "/root/cpython/_install/lib/python2.7/ssl.py", line 864, in connect self._real_connect(addr, False) File "/root/cpython/_install/lib/python2.7/ssl.py", line 855, in _real_connect self.do_handshake() File "/root/cpython/_install/lib/python2.7/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727) |
|||
msg335968 - (view) | Author: STINNER Victor (vstinner) * ![]() |
Date: 2019-02-19 16:28 | |
I wrote a fix for bpo-36037 "test_ssl fails on RHEL8 strict OpenSSL configuration" which should fix test_ssl on Debian as well, but my change doesn't apply to Python 2.7 nor 3.6 since these Python versions lack SSLContext.minimum_version attribute (introduced in Python 3.7). https://docs.python.org/dev/library/ssl.html#ssl.SSLContext.minimum_version For Python 2.7 and 3.6, "export OPENSSL_CONF=/non-existing-file" is a workaround. Benjamin: > I agree that we need to be more resistant to system configuration, but it doesn't seem worth holding 2.7 up for. My fix requires SSLContext.minimum_version, but I'm not sure that it's ok to backport the attribute to Python 2.7 since Python 3.6 doesn't have it. IMHO "export OPENSSL_CONF=/non-existing-file" workaround is acceptable. |
|||
msg336038 - (view) | Author: Benjamin Peterson (benjamin.peterson) * ![]() |
Date: 2019-02-20 05:06 | |
It's okay with me if you want to backport minimum_version (and I suppose maximum_version). |
|||
msg336056 - (view) | Author: Charalampos Stratakis (cstratak) * | Date: 2019-02-20 10:30 | |
SSLContext.minimum_version is added here on the master branch: https://github.com/python/cpython/commit/698dde16f60729d9e3f53c23a4ddb8e5ffe818bf But I'd be also reluctant to partially backport a new feature to fix the test suite. |
|||
msg336212 - (view) | Author: STINNER Victor (vstinner) * ![]() |
Date: 2019-02-21 12:09 | |
After my change: commit 3ef6344ee53f59ee86831ec36ed2c6f93a56229d Author: Victor Stinner <vstinner@redhat.com> Date: Tue Feb 19 18:06:03 2019 +0100 bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940) Two tests are still failing on the Debian buildbot worker: ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest) ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055) ERROR: setUpClass (test.test_nntplib.NetworkedNNTP_SSLTests) ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1055) We should use different servers or contact admins of these servers to update their TLS configuration and/or certificate. |
|||
msg336520 - (view) | Author: STINNER Victor (vstinner) * ![]() |
Date: 2019-02-25 14:06 | |
bpo-36104 has been marked as a duplicate of this issue. Copy of Lukasz's msg336511: The ARMv7 Ubuntu buildbot is consistently failing since build #2160: https://buildbot.python.org/all/#/builders/106/builds/2160 This looks like a testing environment issue to me rather than a code issue. But I'd like it fixed either way before we get to 3.8.0 beta1 since this is a stable builder. Greg, you can ask Inadasan about whether his dict/OrderedDict changes might have any effect on this failure: https://github.com/python/cpython/commit/c95404ff65dab1469dcd1dfec58ba54a8e7e7b3a That was the only relevant change I observed between the working and the broken build. The NNTP test failure looks like this: ====================================================================== ERROR: setUpClass (test.test_nntplib.NetworkedNNTP_SSLTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_nntplib.py", line 295, in setUpClass cls.server = cls.NNTP_CLASS(cls.NNTP_HOST, timeout=TIMEOUT, File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/nntplib.py", line 1077, in __init__ self.sock = _encrypt_on(self.sock, ssl_context, host) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/nntplib.py", line 292, in _encrypt_on return context.wrap_socket(sock, server_hostname=hostname) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 405, in wrap_socket return self.sslsocket_class._create( File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 853, in _create self.do_handshake() File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1117, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1055) The HTTP test failure looks like this: ====================================================================== ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_httplib.py", line 1629, in test_networked_good_cert h.request('GET', '/') File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1229, in request self._send_request(method, url, body, headers, encode_chunked) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1275, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1224, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1016, in _send_output self.send(msg) File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 956, in send self.connect() File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/http/client.py", line 1391, in connect self.sock = self._context.wrap_socket(self.sock, File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 405, in wrap_socket return self.sslsocket_class._create( File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 853, in _create self.do_handshake() File "/ssd/buildbot/buildarea/3.x.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1117, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055) |
|||
msg336521 - (view) | Author: STINNER Victor (vstinner) * ![]() |
Date: 2019-02-25 14:07 | |
Lukasz: this issue is that Debian Buster uses a strict OpenSSL policy. I guess that external public server used by tests are incompatible with this strict policy. |
|||
msg340086 - (view) | Author: Steve Dower (steve.dower) * ![]() |
Date: 2019-04-12 17:23 | |
This is still failing regularly - any progress? Do we need to skip tests? |
|||
msg340090 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-04-12 17:53 | |
While altering the environment to not use the system default openssl config is an option to make this green again today very easily. That'd "solve" the red bot problem and nothing else. :/ Doing that just kicks the can down the road as all of us Linux users are going to face this problem when we start using modern OS distros to build and test CPython. A skipped test is an ignored test. Ideally I'd like to see the tests updated to comply with modern higher security openssl config constraints. |
|||
msg341584 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-06 18:23 | |
PR coming |
|||
msg341650 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-06 21:54 | |
New changeset 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90 by Gregory P. Smith in branch 'master': bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124) https://github.com/python/cpython/commit/2cc0223f43a1ffd59c887a73e2b0ce5202f3be90 |
|||
msg341678 - (view) | Author: miss-islington (miss-islington) | Date: 2019-05-07 03:51 | |
New changeset ffa29b5aca1aaeae46af2582c401ef0ed20d4153 by Miss Islington (bot) in branch '3.7': bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124) https://github.com/python/cpython/commit/ffa29b5aca1aaeae46af2582c401ef0ed20d4153 |
|||
msg341679 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-07 03:56 | |
The merged PR basically skips the specific failing unit test cases of the ssl key strength check error is detected during these network tests. It should probably be backported into 3.6 and 2.7 to ease maintenance and trust of the buildbots on those. Only people running regrtest -u all or at least -u networking to enable the live network connectivity tests would run into this when building their own CPython. |
|||
msg341902 - (view) | Author: Julien Palard (mdk) * ![]() |
Date: 2019-05-08 16:27 | |
I'm still seeing the issue on https://github.com/python/cpython/pull/12255 (freshly rebased to master to have 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90. On this build: https://dev.azure.com/Python/cpython/_build/results?buildId=42065 ====================================================================== ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/vsts/work/1/s/Lib/test/test_httplib.py", line 1632, in test_networked_good_cert h.request('GET', '/') File "/home/vsts/work/1/s/Lib/http/client.py", line 1221, in request self._send_request(method, url, body, headers, encode_chunked) File "/home/vsts/work/1/s/Lib/http/client.py", line 1267, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/home/vsts/work/1/s/Lib/http/client.py", line 1216, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/home/vsts/work/1/s/Lib/http/client.py", line 1004, in _send_output self.send(msg) File "/home/vsts/work/1/s/Lib/http/client.py", line 944, in send self.connect() File "/home/vsts/work/1/s/Lib/http/client.py", line 1383, in connect self.sock = self._context.wrap_socket(self.sock, File "/home/vsts/work/1/s/Lib/ssl.py", line 405, in wrap_socket return self.sslsocket_class._create( File "/home/vsts/work/1/s/Lib/ssl.py", line 853, in _create self.do_handshake() File "/home/vsts/work/1/s/Lib/ssl.py", line 1117, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1055) which does not looks covered by 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90 which only checks for key too weak. |
|||
msg341903 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-08 16:29 | |
thats https://bugs.python.org/issue36816 (separate issue as our infrastructure is fixed to have a modern certificate). PR pending automerge post-CI. |
|||
msg341913 - (view) | Author: Julien Palard (mdk) * ![]() |
Date: 2019-05-08 17:12 | |
👍 |
|||
msg342172 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-11 07:10 | |
In our 3.6 tree the test_ssl failure is now: ====================================================================== ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests) Connecting to an SSLv23 server with various client options ---------------------------------------------------------------------- Traceback (most recent call last): File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_ssl.py", line 2633, in test_protocol_sslv23 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1') File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_ssl.py", line 2323, in try_protocol_combo chatty=False, connectionchatty=False) File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_ssl.py", line 2248, in server_params_test s.connect((HOST, server.port)) File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1109, in connect self._real_connect(addr, False) File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1100, in _real_connect self.do_handshake() File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1077, in do_handshake self._sslobj.do_handshake() File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:852) ====================================================================== ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.1 server with various client options. ---------------------------------------------------------------------- Traceback (most recent call last): File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_ssl.py", line 2707, in test_protocol_tlsv1_1 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_ssl.py", line 2323, in try_protocol_combo chatty=False, connectionchatty=False) File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/test/test_ssl.py", line 2248, in server_params_test s.connect((HOST, server.port)) File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1109, in connect self._real_connect(addr, False) File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1100, in _real_connect self.do_handshake() File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 1077, in do_handshake self._sslobj.do_handshake() File "/ssd/buildbot/buildarea/3.6.gps-ubuntu-exynos5-armv7l/build/Lib/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:852) |
|||
msg342173 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-11 07:11 | |
(same on 2.7) |
|||
msg342382 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-13 20:16 | |
New changeset 7346a16ed584fd1e85359154820d286370b68648 by Gregory P. Smith in branch '2.7': [2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13253) https://github.com/python/cpython/commit/7346a16ed584fd1e85359154820d286370b68648 |
|||
msg342384 - (view) | Author: Gregory P. Smith (gregory.p.smith) * ![]() |
Date: 2019-05-13 20:30 | |
3.6 (and 3.5 if larry wants) are the only remaining trees to apply this to, assigning to the 3.6 RM. |
|||
msg343855 - (view) | Author: Ned Deily (ned.deily) * ![]() |
Date: 2019-05-29 02:08 | |
New changeset 8ab624b17ba656e9af5a79be6af0cf2911a111ba by Ned Deily (Gregory P. Smith) in branch '3.6': [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13252) https://github.com/python/cpython/commit/8ab624b17ba656e9af5a79be6af0cf2911a111ba |
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:59:11 | admin | set | github: 80106 |
2019-05-29 02:12:18 | ned.deily | set | status: open -> closed assignee: ned.deily -> stage: patch review -> resolved resolution: fixed versions: + Python 2.7, Python 3.7, Python 3.8 |
2019-05-29 02:08:31 | ned.deily | set | messages: + msg343855 |
2019-05-13 20:30:37 | gregory.p.smith | set | assignee: gregory.p.smith -> ned.deily messages: + msg342384 versions: - Python 2.7 |
2019-05-13 20:16:46 | gregory.p.smith | set | messages: + msg342382 |
2019-05-11 20:44:38 | gregory.p.smith | set | pull_requests: + pull_request13165 |
2019-05-11 18:44:00 | gregory.p.smith | set | stage: backport needed -> patch review pull_requests: + pull_request13163 |
2019-05-11 07:11:46 | gregory.p.smith | set | messages: + msg342173 |
2019-05-11 07:10:00 | gregory.p.smith | set | messages: + msg342172 |
2019-05-08 17:12:39 | mdk | set | messages: + msg341913 |
2019-05-08 16:29:46 | gregory.p.smith | set | messages: + msg341903 |
2019-05-08 16:27:00 | mdk | set | nosy:
+ mdk messages: + msg341902 |
2019-05-08 11:55:05 | yan12125 | set | nosy:
- yan12125 |
2019-05-08 03:46:19 | yan12125 | set | nosy:
+ yan12125 |
2019-05-07 03:56:09 | gregory.p.smith | set | stage: patch review -> backport needed messages: + msg341679 versions: + Python 3.6, - Python 3.7, Python 3.8 |
2019-05-07 03:51:31 | miss-islington | set | nosy:
+ miss-islington messages: + msg341678 |
2019-05-06 21:54:28 | gregory.p.smith | set | messages: + msg341650 |
2019-05-06 21:54:18 | miss-islington | set | pull_requests: + pull_request13052 |
2019-05-06 18:27:45 | gregory.p.smith | set | keywords:
+ patch stage: needs patch -> patch review pull_requests: + pull_request13036 |
2019-05-06 18:23:01 | gregory.p.smith | set | assignee: gregory.p.smith messages: + msg341584 |
2019-04-12 17:53:46 | gregory.p.smith | set | messages: + msg340090 |
2019-04-12 17:23:05 | steve.dower | set | nosy:
+ steve.dower messages: + msg340086 |
2019-02-25 14:07:12 | vstinner | set | nosy:
+ lukasz.langa messages: + msg336521 |
2019-02-25 14:06:18 | vstinner | set | messages: + msg336520 |
2019-02-25 14:05:33 | vstinner | link | issue36104 superseder |
2019-02-21 12:09:22 | vstinner | set | messages: + msg336212 |
2019-02-20 10:30:08 | cstratak | set | messages: + msg336056 |
2019-02-20 05:06:06 | benjamin.peterson | set | messages: + msg336038 |
2019-02-19 16:28:24 | vstinner | set | messages: + msg335968 |
2019-02-19 14:17:24 | cstratak | set | nosy:
+ cstratak messages: + msg335949 |
2019-02-16 18:44:11 | benjamin.peterson | set | priority: release blocker -> high messages: + msg335709 |
2019-02-15 19:22:35 | gregory.p.smith | set | messages: + msg335642 |
2019-02-15 19:18:54 | gregory.p.smith | set | messages: + msg335640 |
2019-02-15 19:17:44 | gregory.p.smith | set | title: test_httplib test_nntplib test_ssl fail on ARMv7 Debian buster buildbot -> test_httplib test_nntplib test_ssl fail on ARMv7 Debian buster bot (OpenSSL 1.1.1a) |
2019-02-15 19:17:27 | gregory.p.smith | set | priority: normal -> release blocker nosy: + ned.deily, benjamin.peterson type: behavior stage: needs patch |
2019-02-15 19:10:41 | gregory.p.smith | set | messages:
+ msg335639 versions: + Python 2.7 |
2019-02-15 18:00:30 | vstinner | set | nosy:
+ vstinner messages: + msg335630 |
2019-02-15 17:45:20 | gregory.p.smith | link | issue36005 superseder |
2019-02-07 23:32:56 | gregory.p.smith | set | title: test_httplib test_nntplib test_ssl fail on ARMv7 buster/sid buildbots -> test_httplib test_nntplib test_ssl fail on ARMv7 Debian buster buildbot |
2019-02-07 23:30:29 | gregory.p.smith | set | messages:
+ msg335047 title: test_httplib test_nntplib test_ssl fail on ARMv7 Ubuntu 3.7 and ARMv7 Ubuntu 3.x buildbots -> test_httplib test_nntplib test_ssl fail on ARMv7 buster/sid buildbots |
2019-02-07 04:19:04 | gregory.p.smith | set | nosy:
+ christian.heimes |
2019-02-07 04:16:50 | gregory.p.smith | set | messages: + msg335001 |
2019-02-07 01:45:26 | pablogsal | create |