classification
Title: [2.7] test_ssl failures on ARMv7 Ubuntu 2.7 with OpenSSL 1.1.1a
Type: security Stage: resolved
Components: Tests Versions: Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: test_httplib test_nntplib test_ssl fail on ARMv7 Debian buster bot (OpenSSL 1.1.1a)
View: 35925
Assigned To: Nosy List: cstratak, gregory.p.smith, vstinner
Priority: normal Keywords:

Created on 2019-02-15 16:29 by vstinner, last changed 2019-02-15 17:48 by gregory.p.smith. This issue is now closed.

Messages (4)
msg335619 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 16:29
Extract of pythoninfo:

ssl.HAS_SNI: True
ssl.OPENSSL_VERSION: OpenSSL 1.1.1a  20 Nov 2018
ssl.OPENSSL_VERSION_INFO: (1, 1, 1, 1, 15)
ssl.OP_ALL: -0x7fffffac
ssl.OP_NO_TLSv1_1: 0x10000000

https://buildbot.python.org/all/#/builders/92/builds/325

Many tests with TLS errors. A few examples:

ERROR: test_connect (test.test_ssl.NetworkedTests)
...
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
...
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
...
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

ERROR: test_context_argument (test.test_urllibnet.urlopen_HttpsTests)
...
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

--

There are other failures which may be unrelated:

ERROR: test_fileno (test.test_urllib2net.OtherNetworkTests)
...
HTTPError: HTTP Error 404: Not Found



This buildbot build contains 5 changes:

    [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760) (GH-10607)(3 hours ago)
    bpo-35746: Credit Colin Read and Nicolas Edet (GH-11866)(5 hours ago)
    Doc sidebar: 3.6 has moved to security-fix mode. (GH-11810)(5 days ago)
    [2.7] Fix url to core-mentorship mailing list (GH-11775). (GH-11778)(9 days ago)
    bpo-25592: Improve documentation of distutils data_files (GH-9767) (GH-11734)(13 days ago)

I bet that it's a regression caused by:

https://github.com/python/cpython/commit/c49f63c1761ce03df7850b9e0b31a18c432dac64
msg335621 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 16:42
It seems like this worker was offline for 1 month: build 324 was 1 month ago, whereas build 325 was 3 hours ago.
msg335627 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2019-02-15 17:47
The buildbot was only offline for a few days while I upgraded the OS.  do not look at the _delta_ between builds in the buildbot to determine a failure across that change as it went from ubuntu 14.04 to debian buster.

2.7 doesn't change often.
msg335628 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2019-02-15 17:48
i duped this to the existing issue that was filed after the OS upgrade under the assumption it is the same thing.
History
Date User Action Args
2019-02-15 17:48:55gregory.p.smithsetmessages: + msg335628
2019-02-15 17:47:02gregory.p.smithsetmessages: + msg335627
2019-02-15 17:45:37gregory.p.smithsetstatus: open -> closed
resolution: duplicate
stage: resolved
2019-02-15 17:45:20gregory.p.smithsetsuperseder: test_httplib test_nntplib test_ssl fail on ARMv7 Debian buster bot (OpenSSL 1.1.1a)
2019-02-15 16:42:41vstinnersetnosy: + gregory.p.smith, cstratak
2019-02-15 16:42:21vstinnersetmessages: + msg335621
2019-02-15 16:29:43vstinnercreate