Title: test_ssl fails on RHEL8 strict OpenSSL configuration
Type: (none)
Stage: resolved
Components: SSL, Tests
Versions: Python 3.8, Python 3.7
Status: closed
Resolution: fixed
Dependencies: (none)
Superseder: (none)
Assigned To: christian.heimes
Nosy List: christian.heimes, cstratak, gregory.p.smith, miss-islington, vstinner
Priority: normal
Keywords: patch

Created on 2019-02-19 14:19 by vstinner, last changed 2019-02-19 17:29 by vstinner. This issue is now closed.

Pull Requests
PR 11940 (merged) - vstinner, 2019-02-19 14:23
PR 11942 (merged) - miss-islington, 2019-02-19 17:06
Messages (7)
msg335950 - Author: STINNER Victor (vstinner) (Python committer) Date: 2019-02-19 14:19
RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

The attached PR fixes test_ssl for RHEL8. The PR is not specific to RHEL8. It should also fix test_ssl on Debian: see bpo-35925 and bpo-36005.

test_ssl failures on RHEL8:

======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3079, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3150, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

======================================================================
FAIL: test_min_max_version (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 1093, in test_min_max_version
    self.assertIn(
AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.TLSv1: 769>, <TLSVersion.MINIMUM_SUPPORTED: -2>}

----------------------------------------------------------------------

Ran 150 tests in 3.318s

FAILED (failures=1, errors=2, skipped=9)
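The failures above come from the test suite trying handshakes at TLS 1.0 and TLS 1.1 while the system OpenSSL configuration has already pinned the context's minimum version to TLS 1.2. As an added example (not part of this issue, the PR or the CPython test suite), the helpers below read the effective minimum/maximum version window of an SSLContext and turn it into a skip reason, so a test can decline a protocol the loaded policy forbids instead of failing with TLSV1_ALERT_PROTOCOL_VERSION. The function names (make_context, effective_bounds, policy_allows, skip_reason, system_policy_bounds) are this example's own, not CPython API.

```python
import ssl
from ssl import TLSVersion

# Wire-order list of concrete protocol versions. The MINIMUM_SUPPORTED (-2) and
# MAXIMUM_SUPPORTED (-1) sentinels do not sort numerically with the real
# versions, so they are resolved to the two ends of this list instead.
_ORDERED = (TLSVersion.SSLv3, TLSVersion.TLSv1, TLSVersion.TLSv1_1,
            TLSVersion.TLSv1_2, TLSVersion.TLSv1_3)


def _rank(version):
    """Position of a TLSVersion in wire order, sentinels mapped to the ends."""
    if version == TLSVersion.MINIMUM_SUPPORTED:
        return 0
    if version == TLSVersion.MAXIMUM_SUPPORTED:
        return len(_ORDERED) - 1
    return _ORDERED.index(version)


def make_context(minimum=None, maximum=None):
    """Hypothetical helper: a client context with optional explicit version bounds.

    Without arguments the bounds are whatever the loaded OpenSSL configuration
    (for example a system-wide crypto policy) imposes on a fresh context.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if minimum is not None:
        ctx.minimum_version = minimum
    if maximum is not None:
        ctx.maximum_version = maximum
    return ctx


def effective_bounds(ctx):
    """(min, max) of a context as concrete TLSVersion members, sentinels resolved."""
    return (_ORDERED[_rank(ctx.minimum_version)],
            _ORDERED[_rank(ctx.maximum_version)])


def policy_allows(ctx, version):
    """True if a handshake at `version` falls inside the context's [min, max] window."""
    lo, hi = effective_bounds(ctx)
    return _rank(lo) <= _rank(version) <= _rank(hi)


def skip_reason(ctx, version):
    """None when `version` is permitted, otherwise a message suitable for skipTest()."""
    if policy_allows(ctx, version):
        return None
    lo, hi = effective_bounds(ctx)
    return f"{version.name} is outside the policy window {lo.name}..{hi.name}"


def system_policy_bounds():
    """Bounds of a freshly created context, i.e. what the loaded OpenSSL
    configuration allows by default on this machine."""
    return effective_bounds(make_context())


if __name__ == "__main__":
    lo, hi = system_policy_bounds()
    print(f"system policy allows {lo.name} .. {hi.name}")
    for candidate in (TLSVersion.TLSv1, TLSVersion.TLSv1_1, TLSVersion.TLSv1_2):
        print(candidate.name, skip_reason(make_context(), candidate) or "ok")
```

Because system_policy_bounds() creates a fresh context, its result reflects whichever configuration OpenSSL loaded at import time: running the same script with OPENSSL_CONF pointing at a non-existent file (the workaround mentioned later in this issue) reports the library's built-in bounds rather than the distribution's policy. The reported window is only the version constraint; cipher and key-size restrictions from the same policy can still reject a handshake that passes this check.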
msg335951 - Author: STINNER Victor (vstinner) (Python committer) Date: 2019-02-19 14:32
On Python 2.7.16rc, similar tests are failing on RHEL8:

ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)

... But right now, Python 2.7 doesn't give access to minimum_version/maximum_version :-( Not even to read these versions. So I'm not sure how to skip or fix these tests, without backporting code for these attributes.
msg335955 - Author: STINNER Victor (vstinner) (Python committer) Date: 2019-02-19 14:58
> RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

Ah, I forgot to mention that a workaround is to use the OPENSSL_CONF=/ environment variable to ignore the RHEL crypto policy (don't load the system OpenSSL configuration).
msg335964 - Author: STINNER Victor (vstinner) (Python committer) Date: 2019-02-19 16:16
Python 2.7 and 3.6 have no SSLContext.minimum_version attribute (even with OpenSSL 1.1.1). I think that we will work around this issue in the Fedora and RHEL8 spec file (recipe to build RPM packages) using "export OPENSSL_CONF=/non-existing-file".
msg335980 - Author: STINNER Victor (vstinner) (Python committer) Date: 2019-02-19 17:06
New changeset 3ef6344ee53f59ee86831ec36ed2c6f93a56229d by Victor Stinner in branch 'master':
bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
https://github.com/python/cpython/commit/3ef6344ee53f59ee86831ec36ed2c6f93a56229d
msg335986 - Author: miss-islington (miss-islington) Date: 2019-02-19 17:24
New changeset e8bf04de4ba045029aa8964126d8cdd2d7c282a6 by Miss Islington (bot) in branch '3.7':
bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
https://github.com/python/cpython/commit/e8bf04de4ba045029aa8964126d8cdd2d7c282a6
msg335988 - Author: STINNER Victor (vstinner) (Python committer) Date: 2019-02-19 17:29
Ok, Python 3.7 and 3.8 (master) have been fixed.

See bpo-35925 (and bpo-36005) for discussions on Python 2.7 and 3.6.
History
Date | User | Action | Args
2019-02-19 17:29:16 | vstinner | set | status: open -> closed; versions: + Python 3.7; messages: + msg335988; resolution: fixed; stage: patch review -> resolved
2019-02-19 17:24:20 | miss-islington | set | nosy: + miss-islington; messages: + msg335986
2019-02-19 17:06:40 | miss-islington | set | pull_requests: + pull_request11966
2019-02-19 17:06:13 | vstinner | set | messages: + msg335980
2019-02-19 16:16:32 | vstinner | set | messages: + msg335964
2019-02-19 14:58:49 | vstinner | set | messages: + msg335955
2019-02-19 14:33:18 | vstinner | set | nosy: + gregory.p.smith, cstratak
2019-02-19 14:32:04 | vstinner | set | messages: + msg335951
2019-02-19 14:23:17 | vstinner | set | keywords: + patch; stage: patch review; pull_requests: + pull_request11964
2019-02-19 14:19:42 | vstinner | create |