Classification
Title: self-signed.pythontest.net TLS certificate key is too weak
Type: behavior
Stage: patch review
Components: SSL, Tests
Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7

Process
Status: open
Resolution: remind
Dependencies:
Superseder:
Assigned To: gregory.p.smith
Nosy List: EWDurbin, Michael.Felt, gregory.p.smith, miss-islington, ned.deily, yan12125
Priority: normal
Keywords: patch

Created on 2019-05-06 18:05 by gregory.p.smith, last changed 2019-05-21 12:12 by yan12125.

Pull Requests
URL       Status  Author, date
PR 13124  merged  gregory.p.smith, 2019-05-06 18:31
PR 13192  merged  gregory.p.smith, 2019-05-08 15:45
PR 13197  merged  gregory.p.smith, 2019-05-08 16:51
PR 13198  merged  gregory.p.smith, 2019-05-08 17:20
PR 13199  merged  gregory.p.smith, 2019-05-08 17:27
PR 13200  open    gregory.p.smith, 2019-05-08 17:29
Messages (13)
msg341579 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2019-05-06 18:05
test_httplib uses self-signed.pythontest.net in its test_networked_good_cert test.

On modern Linux distros (current Debian testing sid), the certificate it currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I _believe_ this can be done by someone with infrastructure access via an update to https://github.com/python/pythontestdotnet/tree/master/tls

Assigning to EWDurbin for triage and redirection to someone else infrastructury if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" buildbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again)
msg341590 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2019-05-06 18:36
EWDurbin says I can just open a PR with new certs in the repo and it'll go from there. :)
msg341843 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2019-05-08 01:27
Updated cert+key committed to pythontestdotnet.  Reassigning to EWDurbin to see that they're deployed.

https://github.com/python/pythontestdotnet/commit/2d121419796dad6d4285bf5aefd464aff0f47a91
msg341865 - Author: Ernest W. Durbin III (EWDurbin) (Python triager) Date: 2019-05-08 11:18
Cert updated, reassigning back to gregory.p.smith to verify and close this out.
msg341866 - Author: Chih-Hsuan Yen (yan12125) Date: 2019-05-08 11:53
Lib/test/selfsigned_pythontestdotnet.pem in the cpython repository needs to be updated to match https://github.com/python/pythontestdotnet/blob/master/tls/self-signed-cert.pem, or the test fails :)

======================================================================
ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/yen/tmp/cpython/Lib/test/test_httplib.py", line 1632, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/yen/tmp/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/yen/tmp/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/yen/tmp/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1055)
msg341908 - Author: miss-islington (miss-islington) Date: 2019-05-08 16:35
New changeset 6bd81734de0b73f1431880d6a75fb71bcbc65fa1 by Miss Islington (bot) (Gregory P. Smith) in branch 'master':
bpo-36816: Update the self-signed.pythontest.net cert (GH-13192)
https://github.com/python/cpython/commit/6bd81734de0b73f1431880d6a75fb71bcbc65fa1
msg341931 - Author: Ned Deily (ned.deily) (Python committer) Date: 2019-05-08 19:21
New changeset 2b9d7abdbd4b41e2c624858f5bc80da59d8a681d by Ned Deily (Gregory P. Smith) in branch '3.6':
[3.6] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (GH-13198)
https://github.com/python/cpython/commit/2b9d7abdbd4b41e2c624858f5bc80da59d8a681d
msg341946 - Author: miss-islington (miss-islington) Date: 2019-05-08 21:13
New changeset 6daaf3f7de78eec2c80eaa8e94e4cca54f758a30 by Miss Islington (bot) (Gregory P. Smith) in branch '3.7':
[3.7] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (GH-13197)
https://github.com/python/cpython/commit/6daaf3f7de78eec2c80eaa8e94e4cca54f758a30
msg341950 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2019-05-09 00:53
New changeset 7b5dca8345f4a909367836a3a2c3c7ac6e4e2c0c by Gregory P. Smith in branch '2.7':
[2.7] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (GH-13199)
https://github.com/python/cpython/commit/7b5dca8345f4a909367836a3a2c3c7ac6e4e2c0c
msg342988 - Author: Michael Felt (Michael.Felt) Date: 2019-05-21 09:09
I am not an OpenSSL expert - and I am conscious of OpenSSL changes with regard to 'acceptance' of anything self-signed.

And, what it looks like you are trying to do with an updated 'signing' .pem is to remove the 'self-signed' characteristic.

On AIX - atm - I get, as did Chih-Hsuan Yen (yan12125),

======================================================================
ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/buildbot/python-master/Lib/test/test_httplib.py", line 1632, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/buildbot/python-master/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/buildbot/python-master/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/buildbot/python-master/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/buildbot/python-master/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/buildbot/python-master/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/buildbot/python-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1055)

And I see why now:
test_networked_good_cert (test.test_httplib.HTTPSTest) ... skipped "Use of the 'network' resource not enabled"

Digging a bit:

buildbot@x064:[/home/buildbot/python-master]openssl s_client -connect self-signed.pythontest.net:443
CONNECTED(00000003)
depth=0 C = XY, ST = Castle Anthrax, L = Argument Clinic, O = Python Software Foundation, CN = self-signed.pythontest.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XY, ST = Castle Anthrax, L = Argument Clinic, O = Python Software Foundation, CN = self-signed.pythontest.net
verify return:1
---
Certificate chain
 0 s:/C=XY/ST=Castle Anthrax/L=Argument Clinic/O=Python Software Foundation/CN=self-signed.pythontest.net
   i:/C=XY/ST=Castle Anthrax/L=Argument Clinic/O=Python Software Foundation/CN=self-signed.pythontest.net

And while this:
How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" buildbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again)

is nice for some, it is not nice for all!

Perhaps the test should be switched to 'warn' on failure, rather than error on failure, until fixed!
msg342997 - Author: Michael Felt (Michael.Felt) Date: 2019-05-21 10:08
p.s. On CentOS I could not even get a python3 (at least not easily).

On Debian (on POWER) I get the same error (message) as on AIX - although the line number did change.

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)

so, not a message about "key too small error" - pure, this is self-signed, so error.
msg343020 - Author: Michael Felt (Michael.Felt) Date: 2019-05-21 12:00
On 21/05/2019 12:08, Michael Felt wrote:
> Michael Felt <aixtools@felt.demon.nl> added the comment:
>
> p.s. On Centos I could not even get a python3 (at least not easily).
>
> On debian (on POWER) I get the same error (message) as on AIX - although the line number did change.
>
> ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)
>
> so, not a message about "key too small error" - pure, this is self-signed, so error.
>
> ----------
p.s. blush: seems I was testing against the wrong fork - seems to be cleared in 'master'. My apologies for the noise.
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue36816>
> _______________________________________
>
msg343027 - Author: Chih-Hsuan Yen (yan12125) Date: 2019-05-21 12:12
Hi Michael Felt,

> And, what it looks like you are trying to do with an updated 'signing' .pem is to remove the 'self-signed' characteristic.

If I understand it correctly, the new certificate is indeed still self-signed. It's updated to match the certificate deployed at https://self-signed.pythontest.net/. Under the hood, load_verify_locations() at line 1628 is used to make the test accept any valid certificate signed with the given certificate.

As a record, with CPython e7cb23bf2079087068a08502f96fdf20b317d69c and OpenSSL 1.1.1b on Arch Linux x86_64, the test is green:

test_networked_good_cert (test.test_httplib.HTTPSTest) ... ok

By the way, I believe the "key too weak" workaround can be removed now and then this issue can be closed.
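The two verification failures discussed in this thread are checkable offline before a certificate is deployed: the "EE certificate key too weak" rejection in msg341579 comes from the end-entity RSA key being shorter than the OpenSSL security level allows, and the "self signed certificate" failure explained in msg343027 comes from the pinned Lib/test/selfsigned_pythontestdotnet.pem not being the certificate the server actually presents, so load_verify_locations() installs a trust anchor that matches nothing. The script below is an added example and is not CPython's or pythontestdotnet's code. It assumes a 2048-bit RSA minimum (OpenSSL security level 2, which Debian ships as its default) and uses a minimal DER reader so that it needs only the standard library; the sample certificates it checks are constructed, unsigned skeletons built by the hypothetical make_cert_der() helper, not the real pythontest.net certificates.

```python
"""Pre-deployment checks for a pinned self-signed TLS certificate.

Added example, not CPython or pythontestdotnet code.  The sample
certificates are constructed skeletons; the 2048-bit threshold is an
assumption taken from OpenSSL security level 2.
"""
import base64
import hashlib
import re

MIN_RSA_BITS = 2048  # assumption: OpenSSL security level 2 (Debian default)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()))


def der_to_pem(der):
    """Inverse of pem_to_der, wrapped at 64 columns as openssl writes it."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's payload into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(der):
    """Size in bits of the RSA modulus in the certificate's SubjectPublicKeyInfo."""
    _, cert, _ = der_read(der)                        # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, subject_public_key = der_children(fields[5][1])
    if der_children(algorithm[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA public key")
    _, rsa_public_key, _ = der_read(subject_public_key[1][1:])  # skip unused-bits octet
    modulus_bytes = der_children(rsa_public_key)[0][1]
    return int.from_bytes(modulus_bytes, "big").bit_length()


def fingerprint(der):
    """SHA-256 fingerprint; the pinned PEM and the served cert must agree on it."""
    return hashlib.sha256(der).hexdigest()


def check_certificate(der, pinned_der=None):
    """Return the problems found (an empty list means verification would pass)."""
    problems = []
    bits = rsa_modulus_bits(der)
    if bits < MIN_RSA_BITS:
        problems.append(f"EE certificate key too weak ({bits} < {MIN_RSA_BITS} bits)")
    if pinned_der is not None and fingerprint(pinned_der) != fingerprint(der):
        problems.append("served certificate does not match the pinned PEM")
    return problems


# --- constructed sample data (a DER writer is only needed to build it) ---

def der_tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(n):
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays clear


def make_cert_der(modulus_bits):
    """Unsigned certificate skeleton with an RSA key of the given size (hypothetical
    helper).  Issuer, validity and subject are empty placeholders: enough to exercise
    the checker, not a certificate any TLS stack would accept."""
    modulus = (1 << (modulus_bits - 1)) | 1                 # odd, exactly modulus_bits wide
    rsa_public_key = der_tlv(0x30, der_int(modulus) + der_int(65537))
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))
    empty = der_tlv(0x30, b"")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + algorithm
                  + empty + empty + empty + spki)
    return der_tlv(0x30, tbs + algorithm + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    weak, strong = make_cert_der(1024), make_cert_der(2048)
    print("1024-bit cert:", check_certificate(weak))
    print("2048-bit cert:", check_certificate(strong))
    print("pin mismatch:", check_certificate(strong, pinned_der=pem_to_der(der_to_pem(weak))))
```

Against real files, check_certificate(pem_to_der(served), pinned_der=pem_to_der(open("Lib/test/selfsigned_pythontestdotnet.pem", "rb").read())) is the check a pre-merge CI step would run, with the served DER taken from ssl.SSLSocket.getpeercert(binary_form=True); it reports the weak-key case from the first message and the pin mismatch from the later ones separately, which is why the test's skip-on-weak-key workaround should not be widened into a skip on every CERTIFICATE_VERIFY_FAILED. The reader handles RSA keys only and raises ValueError for anything else, so an ECDSA certificate would need the threshold logic extended rather than silently passing.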
History
Date                 User             Action  Args
2019-05-21 12:12:20  yan12125         set     messages: + msg343027
2019-05-21 12:00:14  Michael.Felt     set     messages: + msg343020
2019-05-21 10:08:30  Michael.Felt     set     messages: + msg342997
2019-05-21 09:09:52  Michael.Felt     set     nosy: + Michael.Felt; messages: + msg342988
2019-05-09 00:53:25  gregory.p.smith  set     messages: + msg341950
2019-05-08 21:13:13  miss-islington   set     messages: + msg341946
2019-05-08 19:21:04  ned.deily        set     nosy: + ned.deily; messages: + msg341931
2019-05-08 17:29:49  gregory.p.smith  set     pull_requests: + pull_request13111
2019-05-08 17:27:59  gregory.p.smith  set     pull_requests: + pull_request13110
2019-05-08 17:20:30  gregory.p.smith  set     pull_requests: + pull_request13109
2019-05-08 16:51:36  gregory.p.smith  set     pull_requests: + pull_request13108
2019-05-08 16:35:13  miss-islington   set     nosy: + miss-islington; messages: + msg341908
2019-05-08 15:45:48  gregory.p.smith  set     stage: commit review -> patch review; pull_requests: + pull_request13104
2019-05-08 11:53:47  yan12125         set     messages: + msg341866
2019-05-08 11:18:49  EWDurbin         set     assignee: EWDurbin -> gregory.p.smith; messages: + msg341865
2019-05-08 03:46:04  yan12125         set     nosy: + yan12125
2019-05-08 01:27:02  gregory.p.smith  set     assignee: gregory.p.smith -> EWDurbin; resolution: remind; messages: + msg341843; stage: patch review -> commit review
2019-05-06 18:36:31  gregory.p.smith  set     assignee: EWDurbin -> gregory.p.smith; messages: + msg341590
2019-05-06 18:31:29  gregory.p.smith  set     keywords: + patch; stage: needs patch -> patch review; pull_requests: + pull_request13037
2019-05-06 18:05:40  gregory.p.smith  create