test_ssl handshake failure #65445

Closed
ddventoucaredu mannequin opened this issue Apr 15, 2014 · 6 comments

ddventoucaredu mannequin commented Apr 15, 2014

BPO 21246
Nosy @pitrou, @benjaminp
Superseder
  • bpo-20896: test_ssl.test_get_server_certificate() should use PROTOCOL_SSLv23, not PROTOCOL_SSLv3
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2014-04-16.16:50:21.171>
    created_at = <Date 2014-04-15.20:22:28.889>
    labels = []
    title = 'test_ssl handshake failure'
    updated_at = <Date 2014-04-16.18:07:32.798>
    user = 'https://bugs.python.org/ddventoucaredu'

    bugs.python.org fields:

    activity = <Date 2014-04-16.18:07:32.798>
    actor = 'ddvento@ucar.edu'
    assignee = 'none'
    closed = True
    closed_date = <Date 2014-04-16.16:50:21.171>
    closer = 'pitrou'
    components = []
    creation = <Date 2014-04-15.20:22:28.889>
    creator = 'ddvento@ucar.edu'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 21246
    keywords = []
    message_count = 6.0
    messages = ['216380', '216423', '216475', '216477', '216498', '216535']
    nosy_count = 3.0
    nosy_names = ['pitrou', 'benjamin.peterson', 'ddvento@ucar.edu']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = None
    status = 'closed'
    superseder = '20896'
    type = None
    url = 'https://bugs.python.org/issue21246'
    versions = ['Python 2.7']


    ddventoucaredu mannequin commented Apr 15, 2014

    Not sure if this is related to issue bpo-13626, which is the only thing that Google knows about these handshake failures. In case it matters:

    $ openssl version
    OpenSSL 1.0.1f 6 Jan 2014

    == CPython 2.7.6 (default, Apr 14 2014, 15:12:21) [GCC 4.8.2]
    == Linux-2.6.32-358.el6.x86_64-x86_64-with-redhat-6.4-Santiago little-endian
    == /glade/scratch/ddvento/build/Python-2.7.6/build/test_python_18521
    Testing with flags: sys.flags(debug=0, py3k_warning=0, division_warning=0, division_new=0, inspect=0, interactive=0, optimize=0, dont_write_bytecode=0, no_user_site=0, no_site=0, ignore_environment=0, tabcheck=0, verbose=0, unicode=0, bytes_warning=0, hash_randomization=0)
    test_ssl
    test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
    test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
    test_ciphers (test.test_ssl.BasicSocketTests) ... ok
    test_constants (test.test_ssl.BasicSocketTests) ... ok
    test_openssl_version (test.test_ssl.BasicSocketTests) ... ok
    test_parse_cert (test.test_ssl.BasicSocketTests) ...
    {'notAfter': 'Oct 5 23:01:56 2020 GMT',
    'subject': ((('countryName', u'XY'),),
    (('localityName', u'Castle Anthrax'),),
    (('organizationName', u'Python Software Foundation'),),
    (('commonName', u'localhost'),)),
    'subjectAltName': (('DNS', 'localhost'),)}

    {'issuer': ((('countryName', u'US'),),
                (('organizationName', u'VeriSign, Inc.'),),
                (('organizationalUnitName', u'VeriSign Trust Network'),),
                (('organizationalUnitName',
                  u'Terms of use at https://www.verisign.com/rpa (c)10'),),
                (('commonName',
                  u'VeriSign Class 3 International Server CA - G3'),)),
     'notAfter': 'Sep 20 23:59:59 2012 GMT',
     'notBefore': 'Sep 21 00:00:00 2011 GMT',
     'serialNumber': '2EE6EA7640A075CEE5005F4D7C79549A',
     'subject': ((('countryName', u'FI'),),
                 (('stateOrProvinceName', u'Espoo'),),
                 (('localityName', u'Espoo'),),
                 (('organizationName', u'Nokia'),),
                 (('organizationalUnitName', u'BI'),),
                 (('commonName', u'projects.developer.nokia.com'),)),
     'subjectAltName': (('DNS', 'projects.developer.nokia.com'),
                        ('DNS', 'projects.forum.nokia.com')),
     'version': 3}
    ok
    test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests) ... 
    {'issuer': ((('countryName', u'US'),),
                (('stateOrProvinceName', u'Oregon'),),
                (('localityName', u'Beaverton'),),
                (('organizationName', u'Python Software Foundation'),),
                (('organizationalUnitName', u'Python Core Development'),),
                (('commonName', u'null.python.org\x00example.org'),),
                (('emailAddress', u'python-dev@python.org'),)),
     'notAfter': 'Aug  7 13:12:52 2013 GMT',
     'notBefore': 'Aug  7 13:11:52 2013 GMT',
     'serialNumber': '00',
     'subject': ((('countryName', u'US'),),
                 (('stateOrProvinceName', u'Oregon'),),
                 (('localityName', u'Beaverton'),),
                 (('organizationName', u'Python Software Foundation'),),
                 (('organizationalUnitName', u'Python Core Development'),),
                 (('commonName', u'null.python.org\x00example.org'),),
                 (('emailAddress', u'python-dev@python.org'),)),
     'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'),
                        ('email', 'null@python.org\x00user@example.org'),
                        ('URI', 'http://null.python.org\x00http://example.org'),
                        ('IP Address', '192.0.2.1'),
                        ('IP Address', '2001:DB8:0:0:0:0:0:1\n')),
     'version': 3}
    ok
    test_random (test.test_ssl.BasicSocketTests) ... 
     RAND_status is 1 (sufficient randomness)
    ok
    test_refcycle (test.test_ssl.BasicSocketTests) ... ok
    test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok
    test_algorithms (test.test_ssl.NetworkedTests) ... skipped 'remote host needs SNI, only available on Python 3.2+'
    test_connect (test.test_ssl.NetworkedTests) ... ok
    test_connect_ex (test.test_ssl.NetworkedTests) ... ok
    test_connect_ex_error (test.test_ssl.NetworkedTests) ... ok
    test_get_server_certificate (test.test_ssl.NetworkedTests) ... ERROR
    test_makefile_close (test.test_ssl.NetworkedTests) ... ok
    test_non_blocking_connect_ex (test.test_ssl.NetworkedTests) ... ok
    test_non_blocking_handshake (test.test_ssl.NetworkedTests) ... 
    Needed 3 calls to do_handshake() to establish session.
    ok
    test_timeout_connect_ex (test.test_ssl.NetworkedTests) ... ok
    test_asyncore_server (test.test_ssl.ThreadedTests)
    Check the example asyncore integration. ... 
     server:  new connection from 127.0.0.1:48912
     client:  sending 'TEST MESSAGE of mixed case\n'...
     client:  read 'test message of mixed case\n'
     client:  closing connection.
     cleanup: stopping server.
     cleanup: joining server thread.
     server:  closed connection <ssl.SSLSocket object at 0x2399140>
     cleanup: successfully joined.
    ok
    test_default_ciphers (test.test_ssl.ThreadedTests) ... ok
    test_echo (test.test_ssl.ThreadedTests)
    Basic test of an SSL client connecting to a server ... 
     server:  new connection from ('127.0.0.1', 43993)
     server: connection cipher is now ('AES256-SHA', 'TLSv1/SSLv3', 256)
     client:  sending 'FOO\n'...
     server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
     client:  read 'foo\n'
     client:  sending bytearray(b'FOO\n')...
     server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
     client:  read 'foo\n'
     client:  sending <memory at 0x237f510>...
     server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
     client:  read 'foo\n'
     client:  closing connection.
     server: client closed connection
    ok
    test_empty_cert (test.test_ssl.ThreadedTests)
    Connecting with an empty cert file ... 
    SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    ok
    test_getpeercert (test.test_ssl.ThreadedTests) ... 
    {'notAfter': 'Oct  5 23:01:56 2020 GMT',
     'subject': ((('countryName', u'XY'),),
                 (('localityName', u'Castle Anthrax'),),
                 (('organizationName', u'Python Software Foundation'),),
                 (('commonName', u'localhost'),)),
     'subjectAltName': (('DNS', 'localhost'),)}
    Connection cipher is ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256).
    ok
    test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok
    test_malformed_cert (test.test_ssl.ThreadedTests)
    Connecting with a badly formatted certificate (syntax error) ... 
    SSLError is _ssl.c:368: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
    ok
    test_malformed_key (test.test_ssl.ThreadedTests)
    Connecting with a badly formatted key (syntax error) ... 
    SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
    ok
    test_nonexisting_cert (test.test_ssl.ThreadedTests)
    Connecting with a non-existing cert file ... 
    SSLError is _ssl.c:507: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    ok
    test_protocol_sslv2 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv2 server with various client options ... 
     SSLv2->SSLv2 CERT_NONE
     SSLv2->SSLv2 CERT_OPTIONAL
     SSLv2->SSLv2 CERT_REQUIRED
     SSLv23->SSLv2 CERT_NONE
     {SSLv3->SSLv2} CERT_NONE
     {TLSv1->SSLv2} CERT_NONE
    ok
    test_protocol_sslv23 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv23 server with various client options ... 
     SSLv3->SSLv23 CERT_NONE
     SSLv23->SSLv23 CERT_NONE
     TLSv1->SSLv23 CERT_NONE
     SSLv3->SSLv23 CERT_OPTIONAL
     SSLv23->SSLv23 CERT_OPTIONAL
     TLSv1->SSLv23 CERT_OPTIONAL
     SSLv3->SSLv23 CERT_REQUIRED
     SSLv23->SSLv23 CERT_REQUIRED
     TLSv1->SSLv23 CERT_REQUIRED
    ok
    test_protocol_sslv3 (test.test_ssl.ThreadedTests)
    Connecting to an SSLv3 server with various client options ... 
     SSLv3->SSLv3 CERT_NONE
     SSLv3->SSLv3 CERT_OPTIONAL
     SSLv3->SSLv3 CERT_REQUIRED
     {SSLv2->SSLv3} CERT_NONE
     {TLSv1->SSLv3} CERT_NONE
    ok
    test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1 server with various client options ... 
     TLSv1->TLSv1 CERT_NONE
     TLSv1->TLSv1 CERT_OPTIONAL
     TLSv1->TLSv1 CERT_REQUIRED
     {SSLv2->TLSv1} CERT_NONE
     {SSLv3->TLSv1} CERT_NONE
    ok
    test_recv_send (test.test_ssl.ThreadedTests)
    Test recv(), send() and friends. ... 
     server:  new connection from ('127.0.0.1', 56710)
     server: connection cipher is now ('AES256-SHA', 'TLSv1/SSLv3', 256)
    ok
    test_rude_shutdown (test.test_ssl.ThreadedTests)
    A brutal shutdown of an SSL server should raise an IOError ... ok
    test_socketserver (test.test_ssl.ThreadedTests)
    Using a SocketServer to create and manage SSL connections. ... 
     server (('127.0.0.1', 42188):42188 ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)):
       [15/Apr/2014 14:14:53] "GET /keycert.pem HTTP/1.0" 200 -
     client: read 1783 bytes from remote server '<SocketServerHTTPSServer <HTTPSServer localhost.localdomain:42188>>'
    ok
    test_starttls (test.test_ssl.ThreadedTests)
    Switching from clear text to encrypted and back again. ... 
     client:  sending 'msg 1'...
     server:  new connection from ('127.0.0.1', 50624)
     server: read 'msg 1' (unencrypted), sending back 'msg 1' (unencrypted)...
     client:  read 'msg 1' from server
     client:  sending 'MSG 2'...
     server: read 'MSG 2' (unencrypted), sending back 'msg 2' (unencrypted)...
     client:  read 'msg 2' from server
     client:  sending 'STARTTLS'...
     server: read STARTTLS from client, sending OK...
     client:  read 'OK\n' from server, starting TLS...
     client:  sending 'MSG 3'...
     server: read 'MSG 3' (encrypted), sending back 'msg 3' (encrypted)...
     client:  read 'msg 3' from server
     client:  sending 'msg 4'...
     server: read 'msg 4' (encrypted), sending back 'msg 4' (encrypted)...
     client:  read 'msg 4' from server
     client:  sending 'ENDTLS'...
     server: read ENDTLS from client, sending OK...
     client:  read 'OK\n' from server, ending TLS...
     server: connection is now unencrypted...
     client:  sending 'msg 5'...
     server: read 'msg 5' (unencrypted), sending back 'msg 5' (unencrypted)...
     client:  read 'msg 5' from server
     client:  sending 'msg 6'...
     server: read 'msg 6' (unencrypted), sending back 'msg 6' (unencrypted)...
     client:  read 'msg 6' from server
     client:  closing connection.
     server: client closed connection
    ok
    test_wrapped_accept (test.test_ssl.ThreadedTests)
    Check the accept() method on SSL sockets. ... test test_ssl failed -- Traceback (most recent call last):
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/test/test_ssl.py", line 387, in test_get_server_certificate
        pem = ssl.get_server_certificate(("svn.python.org", 443))
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 448, in get_server_certificate
        s.connect(addr)
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 333, in connect
        self._real_connect(addr, False)
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 323, in _real_connect
        self.do_handshake()
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 305, in do_handshake
        self._sslobj.do_handshake()
    SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

    server: wrapped server socket as <ssl.SSLSocket object at 0x2399140>
    client: sending 'FOO\n'...
    server: new connection from ('127.0.0.1', 40291)
    client cert is {'notAfter': 'Oct 5 23:01:56 2020 GMT',
    'subject': ((('countryName', u'XY'),),
    (('localityName', u'Castle Anthrax'),),
    (('organizationName', u'Python Software Foundation'),),
    (('commonName', u'localhost'),)),
    'subjectAltName': (('DNS', 'localhost'),)}
    cert binary is 600 bytes
    server: connection cipher is now ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)
    server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
    client: read 'foo\n'
    client: sending bytearray(b'FOO\n')...
    server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
    client: read 'foo\n'
    client: sending <memory at 0x240ecc8>...
    server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
    client: read 'foo\n'
    client: closing connection.
    server: client closed connection
    ok

    ======================================================================
    ERROR: test_get_server_certificate (test.test_ssl.NetworkedTests)
    ----------------------------------------------------------------------

    Traceback (most recent call last):
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/test/test_ssl.py", line 387, in test_get_server_certificate
        pem = ssl.get_server_certificate(("svn.python.org", 443))
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 448, in get_server_certificate
        s.connect(addr)
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 333, in connect
        self._real_connect(addr, False)
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 323, in _real_connect
        self.do_handshake()
      File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 305, in do_handshake
        self._sslobj.do_handshake()
    SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

    Ran 37 tests in 4.950s

    FAILED (errors=1, skipped=1)
    1 test failed:
    test_ssl

    @benjaminp

    Very old version of openssl?


    ddventoucaredu mannequin commented Apr 16, 2014

    Despite this being Red Hat, this is not at all the case!

    OpenSSL 1.0.1f has been released on Jan 6th, 2014 at 15:39:19 -- see
    https://www.openssl.org/source/


    ddventoucaredu mannequin commented Apr 16, 2014

    Just to make sure I'm using the right version:

    Python 2.7.6 (default, Apr 14 2014, 15:12:21)
    [GCC 4.8.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
     >>> import ssl
     >>> ssl.OPENSSL_VERSION
    'OpenSSL 1.0.1f 6 Jan 2014'
     >>>

    On 04/16/2014 08:49 AM, Davide Del Vento wrote:

    ddvento@ucar.edu added the comment:

    Despite this being Red Hat, this is not at all the case!

    OpenSSL 1.0.1f has been released on Jan 6th, 2014 at 15:39:19 -- see
    https://www.openssl.org/source/

    ----------


    Python tracker <report@bugs.python.org>
    <http://bugs.python.org/issue21246>



    pitrou commented Apr 16, 2014

    This was fixed in bpo-20896 by a certain Benjamin Peterson.

    @pitrou pitrou closed this as completed Apr 16, 2014

    ddventoucaredu mannequin commented Apr 16, 2014

    Thanks. The reason why I overlooked it is that bpo-20896 did not list 2.7 as
    an affected version. I changed bpo-20896 to prevent other people from making the
    same mistake.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
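
The error string in the failing test, `error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure`, records that the remote server sent a fatal alert, not that the local OpenSSL build failed. The following is an added example (not part of this thread or of CPython) that decodes the packed error codes seen in the log; `decode` and `triage` are names made up here, and it assumes the OpenSSL 1.0.x layout of 8-bit library, 12-bit function and 12-bit reason.

```python
import re

# OpenSSL 1.0.x packs each error as 0xLLFFFRRR: library, function, reason.
ERR_LIB_SSL = 0x14           # library number 20, printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "the peer sent alert N"
ERR_R_PEM_LIB = 9            # printed as "PEM lib": failure came from PEM parsing

# TLS alert descriptions (RFC 5246, section 7.2); subset used for triage.
ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate",
          46: "certificate_unknown", 48: "unknown_ca",
          70: "protocol_version", 80: "internal_error"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(line):
    """Return a dict describing the packed OpenSSL error in a log line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # Alert received from the other end: the remote side refused.
        number = reason - SSL_AD_REASON_OFFSET
        origin, detail = "peer", ALERTS.get(number, "alert_%d" % number)
    elif reason == ERR_R_PEM_LIB:
        origin, detail = "local", "pem_lib"
    else:
        origin, detail = "local", "reason_%d" % reason
    return {"lib": lib, "func": func, "reason": reason,
            "origin": origin, "detail": detail}


# Error lines copied from the test log in this thread.
SAMPLES = [
    "SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
    "SSLError is _ssl.c:507: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib",
]


def triage(lines):
    """Map each line carrying an OpenSSL error to (origin, detail)."""
    out = []
    for line in lines:
        info = decode(line)
        if info is not None:
            out.append((info["origin"], info["detail"]))
    return out


if __name__ == "__main__":
    for origin, detail in triage(SAMPLES):
        print(origin, detail)
```

A `peer` result for the `svn.python.org` connection points at protocol or cipher negotiation with the server, which matches the superseding issue's change from `PROTOCOL_SSLv3` to `PROTOCOL_SSLv23`.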