test_asyncio fails on RHEL8, or on Fedora using NEXT security policy #79533
Comments
|
When compiling python3 on RHEL8 and run the tests, test_asyncio fails with 8 failures (and more on older branches). openssl version is 1.1.1 Attaching the failures for the various branches. |
stratakis
mannequin
added
3.7 (EOL)
|
Seems that 3.8 and 3.7 get the same failures, while 3.6 gets 14 instead of 8. |
|
The strange thing is these tests are passed on our build bots. In logs I see only ConnectionResetError. Can it be related to your configuration? |
|
It seems I can reproduce it on Fedora as well by setting stronger crypto defaults through 'update-crypto-policies --set FUTURE'. Repo located here: https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/master The changes are many, but if I compare with RHEL8, the minimal changes that could affect it are: -# DH params size: >= 1023 -# TLS protocols: TLS >= 1.0 -@protocol_list = ('TLS1.3', 'TLS1.2', 'TLS1.1', 'TLS1.0', 'DTLS1.2', 'DTLS1.0'); - $min_tls_version = 'TLS1.0';
- min_dtls_version = 'DTLS1.0';
+ $min_tls_version = 'TLS1.2';
+ $min_dtls_version = 'DTLS1.2';# Parameter sizes
|
|
Maybe this is the reason. Maybe bumping used protocol version will help to pass tests on your box. |
|
I believe I figured out the issue, at least on the master branch. While checking the certificates used by asyncio tests within the test_asyncio folder I noticed they were quite outdated when compared to the more recent updated ones with the test/ folder, which take into account the stronger crypto defaults introduced in the latest openssl versions. And by looking at 6d8c1ab#diff-a8e7dbb528601706db0f01d01332bb76 it seems that those certs are just copied from test/ within test_asyncio/. So by copying over the old certs, the tests actually pass. The immediate workaround would be to just copy over the certs but a better approach would be to just reuse the certs within the test/ folder instead of relying on copying them over to test_asyncio/ |
RHEL8 has a very strict security policy by default. I'm not sure if any OS run on buildbot has a security policy as strict as RHEL8?
I tried to tune the SSLContext in many different ways but it doesn't work. The problem comes from the .pem files. I confirm that copying .pem files from Lib/test/ into Lib/test/test_asyncio/ does fix the issue.
In this case, I don't see the point of having two copies of the same files. PR 10826 does the right fix: remove .pem files from Lib/test/test_asyncio/ and reuse .pem files from Lib/test/. |
|
Also on Fedora the same set of security policies can be set as RHEL8 by utilizing 'update-crypto-policies --set NEXT' |
|
IIRC two copies exist from very early development times when asyncio was not a part of Python stdlib. |
Yeah, that was my guess as well. Maybe data_file() could be simplified or replaced by support.findfile(), but I chose the easy solution (minimize changes) :-) |
|
I leave the issue open until someone validates manually that the issue os fixed in all branches with stricter security (ex: RHEL8). |
|
I tested on Fedora 29 using: sudo update-crypto-policies --set NEXT With this config, I was able to reproduce the test_asyncio failure on 3.6, 3.7 and master branches. I confirm that the commits fixed test_asyncio in these 3 branches. Thanks Charalampos Stratakis! |
vstinner
changed the title
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: