test_ssl fails on RHEL8 strict OpenSSL configuration #80218
Comments
RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default. The attached PR fixes test_ssl for RHEL8. The PR is not specific to RHEL8. It should also fix test_ssl on Debian: see bpo-35925 and bpo-36005.

test_ssl failures on RHEL8:

======================================================================
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3079, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)
======================================================================
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3150, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)
======================================================================
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 1093, in test_min_max_version
    self.assertIn(
AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.TLSv1: 769>, <TLSVersion.MINIMUM_SUPPORTED: -2>}

Ran 150 tests in 3.318s

FAILED (failures=1, errors=2, skipped=9)
On Python 2.7.16rc, similar tests are failing on RHEL8:

ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests) ...

But right now, Python 2.7 doesn't give access to minimum_version/maximum_version :-( Not even to read these versions. So I'm not sure how to skip or fix these tests without backporting code for these attributes.
Ah, I forgot to mention that a workaround is to use the OPENSSL_CONF=/ environment variable to ignore the RHEL crypto policy (don't load the system OpenSSL configuration).
Python 2.7 and 3.6 have no SSLContext.minimum_version attribute (even with OpenSSL 1.1.1). I think that we will work around this issue in the Fedora and RHEL8 spec file (the recipe to build RPM packages) using "export OPENSSL_CONF=/non-existing-file".
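Both failure modes in the thread, the TLSv1/TLSv1.1 handshakes refused with TLSV1_ALERT_PROTOCOL_VERSION and test_min_max_version finding TLSv1_2 where it expected TLSv1 or MINIMUM_SUPPORTED, come from the system OpenSSL configuration raising SSLContext.minimum_version before the test touches the context. The helpers below are an added example written for this page, not the attached PR and not CPython's own test code: they show how a test on Python 3.7+ (which has minimum_version, unlike the 2.7 and 3.6 cases discussed above) can read the policy floor and skip a legacy-protocol combination instead of failing, and how to detect whether the OPENSSL_CONF bypass from the comments is in effect for the current process. The names version_in_range, context_bounds, make_context, skip_reason, default_minimum_is_expected and policy_bypassed_by_env are this example's own, and the accepted set in default_minimum_is_expected is an assumption about how the check could tolerate a policy floor, not what the PR changed.

```python
import os
import ssl

# Versions exposed as plain ints so the helpers (and any caller) need no ssl
# import of their own. The sentinels come from ssl.TLSVersion:
# MINIMUM_SUPPORTED (-2) and MAXIMUM_SUPPORTED (-1) mean "no bound".
NO_MIN = int(ssl.TLSVersion.MINIMUM_SUPPORTED)
NO_MAX = int(ssl.TLSVersion.MAXIMUM_SUPPORTED)
TLS_V1 = int(ssl.TLSVersion.TLSv1)        # 769, the value in the AssertionError above
TLS_V1_1 = int(ssl.TLSVersion.TLSv1_1)    # 770
TLS_V1_2 = int(ssl.TLSVersion.TLSv1_2)    # 771, the RHEL8 policy floor
TLS_V1_3 = int(ssl.TLSVersion.TLSv1_3)    # 772


def version_in_range(version, minimum, maximum):
    """True when a protocol version lies inside a context's [minimum, maximum]
    bounds, treating the two sentinel values as open ends."""
    version, minimum, maximum = int(version), int(minimum), int(maximum)
    if minimum != NO_MIN and version < minimum:
        return False
    if maximum != NO_MAX and version > maximum:
        return False
    return True


def context_bounds(ctx=None):
    """(minimum_version, maximum_version) of a context. A freshly created
    context already carries whatever floor the system OpenSSL configuration
    applied (the crypto policy on RHEL8), which is what test_ssl tripped over."""
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return int(ctx.minimum_version), int(ctx.maximum_version)


def make_context(minimum=None):
    """Client context with an explicit floor; minimum=TLS_V1_2 reproduces the
    RHEL8 default on any host (hypothetical helper for this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if minimum is not None:
        ctx.minimum_version = ssl.TLSVersion(minimum)
    return ctx


def skip_reason(ctx, wanted_version):
    """None when wanted_version can be negotiated under the context's bounds,
    otherwise a message suitable for unittest.skip()."""
    minimum, maximum = context_bounds(ctx)
    if version_in_range(wanted_version, minimum, maximum):
        return None
    return "system crypto policy bounds TLS to [%s, %s]; %s is not negotiable" % (
        ssl.TLSVersion(minimum).name, ssl.TLSVersion(maximum).name,
        ssl.TLSVersion(wanted_version).name)


def default_minimum_is_expected(ctx=None):
    """Relaxed form of the test_min_max_version check (assumption, not the PR):
    accept the two values an unconfigured OpenSSL yields as well as the TLS 1.2
    floor a strict policy sets, while still requiring an open upper bound."""
    minimum, maximum = context_bounds(ctx)
    return minimum in (NO_MIN, TLS_V1, TLS_V1_2) and maximum == NO_MAX


def policy_bypassed_by_env(environ=None):
    """True when OPENSSL_CONF points at something that is not a loadable file,
    the workaround from the thread: OpenSSL then skips the system configuration
    for this process only, together with every other setting that file carries."""
    environ = os.environ if environ is None else environ
    conf = environ.get("OPENSSL_CONF")
    return conf is not None and not os.path.isfile(conf)


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lo, hi = context_bounds(ctx)
    print("default bounds on this host:", ssl.TLSVersion(lo).name, ssl.TLSVersion(hi).name)
    for v in (TLS_V1, TLS_V1_1, TLS_V1_2, TLS_V1_3):
        print(ssl.TLSVersion(v).name, "->", skip_reason(ctx, v) or "negotiable")
    print("OPENSSL_CONF bypass in effect:", policy_bypassed_by_env())
```

Run as a script it reports the floor the host's OpenSSL configuration imposes and which of the four protocol versions a test may still expect to negotiate. The query-and-skip approach keeps the policy in force for the rest of the test run; exporting OPENSSL_CONF to a nonexistent path, as the spec-file workaround does, drops the whole system configuration for that process, not only the TLS floor, so it is the coarser of the two options.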