test_ssl fails on RHEL8 strict OpenSSL configuration #80218

Closed
vstinner opened this issue Feb 19, 2019 · 7 comments
@vstinner
Member

BPO 36037
Nosy @gpshead, @vstinner, @tiran, @stratakis, @miss-islington
PRs
  • bpo-36037: Fix test_ssl for strict OpenSSL policy #11940
  • [3.7] bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940) #11942
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2019-02-19.17:29:16.474>
    created_at = <Date 2019-02-19.14:19:42.035>
    labels = ['expert-SSL', '3.8', '3.7', 'tests']
    title = 'test_ssl fails on RHEL8 strict OpenSSL configuration'
    updated_at = <Date 2019-02-19.17:29:16.473>
    user = 'https://github.com/vstinner'

    bugs.python.org fields:

    activity = <Date 2019-02-19.17:29:16.473>
    actor = 'vstinner'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2019-02-19.17:29:16.474>
    closer = 'vstinner'
    components = ['Tests', 'SSL']
    creation = <Date 2019-02-19.14:19:42.035>
    creator = 'vstinner'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 36037
    keywords = ['patch']
    message_count = 7.0
    messages = ['335950', '335951', '335955', '335964', '335980', '335986', '335988']
    nosy_count = 5.0
    nosy_names = ['gregory.p.smith', 'vstinner', 'christian.heimes', 'cstratak', 'miss-islington']
    pr_nums = ['11940', '11942']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = None
    url = 'https://bugs.python.org/issue36037'
    versions = ['Python 3.7', 'Python 3.8']

    @vstinner
    Member Author

    RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

    Attached PR fixes test_ssl for RHEL8. The PR is not specific to RHEL8. It should also fix test_ssl on Debian: see bpo-35925 and bpo-36005.

    test_ssl failures on RHEL8:

    ======================================================================
    ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
    Connecting to an SSLv23 server with various client options
    ----------------------------------------------------------------------

    Traceback (most recent call last):
      File "/root/cpython-master/Lib/test/test_ssl.py", line 3079, in test_PROTOCOL_TLS
        try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
      File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
        stats = server_params_test(client_context, server_context,
      File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
        s.connect((HOST, server.port))
      File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
        self._real_connect(addr, False)
      File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
        self.do_handshake()
      File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

    ======================================================================
    ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
    Connecting to a TLSv1.1 server with various client options.
    ----------------------------------------------------------------------

    Traceback (most recent call last):
      File "/root/cpython-master/Lib/test/test_ssl.py", line 3150, in test_protocol_tlsv1_1
        try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
      File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
        stats = server_params_test(client_context, server_context,
      File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
        s.connect((HOST, server.port))
      File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
        self._real_connect(addr, False)
      File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
        self.do_handshake()
      File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

    ======================================================================
    FAIL: test_min_max_version (test.test_ssl.ContextTests)
    ----------------------------------------------------------------------

    Traceback (most recent call last):
      File "/root/cpython-master/Lib/test/test_ssl.py", line 1093, in test_min_max_version
        self.assertIn(
    AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.TLSv1: 769>, <TLSVersion.MINIMUM_SUPPORTED: -2>}

    Ran 150 tests in 3.318s

    FAILED (failures=1, errors=2, skipped=9)

    @vstinner vstinner added the 3.8 only security fixes label Feb 19, 2019
    @vstinner vstinner added tests Tests in the Lib/test dir topic-SSL labels Feb 19, 2019
    @vstinner
    Member Author

    On Python 2.7.16rc, similar tests are failing on RHEL8:

    ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
    ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)

    ... But right now, Python 2.7 doesn't give access to minimum_version/maximum_version :-( Not even to read these versions. So I'm not sure how to skip or fix these tests, without backporting code for these attributes.

    @vstinner
    Member Author

    > RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

    Ah, I forgot to mention that a workaround is to use the OPENSSL_CONF=/ environment variable to ignore the RHEL crypto policy (don't load the system OpenSSL configuration).

    @vstinner
    Member Author

    Python 2.7 and 3.6 have no SSLContext.minimum_version attribute (even with OpenSSL 1.1.1). I think that we will work around this issue in the Fedora and RHEL8 spec file (recipe to build RPM packages) using "export OPENSSL_CONF=/non-existing-file".

    @vstinner
    Member Author

    New changeset 3ef6344 by Victor Stinner in branch 'master':
    bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
    3ef6344

    @miss-islington
    Contributor

    New changeset e8bf04d by Miss Islington (bot) in branch '3.7':
    bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
    e8bf04d

    @vstinner
    Member Author

    Ok, Python 3.7 and 3.8 (master) have been fixed.

    See bpo-35925 (and bpo-36005) for discussions on Python 2.7 and 3.6.
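
Added example, not part of the issue or of the linked PRs: a policy-aware range check that a test or tool can run before attempting a handshake pinned to an old protocol, plus a helper that compares the default floor with and without the system OpenSSL configuration (the `OPENSSL_CONF` workaround mentioned in the thread). The function names are hypothetical, and mapping the `MINIMUM_SUPPORTED`/`MAXIMUM_SUPPORTED` sentinels to the lowest and highest `TLSVersion` members is a simplifying assumption.

```python
import os
import ssl
import subprocess
import sys
from ssl import TLSVersion

# Concrete protocol versions, lowest first; the two sentinels are excluded.
_SENTINELS = (TLSVersion.MINIMUM_SUPPORTED, TLSVersion.MAXIMUM_SUPPORTED)
_CONCRETE = sorted(v for v in TLSVersion if v not in _SENTINELS)


def resolve(bound):
    """Map a sentinel to a concrete version (assumption: enum extremes)."""
    if bound == TLSVersion.MINIMUM_SUPPORTED:
        return _CONCRETE[0]
    if bound == TLSVersion.MAXIMUM_SUPPORTED:
        return _CONCRETE[-1]
    return TLSVersion(bound)


def allowed_range(ctx):
    """(lowest, highest) version the context is configured to negotiate."""
    return resolve(ctx.minimum_version), resolve(ctx.maximum_version)


def predicted_version(client_ctx, server_ctx):
    """Highest version both sides allow, or None when the ranges do not
    overlap (the handshake then ends in a protocol_version alert)."""
    c_lo, c_hi = allowed_range(client_ctx)
    s_lo, s_hi = allowed_range(server_ctx)
    lo, hi = max(c_lo, s_lo), min(c_hi, s_hi)
    return hi if lo <= hi else None


def default_floor(openssl_conf=None):
    """minimum_version of a fresh client context in a child interpreter,
    optionally with OPENSSL_CONF overridden as in the workaround above."""
    env = dict(os.environ)
    if openssl_conf is not None:
        env["OPENSSL_CONF"] = openssl_conf
    code = ("import ssl; print(int("
            "ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).minimum_version))")
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return TLSVersion(int(out))


if __name__ == "__main__":
    print("with system config:", default_floor().name)
    print("config ignored:    ", default_floor("/non-existing-file").name)
```

If the two printed floors differ, the system OpenSSL configuration is what raises the minimum version, and a test that pins an older protocol should skip or adjust when `predicted_version` returns `None`.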

    @vstinner vstinner added the 3.7 (EOL) end of life label Feb 19, 2019
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022