test_ssl: test_min_max_version() fails on FreeBSD and Fedora #82996
Fail with OpenSSL 1.1.1d 10 Sep 2019 on AMD64 FreeBSD Shared 3.x:

======================================================================
Traceback (most recent call last):
  File "/usr/home/buildbot/python/3.x.koobs-freebsd-564d/build/Lib/test/test_ssl.py", line 1238, in test_min_max_version
    self.assertIn(
AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.SSLv3: 768>, <TLSVersion.TLSv1: 769>}

======================================================================
Traceback (most recent call last):
  File "/usr/home/buildbot/python/3.x.koobs-freebsd-564d/build/Lib/test/test_ssl.py", line 220, in wrapper
    return func(*args, **kw)
  File "/usr/home/buildbot/python/3.x.koobs-freebsd-564d/build/Lib/test/test_ssl.py", line 3840, in test_min_max_version_mismatch
    self.assertIn("alert", str(e.exception))
AssertionError: 'alert' not found in '[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1108)'

SSL infos from pythoninfo:

ssl.HAS_SNI: True
ssl.SSLContext.maximum_version: TLSVersion.MAXIMUM_SUPPORTED
ssl.default_https_context.maximum_version: TLSVersion.MAXIMUM_SUPPORTED
ssl.stdlib_context.maximum_version: TLSVersion.MAXIMUM_SUPPORTED |
Same failure on AMD64 FreeBSD Shared 3.8: FAIL: test_min_max_version (test.test_ssl.ContextTests) |
And the last one, AMD64 FreeBSD Shared 3.7: FAIL: test_min_max_version (test.test_ssl.ContextTests) |
Similar issue in Fedora: https://src.fedoraproject.org/rpms/python3/pull-request/155 |
Debian and Fedora are already using the OPENSSL_CONF=/non-existing-file workaround. IMHO test_ssl should be fixed instead. test_ssl should not make assumptions on min/max TLS version. |
Previous attempt: Old Fedora issue, worked around in the Fedora buildbot configuration: bpo-35045. |
I marked bpo-38954 as duplicate of this issue. Copy of its message:

test test_ssl failed
Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.8.cstratak-fedora-rawhide-x86_64.lto-pgo/build/Lib/test/test_ssl.py", line 1207, in test_min_max_version
    self.assertEqual(
AssertionError: <TLSVersion.TLSv1_3: 772> != <TLSVersion.MAXIMUM_SUPPORTED: -1>

Ran 161 tests in 2.681s

Example failure: |
Raising the priority to 'critical' as this is masking all other problems on a significant number of buildbots. Christian, could you take a look? |
Tomas Orsava is going to provide a PR within the next hour. |
Testing for the latest PR happening here: https://buildbot.python.org/all/#/builders?tags=%2Bstable&tags=%2Bcustom |
All Fedora tests are successful, so I will de-escalate the priority of the issue. Thank you very much Christian and Tomas Orsava! |
test_ssl still fails on FreeBSD:

======================================================================
Traceback (most recent call last):
  File "/usr/home/buildbot/python/3.x.koobs-freebsd-564d/build/Lib/test/test_ssl.py", line 1244, in test_min_max_version
    self.assertIn(
AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.SSLv3: 768>, <TLSVersion.TLSv1: 769>}

======================================================================
Traceback (most recent call last):
  File "/usr/home/buildbot/python/3.x.koobs-freebsd-564d/build/Lib/test/test_ssl.py", line 220, in wrapper
    return func(*args, **kw)
  File "/usr/home/buildbot/python/3.x.koobs-freebsd-564d/build/Lib/test/test_ssl.py", line 3846, in test_min_max_version_mismatch
    self.assertIn("alert", str(e.exception))
AssertionError: 'alert' not found in '[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1108)' |
In case it's relevant, I note the following:

The ssl module is built with -I/usr/local/include in the compile line. Leaving aside:

it means that the build is finding openssl111 on FreeBSD provided by ports, not base (base also includes openssl 1.1.1 @ /usr/include|lib)

More specifically, our openssl111 port happens to have many options that allow enabling/disabling various software features, including encryption algorithms and protocol versions

The current (installed) build of openssl111 on the buildbot worker that is failing, has the following options set/unset:

OPTIONS_FILE_UNSET+=CT

In summary, this build only has TLS 1.2 and TLS 1.3 enabled (but with other various things disabled, not the defaults of the upstream openssl build), and may be indicated in this test failure, possibly only one example of many other similar issues of the same class, something like "tests assume certain features"

Relatedly, this method of disabling various default options in openssl, is how a number [1] of issues in the Python cryptography package were found:
|
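The build dependence described in the comment above, and the earlier remark that test_ssl should not assume min/max versions, as an added example (not from the thread or from CPython's test suite): it derives the usable protocol range from the `ssl.HAS_*` flags instead of a hard-coded set of versions. The helper names and the sample flag sets used to exercise them are assumptions made for illustration.

```python
import ssl
from ssl import TLSVersion

# Protocol versions lowest first, with the ssl.HAS_* flag that reports
# whether the linked OpenSSL was built with each one.
ORDERED = [
    (TLSVersion.SSLv3, "HAS_SSLv3"),
    (TLSVersion.TLSv1, "HAS_TLSv1"),
    (TLSVersion.TLSv1_1, "HAS_TLSv1_1"),
    (TLSVersion.TLSv1_2, "HAS_TLSv1_2"),
    (TLSVersion.TLSv1_3, "HAS_TLSv1_3"),
]

def available_versions(flags=None):
    """Versions compiled into the build; defaults to this interpreter's."""
    if flags is None:
        flags = {name: getattr(ssl, name) for _, name in ORDERED}
    return [v for v, name in ORDERED if flags.get(name)]

def resolve(version, available):
    """Turn the MINIMUM_/MAXIMUM_SUPPORTED sentinels into a concrete version."""
    if version == TLSVersion.MINIMUM_SUPPORTED:
        return available[0]
    if version == TLSVersion.MAXIMUM_SUPPORTED:
        return available[-1]
    return version

def usable(bounds, available):
    """Compiled-in versions inside one side's (minimum, maximum) bounds."""
    lo, hi = (resolve(v, available) for v in bounds)
    return [v for v in available if lo <= v <= hi]

def predict(client, server, available):
    """Classify a handshake between two (minimum, maximum) pairs."""
    c, s = usable(client, available), usable(server, available)
    if not c or not s:
        # One side has nothing it can offer: it fails on its own, as in
        # the NO_PROTOCOLS_AVAILABLE traceback, and no alert is exchanged.
        return "local-failure"
    common = [v for v in c if v in s]
    return max(common).name if common else "version-mismatch"

if __name__ == "__main__":
    avail = available_versions()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("compiled in:", [v.name for v in avail])
    print("context range:", usable((ctx.minimum_version, ctx.maximum_version), avail))
```

With a flag set that has only TLS 1.2 and 1.3 enabled, a peer capped at TLS 1.0 is classified as a local failure rather than a version mismatch, which is the distinction the `'alert' not found` assertion tripped over.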
@koobs, FWIW, unlike for most other third-party libs, there now is a configure option to allow specifying the path to the desired OpenSSL version, actually two ways. Either use the --with-openssl= option to ./configure. Otherwise, if pkg-config info is available, ./configure will try to use that for OpenSSL. |
I had to rebuild the openssl (1.1.x) port on the worker that had test_ssl failing in order to bring it back to green, so as not to hide new test failures. If/when someone is able to produce a fix for the failing test, I am happy to revert the openssl build to its prior (failing config) state at any time to verify the test fix. |
@christian As current assignee, are you able to produce a test that fixes the remaining issue (per msg357792)? I can rebuild OpenSSL on the worker at your direction at any time to make the test fail again or provide you with an SSH account to assist. |
I'm not sure why, but test_ssl does not pass on FreeBSD and Fedora, so I close the issue. |
Please don't close tickets assigned to an owner without consent. |
Can you please elaborate why you reopened the issue? The initial "test_ssl: test_min_max_version() fails on FreeBSD and Fedora" issue is now fixed. For example, test_ssl passes on AMD64 Fedora Stable LTO 3.x buildbot and it no longer uses the OPENSSL_CONF=/non-existing-file workaround. Same for AMD64 FreeBSD Shared 3.x: If there are remaining new issues, I would prefer to open new issues. |
If you think that a ticket no longer applies, please use the pending status and give me a chance to verify the result. I haven't looked into the issue and I don't have time to do it right now. |
Ping? |
Still getting this issue on Ubuntu 20.04 with the latest master checkout of cpython. |
I haven't seen the problem in a while. |