test_ssl fails in Ubuntu 20.04: test_min_max_version_mismatch #85733
Comments
FAIL: test_min_max_version_mismatch (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/vbk/Downloads/Python-3.8.5/Lib/test/test_ssl.py", line 217, in wrapper
    return func(*args, **kw)
  File "/home/vbk/Downloads/Python-3.8.5/Lib/test/test_ssl.py", line 3841, in test_min_max_version_mismatch
    self.assertIn("alert", str(e.exception))
AssertionError: 'alert' not found in '[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1123)'
Has any progress been made on the Ubuntu 20.04 test_ssl failures? Is there any consensus about it being a Python or Ubuntu problem?

This skips the breaking tests (but doesn't actually fix anything).
I don't know if it matters, but I started having this problem when I switched from Ubuntu 18.04 (native python3.7) to 20.04 (native python3.8.2). I specify --prefix to a folder in my home directory, but while running make test Ubuntu gives a system error which refers to Ubuntu's python. I don't know exactly at which test it happens, approximately in the middle, but it should not happen at all because the tests should only call the python compiled by me.

This will help to solve it: https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available But in my case I've defined:

@Vladyslav.Bondar I can't tell where you are suggesting MinProtocol should be set. I don't see that particular string in any .c, .h or .py file in the Python source.
This is about the openssl configuration in Ubuntu. In the latest Ubuntu, they disabled TLS 1.0/1.1. So to enable it back there is a workaround (taken from StackOverflow): you should modify the openssl config, /etc/ssl/openssl.cnf.

You need to add this to the beginning of your config file:

    openssl_conf = default_conf

And then this to the end:

    [ default_conf ]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = ssl_default_sect

    [ssl_default_sect]
bpo-38815 also reported a similar issue in test_min_max_version_mismatch.

I followed Vladyslav Bondar's 2020-09-11 09:10:30 recommendations and it worked. Thank you. It is not clear though how Canonical built its python-3.8.2 which comes with Ubuntu-20.04. Does anyone know someone at Canonical to ask this question?

Can the test_ssl script determine which TLS versions are enabled in a particular Linux distribution and run tests only for the enabled versions?

It sounds like a Debian/Ubuntu patch is breaking an assumption. Did somebody report the bug to the Debian/Ubuntu maintainers of OpenSSL already? Fedora also configures OpenSSL with a minimum protocol version of TLS 1.2. The distribution does it in a slightly different way that makes the restriction discoverable and that is compatible with Python's test suite.
I started by asking a question at https://askubuntu.com/questions/1281942/pythons-test-ssl-fails-starting-from-ubuntu-20-04-i-need-to-find-a-person-at-c |
I got an advice and posted the question at https://answers.launchpad.net/ubuntu/+source/openssl/+question/693423 |
I reported a bug at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 |
Christian, I don't see any open PRs to be commit reviewed. |
Downstream has asked me to file a separate bug for internal error during handshake. The problem is tracked at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 . |
I have discussed the problem with downstream engineers on the two issues.

The gist of the issue is: Canonical has taken a different approach than Debian and other distros to set the minimum TLS version. Most distros use an openssl.cnf file to set "MinProtocol = TLSv1.2". The config file approach allows an application to override the setting with SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) and to detect the current minimum version with SSL_CTX_get_min_proto_version(ctx) == TLS1_VERSION.

Ubuntu doesn't set "MinProtocol = TLSv1.2". Instead the distro has patched the OpenSSL source code and modified the meaning of security level "2". Security level is a new OpenSSL API to set various security related settings. On Ubuntu SECLEVEL=2 prevents TLS 1.0 and 1.1 connections. Further, SSL_CTX_get_min_proto_version(ctx) returns 0 (dummy value for minimum supported version). SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) does not fail although TLS 1.0 is prohibited.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
https://manpages.ubuntu.com/manpages/focal/man3/SSL_CTX_set_security_level.3ssl.html

The combination of "Ubuntu changed the meaning of security level policy" and "SSL_CTX_get_min_proto_version(ctx) does not report minimum version" breaks our tests. OpenSSL doesn't provide an easy way to check if an SSL_CTX has a sane configuration. There is a way to check if a security policy allows a TLS version. I'm not sure if we should include the check in CPython and where to best put the check:

    /* Ask the context's own security callback whether it permits TLS 1.0.
     * The callback type is the one returned by SSL_CTX_get_security_callback(). */
    void *sec_ex = SSL_CTX_get0_security_ex_data(ctx);
    int (*sec_cb)(const SSL *, const SSL_CTX *, int, int, int, void *, void *) =
        SSL_CTX_get_security_callback(ctx);
    int result = sec_cb(NULL, ctx, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL, sec_ex);
    if (result && (SSL_CTX_get_min_proto_version(ctx) >= TLS1_VERSION)) ...
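The two failure modes described in the comment above can be reproduced from Python alone, with no network and no certificates, by driving an in-memory handshake through ssl.MemoryBIO. The script below is an added example; it is not code from the CPython test suite, from this issue or from Ubuntu, and the function names (reported_minimum, local_policy_allows, mismatch_outcome, compiled_in) are my own. It shows, first, what a fresh context reports as its minimum version, which is the value test_ssl's has_tls_version() trusts and which the Ubuntu patch leaves at MINIMUM_SUPPORTED; second, a probe that does not trust that value and instead checks whether OpenSSL will actually emit a ClientHello for a pinned version; and third, a replay of test_min_max_version_mismatch that classifies the result as "alert" (the peer rejected the version, which is what the test expects) or "no_protocols" (the local policy refused before a single byte left, the Ubuntu symptom). The server side deliberately has no certificate loaded: this relies on OpenSSL negotiating the protocol version before it selects a cipher and looks for a key, so the version alert is sent first.

```python
import ssl
import warnings


def _as_version(v):
    """Accept either an ssl.TLSVersion member or its name ("TLSv1_2")."""
    return ssl.TLSVersion[v] if isinstance(v, str) else v


def _pinned_context(purpose, version):
    """Context whose minimum and maximum version are both pinned to `version`.

    No certificate is loaded and no verification is done; the point is only
    to watch version negotiation.
    """
    version = _as_version(version)
    ctx = ssl.SSLContext(purpose)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():   # TLSv1/TLSv1_1 raise DeprecationWarning on newer Pythons
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def _pump(src, dst):
    """Move whatever one side wrote into the other side's incoming BIO."""
    data = src.read()
    if data:
        dst.write(data)


def compiled_in(version):
    """Compile-time support flag (ssl.HAS_TLSv1_2 and friends)."""
    return bool(getattr(ssl, "HAS_" + _as_version(version).name))


def reported_minimum():
    """What a fresh client context claims its minimum version is.

    With the openssl.cnf MinProtocol approach this reflects the policy floor;
    under the Ubuntu security-level patch it stays at MINIMUM_SUPPORTED
    (hypothetical illustration of the behaviour described in the issue).
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).minimum_version


def local_policy_allows(version):
    """Probe the policy by trying to start a handshake instead of asking minimum_version.

    True if a ClientHello for `version` actually leaves the client (OpenSSL then
    waits for a peer), False if OpenSSL refuses before writing anything, which is
    where "[SSL: NO_PROTOCOLS_AVAILABLE]" comes from.
    """
    ctx = _pinned_context(ssl.PROTOCOL_TLS_CLIENT, version)
    client = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_side=False)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        return True                   # hello written, nobody to answer: policy allowed it
    except ssl.SSLError:
        return False                  # refused locally (NO_PROTOCOLS_AVAILABLE or similar)
    return True


def mismatch_outcome(client_version, server_version):
    """Replay test_min_max_version_mismatch over in-memory BIOs.

    Returns "alert" when the server rejected the client's version with a
    protocol_version alert, "no_protocols" when the client's own OpenSSL policy
    refused to build the ClientHello, "handshake_continues" if nothing failed,
    or "other:<REASON>" for anything unexpected.
    """
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = _pinned_context(ssl.PROTOCOL_TLS_CLIENT, client_version).wrap_bio(c_in, c_out, server_side=False)
    server = _pinned_context(ssl.PROTOCOL_TLS_SERVER, server_version).wrap_bio(s_in, s_out, server_side=True)

    try:                              # step 1: client builds its ClientHello
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass
    except ssl.SSLError as e:
        return "no_protocols" if e.reason == "NO_PROTOCOLS_AVAILABLE" else f"other:{e.reason}"

    _pump(c_out, s_in)
    try:                              # step 2: server rejects the version and queues an alert
        server.do_handshake()
    except ssl.SSLError:
        pass

    _pump(s_out, c_in)
    try:                              # step 3: client reads whatever the server sent back
        client.do_handshake()
    except ssl.SSLWantReadError:
        return "handshake_continues"
    except ssl.SSLError as e:
        return "alert" if "alert" in str(e) else f"other:{e.reason}"
    return "handshake_continues"


if __name__ == "__main__":
    print("reported minimum:", reported_minimum())
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        print(f"{name}: compiled_in={compiled_in(name)} policy_allows={local_policy_allows(name)}")
    print("client TLSv1 vs server TLSv1_2:", mismatch_outcome("TLSv1", "TLSv1_2"))
```

Which result mismatch_outcome("TLSv1", "TLSv1_2") gives depends on the OpenSSL build and policy of the machine: a stock OpenSSL 1.1.1 with TLS 1.0 enabled yields "alert", while Python 3.8 on Ubuntu 20.04 (and, for a different reason, OpenSSL 3.x whose default security level 1 already excludes TLS 1.0/1.1) yields "no_protocols". Note that Python 3.10 and later set their own TLS 1.2 floor on new contexts, so reported_minimum() on those versions no longer reflects the distro policy alone; local_policy_allows() is the check that survives both the openssl.cnf and the security-level approach.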
Dimitri John Ledkov from Canonical has opened a feature request for a context validation feature on the OpenSSL issue tracker, openssl/openssl#14607 |