test_ssl fails in Ubuntu 20.04: test_min_max_version_mismatch #85733
Comments
|
FAIL: test_min_max_version_mismatch (test.test_ssl.ThreadedTests) Traceback (most recent call last):
File "/home/vbk/Downloads/Python-3.8.5/Lib/test/test_ssl.py", line 217, in wrapper
return func(*args, **kw)
File "/home/vbk/Downloads/Python-3.8.5/Lib/test/test_ssl.py", line 3841, in test_min_max_version_mismatch
self.assertIn("alert", str(e.exception))
AssertionError: 'alert' not found in '[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1123)' |
bugsrep
mannequin
added
build
|
Has any progress been made on the Ubuntu 20.04 test_ssl failures? Is there any consensus about it being a Python or Ubuntu problem? |
|
This skips the breaking tests (but doesn't actually fix anything). |
|
I don't know if it matters, but I started having this problem when I switched from Ubuntu 18.04 (native python3.7) to 20.04 (native python3.8.2). I specify --prefix to a folder in my home directory, but while running make test Ubuntu gives a system error which refers to Ubuntu's python. I don't know exactly at what test it happens, approximately in the middle, but it should not happen at all because the tests should only call the python compiled by me. |
|
This will help to solve it https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available But in my case I've defined: |
|
@Vladyslav.Bondar I can't tell where you are suggesting MinProtocol should be set. I don't see that particular string in any .c, .h or .py file in the Python source. |
|
This is about openssl configuration in Ubuntu. In the latest Ubuntu, they disabled TLS 1.0/1.1. So to enable it back there is a workaround (taken from StackOverflow): You should modify openssl config: /etc/ssl/openssl.cnf You need to add this to the beginning of your config file: openssl_conf = default_confAnd then this to the end: [ default_conf ] ssl_conf = ssl_sect[ssl_sect] system_default = ssl_default_sect[ssl_default_sect] |
|
bpo-38815 also reported similar issue in test_min_max_version_mismatch. |
|
I followed Vladyslav Bondar's 2020-09-11 09:10:30 recommendations and it worked: Thank you. It is not clear though how Canonical built its python-3.8.2 which comes with Ubuntu-20.04. Does anyone know someone at Canonical to ask this question? |
bugsrep
mannequin
added
3.8
|
Can test_ssl script determine which TLS versions are enabled in a particular Linux distribution and run tests only for enabled versions? |
|
It sounds like a Debian/Ubuntu patch is breaking an assumption. Did somebody report the bug with Debian/Ubuntu maintainers of OpenSSL already? Fedora also configures OpenSSL with minimum protocol version of TLS 1.2. The distribution does it in a slightly different way that makes the restriction discoverable and that is compatible with Python's test suite. |
|
I started by asking a question at https://askubuntu.com/questions/1281942/pythons-test-ssl-fails-starting-from-ubuntu-20-04-i-need-to-find-a-person-at-c |
|
I got an advice and posted the question at https://answers.launchpad.net/ubuntu/+source/openssl/+question/693423 |
|
I reported a bug at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 |
|
Christian, I don't see any open PRs to be commit reviewed. |
|
Downstream has asked me to file a separate bug for internal error during handshake. The problem is tracked at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 . |
|
I have discussed the problem with downstream engineers on the two issues
The gist of the issue is: Canonical has taken a different approach than Debian and other distros to set minimum TLS version. Most distros use an openssl.cnf file to set "MinProtocol = TLSv1.2". The config file approach allows application to override the setting with SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) and to detect the current minimum version with SSL_CTX_get_min_proto_version(ctx) == TLS1_VERSION. Ubuntu doesn't set "MinProtocol = TLSv1.2". Instead the distro has patched OpenSSL source code and modified the meaning of security level "2". Security level is a new OpenSSL API to set various security related settings. On Ubuntu SECLEVEL=2 prevents TLS 1.0 and 1.1 connection. Further SSL_CTX_get_min_proto_version(ctx) returns 0 (dummy value for minimum supported version). SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION) does not fail although TLS 1.0 is prohibited. https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html https://manpages.ubuntu.com/manpages/focal/man3/SSL_CTX_set_security_level.3ssl.html The combination of "Ubuntu changed the meaning of security level policy" and "SSL_CTX_get_min_proto_version(ctx) does not report minimum version" breaks our tests. OpenSSL doesn't provide an easy way to check if a SSL_CTX has a sane configuration. There is a way to check if a security policy allows a TLS version. I'm not sure if we should include the check in CPython and where to best put the check: void *sec_ex = SSL_CTX_get0_security_ex_data(ctx);
sec_cb = SSL_CTX_get_security_callback(ctx);
int result = sec_cb(NULL, ctx, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL, sec_ex);
if (result && (SSL_CTX_get_min_proto_version(ctx) >= TLS1_VERSION)) ... |
|
Dimitri John Ledkov from Canonical has opened a feature request for a context validation feature on the OpenSSL issue tracker, openssl/openssl#14607 |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: