Author gregory.p.smith
Recipients EWDurbin, gregory.p.smith
Date 2019-05-06.18:05:40
Message-id <1557165940.63.0.800219956591.issue36816@roundup.psfhosted.org>
Content
test_httplib uses self-signed.pythontest.net in its test_networked_good_cert test.

On modern Linux distros (current Debian testing sid), the certificate it currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I _believe_ this can be done by someone with infrastructure access via an update to https://github.com/python/pythontestdotnet/tree/master/tls

Assigning to EWDurbin for triage and redirection to someone else infrastructury if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" buildbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  (The test _currently_ fails; I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again.)
History
Date | User | Action | Args
2019-05-06 18:05:40 | gregory.p.smith | set | recipients: + gregory.p.smith, EWDurbin
2019-05-06 18:05:40 | gregory.p.smith | set | messageid: <1557165940.63.0.800219956591.issue36816@roundup.psfhosted.org>
2019-05-06 18:05:40 | gregory.p.smith | link | issue36816 messages
2019-05-06 18:05:40 | gregory.p.smith | create |
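
Added example (not part of the original message and not the change that went into CPython): one way to skip a networked test only on the "EE certificate key too weak" reason from the traceback above, while every other certificate verification failure still fails the test. The helper names and make_verify_error(), which builds a constructed stand-in for a real handshake error, are assumptions for illustration.

```python
import contextlib
import ssl
import unittest

# Reason text taken from the traceback in the report above.
WEAK_EE_KEY_REASON = "EE certificate key too weak"


def is_weak_ee_key_error(exc):
    """True only for a verification failure caused by a weak leaf (EE) key."""
    if not isinstance(exc, ssl.SSLCertVerificationError):
        return False
    # verify_message is set by the ssl module on real handshake failures;
    # fall back to the full error text if it is missing.
    reason = getattr(exc, "verify_message", None) or str(exc)
    return WEAK_EE_KEY_REASON in reason


@contextlib.contextmanager
def skip_on_weak_ee_key(host):
    """Turn the one known server-side problem into a skip; re-raise the rest."""
    try:
        yield
    except ssl.SSLCertVerificationError as exc:
        if is_weak_ee_key_error(exc):
            raise unittest.SkipTest(f"{host}: {WEAK_EE_KEY_REASON}") from exc
        raise  # expired, untrusted, hostname mismatch, ... must still fail


def make_verify_error(reason):
    """Constructed stand-in for the error raised during a real TLS handshake."""
    text = f"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: {reason}"
    exc = ssl.SSLCertVerificationError(1, text)
    exc.verify_message = reason
    return exc


def outcome(reason):
    """Report what a test body raising this verification error would do."""
    try:
        with skip_on_weak_ee_key("self-signed.pythontest.net"):
            raise make_verify_error(reason)
    except unittest.SkipTest:
        return "skipped"
    except ssl.SSLCertVerificationError:
        return "failed"
```

Matching on the single reason string keeps the skip from masking unrelated verification failures, and the skip shows up in the test report so it can be removed once the server certificate is replaced.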