Author gregory.p.smith
Recipients EWDurbin, gregory.p.smith
Date 2019-05-06.18:05:40
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1557165940.63.0.800219956591.issue36816@roundup.psfhosted.org>
In-reply-to
Content
test_httplib uses self-signed.pythontest.net in it's test_networked_good_cert test.

On modern Linux distros (current Debian testing sid), the certificate it currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I _believe_ this can be done by someone with infrastructure access via an update to https://github.com/python/pythontestdotnet/tree/master/tls

Assigning to EWDurbin for triage and redirection to someone else infrastructury if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" builtbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again)
History
Date User Action Args
2019-05-06 18:05:40gregory.p.smithsetrecipients: + gregory.p.smith, EWDurbin
2019-05-06 18:05:40gregory.p.smithsetmessageid: <1557165940.63.0.800219956591.issue36816@roundup.psfhosted.org>
2019-05-06 18:05:40gregory.p.smithlinkissue36816 messages
2019-05-06 18:05:40gregory.p.smithcreate