This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author gregory.p.smith
Recipients EWDurbin, gregory.p.smith
Date 2019-05-06.18:05:40
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
test_httplib uses in it's test_networked_good_cert test.

On modern Linux distros (current Debian testing sid), the certificate it currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/", line 1004, in _send_output
  File "/home/greg/oss/cpython/Lib/http/", line 944, in send
  File "/home/greg/oss/cpython/Lib/http/", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/", line 853, in _create
  File "/home/greg/oss/cpython/Lib/", line 1117, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I _believe_ this can be done by someone with infrastructure access via an update to

Assigning to EWDurbin for triage and redirection to someone else infrastructury if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" builtbot(s) such as to make sure it is not skipped.  (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again)
Date User Action Args
2019-05-06 18:05:40gregory.p.smithsetrecipients: + gregory.p.smith, EWDurbin
2019-05-06 18:05:40gregory.p.smithsetmessageid: <>
2019-05-06 18:05:40gregory.p.smithlinkissue36816 messages
2019-05-06 18:05:40gregory.p.smithcreate