Message341579
test_httplib uses self-signed.pythontest.net in it's test_networked_good_cert test.
On modern Linux distros (current Debian testing sid), the certificate it currently uses is rightfully rejected as being too weak:
ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
h.request('GET', '/')
File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
self.send(msg)
File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
self.connect()
File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
return self.sslsocket_class._create(
File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
self.do_handshake()
File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)
The TLS certificate on the server needs to be updated to something modern. I _believe_ this can be done by someone with infrastructure access via an update to https://github.com/python/pythontestdotnet/tree/master/tls
Assigning to EWDurbin for triage and redirection to someone else infrastructury if he's not the right person.
How to know if it has been fixed? Monitor the test_networked_good_cert test on any "Debian buster" builtbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped. (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again) |
|
Date |
User |
Action |
Args |
2019-05-06 18:05:40 | gregory.p.smith | set | recipients:
+ gregory.p.smith, EWDurbin |
2019-05-06 18:05:40 | gregory.p.smith | set | messageid: <1557165940.63.0.800219956591.issue36816@roundup.psfhosted.org> |
2019-05-06 18:05:40 | gregory.p.smith | link | issue36816 messages |
2019-05-06 18:05:40 | gregory.p.smith | create | |
|