Author Michael.Felt
Recipients EWDurbin, Michael.Felt, gregory.p.smith, miss-islington, ned.deily, yan12125
Date 2019-05-21.09:09:51
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1558429792.69.0.241288602559.issue36816@roundup.psfhosted.org>
In-reply-to
Content
I am not an OpenSSL expert - and I am conscious of OpenSSL changes with regard to 'acceptance' of anything self-signed.

And, what it looks like you are trying to do with an updated 'signing" .pem is to remove the 'self-signed' charasteric.

On AIX - atm - I get, as did Chih-Hsuan Yen (yan12125),

======================================================================
ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/buildbot/python-master/Lib/test/test_httplib.py", line 1632, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/buildbot/python-master/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/buildbot/python-master/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/buildbot/python-master/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/buildbot/python-master/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/buildbot/python-master/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/buildbot/python-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1055)

And I see why now:
test_networked_good_cert (test.test_httplib.HTTPSTest) ... skipped "Use of the 'network' resource not enabled"

Digging a bit:

buildbot@x064:[/home/buildbot/python-master]openssl s_client -connect self-signed.pythontest.net:443
CONNECTED(00000003)
depth=0 C = XY, ST = Castle Anthrax, L = Argument Clinic, O = Python Software Foundation, CN = self-signed.pythontest.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XY, ST = Castle Anthrax, L = Argument Clinic, O = Python Software Foundation, CN = self-signed.pythontest.net
verify return:1
---
Certificate chain
 0 s:/C=XY/ST=Castle Anthrax/L=Argument Clinic/O=Python Software Foundation/CN=self-signed.pythontest.net

   i:/C=XY/ST=Castle Anthrax/L=Argument Clinic/O=Python Software Foundation/CN=self-signed.pythontest.net

And while this:
How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" builtbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again)

is nice for some, it is not nice for all!

Perhaps the test should be switched to 'warn' on failure, rather than error on failure, until fixed!
History
Date User Action Args
2019-05-21 09:09:52Michael.Feltsetrecipients: + Michael.Felt, gregory.p.smith, ned.deily, yan12125, EWDurbin, miss-islington
2019-05-21 09:09:52Michael.Feltsetmessageid: <1558429792.69.0.241288602559.issue36816@roundup.psfhosted.org>
2019-05-21 09:09:52Michael.Feltlinkissue36816 messages
2019-05-21 09:09:51Michael.Feltcreate