Message 357794 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	koobs
Recipients	christian.heimes, koobs, miss-islington, pablogsal, vstinner
Date	2019-12-04.11:34:40
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1575459280.8.0.192643104988.issue38815@roundup.psfhosted.org>
In-reply-to

Content
In case it's relevant, I note the following: The ssl module is built with -I/usr/local/include in the compile line. Leaving aside: - the warts of the build system, and - the lack of specific --with-foo=<path> semantics to allow providing well(narrowly)-scoped include/library paths - how and whether the default python build using -I/usr/local/include is 'good' or not ... it means that the build is finding openssl111 on FreeBSD provided by ports, not base (base also includes openssl 1.1.1 @ /usr/include\|lib) More specifically, our openssl111 port happens to have many options that allow enabling/disabling various software features, including encryption algorithms and protocol versions The current (installed) build of openssl111 on the buildbot worker that is failing, has the following options set/unset: OPTIONS_FILE_UNSET+=CT OPTIONS_FILE_UNSET+=MAN3 OPTIONS_FILE_UNSET+=RFC3779 OPTIONS_FILE_SET+=SHARED OPTIONS_FILE_UNSET+=ZLIB OPTIONS_FILE_UNSET+=ARIA OPTIONS_FILE_UNSET+=DES OPTIONS_FILE_UNSET+=GOST OPTIONS_FILE_UNSET+=IDEA OPTIONS_FILE_UNSET+=SM2 OPTIONS_FILE_UNSET+=SM3 OPTIONS_FILE_UNSET+=SM4 OPTIONS_FILE_UNSET+=RC2 OPTIONS_FILE_UNSET+=RC4 OPTIONS_FILE_UNSET+=RC5 OPTIONS_FILE_UNSET+=MD2 OPTIONS_FILE_UNSET+=MD4 OPTIONS_FILE_UNSET+=MDC2 OPTIONS_FILE_UNSET+=RMD160 OPTIONS_FILE_SET+=ASM OPTIONS_FILE_SET+=SSE2 OPTIONS_FILE_SET+=THREADS OPTIONS_FILE_SET+=EC OPTIONS_FILE_SET+=NEXTPROTONEG OPTIONS_FILE_UNSET+=SCTP OPTIONS_FILE_UNSET+=SSL3 OPTIONS_FILE_UNSET+=TLS1 OPTIONS_FILE_UNSET+=TLS1_1 OPTIONS_FILE_SET+=TLS1_2 In summary, this build only has TLS 1.2 and TLS 1.3 enabled (but with other various things disabled, not the defaults of the upstream openssl build), and may be indicated in this test failure, possibly only one example of many other similar issues of the same class, something like "tests assume certain features" Relatedly, this method of disabling various default options in openssl, is how a number [1] of issues in the Python cryptography package were found: https://github.com/pyca/cryptography/issues/5065 * Another issue is a build failure with NPN disabled, yet to be reported

In case it's relevant, I note the following:

The ssl module is built with -I/usr/local/include in the compile line.

Leaving aside:

 - the warts of the build system, and 
 - the lack of specific --with-foo=<path> semantics to allow providing well(narrowly)-scoped include/library paths
 - how and whether the default python build using -I/usr/local/include is 'good' or not ...

it means that the build is finding openssl111 on FreeBSD provided by ports, not base (base also includes openssl 1.1.1 @ /usr/include|lib)

More specifically, our openssl111 port happens to have many options that allow enabling/disabling various software features, including encryption algorithms and protocol versions

The current (installed) build of openssl111 on the buildbot worker that is failing, has the following options set/unset:

OPTIONS_FILE_UNSET+=CT
OPTIONS_FILE_UNSET+=MAN3
OPTIONS_FILE_UNSET+=RFC3779
OPTIONS_FILE_SET+=SHARED
OPTIONS_FILE_UNSET+=ZLIB
OPTIONS_FILE_UNSET+=ARIA
OPTIONS_FILE_UNSET+=DES
OPTIONS_FILE_UNSET+=GOST
OPTIONS_FILE_UNSET+=IDEA
OPTIONS_FILE_UNSET+=SM2
OPTIONS_FILE_UNSET+=SM3
OPTIONS_FILE_UNSET+=SM4
OPTIONS_FILE_UNSET+=RC2
OPTIONS_FILE_UNSET+=RC4
OPTIONS_FILE_UNSET+=RC5
OPTIONS_FILE_UNSET+=MD2
OPTIONS_FILE_UNSET+=MD4
OPTIONS_FILE_UNSET+=MDC2
OPTIONS_FILE_UNSET+=RMD160
OPTIONS_FILE_SET+=ASM
OPTIONS_FILE_SET+=SSE2
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_SET+=EC
OPTIONS_FILE_SET+=NEXTPROTONEG
OPTIONS_FILE_UNSET+=SCTP
OPTIONS_FILE_UNSET+=SSL3
OPTIONS_FILE_UNSET+=TLS1
OPTIONS_FILE_UNSET+=TLS1_1
OPTIONS_FILE_SET+=TLS1_2

In summary, this build only has TLS 1.2 and TLS 1.3 enabled (but with other various things disabled, not the defaults of the upstream openssl build), and may be indicated in this test failure, possibly only one example of many other similar issues of the same class, something like "tests assume certain features"

Relatedly, this method of disabling various default options in openssl, is how a number [1] of issues in the Python cryptography package were found:

https://github.com/pyca/cryptography/issues/5065

* Another issue is a build failure with NPN disabled, yet to be reported

History
Date	User	Action	Args
2019-12-04 11:34:40	koobs	set	recipients: + koobs, vstinner, christian.heimes, pablogsal, miss-islington
2019-12-04 11:34:40	koobs	set	messageid: <1575459280.8.0.192643104988.issue38815@roundup.psfhosted.org>
2019-12-04 11:34:40	koobs	link	issue38815 messages
2019-12-04 11:34:40	koobs	create