Issue36037
Created on 2019-02-19 14:19 by vstinner, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 11940 | merged | vstinner, 2019-02-19 14:23 | |
| PR 11942 | merged | miss-islington, 2019-02-19 17:06 | |
| Messages (7) | |||
|---|---|---|---|
| msg335950 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-02-19 14:19 | |
RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

Attached PR fixes test_ssl for RHEL8. The PR is not specific to RHEL8. It should also fix test_ssl on Debian: see bpo-35925 and bpo-36005.

test_ssl failures on RHEL8:

```
======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3079, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3150, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

======================================================================
FAIL: test_min_max_version (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 1093, in test_min_max_version
    self.assertIn(
AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.TLSv1: 769>, <TLSVersion.MINIMUM_SUPPORTED: -2>}

----------------------------------------------------------------------
Ran 150 tests in 3.318s

FAILED (failures=1, errors=2, skipped=9)
```
|
|||
| msg335951 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-02-19 14:32 | |
On Python 2.7.16rc, similar tests are failing on RHEL8:

```
ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
...
```

But right now, Python 2.7 doesn't give access to minimum_version/maximum_version :-( Not even to read these versions. So I'm not sure how to skip or fix these tests, without backporting code for these attributes. |
|||
| msg335955 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-02-19 14:58 | |
> RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

Ah, I forgot to mention that a workaround is to use OPENSSL_CONF=/ environment variable to ignore RHEL crypto policy (don't load system OpenSSL configuration). |
|||
| msg335964 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-02-19 16:16 | |
Python 2.7 and 3.6 have no SSLContext.minimum_version attribute (even with OpenSSL 1.1.1).

I think that we will work around this issue in Fedora and RHEL8 spec file (recipe to build RPM packages) using "export OPENSSL_CONF=/non-existing-file". |
|||
| msg335980 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-02-19 17:06 | |
New changeset 3ef6344ee53f59ee86831ec36ed2c6f93a56229d by Victor Stinner in branch 'master':
bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
https://github.com/python/cpython/commit/3ef6344ee53f59ee86831ec36ed2c6f93a56229d |
|||
| msg335986 - (view) | Author: miss-islington (miss-islington) | Date: 2019-02-19 17:24 | |
New changeset e8bf04de4ba045029aa8964126d8cdd2d7c282a6 by Miss Islington (bot) in branch '3.7':
bpo-36037: Fix test_ssl for strict OpenSSL policy (GH-11940)
https://github.com/python/cpython/commit/e8bf04de4ba045029aa8964126d8cdd2d7c282a6 |
|||
| msg335988 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-02-19 17:29 | |
Ok, Python 3.7 and 3.8 (master) have been fixed. See bpo-35925 (and bpo-36005) for discussions on Python 2.7 and 3.6. |
|||
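The failures reported in the first message can be read as protocol version windows that no longer overlap once a system policy raises the server's minimum to TLS 1.2. The following is an added example, not code from CPython or from PR 11940; the function names and the `(minimum, maximum)` tuples are constructed for illustration and assume Python 3.7+ with OpenSSL 1.1.1.

```python
import ssl

V = ssl.TLSVersion
# Concrete protocol versions, oldest first (the two sentinels are excluded).
CONCRETE = [V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]


def window(ctx):
    """Effective (minimum, maximum) pair of a real SSLContext."""
    return ctx.minimum_version, ctx.maximum_version


def accepted(bounds):
    """Expand a (minimum, maximum) pair into the concrete versions it admits.

    MINIMUM_SUPPORTED (-2) and MAXIMUM_SUPPORTED (-1) mean "no explicit
    bound", so they must not be compared numerically with real versions.
    """
    lo, hi = bounds
    return [v for v in CONCRETE
            if (lo == V.MINIMUM_SUPPORTED or v >= lo)
            and (hi == V.MAXIMUM_SUPPORTED or v <= hi)]


def negotiate(client_bounds, server_bounds):
    """Highest version both sides admit, or None when the windows do not
    overlap (the handshake then ends in a protocol version alert)."""
    common = set(accepted(client_bounds)) & set(accepted(server_bounds))
    return max(common) if common else None


# Constructed scenarios modelled on the report (assumed bounds, not measured).
STRICT_SERVER = (V.TLSv1_2, V.MAXIMUM_SUPPORTED)        # policy: TLS 1.2 minimum
UNRESTRICTED_SERVER = (V.MINIMUM_SUPPORTED, V.MAXIMUM_SUPPORTED)
TLS1_ONLY_CLIENT = (V.TLSv1, V.TLSv1)                    # client fixed at TLS 1.0
TLS11_ONLY_CLIENT = (V.TLSv1_1, V.TLSv1_1)               # client fixed at TLS 1.1

if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default server window on this host:", window(ctx))
    for name, client in [("TLSv1", TLS1_ONLY_CLIENT), ("TLSv1.1", TLS11_ONLY_CLIENT)]:
        print(name, "client vs strict server ->", negotiate(client, STRICT_SERVER))
        print(name, "client vs unrestricted server ->", negotiate(client, UNRESTRICTED_SERVER))
```

Running it on a host prints the window its own OpenSSL configuration gives a default server context, which shows whether a test that pins an older protocol can succeed there.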
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:11 | admin | set | github: 80218 |
| 2019-02-19 17:29:16 | vstinner | set | status: open -> closed versions: + Python 3.7 messages: + msg335988 resolution: fixed |
| 2019-02-19 17:24:20 | miss-islington | set | nosy: + miss-islington messages: + msg335986 |
| 2019-02-19 17:06:40 | miss-islington | set | pull_requests: + pull_request11966 |
| 2019-02-19 17:06:13 | vstinner | set | messages: + msg335980 |
| 2019-02-19 16:16:32 | vstinner | set | messages: + msg335964 |
| 2019-02-19 14:58:49 | vstinner | set | messages: + msg335955 |
| 2019-02-19 14:33:18 | vstinner | set | nosy: + gregory.p.smith, cstratak |
| 2019-02-19 14:32:04 | vstinner | set | messages: + msg335951 |
| 2019-02-19 14:23:17 | vstinner | set | keywords: + patch stage: patch review pull_requests: + pull_request11964 |
| 2019-02-19 14:19:42 | vstinner | create | |
