https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
== Summary ==
We are going to deprecate the openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in the openssl1.1 package itself.

== Owner ==
* Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
* Email: dbelyavs@redhat.com

== Detailed Description ==
In Fedora 36 we switched to the OpenSSL 3.0 branch. This is a brand new version with a new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As OpenSSL 1.1 has a predictable EOL, we want to ensure that no new products relying on it will appear in Fedora.

== Benefit to Fedora ==
This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version, which will cause an overall increase in security/stability, and will reduce the number of old packages relying on the OpenSSL 1.1 series.

It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.

== Scope ==
* Proposal owners:
** Remove the devel package
** Eliminate crypto policy support from the main package
** Provide assistance in migration to other developers
* Other developers:
** Patch their packages to work with OpenSSL 3.0
** Fedora/RHEL distributions provide some syntactic sugar related to https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the packages still relying on openssl1.1, the syntax provided by crypto policies will no longer be supported. The changes implemented according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies (e.g. using "PROFILE=SYSTEM" as the default TLS ciphersuite configuration) should be removed.
* Release engineering: This feature doesn't require coordination with release engineering.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
As crypto policy support is removed from openssl1.1, applications will need to adjust their configuration files if they contain the line "PROFILE=SYSTEM", according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies

== How To Test ==
Regular application tests should catch the regressions caused by these changes.

== Dependencies ==
No packages should depend on the openssl1.1-devel package, which is eliminated.

== Contingency Plan ==
Revert the shipped configuration
Contingency deadline: TBD

== Documentation ==
TBW

== Release Notes ==
TBW
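The compatibility note above says that any application still on openssl1.1 whose configuration carries "PROFILE=SYSTEM" must change, because the compat library will stop resolving that cipher string. The following Python script is an added example, not code from the Change page or from the Fedora openssl packages: it asks the libssl that the interpreter is linked against whether it accepts "PROFILE=SYSTEM" at all, and lists the lines of a configuration file that depend on it. The nginx-style config, the function names and the report layout are constructed for illustration.

```python
"""Two checks for the change's compatibility note: does the OpenSSL that this
interpreter is linked against honour the crypto-policies cipher string
"PROFILE=SYSTEM", and which lines of a config file rely on it.

Added example, not from the Change page or the Fedora openssl packages; the
nginx-style config below is constructed for illustration."""
import re
import ssl

SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
    # ssl_ciphers HIGH:!aNULL;   (explicit list left commented out)
}
"""

PROFILE_RE = re.compile(r"PROFILE\s*=\s*SYSTEM")


def cipher_string_supported(cipher_string):
    """True if libssl accepts cipher_string for TLS 1.2 and below.

    OpenSSL refuses a cipher string that selects no pre-TLS-1.3 cipher, and
    an unpatched build treats PROFILE=SYSTEM as an unknown name that selects
    nothing; only the Fedora/RHEL crypto-policies patch resolves it. Python's
    SSLContext.set_ciphers() surfaces the refusal as ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def find_profile_system(config_text):
    """(line_number, line) pairs that use PROFILE=SYSTEM; comments are skipped."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or not PROFILE_RE.search(stripped):
            continue
        hits.append((lineno, stripped))
    return hits


def audit(config_text):
    """Report whether PROFILE=SYSTEM works here and where the config relies on it.

    A config that references the profile is only a problem when the library it
    is loaded into does not honour it, which is what the openssl1.1 change
    would make true for applications still linked against libssl.so.1.1."""
    honoured = cipher_string_supported("PROFILE=SYSTEM")
    hits = find_profile_system(config_text)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "profile_system_honoured": honoured,
        "lines_using_profile_system": hits,
        "needs_explicit_cipher_list": bool(hits) and not honoured,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print(report["openssl"])
    print("PROFILE=SYSTEM honoured:", report["profile_system_honoured"])
    for lineno, line in report["lines_using_profile_system"]:
        print(f"line {lineno}: {line}")
    print("needs an explicit cipher list:", report["needs_explicit_cipher_list"])
```

The check is only as good as the library the process loads: on Fedora 36 and later Python links against OpenSSL 3, so `cipher_string_supported("PROFILE=SYSTEM")` reports on that build, not on libssl.so.1.1. To exercise the compat package itself you need a binary actually linked against it, which is exactly the situation the change's "Upgrade/compatibility impact" section describes.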
On 6/22/22 15:05, Vipul Siddharth wrote:
== Benefit to Fedora == This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
This sentence is too long, and as a result I don't think readers will understand it the way it was intended. I suggest simplifying to:
---
This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version. That change will cause an overall increase in security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
---
In addition to the wording changes, do you mean 'package-versions' here where you say 'packages'? Is a new version of OpenSSH, for example, considered a 'new package' for the purposes of this proposal?
Kevin P. Fleming wrote:
On 6/22/22 15:05, Vipul Siddharth wrote:
== Benefit to Fedora == This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
This sentence is too long, and as a result I don't think readers will understand it the way it was intended. I suggest simplifying to:
This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version. That change will cause an overall increase in security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
In addition to the wording changes, do you mean 'package-versions' here where you say 'packages'? Is a new version of OpenSSH, for example, considered a 'new package' for the purposes of this proposal?
As I read this the plan is to drop the devel package from the shipping repos but it is still available in the buildroot.
But then there is this:
== Dependencies == No packages should depend on openssl1.1-devel packages that is eliminated.
But if the devel package is eliminated, then doesn't this mean completely dropping OpenSSL 1.x?
I assume it's a nuanced thing. Can you clarify this?
What about a plan to drop OpenSSL 1.x support entirely. Should that be included in this or is it out-of-scope. Maybe a look-ahead (e.g " in the F38-39 series we'll look to kill it entirely.")
What does this mean for reproducible builds if the devel package is not shipped?
rob
On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+1 to deprecating it
-1 to stop shipping the devel package, this would mean we cannot build at least:
- Python 2.7 despite our long term efforts, many things still need that, e.g. gimp, firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/
Or Python 3.6 (shipped for developers targeting RHEL 7/8).
As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok mhroncok@redhat.com wrote:
On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+1 to deprecating it
Great!
-1 to stop shipping the devel package, this would mean we cannot build at
least:
- Python 2.7 despite our long term efforts, many things still need that, e.g. gimp,
firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/
Or Python 3.6 (shipped for developers targeting RHEL 7/8).
As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?
I'm not sure that if we don't remove the devel package, we will provide strong enough motivation to get rid of the deprecating packages.
On 24. 06. 22 11:13, Dmitry Belyavskiy wrote:
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok <mhroncok@redhat.com> wrote:
On 22. 06. 22 21:05, Vipul Siddharth wrote:
> We are going to deprecate openssl1.1 package, stop shipping the
> corresponding devel package, and stop respecting crypto policies in
> openssl1.1 package itself.

+1 to deprecating it
Great!
-1 to stop shipping the devel package, this would mean we cannot build at least:

- Python 2.7
despite our long term efforts, many things still need that, e.g. gimp, firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/

Or Python 3.6 (shipped for developers targeting RHEL 7/8).

As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?
I'm not sure that if we don't remove the devel package, we will provide strong enough motivation to get rid of the deprecating packages.
You probably won't. But by breaking it intentionally, you are just shifting the problem somewhere else.
Am 24.06.22 um 11:13 schrieb Dmitry Belyavskiy:
I'm not sure that if we don't remove the devel package, we will provide strong enough motivation to get rid of the deprecating packages.
imho removing the devel packages is basically the same as removing openssl1.1 entirely. To me the idea of "deprecation" is to warn users that something is going away WITHOUT removing functionality immediately.
And yes, Python 2.7 might be a pain point for packagers but fact is that important packages still rely on it. Removing openssl just shifts the burden to (many more) packagers who just need Python 2.7 for their packages.
Are these Python 2.7 dependencies only used at build time? In that case Fedora could maybe announce that openssl1.1 might not get the full security support so the burden for openssl1.1 packagers is lower without removing the functionality?
Felix
* Felix Schwarz:
Are these Python 2.7 dependencies only used at build time? In that case Fedora could maybe announce that openssl1.1 might not get the full security support so the burden for openssl1.1 packagers is lower without removing the functionality?
I'm pretty sure it's used for Python's own HTTPS implementation, among other things, so it's not really an optional feature (although Python can be built without it, I believe).
Thanks, Florian
On 24. 06. 22 11:27, Florian Weimer wrote:
* Felix Schwarz:
Are these Python 2.7 dependencies only used at build time? In that case Fedora could maybe announce that openssl1.1 might not get the full security support so the burden for openssl1.1 packagers is lower without removing the functionality?
I'm pretty sure it's used for Python's own HTTPS implementation, among other things, so it's not really an optional feature (although Python can be built without it, I believe).
It is possible to build Python 2 without the ssl module. HTTPS would indeed not work and hence pip would not work. In return, the package would be useless for Python developers using virtualenv to test their code that still needs to support Python 2.
If openssl1.1-devel goes away, we would likely need to either bundle openssl entirely (which is worse than having openssl1.1-devel in Fedora IMHO), or just bundle the headers somehow, which just creates a room for breakage with every openssl 1.1 update for no added benefit.
Am 24.06.22 um 11:27 schrieb Florian Weimer:
* Felix Schwarz:
Are these Python 2.7 dependencies only used at build time? In that case Fedora could maybe announce that openssl1.1 might not get the full security support so the burden for openssl1.1 packagers is lower without removing the functionality?
I'm pretty sure it's used for Python's own HTTPS implementation, among other things, so it's not really an optional feature (although Python can be built without it, I believe).
What I meant is: Is Python 2.7 only used as a build dependency? If so, I think we might be able to state that Python 2.7 + openssl might get reduced security support. At build time we don't have any network access anyway.
I guess it is clear that removing openssl1.1 is not really feasible unless we remove Python 2.7.
Felix
Felix Schwarz fschwarz@fedoraproject.org writes:
imho removing the devel packages is basically the same as removing openssl1.1 entirely. To me the idea of "deprecation" is to warn users that something is going away WITHOUT removing functionality immediately.
I just wanted to note, since I haven't noticed it elsewhere in this thread, that "deprecation" for a Fedora package has a specific meaning as described in https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag...
When a package is deprecated, the intent is that no new dependencies on any deprecated package would appear in the distribution, either by new packages or from existing packages adding dependencies. Of course, I don't know what actually checks this; it's not particularly common to deprecate packages.
- J<
Jun 24, 2022 1:59:40 PM Jason Tibbitts j@tib.bs:
When a package is deprecated, the intent is that no new dependencies on any deprecated package would appear in the distribution, either by new packages or from existing packages adding dependencies. Of course, I don't know what actually checks this; it's not particularly common to deprecate packages.
FedoraReview checks for deprecated dependencies. I don't think there's any process to make sure that existing packages don't start depending on deprecated packages.

--
Thanks,
Maxwell G (@gotmax23)
Pronouns: He/Him/His
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok mhroncok@redhat.com wrote:
On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+1 to deprecating it
Great!
-1 to stop shipping the devel package, this would mean we cannot build at
least:
- Python 2.7 despite our long term efforts, many things still need that, e.g. gimp,
firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/
Or Python 3.6 (shipped for developers targeting RHEL 7/8).
As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?
I'm not sure that if we don't remove the devel package, we will provide strong enough motivation to get rid of the deprecating packages.
If the openssl maintainers really strongly want to remove the devel package, then don't call this deprecation because that is misleading. Call this purging openssl1.1 from the entire distro, such that it can only be used by 3rd party apps who have previously compiled against older Fedora openssl-devel. Be open about the fact that this will cause FTBFS for any Fedora packages that still use openssl1 and their removal from the distro if they can't port to openssl3 very quickly.
With regards, Daniel
On Fri, Jun 24, 2022 at 11:20 AM Daniel P. Berrangé berrange@redhat.com wrote:
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok mhroncok@redhat.com
wrote:
On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+1 to deprecating it
Great!
-1 to stop shipping the devel package, this would mean we cannot build at
least:
- Python 2.7 despite our long term efforts, many things still need that, e.g.
gimp,
firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/
Or Python 3.6 (shipped for developers targeting RHEL 7/8).
As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?
I'm not sure that if we don't remove the devel package, we will provide strong enough motivation to get rid of the deprecating packages.
If the openssl maintainers really strongly want to remove the devel package, then don't call this deprecation because that is misleading. Call this purging openssl1.1 from the entire distro, such that it can only be used by 3rd party apps who have previously compiled against older Fedora openssl-devel. Be open about the fact that this will cause FTBFS for any Fedora packages that still use openssl1 and their removal from the distro if they can't port to openssl3 very quickly.
Do I correctly understand that the situation with Python is the most problematic? Are we able to solve it somehow?
What I'm afraid of is that if we just declare the deprecation, we will stay with this package forever.
Am 24.06.22 um 11:23 schrieb Dmitry Belyavskiy:
What I'm afraid of is that if we just declare the deprecation, we will stay with this package forever.
Well, RHEL 7 maintenance support 2 phase ends in June 2024. I'd expect that we should be able to drop Python 2.7 from Fedora at that point at least (probably even before).
And yes, I think removing really important packages like OpenSSL 1 or Python 2.7 is not an easy task for a general-purpose Linux distribution.
Felix
On 24. 06. 22 11:23, Dmitry Belyavskiy wrote:
On Fri, Jun 24, 2022 at 11:20 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok <mhroncok@redhat.com> wrote:
> >
> > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > We are going to deprecate openssl1.1 package, stop shipping the
> > > corresponding devel package, and stop respecting crypto policies in
> > > openssl1.1 package itself.
> >
> > +1 to deprecating it
>
> Great!
>
> > -1 to stop shipping the devel package, this would mean we cannot build at
> > least:
> >
> > - Python 2.7
> > despite our long term efforts, many things still need that, e.g. gimp,
> > firefox (some builds do, then some don't), thunderbird etc., see
> > https://fedora.portingdb.xyz/
> >
> > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> >
> > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> > leave the
> > devel package?
>
> I'm not sure that if we don't remove the devel package, we will provide
> strong enough motivation to get rid of the deprecating packages.

If the openssl maintainers really strongly want to remove the devel package, then don't call this deprecation because that is misleading. Call this purging openssl1.1 from the entire distro, such that it can only be used by 3rd party apps who have previously compiled against older Fedora openssl-devel. Be open about the fact that this will cause FTBFS for any Fedora packages that still use openssl1 and their removal from the distro if they can't port to openssl3 very quickly.
Do I correctly understand that the situation with Python is the most problematic? Are we able to solve it somehow?
What I'm afraid of is that if we just declare the deprecation, we will stay with this package forever.
Not forever, just until Python 2.7 is removed :D
Seriously though, my proposal is:
- deprecate it now
- announce it goes away when RHEL 8 maintenance support ends
Following the guidelines for deprecated packages: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag...
# This is when RHEL 8 maintenance support is expected to end
# https://access.redhat.com/support/policy/updates/errata
# The life-cycle time spans and dates are subject to adjustment
Provides: deprecated() = 20290531
You are going to support OpenSSL 1.1 in RHEL 8 until that day anyway.
This is also when we plan to remove Python 3.6: https://lists.fedoraproject.org/archives/list/python-devel@lists.fedoraproje...
And if Python 2.7 isn't removed by then, we can rip it out together with OpenSSL 1.1 in Fedora 50.
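Miro's `Provides: deprecated() = 20290531` is the mechanism the deprecation guideline relies on, and Maxwell G notes earlier in the thread that FedoraReview checks it for new package reviews while nothing checks whether existing packages start depending on a deprecated one. The script below is an added example, not code from the page or from any Fedora tool: it resolves Requires and BuildRequires to their providers and reports every package that depends on one carrying `deprecated()`, plus the transitive set that would break when the deprecated package is retired. The package metadata is constructed to mirror the packages named in this thread; real input would come from dnf repoquery.

```python
"""Flag packages that depend on a package carrying the deprecated() provide.

Added example, not from the page or from Fedora's tooling (FedoraReview
checks this only for new package reviews). Package metadata below is
constructed to mirror the thread; real input would come from dnf repoquery."""
import re
from datetime import date

# Constructed metadata: package -> provided capabilities and dependencies.
# Versioned provides are written the way rpm prints them ("cap = ver").
PACKAGES = {
    "openssl1.1": {
        "provides": ["openssl1.1", "libssl.so.1.1()(64bit)",
                     "deprecated() = 20290531"],
        "requires": [],
    },
    "openssl1.1-devel": {
        "provides": ["openssl1.1-devel", "deprecated() = 20290531"],
        "requires": ["openssl1.1"],
    },
    "python2.7": {
        "provides": ["python2.7"],
        "requires": ["libssl.so.1.1()(64bit)"],
        "buildrequires": ["openssl1.1-devel"],
    },
    "gimp": {"provides": ["gimp"], "requires": [], "buildrequires": ["python2.7"]},
    "nginx": {"provides": ["nginx"], "requires": ["libssl.so.3()(64bit)"],
              "buildrequires": ["openssl-devel"]},
}

DEPRECATED_RE = re.compile(r"^deprecated\(\)(?:\s*=\s*(\d{8}))?$")


def capability_name(cap):
    """'foo = 1.2' -> 'foo'; a bare capability is returned unchanged."""
    return cap.split()[0]


def deprecation_date(provides):
    """(is_deprecated, planned removal date or None) for a provides list.

    'deprecated() = YYYYMMDD' is the dated form proposed in the thread; the
    guideline's bare 'deprecated()' still counts, with no date attached."""
    for cap in provides:
        m = DEPRECATED_RE.match(cap.strip())
        if m:
            ymd = m.group(1)
            when = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:])) if ymd else None
            return True, when
    return False, None


def build_provider_index(packages):
    """Map each provided capability name to the package providing it."""
    index = {}
    for name, meta in packages.items():
        for cap in meta.get("provides", []):
            index[capability_name(cap)] = name
    return index


def deprecated_dependencies(packages):
    """List (package, kind, deprecated_provider, removal_date) findings.

    Runtime Requires and BuildRequires are both walked: a package that only
    BuildRequires openssl1.1-devel still fails to build once it disappears.
    Packages that are deprecated themselves are skipped."""
    index = build_provider_index(packages)
    findings = []
    for name, meta in packages.items():
        if deprecation_date(meta.get("provides", []))[0]:
            continue
        for kind in ("requires", "buildrequires"):
            for cap in meta.get(kind, []):
                provider = index.get(capability_name(cap))
                if provider is None:
                    continue  # provided outside this metadata set
                is_dep, when = deprecation_date(packages[provider]["provides"])
                if is_dep:
                    findings.append((name, kind, provider, when))
    return findings


def transitive_dependents(packages, root):
    """Every package that reaches `root` through Requires or BuildRequires."""
    index = build_provider_index(packages)
    dependents, frontier = set(), [root]
    while frontier:
        target = frontier.pop()
        for name, meta in packages.items():
            deps = meta.get("requires", []) + meta.get("buildrequires", [])
            if name not in dependents and any(
                    index.get(capability_name(c)) == target for c in deps):
                dependents.add(name)
                frontier.append(name)
    return dependents


if __name__ == "__main__":
    for pkg, kind, provider, when in deprecated_dependencies(PACKAGES):
        due = when.isoformat() if when else "no date"
        print(f"{pkg}: {kind} {provider} (deprecated, planned removal {due})")
    print("broken by retiring openssl1.1:",
          sorted(transitive_dependents(PACKAGES, "openssl1.1")))
```

Run against real data, `transitive_dependents` is the list that answers Daniel's question of what an FTBFS on the missing -devel package would take down, and `deprecated_dependencies` is the periodic check the thread says does not exist for already-packaged software.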
On Fri, 2022-06-24 at 11:42 +0200, Miro Hrončok wrote:
On 24. 06. 22 11:23, Dmitry Belyavskiy wrote:
On Fri, Jun 24, 2022 at 11:20 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok <mhroncok@redhat.com> wrote:
> >
> > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > We are going to deprecate openssl1.1 package, stop shipping the
> > > corresponding devel package, and stop respecting crypto policies in
> > > openssl1.1 package itself.
> >
> > +1 to deprecating it
>
> Great!
>
> > -1 to stop shipping the devel package, this would mean we cannot build at
> > least:
> >
> > - Python 2.7
> > despite our long term efforts, many things still need that, e.g. gimp,
> > firefox (some builds do, then some don't), thunderbird etc., see
> > https://fedora.portingdb.xyz/
> >
> > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> >
> > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> > leave the
> > devel package?
>
> I'm not sure that if we don't remove the devel package, we will provide
> strong enough motivation to get rid of the deprecating packages.

If the openssl maintainers really strongly want to remove the devel package, then don't call this deprecation because that is misleading. Call this purging openssl1.1 from the entire distro, such that it can only be used by 3rd party apps who have previously compiled against older Fedora openssl-devel. Be open about the fact that this will cause FTBFS for any Fedora packages that still use openssl1 and their removal from the distro if they can't port to openssl3 very quickly.
Do I correctly understand that the situation with Python is the most problematic? Are we able to solve it somehow?
What I'm afraid of is that if we just declare the deprecation, we will stay with this package forever.
Not forever, just until Python 2.7 is removed :D
Seriously though, my proposal is:
- deprecate it now
- announce it goes away when RHEL 8 maintenance support ends
Following the guidelines for deprecated packages: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag...
# This is when RHEL 8 maintenance support is expected to end
# https://access.redhat.com/support/policy/updates/errata
# The life-cycle time spans and dates are subject to adjustment
Provides: deprecated() = 20290531
You are going to support OpenSSL 1.1 in RHEL 8 until that day anyway.
This is also when we plan to remove Python 3.6: https://lists.fedoraproject.org/archives/list/python-devel@lists.fedoraproje...
And if Python 2.7 isn't removed by then, we can rip it out together with OpenSSL 1.1 in Fedora 50.
Are you going to maintain it till Fedora 50 in the meantime?
Simo.
--
Miro Hrončok
Phone: +420777974800
IRC: mhroncok
On 24. 06. 22 17:39, Simo Sorce wrote:
Not forever, just until Python 2.7 is removed :D
Seriously though, my proposal is:
- deprecate it now
- announce it goes away when RHEL 8 maintenance support ends
Following the guidelines for deprecated packages: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag...
# This is when RHEL 8 maintenance support is expected to end
# https://access.redhat.com/support/policy/updates/errata
# The life-cycle time spans and dates are subject to adjustment
Provides: deprecated() = 20290531
You are going to support OpenSSL 1.1 in RHEL 8 until that day anyway.
This is also when we plan to remove Python 3.6: https://lists.fedoraproject.org/archives/list/python-devel@lists.fedoraproje...
And if Python 2.7 isn't removed by then, we can rip it out together with OpenSSL 1.1 in Fedora 50.
Are you going to maintain it till Fedora 50 in the meantime?
That is a very good question. No I won't. I am a member of a Red Hat team that maintains Python in RHEL and Fedora Linux, including a very old legacy Python version without upstream support. I merely expect the same treatment from the OpenSSL maintainers who proposed this change proposal (I assumed they are the RHEL OpenSSL maintainers, correct me if they are not).
I understand that I cannot *make* anybody maintain what they don't want. I am merely suggesting a solution that I consider good for the distro. I believe the RHEL OpenSSL maintainers who already need to maintain 1.1 at least until RHEL 8 goes EOL are much better equipped to maintain it in Fedora than I am.
But as said elsewhere, when it comes to that, we would be either forced to bundle OpenSSL 1.1 (and well, maintain it) or to get rid of Python 2.
I support deprecating openssl1.1. We definitely shouldn’t be adding any new packages that depend on it.
However, dropping the -devel package is almost as drastic as simply retiring the OpenSSL 1.1 package altogether. Grepping spec files for 'BuildRequires:.*openssl1' turns up the following packages that would immediately FTBFS:
- anope
- baresip
- botan2
- ceph
- chatty
- dotnet3.1
- dsniff
- eggdrop
- erlang
- kf5-kdelibs4support
- libasr
- libqxt-qt5
- libre
- libretls
- lua-sec
- nginx
- nodejs
- opensmtpd
- partclone
- pypy3.8
- pypy
- python2.7
- python3.6
- python3.7
- python-uamqp
- qt
- radsecproxy
- rpki-client
- ssldump
- tcltls
- thc-ipv6
- unrealircd
- w3m
- znc
Some of these have pretty large trees of dependent packages. I don’t think we’re ready for all of these packages to go FTBFS, preventing them from rebuilding or providing updates, until somebody figures out how to port them to OpenSSL 3.0. In a lot of cases, the maintainers of these packages in Fedora won’t be able to develop the necessary patches alone, so dropping the -devel packages would be playing hardball with the wrong people.
I’m sympathetic to the importance of retaining momentum toward openssl1.1 retirement rather than letting the compatibility package linger indefinitely, but I think right now—nine months after OpenSSL 3.0 was released—this momentum should be in the form of *assisting* these maintainers and upstreams in porting their packages, rather than in the form of forcing them to figure out an emergency patch.
In general, omitting -devel packages as an intermediate step between deprecation and retirement is not a practice I would like to see proliferate in Fedora. Packages that can be used but not built from source are defects in an open distribution, and we should avoid creating them intentionally.
– Ben Beasley
On 6/24/22 05:19, Daniel P. Berrangé wrote:
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok mhroncok@redhat.com wrote:
On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+1 to deprecating it
Great!
-1 to stop shipping the devel package, this would mean we cannot build at
least:
- Python 2.7 despite our long term efforts, many things still need that, e.g. gimp,
firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/
Or Python 3.6 (shipped for developers targeting RHEL 7/8).
As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?
I'm not sure that if we don't remove the devel package, we will provide strong enough motivation to get rid of the deprecating packages.
If the openssl maintainers really strongly want to remove the devel package, then don't call this deprecation because that is misleading. Call this purging openssl1.1 from the entire distro, such that it can only be used by 3rd party apps who have previously compiled against older Fedora openssl-devel. Be open about the fact that this will cause FTBFS for any Fedora packages that still use openssl1 and their removal from the distro if they can't port to openssl3 very quickly.
With regards, Daniel
Hi,
Ben Beasley code@musicinmybrain.net writes:
However, dropping the -devel package is almost as drastic as simply retiring the OpenSSL 1.1 package altogether. Grepping spec files for 'BuildRequires:.*openssl1' turns up the following packages that would immediately FTBFS: ...
- dotnet3.1
...
This package is already dropped from Rawhide. Upstream will drop all support for .NET Core 3.1 (dotnet3.1) at the end of this year [1]. The next version, .NET 6 (packaged as dotnet6.0), already builds and runs against OpenSSL 3.0 as well.
[1] https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core#lifec...
Omair
-- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
Ben Beasley code@musicinmybrain.net writes:
I support deprecating openssl1.1. We definitely shouldn’t be adding any new packages that depend on it.
However, dropping the -devel package is almost as drastic as simply retiring the OpenSSL 1.1 package altogether. Grepping spec files for 'BuildRequires:.*openssl1' turns up the following packages that would immediately FTBFS:
- anope
- baresip
- botan2
- ceph
- chatty
- dotnet3.1
- dsniff
- eggdrop
- erlang
- kf5-kdelibs4support
- libasr
- libqxt-qt5
- libre
- libretls
- lua-sec
- nginx
The openssl11-devel BuildRequires in nginx is in a conditional and it has been building with OpenSSL 3 for a while.
%if 0%{?fedora} || 0%{?rhel} >= 8
BuildRequires: openssl-devel
%else
BuildRequires: openssl11-devel
%endif
- nodejs
Similarly for nodejs, openssl11 is conditional on building for RHEL.
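The two corrections above show why a plain grep for `BuildRequires:.*openssl1` over-reports: nginx and nodejs only take the OpenSSL 1.1 dependency inside an `%if` that is false on Fedora. The script below is an added example, not code from the page, from rpm or from rpmspec: it evaluates the `%if`/`%else`/`%endif` conditionals a spec uses, with `%{?macro}` expansion, and returns only the BuildRequires that are live for a given set of macro values, so a dependency that exists only for RHEL 7 is not counted against Fedora. It handles just the syntax quoted in this thread; the nginx fragment mirrors the conditional above and the python2.7 fragment is constructed as the unconditional case.

```python
"""Evaluate %if conditionals in RPM spec text, so a BuildRequires on OpenSSL
1.1 that is only taken on RHEL is not mistaken for a Fedora build dependency.
Added example, not from the page, rpm or rpmspec; it covers only the syntax the
thread shows (%if/%else/%endif, %{?macro}, integer compares, !, &&, ||).
Both spec fragments are constructed; the nginx one mirrors the quoted one."""
import re

NGINX_SPEC = """\
%if 0%{?fedora} || 0%{?rhel} >= 8
BuildRequires: openssl-devel
%else
BuildRequires: openssl11-devel
%endif
BuildRequires: pcre2-devel, zlib-devel >= 1.2
"""
PYTHON27_SPEC = "BuildRequires: openssl1.1-devel\nBuildRequires: gcc\n"

# Whitelist tokenizer: only integers, comparison/logical operators and parens
# may pass, which is what makes the eval() in evaluate_condition safe.
TOKEN_RE = re.compile(r"\s*(\d+|>=|<=|==|!=|\|\||&&|[<>!()])")
PY_TOKENS = {"||": "or", "&&": "and", "!": "not"}


def expand_macros(expr, macros):
    """Expand %{name} and %{?name}; an undefined %{?name} expands to ''."""
    def repl(m):
        optional, name = m.group(1), m.group(2)
        if name in macros:
            return str(macros[name])
        if optional:
            return ""
        raise ValueError(f"undefined macro %{{{name}}}")
    return re.sub(r"%\{(\??)(\w+)\}", repl, expr)


def tokenize(expr):
    """Split a condition into tokens, rejecting anything outside the whitelist."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate_condition(expr, macros):
    """True if the %if expression holds under the given macro values.

    Tokens are rewritten into Python syntax (|| -> or, leading zeros removed,
    since "0%{?fedora}" yields "037") and evaluated with no builtins."""
    tokens = tokenize(expand_macros(expr, macros))
    if not tokens:
        raise ValueError("empty condition")
    py = " ".join(str(int(t)) if t.isdigit() else PY_TOKENS.get(t, t) for t in tokens)
    return bool(eval(py, {"__builtins__": {}}, {}))


def active_buildrequires(spec_text, macros):
    """BuildRequires names that survive %if evaluation, in spec order."""
    stack, found = [], []  # stack[i]: whether the i-th nested block is live
    for raw in spec_text.splitlines():
        line = raw.strip()
        if line.startswith("%if "):
            stack.append(all(stack) and evaluate_condition(line[4:], macros))
        elif line == "%else":
            stack[-1] = all(stack[:-1]) and not stack[-1]
        elif line == "%endif":
            stack.pop()
        elif line.lower().startswith("buildrequires:") and all(stack):
            for item in line.split(":", 1)[1].split(","):
                words = item.split()  # drops version constraints like ">= 1.2"
                if words:
                    found.append(words[0])
    if stack:
        raise ValueError("unbalanced %if")
    return found


def requires_openssl11(spec_text, macros):
    """Does the spec really build against OpenSSL 1.1 under these macros?"""
    return any(dep.startswith(("openssl1.1", "openssl11"))
               for dep in active_buildrequires(spec_text, macros))


if __name__ == "__main__":
    for label, spec in (("nginx", NGINX_SPEC), ("python2.7", PYTHON27_SPEC)):
        for macros in ({"fedora": 37}, {"rhel": 7}):
            print(label, macros, "-> OpenSSL 1.1:", requires_openssl11(spec, macros))
```

The tokenizer is the safety boundary for the `eval`: nothing but integers, the six comparison operators, `!`, `&&`, `||` and parentheses can reach it, so there is no name, attribute or call syntax to abuse, and a spec using constructs outside that subset fails loudly rather than being silently misread. The repoquery approach Rich uses later in the thread is the authoritative answer because rpm has already evaluated the conditionals when it builds the source package metadata; this script is for the case where all you have is the spec text.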
On Fri, Jun 24, 2022 at 5:14 AM Dmitry Belyavskiy dbelyavs@redhat.com wrote:
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok mhroncok@redhat.com wrote:
On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+1 to deprecating it
Great!
Please don't stop shipping the devel package while still shipping the old library package. RHEL has been doing that with python3-ldb-devel, and python3-talloc-devel, and used to do that with lmdb-devel, and it's been... infuriating, especially since Red Hat and CentOS kept them around for internal use in their build environments, they just neglected to include them in the published operating system. It wasn't *exactly* a GPL violation, since they continued to provide SRPMs, but it was quite irksome.
On Thu, Jun 23, 2022 at 12:35:28AM +0530, Vipul Siddharth wrote:
https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
== Summary == We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
Not respecting crypto policies is needlessly introducing a significant regression. Deprecating something does not usually mean intentionally hobbling its features. I would expect functionality of openssl1.1 that exists today to remain unchanged, until such time as it can be removed from the distro entirely.
IOW, by all means we should stop introducing new packages using it, but if something is already using it, we shouldn't change its behaviour.
Is removing the -devel package the right approach? It will certainly stop new packages using it, but when we come to do the next mass rebuild, it will break any existing usage too. What existing packages in the distro still use it, and are we willing to have those packages be dropped after the inevitable FTBFS due to missing -devel packages?
== Owner ==
- Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
- Email: dbelyavs@redhat.com
== Detailed Description == In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we want to ensure that no new products relying on it will appear in Fedora.
== Benefit to Fedora == This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.
== Scope ==
- Proposal owners:
** Remove devel package
** eliminate crypto policy support from the main package
** provide assistance in migration to other developers
- Other developers:
** Patch their packages to work with OpenSSL 3.0
** Fedora/RHEL distributions provide some syntax sugar related to https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the packages still relying on openssl1.1 the syntax provided by crypto policies will no longer be supported. The changes implemented according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies (e.g. using "PROFILE=SYSTEM" as default TLS ciphersuites configuration) should be removed.
With regards, Daniel
On Thu, Jun 23, 2022 at 08:17:10AM +0100, Daniel P. Berrangé wrote:
Is removing the -devel package the right approach? It will certainly stop new packages using it, but when we come to do the next mass rebuild, it will break any existing usage too. What existing packages in the distro still use it, and are we willing to have those packages be dropped after the inevitable FTBFS due to missing -devel packages?
I think this is the correct incantation ...
# dnf repoquery --disablerepo=* --enablerepo=rawhide-source --arch=src --whatrequires openssl1.1-devel
Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
botan2-0:2.19.1-2.fc37.src
chatty-0:0.6.3-1.fc37.src
erlang-0:24.3.4.1-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
As mentioned elsewhere in the thread a few important packages still depend on Python 2:
# dnf repoquery --disablerepo=* --enablerepo=rawhide-source --arch=src --whatrequires python2-devel
Last metadata expiration check: 0:04:36 ago on Thu 23 Jun 2022 10:37:46 BST.
NFStest-0:2.1.5-13.fc36.src
email2trac-0:2.12.2-9.fc36.src
gimp-2:2.10.30-1.fc37.2.src
gimp-layer-via-copy-cut-0:1.6-21.fc36.src
gimp-resynthesizer-0:2.0.3-8.20190428gitadfa25a.fc36.src
kdissert-0:1.0.7-34.fc36.src
mozjs68-0:68.12.0-5.fc37.src # spidermonkey, used by firefox
pygtk2-0:2.24.0-36.fc36.src
thunderbird-0:91.10.0-1.fc37.src
Rich.
On 23. 06. 22 11:43, Richard W.M. Jones wrote:
I think this is the correct incantation ...
# dnf repoquery --disablerepo=* --enablerepo=rawhide-source --arch=src --whatrequires openssl1.1-devel
Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
botan2-0:2.19.1-2.fc37.src
chatty-0:0.6.3-1.fc37.src
erlang-0:24.3.4.1-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
Not quite the right incantation, because it leaves out anything that does not BuildRequire explicitly the string openssl1.1-devel but rather some of its virtual provides. Here you go:
$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$
GoldenCheetah-1:3.6-0.16.20220520gita5d6468.fc37.src
R-websocket-0:1.4.0-5.fc36.src
argyllcms-0:2.3.0-2.fc36.src
axel-0:2.17.11-2.fc37.src
bigloo-0:4.4c-4.4.fc37.src
blender-1:3.2.0-3.fc37.src
boinc-client-0:7.18.1-3.fc37.src
botan2-0:2.19.1-2.fc37.src
cairo-dock-plug-ins-0:3.4.1-41.20210730gitf24f769.fc37.3.src
casync-0:2-17.gitb3337dd.fc36.src
chatty-0:0.6.3-1.fc37.src
cpprest-0:2.10.18-5.fc36.src
cryfs-0:0.11.2-3.fc37.src
ddnet-0:15.9.1-1.fc37.src
dmg2img-0:1.6.7-14.20170502.git.f16f247.fc36.src
efitools-0:1.9.2-7.fc36.src
eiskaltdcpp-0:2.4.2-6.fc37.src
erlang-0:24.3.4.1-1.fc37.src
fragments-0:1.5-4.fc36.src
freerdp-2:2.7.0-1.fc37.src
fuse-encfs-0:1.9.5-13.fc37.src
gnupg-pkcs11-scd-0:0.10.0-1.fc37.src
grpc-0:1.46.3-7.fc37.src
guacamole-server-0:1.4.0-3.fc37.src
hexchat-0:2.16.0-5.fc37.src
jimtcl-0:0.81-3.fc36.src
kcov-0:39-3.fc36.src
kde-runtime-0:17.08.3-24.fc36.src
kf5-kitinerary-0:22.04.1-2.fc37.src
lgogdownloader-0:3.8-4.fc37.src
libdigidocpp-0:3.14.7-1.fc36.src
libfido2-0:1.11.0-1.fc37.src
liboauth2-0:1.4.4-1.fc36.src
libpreludedb-0:5.2.0-9.fc37.src
libquentier-0:0.5.0-11.fc36.src
librepo-0:1.14.3-2.fc37.src
librhsm-0:0.0.3-7.fc36.src
libshout-0:2.4.3-6.fc36.src
libvncserver-0:0.9.13-12.fc36.src
libzypp-0:17.25.6-5.fc36.src
megatools-0:1.11.0-6.fc37.src
mtxclient-0:0.7.0-2.fc37.src
mumble-0:1.3.4-8.fc36.src
newsboat-0:2.27-2.fc37.src
nheko-0:0.9.3-2.fc37.src
normaliz-0:3.9.3-1.fc37.src
openarc-0:1.0.0-0.13.Beta3.fc37.src
openfortivpn-0:1.17.0-4.fc36.src
opensips-0:3.2.6-2.fc37.src
osslsigncode-0:2.3-2.fc37.src
p11-remote-0:0.3-13.fc36.src
perl-Crypt-OpenSSL-EC-0:1.32-9.fc37.src
perl-Crypt-SSLeay-0:0.72-36.fc37.src
pl-0:8.4.3-1.fc37.src
psi-plus-1:1.5.1625-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
qca-0:2.3.4-2.fc36.src
qca-qt4-0:2.2.1-18.fc37.src
qdigidoc-0:4.2.9-2.fc36.src
qt5-qtlocation-0:5.15.4-1.fc37.src
qt6-qtpositioning-0:6.3.0-2.fc37.src
quentier-0:0.5.0-6.fc35.src
radare2-0:5.6.8-1.fc37.src
retroarch-0:1.10.3-1.fc37.src
rizin-0:0.3.4-1.fc36.1.src
rstudio-0:2022.02.3+492-1.fc37.src
rust-0:1.61.0-2.fc37.src
rust-openssl-sys-0:0.9.72-2.fc36.src
rust-zincati-0:0.0.24-4.fc37.src
s3fs-fuse-0:1.91-1.fc37.src
sagemath-0:9.6-1.fc37.src
scribus-0:1.5.8-3.fc37.src
seadrive-daemon-0:2.0.16-4.fc37.src
seadrive-gui-0:2.0.16-2.fc36.src
seafile-0:8.0.6-2.fc37.src
seafile-client-0:8.0.6-1.fc37.src
shairport-sync-0:3.3.9-2.fc36.src
sipp-0:3.6.0-9.fc36.src
sleef-0:3.5.1-16.fc36.src
sqlcipher-0:4.4.3-4.fc36.src
srain-0:1.4.0-2.fc37.src
the_foundation-0:1.4.0-1.fc37.src
tpm2-tools-0:5.2-2.fc36.src
webextension-token-signing-0:1.1.5-1.fc36.src
websocketpp-0:0.8.2-7.fc36.src
wimlib-0:1.13.5-1.fc36.src
xmlrpc-c-0:1.51.0-14.fc36.src
xmlsec1-0:1.2.34-1.fc37.src
xorg-x11-server-Xwayland-0:22.1.2-1.fc37.src
xrdp-1:0.9.19-1.fc37.src
zchunk-0:1.2.2-1.fc37.src
On Thu, Jun 23, 2022 at 6:52 AM Miro Hrončok mhroncok@redhat.com wrote:
Not quite the right incantation, because it leaves out anything that does not BuildRequire explicitly the string openssl1.1-devel but rather some of its virtual provides. Here you go:
$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$
[snip]
bigloo-0:4.4c-4.4.fc37.src
I was surprised to see this one on the list. (I maintain this package.) The spec file includes:
BuildRequires: pkgconfig(openssl)
and:
$ dnf --repo=rawhide repoquery --requires bigloo-libs
[snip]
libssl.so.3()(64bit)
libssl.so.3(OPENSSL_3.0.0)(64bit)
The package really is built with openssl 3. Also:
$dnf --repo=rawhide repoquery --provides openssl1.1-devel
openssl1.1-devel = 1:1.1.1o-1.fc37
openssl1.1-devel(x86-32) = 1:1.1.1o-1.fc37
openssl1.1-devel(x86-64) = 1:1.1.1o-1.fc37
pkgconfig(libcrypto) = 1.1.1o
pkgconfig(libssl) = 1.1.1o
pkgconfig(openssl) = 1.1.1o
Both openssl devel packages provide the pkgconfig names, but with different values, so this repoquery invocation shows too much.
On 23. 06. 22 16:37, Jerry James wrote:
On Thu, Jun 23, 2022 at 6:52 AM Miro Hrončok mhroncok@redhat.com wrote:
Not quite the right incantation, because it leaves out anything that does not BuildRequire explicitly the string openssl1.1-devel but rather some of its virtual provides. Here you go:
$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$
[snip]
bigloo-0:4.4c-4.4.fc37.src
I was surprised to see this one on the list. (I maintain this package.) The spec file includes:
BuildRequires: pkgconfig(openssl)
and:
$ dnf --repo=rawhide repoquery --requires bigloo-libs
[snip]
libssl.so.3()(64bit)
libssl.so.3(OPENSSL_3.0.0)(64bit)
The package really is built with openssl 3. Also:
$dnf --repo=rawhide repoquery --provides openssl1.1-devel
openssl1.1-devel = 1:1.1.1o-1.fc37
openssl1.1-devel(x86-32) = 1:1.1.1o-1.fc37
openssl1.1-devel(x86-64) = 1:1.1.1o-1.fc37
pkgconfig(libcrypto) = 1.1.1o
pkgconfig(libssl) = 1.1.1o
pkgconfig(openssl) = 1.1.1o
Both openssl devel packages provide the pkgconfig names, but with different values, so this repoquery invocation shows too much.
Alrighty, in that case:
$ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl-devel | grep src$ | sort)
botan2-0:2.19.1-2.fc37.src
erlang-0:24.3.4.1-1.fc37.src
chatty-0:0.6.3-1.fc37.src
mumble-0:1.3.4-8.fc36.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
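An added example, not from the thread, that models in Python why a plain `--whatrequires openssl1.1-devel` over-reports (both devel packages carry the same pkgconfig() virtual provides, as the bigloo case showed) and what the `comm -23` subtraction actually filters. The provides of openssl1.1-devel are the ones quoted above; the openssl-devel versions and all BuildRequires lists are constructed sample data, not real spec files.

```python
"""Model of `repoquery --whatrequires` name matching and the `comm -23`
subtraction used in the thread.  Sample data is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Provide:
    name: str      # capability name, e.g. "pkgconfig(openssl)"
    version: str   # value as reported by `repoquery --provides`


@dataclass
class SourcePackage:
    nevr: str                                            # e.g. "bigloo-0:4.4c-4.4.fc37.src"
    build_requires: list = field(default_factory=list)   # capability names from the spec


DEVEL_PROVIDES = {
    # As shown by `repoquery --provides openssl1.1-devel` in the thread.
    "openssl1.1-devel": [
        Provide("openssl1.1-devel", "1:1.1.1o-1.fc37"),
        Provide("pkgconfig(libcrypto)", "1.1.1o"),
        Provide("pkgconfig(libssl)", "1.1.1o"),
        Provide("pkgconfig(openssl)", "1.1.1o"),
    ],
    # Same capability names with 3.0 values; the version strings are assumed.
    "openssl-devel": [
        Provide("openssl-devel", "1:3.0.3-1.fc37"),
        Provide("pkgconfig(libcrypto)", "3.0.3"),
        Provide("pkgconfig(libssl)", "3.0.3"),
        Provide("pkgconfig(openssl)", "3.0.3"),
    ],
}

# Constructed corpus.  bigloo's BuildRequires is the one its maintainer quoted;
# the other three lists are illustrative only.
SOURCE_PACKAGES = [
    SourcePackage("bigloo-0:4.4c-4.4.fc37.src", ["pkgconfig(openssl)"]),
    SourcePackage("botan2-0:2.19.1-2.fc37.src", ["openssl1.1-devel"]),
    SourcePackage("zchunk-0:1.2.2-1.fc37.src", ["pkgconfig(openssl)", "pkgconfig(libcurl)"]),
    SourcePackage("sample-no-ssl-0:1.0-1.fc37.src", ["gcc", "make"]),
]


def what_requires(devel_pkg, packages=SOURCE_PACKAGES):
    """Name-only matching, like `repoquery --whatrequires <devel_pkg>`:
    a source package is a hit if any BuildRequires names a capability that
    <devel_pkg> provides, virtual pkgconfig() names included."""
    provided = {p.name for p in DEVEL_PROVIDES[devel_pkg]}
    return sorted(pkg.nevr for pkg in packages
                  if any(req in provided for req in pkg.build_requires))


def only_openssl11(packages=SOURCE_PACKAGES):
    """The `comm -23` step: hits attributed to openssl1.1-devel that are
    not also hits for openssl-devel."""
    old = set(what_requires("openssl1.1-devel", packages))
    new = set(what_requires("openssl-devel", packages))
    return sorted(old - new)


def classify(pkg):
    """Explain a hit: 'explicit' names openssl1.1-devel itself;
    'ambiguous' only uses a pkgconfig() name that both devel packages provide,
    so the name alone does not say which library the build uses;
    'none' has no OpenSSL devel requirement at all."""
    shared = ({p.name for p in DEVEL_PROVIDES["openssl1.1-devel"]}
              & {p.name for p in DEVEL_PROVIDES["openssl-devel"]})
    reqs = set(pkg.build_requires)
    if "openssl1.1-devel" in reqs:
        return "explicit"
    if reqs & shared:
        return "ambiguous"
    return "none"


if __name__ == "__main__":
    for devel in DEVEL_PROVIDES:
        print(f"--whatrequires {devel}: {what_requires(devel)}")
    print("comm -23 result:", only_openssl11())
    for pkg in SOURCE_PACKAGES:
        print(f"{pkg.nevr}: {classify(pkg)}")
```

Running it shows bigloo and zchunk as hits for both devel packages and only botan2 surviving the subtraction, which is the effect the `comm -23` query relies on.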
Jun 23, 2022 12:14:26 PM Miro Hrončok mhroncok@redhat.com:
Alrighty, in that case:
$ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl-devel | grep src$ | sort)
botan2-0:2.19.1-2.fc37.src
erlang-0:24.3.4.1-1.fc37.src
chatty-0:0.6.3-1.fc37.src
mumble-0:1.3.4-8.fc36.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
Perhaps it makes sense to query recursively to get a fuller picture? All the recursive dependents would also break if their dependencies FTBFS and get retired.
--
Thanks,
Maxwell G (@gotmax23)
Pronouns: He/Him/His
On 23. 06. 22 19:58, Maxwell G wrote:
Jun 23, 2022 12:14:26 PM Miro Hrončok mhroncok@redhat.com:
Alrighty, in that case:
$ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl-devel | grep src$ | sort)
botan2-0:2.19.1-2.fc37.src
erlang-0:24.3.4.1-1.fc37.src
chatty-0:0.6.3-1.fc37.src
mumble-0:1.3.4-8.fc36.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
Perhaps it makes sense to query recursively to get a fuller picture? All the recursive dependents would also break if their dependencies FTBFS and get retired.
That's complicated. Those are source packages and they build various binary packages -- we would need to query those. Scripts and web applications are built around that, but the results are imperfect. This is the best I can get with a "simple" query:
$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1 --recursive
...2526 lines...
But that does not take BuildRequires of BuildRequires into account.
And I have verified openssl1.1 does not provide anything shared with openssl(-libs).
On Thu, Jun 23, 2022 at 6:09 PM Miro Hrončok mhroncok@redhat.com wrote:
That's complicated. .....
And, while I am sure it could be derived, it seems to me, as previously stated, that the Pythons turn into the most significant dependency chain.
I am all for deprecating openssl 1.1, and for package reviews rejecting any new packages that depend on it, and for (as needed/appropriate) working with upstream packages to update their code for openssl 3.0, but removing openssl1.1 entirely for building/use with existing packages is just a bridge too far today, even as we do need to keep pushing towards that target.
On 23. 06. 22 19:13, Miro Hrončok wrote:
$ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl-devel | grep src$ | sort)
...
pypy-0:7.3.9-1.fc37.src
https://foss.heptapod.net/pypy/pypy/-/issues/3643 https://src.fedoraproject.org/rpms/pypy/pull-request/30
pypy3.7-0:7.3.9-1.3.7.fc37.src
https://src.fedoraproject.org/rpms/pypy3.7/pull-request/28
pypy3.8-0:7.3.9-1.3.8.fc37.src
https://src.fedoraproject.org/rpms/pypy3.8/pull-request/18
python-uamqp-0:1.5.3-2.fc37.src
https://src.fedoraproject.org/rpms/python-uamqp/pull-request/1
python2.7-0:2.7.18-22.fc37.src
https://src.fedoraproject.org/rpms/python2.7/pull-request/36
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
TBD
On 6/23/22 08:51, Miro Hrončok wrote:
On 23. 06. 22 11:43, Richard W.M. Jones wrote:
I think this is the correct incantation ...
# dnf repoquery --disablerepo=* --enablerepo=rawhide-source --arch=src --whatrequires openssl1.1-devel
Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
botan2-0:2.19.1-2.fc37.src
chatty-0:0.6.3-1.fc37.src
erlang-0:24.3.4.1-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
Not quite the right incantation, because it leaves out anything that does not BuildRequire explicitly the string openssl1.1-devel but rather some of its virtual provides. Here you go:
$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$
GoldenCheetah-1:3.6-0.16.20220520gita5d6468.fc37.src
R-websocket-0:1.4.0-5.fc36.src
argyllcms-0:2.3.0-2.fc36.src
axel-0:2.17.11-2.fc37.src
bigloo-0:4.4c-4.4.fc37.src
blender-1:3.2.0-3.fc37.src
boinc-client-0:7.18.1-3.fc37.src
botan2-0:2.19.1-2.fc37.src
cairo-dock-plug-ins-0:3.4.1-41.20210730gitf24f769.fc37.3.src
casync-0:2-17.gitb3337dd.fc36.src
chatty-0:0.6.3-1.fc37.src
cpprest-0:2.10.18-5.fc36.src
cryfs-0:0.11.2-3.fc37.src
ddnet-0:15.9.1-1.fc37.src
dmg2img-0:1.6.7-14.20170502.git.f16f247.fc36.src
efitools-0:1.9.2-7.fc36.src
eiskaltdcpp-0:2.4.2-6.fc37.src
erlang-0:24.3.4.1-1.fc37.src
fragments-0:1.5-4.fc36.src
freerdp-2:2.7.0-1.fc37.src
fuse-encfs-0:1.9.5-13.fc37.src
gnupg-pkcs11-scd-0:0.10.0-1.fc37.src
grpc-0:1.46.3-7.fc37.src
guacamole-server-0:1.4.0-3.fc37.src
hexchat-0:2.16.0-5.fc37.src
jimtcl-0:0.81-3.fc36.src
kcov-0:39-3.fc36.src
kde-runtime-0:17.08.3-24.fc36.src
kf5-kitinerary-0:22.04.1-2.fc37.src
lgogdownloader-0:3.8-4.fc37.src
libdigidocpp-0:3.14.7-1.fc36.src
libfido2-0:1.11.0-1.fc37.src
liboauth2-0:1.4.4-1.fc36.src
libpreludedb-0:5.2.0-9.fc37.src
libquentier-0:0.5.0-11.fc36.src
librepo-0:1.14.3-2.fc37.src
librhsm-0:0.0.3-7.fc36.src
libshout-0:2.4.3-6.fc36.src
libvncserver-0:0.9.13-12.fc36.src
libzypp-0:17.25.6-5.fc36.src
megatools-0:1.11.0-6.fc37.src
mtxclient-0:0.7.0-2.fc37.src
mumble-0:1.3.4-8.fc36.src
newsboat-0:2.27-2.fc37.src
nheko-0:0.9.3-2.fc37.src
normaliz-0:3.9.3-1.fc37.src
openarc-0:1.0.0-0.13.Beta3.fc37.src
openfortivpn-0:1.17.0-4.fc36.src
opensips-0:3.2.6-2.fc37.src
osslsigncode-0:2.3-2.fc37.src
p11-remote-0:0.3-13.fc36.src
perl-Crypt-OpenSSL-EC-0:1.32-9.fc37.src
perl-Crypt-SSLeay-0:0.72-36.fc37.src
pl-0:8.4.3-1.fc37.src
psi-plus-1:1.5.1625-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
qca-0:2.3.4-2.fc36.src
qca-qt4-0:2.2.1-18.fc37.src
qdigidoc-0:4.2.9-2.fc36.src
qt5-qtlocation-0:5.15.4-1.fc37.src
qt6-qtpositioning-0:6.3.0-2.fc37.src
quentier-0:0.5.0-6.fc35.src
radare2-0:5.6.8-1.fc37.src
retroarch-0:1.10.3-1.fc37.src
rizin-0:0.3.4-1.fc36.1.src
rstudio-0:2022.02.3+492-1.fc37.src
rust-0:1.61.0-2.fc37.src
rust-openssl-sys-0:0.9.72-2.fc36.src
rust-zincati-0:0.0.24-4.fc37.src
s3fs-fuse-0:1.91-1.fc37.src
sagemath-0:9.6-1.fc37.src
scribus-0:1.5.8-3.fc37.src
seadrive-daemon-0:2.0.16-4.fc37.src
seadrive-gui-0:2.0.16-2.fc36.src
seafile-0:8.0.6-2.fc37.src
seafile-client-0:8.0.6-1.fc37.src
shairport-sync-0:3.3.9-2.fc36.src
sipp-0:3.6.0-9.fc36.src
sleef-0:3.5.1-16.fc36.src
sqlcipher-0:4.4.3-4.fc36.src
srain-0:1.4.0-2.fc37.src
the_foundation-0:1.4.0-1.fc37.src
tpm2-tools-0:5.2-2.fc36.src
webextension-token-signing-0:1.1.5-1.fc36.src
websocketpp-0:0.8.2-7.fc36.src
wimlib-0:1.13.5-1.fc36.src
xmlrpc-c-0:1.51.0-14.fc36.src
xmlsec1-0:1.2.34-1.fc37.src
xorg-x11-server-Xwayland-0:22.1.2-1.fc37.src
xrdp-1:0.9.19-1.fc37.src
zchunk-0:1.2.2-1.fc37.src
PyPy at least is self-hosting and can be built using an existing PyPy installation instead of relying on CPython.
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
python2.7-0:2.7.18-22.fc37.src
Vaguely seeing if it's feasible to backport the OpenSSL 3 support to Python 2.7. This branch gets quite far:
https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
Only one test fails, test_ssl (obviously), but it does only appear to fail where it tests obsolete ciphers. I looked into fixing the test, but the upstream version of this test has changed a great deal, with a whole mechanism for skipping unsupported ciphers.
Remaining test failures in detail below.
Rich.
server: bad connection attempt from ('127.0.0.1', 33742): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_server_accept (test.test_ssl.ThreadedTests) ... ok test_sni_callback (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 43762)
server: bad connection attempt from ('127.0.0.1', 43762): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_sni_callback_alert (test.test_ssl.ThreadedTests) ... ok test_sni_callback_raising (test.test_ssl.ThreadedTests) ... ok test_sni_callback_wrong_return_type (test.test_ssl.ThreadedTests) ... ok test_socketserver (test.test_ssl.ThreadedTests) Using a SocketServer to create and manage SSL connections. ... server (('127.0.0.1', 32973):32973 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [24/Jun/2022 12:09:22] "GET /keycert.pem HTTP/1.1" 200 - client: read 4058 bytes from remote server '<HTTPSServerThread <HTTPSServer localhost.localdomain:32973>>' stopping HTTPS server joining HTTPS thread ok test_starttls (test.test_ssl.ThreadedTests) Switching from clear text to encrypted and back again. ... client: sending 'msg 1'... server: new connection from ('127.0.0.1', 44848) server: read 'msg 1' (unencrypted), sending back 'msg 1' (unencrypted)... client: read 'msg 1' from server client: sending 'MSG 2'... server: read 'MSG 2' (unencrypted), sending back 'msg 2' (unencrypted)... client: read 'msg 2' from server client: sending 'STARTTLS'... server: read STARTTLS from client, sending OK... client: read 'ok' from server, starting TLS...
server: bad connection attempt from ('127.0.0.1', 44848): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_tls1_3 (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 47508) server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256) server: selected protocol is now None ok test_tls_unique_channel_binding (test.test_ssl.ThreadedTests) Test tls-unique channel binding. ... server: new connection from ('127.0.0.1', 58508)
server: bad connection attempt from ('127.0.0.1', 58508): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_version_basic (test.test_ssl.ThreadedTests) ... ERROR test_wrong_cert (test.test_ssl.ThreadedTests) Connecting when the server rejects the client's certificate ... SSLError is SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)') ok
======================================================================
ERROR: test_load_verify_cadata (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in test_load_verify_cadata
    ctx.load_verify_locations(cadata=cacert_der)
SSLError: unknown error (_ssl.c:2989)

======================================================================
ERROR: test_check_hostname (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2268, in test_check_hostname
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_compression (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3000, in test_compression
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_compression_disabled (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3012, in test_compression_disabled
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_crl_check (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2227, in test_crl_check
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_dh_params (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3022, in test_dh_params
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2168, in test_echo
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f
    return func(*args, **kwargs)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2404, in test_protocol_sslv23
    try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)

======================================================================
ERROR: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2452, in test_protocol_tlsv1
    try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f
    return func(*args, **kwargs)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2471, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2639, in test_recv_send
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_alpn_protocol (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3033, in test_selected_alpn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3045, in test_selected_alpn_protocol_if_server_uses_alpn
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_npn_protocol (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3095, in test_selected_npn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_sni_callback (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3154, in test_sni_callback
    sni_name='supermessage')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2541, in test_starttls
    conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 931, in wrap_socket
    ciphers=ciphers)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2956, in test_tls_unique_channel_binding
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_version_basic (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2893, in test_version_basic
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))

-----------------------------------test test_ssl failed -- multiple errors occurred -----------------------------------
Ran 96 tests in 1.061s
FAILED (failures=1, errors=18, skipped=7)
== Tests result: FAILURE ==
1 test failed: test_ssl
Total duration: 1 sec 153 ms
Tests result: FAILURE
Dear Richard,
If the only problem is legacy (and unsafe) ciphersuites, loading the legacy provider will solve this problem.
On Fri, Jun 24, 2022 at 1:11 PM Richard W.M. Jones rjones@redhat.com wrote:
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
python2.7-0:2.7.18-22.fc37.src
Vaguely seeing if it's feasible to backport the OpenSSL 3 support to Python 2.7. This branch gets quite far:
https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
Only one test fails, test_ssl (obviously), but it does only appear to fail where it tests obsolete ciphers. I looked into fixing the test, but the upstream version of this test has changed a great deal, with a whole mechanism for skipping unsupported ciphers.
Remaining test failures in detail below.
Rich.
running build
running build_ext
warning: openssl 0x00000000 is too old for _hashlib
building dbm using ndbm

Python build finished, but the necessary bits to build these modules were not found:
_hashlib           bsddb185           dl
imageop            sunaudiodev
To find the necessary bits, look in setup.py in detect_modules() for the module's name.
running build_scripts
find ./Lib -name '*.py[co]' -print | xargs rm -f
./python -Wd -3 -E -tt ./Lib/test/regrtest.py -v test_ssl
== CPython 2.7.18 (tags/2.7-3-g1efbb6fd52:1efbb6fd52, Jun 24 2022, 12:05:45) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
==   Linux-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64-x86_64-with-fedora-37-Rawhide little-endian
==   /home/rjones/d/cpython-2.7/build/test_python_641493
==   CPU count: 24
Run tests sequentially
0:00:00 load avg: 0.09 [1/1] test_ssl
test_ssl: testing with 'OpenSSL 3.0.3 3 May 2022' (3, 0, 0, 3, 0)
          under Linux ('Fedora', '37', 'Rawhide')
          HAS_SNI = True
          OP_ALL = 0x80000050
          OP_NO_TLSv1_1 = 0x10000000
test__create_stdlib_context (test.test_ssl.ContextTests) ... ok
test__https_verify_certificates (test.test_ssl.ContextTests) ... ok
test__https_verify_envvar (test.test_ssl.ContextTests) ... ok
test_cert_store_stats (test.test_ssl.ContextTests) ... ok
test_check_hostname (test.test_ssl.ContextTests) ... ok
test_ciphers (test.test_ssl.ContextTests) ... ok
test_constructor (test.test_ssl.ContextTests) ... ok
test_create_default_context (test.test_ssl.ContextTests) ... ok
test_get_ca_certs (test.test_ssl.ContextTests) ... ok
test_load_cert_chain (test.test_ssl.ContextTests) ... ok
test_load_default_certs (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env_windows (test.test_ssl.ContextTests) ... skipped 'Windows specific'
test_load_dh_params (test.test_ssl.ContextTests) ... ok
test_load_verify_cadata (test.test_ssl.ContextTests) ... ERROR
test_load_verify_locations (test.test_ssl.ContextTests) ... ok
test_options (test.test_ssl.ContextTests) ... ok
test_protocol (test.test_ssl.ContextTests) ... ok
test_session_stats (test.test_ssl.ContextTests) ... ok
test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok
test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok
test_sni_callback (test.test_ssl.ContextTests) ... ok
test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok
test_verify_flags (test.test_ssl.ContextTests) ... ok
test_verify_mode (test.test_ssl.ContextTests) ... ok
test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
test_asn1object (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ... skipped 'locale-specific month name needs to be different from C locale'
test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok
test_constants (test.test_ssl.BasicSocketTests) ... ok
test_empty_cert (test.test_ssl.BasicSocketTests)
Wrapping with an empty cert file ... ok
test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific'
test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific'
test_errors (test.test_ssl.BasicSocketTests) ... ok
test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok
test_malformed_cert (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted certificate (syntax error) ... ok
test_malformed_key (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted key (syntax error) ... ok
test_match_hostname (test.test_ssl.BasicSocketTests) ... ok
test_openssl_version (test.test_ssl.BasicSocketTests) ... FAIL
test_parse_all_sans (test.test_ssl.BasicSocketTests) ... ok
test_parse_cert (test.test_ssl.BasicSocketTests) ...
{'issuer': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'notAfter': 'Aug 26 14:23:15 2028 GMT', 'notBefore': u'Aug 29 14:23:15 2018 GMT', 'serialNumber': u'98A7CF88C74A32ED', 'subject': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),), 'version': 3L}
{'OCSP': (u'http://ocsp.verisign.com',), 'caIssuers': (u'http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',), 'crlDistributionPoints': (u' http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',), 'issuer': ((('countryName', u'US'),), (('organizationName', u'VeriSign, Inc.'),), (('organizationalUnitName', u'VeriSign Trust Network'),), (('organizationalUnitName', u'Terms of use at https://www.verisign.com/rpa (c)10'),), (('commonName', u'VeriSign Class 3 International Server CA - G3'),)), 'notAfter': 'Sep 20 23:59:59 2012 GMT', 'notBefore': u'Sep 21 00:00:00 2011 GMT', 'serialNumber': u'2EE6EA7640A075CEE5005F4D7C79549A', 'subject': ((('countryName', u'FI'),), (('stateOrProvinceName', u'Espoo'),), (('localityName', u'Espoo'),), (('organizationName', u'Nokia'),), (('organizationalUnitName', u'BI'),), (('commonName', u'projects.developer.nokia.com'),)), 'subjectAltName': (('DNS', 'projects.developer.nokia.com'), ('DNS', 'projects.forum.nokia.com')), 'version': 3L} ok test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', u'US'),), (('stateOrProvinceName', u'Oregon'),), (('localityName', u'Beaverton'),), (('organizationName', u'Python Software Foundation'),), (('organizationalUnitName', u'Python Core Development'),), (('commonName', u'null.python.org\x00example.org'),), (('emailAddress', u'python-dev@python.org'),)), 'notAfter': 'Aug 7 13:12:52 2013 GMT', 'notBefore': u'Aug 7 13:11:52 2013 GMT', 'serialNumber': u'00', 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'Oregon'),), (('localityName', u'Beaverton'),), (('organizationName', u'Python Software Foundation'),), (('organizationalUnitName', u'Python Core Development'),), (('commonName', u'null.python.org\x00example.org'),), (('emailAddress', u'python-dev@python.org'),)), 'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'), ('email', 'null@python.org\x00user@example.org'), ('URI', 'http://null.python.org\x00http://example.org'), (u'IP Address', u'192.0.2.1'), (u'IP Address', u'2001:DB8:0:0:0:0:0:1')), 'version': 3L}
ok
test_parse_cert_CVE_2019_5010 (test.test_ssl.BasicSocketTests) ...
{'issuer': ((('countryName', u'UK'),), (('commonName', u'cody-ca'),)), 'notAfter': 'Jun 14 18:00:58 2028 GMT', 'notBefore': u'Jun 18 18:00:58 2018 GMT', 'serialNumber': u'02', 'subject': ((('countryName', u'UK'),), (('commonName', u'codenomicon-vm-2.test.lal.cisco.com'),)), 'subjectAltName': (('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), 'version': 3L}
ok
test_purpose_enum (test.test_ssl.BasicSocketTests) ... ok
test_random (test.test_ssl.BasicSocketTests) ... RAND_status is 1 (sufficient randomness)
ok
test_refcycle (test.test_ssl.BasicSocketTests) ... ok
test_server_side (test.test_ssl.BasicSocketTests) ... ok
test_timeout (test.test_ssl.BasicSocketTests) ... ok
test_tls_unique_channel_binding (test.test_ssl.BasicSocketTests) ... ok
test_unknown_channel_binding (test.test_ssl.BasicSocketTests) ... ok
test_unsupported_dtls (test.test_ssl.BasicSocketTests) ... ok
test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok
test_lib_reason (test.test_ssl.SSLErrorTests) ... ok
test_str (test.test_ssl.SSLErrorTests) ... ok
test_subclass (test.test_ssl.SSLErrorTests) ... ok
test_alpn_protocols (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 36526)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: closing connection.
 server: new connection from ('127.0.0.1', 58156)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: closing connection.
 server: new connection from ('127.0.0.1', 41748)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: closing connection.
 server: new connection from ('127.0.0.1', 54770)
 client: sending 'FOO\n'...
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: closing connection.
ok
test_asyncore_server (test.test_ssl.ThreadedTests)
Check the example asyncore integration. ...
 server: new connection from 127.0.0.1:38794
 client: sending 'FOO\n'...
 server: read 'FOO\n' from client
 client: read 'foo\n'
 client: closing connection.
 client: connection closed.
 server: read 'over\n' from client
 cleanup: stopping server.
 cleanup: joining server thread.
 server: closed connection <ssl.SSLSocket object at 0x7f28dd23b0d0>
 server: read '' from client
 cleanup: successfully joined.
ok
test_check_hostname (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 33176)
 server: bad connection attempt from ('127.0.0.1', 33176):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_compression (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 39026)
 server: bad connection attempt from ('127.0.0.1', 39026):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_compression_disabled (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 51970)
 server: bad connection attempt from ('127.0.0.1', 51970):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_crl_check (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 49686)
 server: bad connection attempt from ('127.0.0.1', 49686):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_default_ecdh_curve (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 50888)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_dh_params (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 39768)
 server: bad connection attempt from ('127.0.0.1', 39768):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_do_handshake_enotconn (test.test_ssl.ThreadedTests) ... ok
test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server ...
 server: new connection from ('127.0.0.1', 51012)
 client: sending 'FOO\n'...
 server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
 server: selected protocol is now None
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: sending 'FOO\n'...
 client: read 'foo\n'
 client: closing connection.
 server: new connection from ('127.0.0.1', 60552)
 server: bad connection attempt from ('127.0.0.1', 60552):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_getpeercert (test.test_ssl.ThreadedTests) ...
{'issuer': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'notAfter': 'Aug 26 14:23:15 2028 GMT', 'notBefore': u'Aug 29 14:23:15 2018 GMT', 'serialNumber': u'98A7CF88C74A32ED', 'subject': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),), 'version': 3L}
Connection cipher is ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256).
ok
test_getpeercert_enotconn (test.test_ssl.ThreadedTests) ... ok
test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok
test_no_shared_ciphers (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 44402)
 server: bad connection attempt from ('127.0.0.1', 44402):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:727)
ok
test_npn_protocols (test.test_ssl.ThreadedTests) ... skipped 'NPN support needed for this test'
test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options ... skipped 'OpenSSL is compiled without SSLv2 support'
test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options ...
 PROTOCOL_TLS->PROTOCOL_TLS CERT_NONE
 PROTOCOL_TLSv1->PROTOCOL_TLS CERT_NONE
ERROR
test_protocol_sslv3 (test.test_ssl.ThreadedTests)
Connecting to an SSLv3 server with various client options ... skipped 'OpenSSL is compiled without SSLv3 support'
test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options ...
 PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_NONE
ERROR
test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options. ...
 PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_1 CERT_NONE
ERROR
test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options. ...
 PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_2 CERT_NONE
 {PROTOCOL_TLS->PROTOCOL_TLSv1_2} CERT_NONE
 PROTOCOL_TLSv1_2->PROTOCOL_TLS CERT_NONE
 {PROTOCOL_TLSv1->PROTOCOL_TLSv1_2} CERT_NONE
 {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1} CERT_NONE
 {PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_2} CERT_NONE
 {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_1} CERT_NONE
ok
test_read_write_after_close_raises_valuerror (test.test_ssl.ThreadedTests) ... ok
test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends. ...
 server: new connection from ('127.0.0.1', 59354)
 server: bad connection attempt from ('127.0.0.1', 59354):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_recv_zero (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 36264)
 server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
 server: selected protocol is now None
ok
test_rude_shutdown (test.test_ssl.ThreadedTests)
A brutal shutdown of an SSL server should raise an OSError ... ok
test_selected_alpn_protocol (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 59908)
 server: bad connection attempt from ('127.0.0.1', 59908):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 57474)
 server: bad connection attempt from ('127.0.0.1', 57474):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_selected_npn_protocol (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 33742)
 server: bad connection attempt from ('127.0.0.1', 33742):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_server_accept (test.test_ssl.ThreadedTests) ... ok
test_sni_callback (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 43762)
 server: bad connection attempt from ('127.0.0.1', 43762):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_sni_callback_alert (test.test_ssl.ThreadedTests) ... ok
test_sni_callback_raising (test.test_ssl.ThreadedTests) ... ok
test_sni_callback_wrong_return_type (test.test_ssl.ThreadedTests) ... ok
test_socketserver (test.test_ssl.ThreadedTests)
Using a SocketServer to create and manage SSL connections. ...
 server (('127.0.0.1', 32973):32973 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [24/Jun/2022 12:09:22] "GET /keycert.pem HTTP/1.1" 200 -
 client: read 4058 bytes from remote server '<HTTPSServerThread <HTTPSServer localhost.localdomain:32973>>'
 stopping HTTPS server
 joining HTTPS thread
ok
test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again. ...
 client: sending 'msg 1'...
 server: new connection from ('127.0.0.1', 44848)
 server: read 'msg 1' (unencrypted), sending back 'msg 1' (unencrypted)...
 client: read 'msg 1' from server
 client: sending 'MSG 2'...
 server: read 'MSG 2' (unencrypted), sending back 'msg 2' (unencrypted)...
 client: read 'msg 2' from server
 client: sending 'STARTTLS'...
 server: read STARTTLS from client, sending OK...
 client: read 'ok' from server, starting TLS...
 server: bad connection attempt from ('127.0.0.1', 44848):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_tls1_3 (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 47508)
 server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
 server: selected protocol is now None
ok
test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding. ...
 server: new connection from ('127.0.0.1', 58508)
 server: bad connection attempt from ('127.0.0.1', 58508):
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn
    self.sock, server_side=True)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727)
ERROR
test_version_basic (test.test_ssl.ThreadedTests) ... ERROR
test_wrong_cert (test.test_ssl.ThreadedTests)
Connecting when the server rejects the client's certificate ...
 SSLError is SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)')
ok
======================================================================
ERROR: test_load_verify_cadata (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in test_load_verify_cadata
    ctx.load_verify_locations(cadata=cacert_der)
SSLError: unknown error (_ssl.c:2989)

======================================================================
ERROR: test_check_hostname (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2268, in test_check_hostname
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_compression (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3000, in test_compression
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_compression_disabled (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3012, in test_compression_disabled
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_crl_check (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2227, in test_crl_check
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_dh_params (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3022, in test_dh_params
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2168, in test_echo
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f
    return func(*args, **kwargs)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2404, in test_protocol_sslv23
    try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)

======================================================================
ERROR: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2452, in test_protocol_tlsv1
    try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f
    return func(*args, **kwargs)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2471, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2639, in test_recv_send
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_alpn_protocol (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3033, in test_selected_alpn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3045, in test_selected_alpn_protocol_if_server_uses_alpn
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_npn_protocol (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3095, in test_selected_npn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_sni_callback (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3154, in test_sni_callback
    sni_name='supermessage')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2541, in test_starttls
    conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 931, in wrap_socket
    ciphers=ciphers)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2956, in test_tls_unique_channel_binding
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_version_basic (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2893, in test_version_basic
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))

----------------------------------------------------------------------
test test_ssl failed -- multiple errors occurred
Ran 96 tests in 1.061s

FAILED (failures=1, errors=18, skipped=7)
== Tests result: FAILURE ==
1 test failed: test_ssl
Total duration: 1 sec 153 ms
Tests result: FAILURE
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit
On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
Dear Richard,
If the only problem is legacy (and unsafe) ciphersuites, loading the legacy provider will solve this problem.
Any clues on how to do that?
Rich.
On Fri, Jun 24, 2022 at 1:11 PM Richard W.M. Jones rjones@redhat.com wrote:
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
> python2.7-0:2.7.18-22.fc37.src
Vaguely seeing if it's feasible to backport the OpenSSL 3 support to Python 2.7. This branch gets quite far: https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
Only one test fails, test_ssl (obviously), but it does only appear to fail where it tests obsolete ciphers. I looked into fixing the test, but the upstream version of this test has changed a great deal, with a whole mechanism for skipping unsupported ciphers.
Remaining test failures in detail below.
Rich.
ok test_unknown_channel_binding (test.test_ssl.BasicSocketTests) ... ok test_unsupported_dtls (test.test_ssl.BasicSocketTests) ... ok test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok test_lib_reason (test.test_ssl.SSLErrorTests) ... ok test_str (test.test_ssl.SSLErrorTests) ... ok test_subclass (test.test_ssl.SSLErrorTests) ... ok test_alpn_protocols (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 36526) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 58156) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 41748) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 54770) client: sending 'FOO\n'... server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: closing connection. ok test_asyncore_server (test.test_ssl.ThreadedTests) Check the example asyncore integration. ... server: new connection from 127.0.0.1:38794 client: sending 'FOO\n'... 
server: read 'FOO\n' from client client: read 'foo\n' client: closing connection. client: connection closed. server: read 'over\n' from client cleanup: stopping server. cleanup: joining server thread. server: closed connection <ssl.SSLSocket object at 0x7f28dd23b0d0> server: read '' from client cleanup: successfully joined. ok test_check_hostname (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 33176) server: bad connection attempt from ('127.0.0.1', 33176): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_compression (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 39026) server: bad connection attempt from ('127.0.0.1', 39026): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_compression_disabled (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 51970) server: bad connection attempt from ('127.0.0.1', 51970): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_crl_check (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 49686) server: bad connection attempt from ('127.0.0.1', 49686): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_default_ecdh_curve (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 50888) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_dh_params (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 39768) server: bad connection attempt from ('127.0.0.1', 39768): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_do_handshake_enotconn (test.test_ssl.ThreadedTests) ... ok test_echo (test.test_ssl.ThreadedTests) Basic test of an SSL client connecting to a server ... server: new connection from ('127.0.0.1', 51012) client: sending 'FOO\n'... server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256) server: selected protocol is now None client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: sending 'FOO\n'... client: read 'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 60552) server: bad connection attempt from ('127.0.0.1', 60552): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_getpeercert (test.test_ssl.ThreadedTests) ... 
{'issuer': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'notAfter': 'Aug 26 14:23:15 2028 GMT', 'notBefore': u'Aug 29 14:23:15 2018 GMT', 'serialNumber': u'98A7CF88C74A32ED', 'subject': ((('countryName', u'XY'),), (('localityName', u'Castle Anthrax'),), (('organizationName', u'Python Software Foundation'),), (('commonName', u'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),), 'version': 3L} Connection cipher is ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256). ok test_getpeercert_enotconn (test.test_ssl.ThreadedTests) ... ok test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok test_no_shared_ciphers (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 44402) server: bad connection attempt from ('127.0.0.1', 44402): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:727) ok test_npn_protocols (test.test_ssl.ThreadedTests) ... skipped 'NPN support needed for this test' test_protocol_sslv2 (test.test_ssl.ThreadedTests) Connecting to an SSLv2 server with various client options ... skipped 'OpenSSL is compiled without SSLv2 support' test_protocol_sslv23 (test.test_ssl.ThreadedTests) Connecting to an SSLv23 server with various client options ... PROTOCOL_TLS->PROTOCOL_TLS CERT_NONE PROTOCOL_TLSv1->PROTOCOL_TLS CERT_NONE ERROR test_protocol_sslv3 (test.test_ssl.ThreadedTests) Connecting to an SSLv3 server with various client options ... 
skipped 'OpenSSL is compiled without SSLv3 support' test_protocol_tlsv1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1 server with various client options ... PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_NONE ERROR test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.1 server with various client options. ... PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_1 CERT_NONE ERROR test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.2 server with various client options. ... PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_2 CERT_NONE {PROTOCOL_TLS->PROTOCOL_TLSv1_2} CERT_NONE PROTOCOL_TLSv1_2->PROTOCOL_TLS CERT_NONE {PROTOCOL_TLSv1->PROTOCOL_TLSv1_2} CERT_NONE {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1} CERT_NONE {PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_2} CERT_NONE {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_1} CERT_NONE ok test_read_write_after_close_raises_valuerror (test.test_ssl.ThreadedTests) ... ok test_recv_send (test.test_ssl.ThreadedTests) Test recv(), send() and friends. ... server: new connection from ('127.0.0.1', 59354) server: bad connection attempt from ('127.0.0.1', 59354): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_recv_zero (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 36264) server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256) server: selected protocol is now None ok test_rude_shutdown (test.test_ssl.ThreadedTests) A brutal shutdown of an SSL server should raise an OSError ... ok test_selected_alpn_protocol (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 59908) server: bad connection attempt from ('127.0.0.1', 59908): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 57474) server: bad connection attempt from ('127.0.0.1', 57474): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_selected_npn_protocol (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 33742) server: bad connection attempt from ('127.0.0.1', 33742): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_server_accept (test.test_ssl.ThreadedTests) ... ok test_sni_callback (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 43762) server: bad connection attempt from ('127.0.0.1', 43762): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_sni_callback_alert (test.test_ssl.ThreadedTests) ... ok test_sni_callback_raising (test.test_ssl.ThreadedTests) ... ok test_sni_callback_wrong_return_type (test.test_ssl.ThreadedTests) ... ok test_socketserver (test.test_ssl.ThreadedTests) Using a SocketServer to create and manage SSL connections. ... 
server (('127.0.0.1', 32973):32973 ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)): [24/Jun/2022 12:09:22] "GET /keycert.pem HTTP/1.1" 200 - client: read 4058 bytes from remote server '<HTTPSServerThread <HTTPSServer localhost.localdomain:32973>>' stopping HTTPS server joining HTTPS thread ok test_starttls (test.test_ssl.ThreadedTests) Switching from clear text to encrypted and back again. ... client: sending 'msg 1'... server: new connection from ('127.0.0.1', 44848) server: read 'msg 1' (unencrypted), sending back 'msg 1' (unencrypted)... client: read 'msg 1' from server client: sending 'MSG 2'... server: read 'MSG 2' (unencrypted), sending back 'msg 2' (unencrypted)... client: read 'msg 2' from server client: sending 'STARTTLS'... server: read STARTTLS from client, sending OK... client: read 'ok' from server, starting TLS... server: bad connection attempt from ('127.0.0.1', 44848): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_tls1_3 (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 47508) server: connection cipher is now ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256) server: selected protocol is now None ok test_tls_unique_channel_binding (test.test_ssl.ThreadedTests) Test tls-unique channel binding. ... 
server: new connection from ('127.0.0.1', 58508) server: bad connection attempt from ('127.0.0.1', 58508): Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1732, in wrap_conn self.sock, server_side=True) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 369, in wrap_socket _context=self) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__ self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:727) ERROR test_version_basic (test.test_ssl.ThreadedTests) ... ERROR test_wrong_cert (test.test_ssl.ThreadedTests) Connecting when the server rejects the client's certificate ... SSLError is SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)') ok ====================================================================== ERROR: test_load_verify_cadata (test.test_ssl.ContextTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in test_load_verify_cadata ctx.load_verify_locations(cadata=cacert_der) SSLError: unknown error (_ssl.c:2989) ====================================================================== ERROR: test_check_hostname (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2268, in test_check_hostname s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 
alert internal error (_ssl.c:727) ====================================================================== ERROR: test_compression (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3000, in test_compression chatty=True, connectionchatty=True) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_compression_disabled (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3012, in test_compression_disabled chatty=True, connectionchatty=True) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_crl_check (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File 
"/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2227, in test_crl_check s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_dh_params (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3022, in test_dh_params chatty=True, connectionchatty=True) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_echo (test.test_ssl.ThreadedTests) Basic test of an SSL client connecting to a server ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2168, in test_echo chatty=True, connectionchatty=True) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, 
in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests) Connecting to an SSLv23 server with various client options ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f return func(*args, **kwargs) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2404, in test_protocol_sslv23 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1') File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo chatty=False, connectionchatty=False) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727) ====================================================================== ERROR: test_protocol_tlsv1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1 server with various client options ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2452, in test_protocol_tlsv1 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1') File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo chatty=False, connectionchatty=False) File 
"/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.1 server with various client options. ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f return func(*args, **kwargs) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2471, in test_protocol_tlsv1_1 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo chatty=False, connectionchatty=False) File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test s.connect((HOST, server.port)) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect self._real_connect(addr, False) File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect self.do_handshake() File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake self._sslobj.do_handshake() SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727) ====================================================================== ERROR: test_recv_send (test.test_ssl.ThreadedTests) Test recv(), send() and friends. 
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2639, in test_recv_send
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_alpn_protocol (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3033, in test_selected_alpn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3045, in test_selected_alpn_protocol_if_server_uses_alpn
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_selected_npn_protocol (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3095, in test_selected_npn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_sni_callback (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3154, in test_sni_callback
    sni_name='supermessage')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2541, in test_starttls
    conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 931, in wrap_socket
    ciphers=ciphers)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2956, in test_tls_unique_channel_binding
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
ERROR: test_version_basic (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2893, in test_version_basic
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))

-----------------------------------
test test_ssl failed -- multiple errors occurred
-----------------------------------
Ran 96 tests in 1.061s

FAILED (failures=1, errors=18, skipped=7)
== Tests result: FAILURE ==

1 test failed:
    test_ssl

Total duration: 1 sec 153 ms
Tests result: FAILURE

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- Dmitry Belyavskiy
On 27/06/2022 08:53, Richard W.M. Jones wrote:
On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
Dear Richard,
If the only problem is legacy (and unsafe) ciphersuites, loading the legacy provider will solve this problem.
Any clues on how to do that?
https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
Tom
On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
On 27/06/2022 08:53, Richard W.M. Jones wrote:
On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
Dear Richard,
If the only problem is legacy (and unsafe) ciphersuites, loading the legacy provider will solve this problem.
Any clues on how to do that?
Results unclear. Loading legacy + default doesn't seem to give any errors, but I still see the same errors in the tests. I might be loading these providers in the wrong way however.
The code is here: https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3
Rich.
On 27/06/2022 10:02, Richard W.M. Jones wrote:
Results unclear. Loading legacy + default doesn't seem to give any errors, but I still see the same errors in the tests. I might be loading these providers in the wrong way however.
The code is here: https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3
That looks about right, or at last it looks very similar to what I did elsewhere.
Tom
Hi,
Richard W.M. Jones rjones@redhat.com wrote:
Results unclear. Loading legacy + default doesn't seem to give any errors, but I still see the same errors in the tests. I might be loading these providers in the wrong way however.
The code is here: https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3
Two comments:
Most of your failures are "no suitable signature algorithm" and "no shared ciphers". I suspect those might instead be caused by increased minimum TLS versions enforced by the crypto-policy. Did you try running those tests in the LEGACY crypto-policy? If that's the issue, you don't need to load the legacy provider, and doing so doesn't actually help.
I know the OpenSSL upstream documentation says so, but please don’t load the legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy provider for all code in the same address space by default. This means, for example, that applications that embed a Python interpreter will inherit its use of the legacy provider, even if they don’t want to. See [1] for further discussion of this issue, and examples on how to avoid it.
[1] https://github.com/lsh123/xmlsec/issues/339
HTH, Clemens
On Mon, Jun 27, 2022 at 11:15:01AM +0200, Clemens Lang wrote:
Hi,
Richard W.M. Jones rjones@redhat.com wrote:
Two comments:
Most of your failures are "no suitable signature algorithm" and "no shared ciphers". I suspect those might instead be caused by increased minimum TLS versions enforced by the crypto-policy. Did you try running those tests in the LEGACY crypto-policy? If that's the issue, you don't need to load the legacy provider, and doing so doesn't actually help.
I somehow thought that loading the legacy provider would be the same as the LEGACY crypto policy, except just for Python 2.7 rather than for the entire system.
Setting the whole system crypto-policy to LEGACY (and reverting the code for loading the legacy provider) fixes almost everything. The remaining errors are real, but minor problems with my patch series:
======================================================================
ERROR: test_load_verify_cadata (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in test_load_verify_cadata
    ctx.load_verify_locations(cadata=cacert_der)
SSLError: unknown error (_ssl.c:2989)

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
Anyhow, I'm not really working on this, but it does seem possible that for someone who wants to fix this and cares about Python and OpenSSL it wouldn't be too difficult to do the backport.
I know the OpenSSL upstream documentation says so, but please don’t load the legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy provider for all code in the same address space by default. This means, for example, that applications that embed a Python interpreter will inherit its use of the legacy provider, even if they don’t want to. See [1] for further discussion of this issue, and examples on how to avoid it.
Rich.
Richard W.M. Jones rjones@redhat.com wrote:
I somehow thought that loading the legacy provider would be the same as the LEGACY crypto policy, except just for Python 2.7 rather than for the entire system.
It’s a common misconception. So common that I recently wrote a blog post to explain the difference:
https://www.redhat.com/en/blog/legacy-cryptography-fedora-36-and-red-hat-ent...
Setting the whole system crypto-policy to LEGACY (and reverting the code for loading the legacy provider) fixes almost everything.
Thanks for testing and confirming that. In that case, it’s really just a case of running the test with a separate OpenSSL configuration file that applies weaker defaults.
HTH, Clemens
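A configuration file of the kind Clemens suggests for the test run, as an added example (not a file from the thread, from CPython or from Fedora's crypto-policies package). The section and key names are the ones OpenSSL reads; the file name and the particular values (a TLS 1.0 floor and security level 0) are assumptions picked so the old-protocol tests in test_ssl can run, not a copy of the LEGACY policy.

```ini
# relaxed-test.cnf (assumed name): point OPENSSL_CONF at this file for the
# test process only, e.g.
#   OPENSSL_CONF=$PWD/relaxed-test.cnf ./python -m test.regrtest test_ssl
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Defaults applied to every SSL_CTX created by the process that loads this
# file. The system DEFAULT policy sets a TLS 1.2 floor here; these values
# re-enable TLS 1.0/1.1 and the weak cipher suites the 2.7 tests expect.
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
```

Because OPENSSL_CONF replaces the system policy's configuration for that process, the override belongs in the test invocation (or %check), not in anything the package installs. Nothing here activates the legacy provider: as Clemens notes, these failures are about protocol and cipher defaults, which are a crypto-policy matter rather than a provider one.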
On 27. 06. 22 13:27, Richard W.M. Jones wrote:
====================================================================== FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
Might be https://github.com/python/cpython/issues/90272
Dear colleagues,
If I correctly follow the discussion, the biggest show-stopper is Python 2.*, which has some incomplete patches to deal with OpenSSL 3.0. If we assist you in moving these patches forward, can we get rid of the devel package and leave the compat package only for 3rd-party packages?
I don't think that the community really requires support for this package for 7 years after its upstream sunset.
Many thanks!
On 29. 06. 22 17:11, Dmitry Belyavskiy wrote:
Dear colleagues,
If I correctly follow the discussion, the biggest show-stopper is Python 2.*, which has some incomplete patches to deal with OpenSSL 3.0.
We would also need it in for Python 3.6 and pypys.
If we assist you in moving these patches forward, can we get rid of the devel package and leave the compat package only for 3rd-party packages?
Please don't remove the devel package if you aim for deprecation. As others have said, removing the devel package is essentially retirement, not deprecation.
I don't think that the community really requires support for this package for 7 years after its upstream sunset.
OpenSSL 3 was introduced in Fedora 36, that has *just* been released this year. This is a change proposal for Fedora 37, that is half a year after, not 7 years :/
Dear Miro,
On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok mhroncok@redhat.com wrote:
On 29. 06. 22 17:11, Dmitry Belyavskiy wrote:
Dear colleagues,
If I correctly follow the discussion, the biggest show-stopper is Python 2.*, which has some incomplete patches to deal with OpenSSL 3.0.
We would also need it in for Python 3.6 and pypys.
Are RHEL 9 patches for Python 3 series relevant in this case?
If we assist you in moving these patches forward, can we get rid of the devel package and leave the compat package only for 3rd-party packages?
Please don't remove the devel package if you aim for deprecation. As others have said, removing the devel package is essentially retirement, not deprecation.
OK, it's not a problem to deprecate the package in the sense of https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag... But we still want to get rid of it.
I don't think that the community really requires support for this package for 7 years after its upstream sunset.
OpenSSL 3 was introduced in Fedora 36, that has *just* been released this year. This is a change proposal for Fedora 37, that is half a year after, not 7 years :/
Well, speaking about 7 years, I mean the idea to support the compat package synchronously with RHEL 8. I'd like to retire this package not later than, well, a release after OpenSSL 1.1.1 EOL.
On Wed, Jun 29, 2022 at 5:46 PM Dmitry Belyavskiy dbelyavs@redhat.com wrote:
On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok mhroncok@redhat.com wrote:
Please don't remove the devel package if you aim for deprecation. As others have said, removing the devel package is essentially retirement, not deprecation.
OK, it's not a problem to deprecate the package in the sense of https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag...
I agree with Miro. If you want to ensure no new packages start depending on openssl1.1, then adding "Provides: deprecated()" (to both the openssl1.1 and openssl1.1-devel packages) is exactly what you want. fedora-review includes a check that prints a warning when a package depends on something that has "Provides: deprecated()", so no new packages should ever be added to Fedora that depend on something that is deprecated.
Removing a (sub-)package is not a "deprecation", because it already breaks dependent packages, and *does not* give any advance warning to affected people, which a deprecation is supposed to provide.
But we still want to get rid of it.
I understand this goal, but starting with a deprecation means that this will be a two-step process:
1) deprecate openssl1.1 and openssl1.1 packages (adding "Provides: deprecated()" to them): this ensures no new packages depend on them (fine to do that for Fedora 37)
2) once no Fedora packages (only third-party binaries) depend on openssl1.1, you *can* drop openssl1.1-devel (too early in Fedora 37, target 38 or 39 instead?, see EOL dates listed below)
Dropping openssl1.1-devel (and keeping openssl1.1) *before* all official Fedora components have been ported to openssl 3 is essentially making them hang by the thinnest of threads - the packages will fail to build, but still be *installable* - if only for so long.
These packages will also start to fail to install after any soname bump (or another similar change) in their dependency trees - because they won't be able to be rebuilt for that (unrelated) change, because openssl1.1-devel is gone. It will also block any critical / security updates for affected packages, which is certainly not what we want.
So, please, don't remove the openssl1.1-devel package while there's still Fedora packages that depend on it. I assume openssl1.1 itself will be kept for some time, to provide support for third-party applications that require it? So keeping the -devel package around does not create any additional work for you, but it will make life for maintainers of dependent packages much easier, until they can switch their packages to OpenSSL 3.
I don't think that the community really requires support for this package for 7 years after its upstream sunset.
OpenSSL 3 was introduced in Fedora 36, that has *just* been released this year. This is a change proposal for Fedora 37, that is half a year after, not 7 years :/
Well, speaking about 7 years, I mean the idea to support the compat package synchronously with RHEL 8. I'd like to retire this package not later than, well, a release after OpenSSL 1.1.1 EOL.
According to the OpenSSL website (https://www.openssl.org/policies/releasestrat.html) OpenSSL 1.1.1 will be supported until 2023-09-11. Fedora 37 will be EOL at around 2023-11-14 (https://fedorapeople.org/groups/schedule/f-39/f-39-key-tasks.html), so OpenSSL 1.1.1 will still be officially supported for most of its lifecycle - I don't see why it already needs to be removed in Fedora 37.
This alignment of EOL dates makes me wonder whether the removal of openssl1.1(-devel) should be targeted at Fedora 38 (more than half its supported lifetime is after OpenSSL 1.1.1 is EOL) or Fedora 39 (released after OpenSSL 1.1.1 is EOL) instead. Fedora 37 seems too early for a *removal*, but officially deprecating it in Fedora 37 sounds very reasonable to me.
Fabop
I agree (vigorously and in detail) with Fabio’s message.
– Ben Beasley
On 29. 06. 22 17:45, Dmitry Belyavskiy wrote:
Dear Miro,
On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok <mhroncok@redhat.com> wrote:
On 29. 06. 22 17:11, Dmitry Belyavskiy wrote:
> Dear colleagues,
>
> If I correctly follow the discussion, the biggest show-stopper is Python 2.*,
> which has some incomplete patches to deal with OpenSSL 3.0.
We would also need it in for Python 3.6 and pypys.
Are RHEL 9 patches for Python 3 series relevant in this case?
Not at all. RHEL 9 is python3.9 and that runs on OpenSSL 3 in both RHEL 9 and all supported Fedoras.
> If we assist you in moving these patches forward, can we get rid of the devel
> package and leave the compat package only for 3rd-party packages?
Please don't remove the devel package if you aim for deprecation. As others have said, removing the devel package is essentially retirement, not deprecation.
OK, it's not a problem to deprecate the package in the sense of https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/ But we still want to get rid of it.
Right. But it makes sense to say:
Fedora 37: openssl1.1 is deprecated
Fedora XY: openssl1.1 is retired
Now you are mixing the two kinda together in a weird way. The change is called "deprecation" but is in fact "incomplete retirement".
See e.g.:
Deprecation: https://fedoraproject.org/wiki/Changes/DeprecateNose
Retirement: https://fedoraproject.org/wiki/Changes/RetirePython3.7
> I don't think that the community really requires support for this package for 7
> years after its upstream sunset.
OpenSSL 3 was introduced in Fedora 36, that has *just* been released this year. This is a change proposal for Fedora 37, that is half a year after, not 7 years :/
Well, speaking about 7 years, I mean the idea to support the compat package synchronously with RHEL 8.
Now I understand what you mean but I still don't understand what is the biggest trouble. You do maintain this in RHEL 8, don't you?
I'd like to retire this package not later than, well, a release after OpenSSL 1.1.1 EOL.
Is that happening on some known schedule or is it an event that will eventually happen but we don't know when?
On Wednesday, June 29, 2022 11:49:07 AM CDT Miro Hrončok wrote:
Now you are mixing the two kinda together in a weird way. The change is called "deprecation" but is in fact "incomplete retirement".
I agree. There seems to be a recent trend of Changes confusing the difference between deprecations and removals. If something is being removed, even partially, it is a removal, not a deprecation. As other commenters have mentioned, in the Fedora context[1], deprecating a package entails adding `Provides: deprecated()` and submitting a Change proposal before doing so if it's not a leaf package.
[1]: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag...
On 29. 06. 22 17:45, Dmitry Belyavskiy wrote:
OK, it's not a problem to deprecate the package in the sense of https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packag... https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/ But we still want to get rid of it.
Consider also not allowing packages to use openssl1.1-devel unless they have a FESCo exception.
See e.g. https://fedoraproject.org/wiki/Changes/RetirePython2#FESCo_exceptions
Unfortunately that effort is moot, it's really not possible to make python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python versions are not 100% compatible for various reasons.
In trying to make it compatible there are also ABI changes introduced, it's not only about having the tests pass. The ssl module is already complex enough in backporting changes from the master Python branch to previous 3.x versions, doing that for 2.7 without a full fledged effort from SSL and the Python C API experts guarantee there's gonna be regressions. And that's not even taking into account the security implications of randomly cherry-picking commits just to have the package compile.
On Wed, Jun 29, 2022 at 5:12 PM Dmitry Belyavskiy dbelyavs@redhat.com wrote:
Dear colleagues,
If I correctly follow the discussion, the biggest show-stopper is Python 2.*, which has some incomplete patches to deal with OpenSSL 3.0. If we assist you in moving these patches forward, can we get rid of the devel package and leave the compat package only for 3rd-party packages?
I don't think that the community really requires support for this package for 7 years after its upstream sunset.
Many thanks!
And I would very much prefer to remedy the issue of having packages still relying on python2 rather than thinking about removing OpenSSL 1.1.1 that's still supported upstream and many packages depend on it.
On Thu, Jun 30, 2022 at 3:29 PM Charalampos Stratakis cstratak@redhat.com wrote:
Unfortunately that effort is moot, it's really not possible to make python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python versions are not 100% compatible for various reasons.
In trying to make it compatible there are also ABI changes introduced, it's not only about having the tests pass. The ssl module is already complex enough in backporting changes from the master Python branch to previous 3.x versions, doing that for 2.7 without a full fledged effort from SSL and the Python C API experts guarantee there's gonna be regressions. And that's not even taking into account the security implications of randomly cherry-picking commits just to have the package compile.
On Wed, Jun 29, 2022 at 5:12 PM Dmitry Belyavskiy dbelyavs@redhat.com wrote:
Dear colleagues,
If I correctly follow the discussion, the biggest show-stopper is Python 2.*, which has some incomplete patches to deal with OpenSSL 3.0. If we assist you in moving these patches forward, can we get rid of the devel package and leave the compat package only for 3rd-party packages?
I don't think that the community really requires support for this package for 7 years after its upstream sunset.
Many thanks!
On Tue, Jun 28, 2022 at 4:06 PM Miro Hrončok mhroncok@redhat.com wrote:
On 27. 06. 22 13:27, Richard W.M. Jones wrote:
====================================================================== FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
Traceback (most recent call last): File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382,
in test_openssl_version
(s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
Might be https://github.com/python/cpython/issues/90272
-- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- Dmitry Belyavskiy
-- Regards,
Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat
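The test_openssl_version failure quoted above comes from how the ssl module splits OPENSSL_VERSION_NUMBER. The following is an added example, not CPython's or OpenSSL's code: it decodes the number with the OpenSSL 1.x field layout that 2.7's _ssl.c uses and with the OpenSSL 3 layout, and reproduces the startswith check both ways. The sample numbers (0x101010EF for 1.1.1n, 0x30000030 for 3.0.3) and the helper names are this example's own.

```python
"""Why ssl.OPENSSL_VERSION_INFO is (3, 0, 0, 3, 0) for 'OpenSSL 3.0.3'.

Added example (not CPython or OpenSSL code).  Runs on Python 2.7 and 3.
"""
from __future__ import print_function


def decode_as_cpython27(number):
    """Split a version number using the OpenSSL 1.x layout MNNFFPPS.

    This is the field order ssl.OPENSSL_VERSION_INFO carries:
    (major, minor, fix, patch, status).  OpenSSL 3 keeps the FF and S
    fields at zero, so 3.0.3 (0x30000030) decodes as (3, 0, 0, 3, 0).
    """
    status = number & 0xF
    number >>= 4
    patch = number & 0xFF
    number >>= 8
    fix = number & 0xFF
    number >>= 8
    minor = number & 0xFF
    number >>= 8
    major = number & 0xFF
    return (major, minor, fix, patch, status)


def decode_as_openssl3(number):
    """Split a version number using the OpenSSL 3 layout MNN00PP0.

    OpenSSL 3 dropped the letter-suffix "fix" level and the status nibble;
    the patch level sits in bits 4..11, so 0x30000030 is 3.0.3.
    """
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    patch = (number >> 4) & 0xFF
    return (major, minor, patch)


def old_test_prefix(number):
    """Prefix the unpatched 2.7 test expects: major.minor.fix from the
    1.x-layout tuple.  Wrong for OpenSSL 3, where the fix field is always 0."""
    major, minor, fix, _, _ = decode_as_cpython27(number)
    return "OpenSSL %d.%d.%d" % (major, minor, fix)


def expected_prefix(number):
    """Layout-aware prefix: choose the field layout by the major version."""
    major = (number >> 28) & 0xF
    if major >= 3:
        major, minor, patch = decode_as_openssl3(number)
    else:
        major, minor, patch, _, _ = decode_as_cpython27(number)
    return "OpenSSL %d.%d.%d" % (major, minor, patch)


def version_string_matches(version_string, number, layout_aware=True):
    """Reproduce the startswith check from test_openssl_version.

    With layout_aware=False this is the check that fails in the thread.
    """
    prefix = expected_prefix(number) if layout_aware else old_test_prefix(number)
    return version_string.startswith(prefix)


# Constructed sample inputs: a 1.1.1n build and the 3.0.3 build from the thread.
SAMPLES = [
    ("OpenSSL 1.1.1n  15 Mar 2022", 0x101010EF),
    ("OpenSSL 3.0.3 3 May 2022", 0x30000030),
]

if __name__ == "__main__":
    for version_string, number in SAMPLES:
        print(version_string, hex(number),
              "2.7 tuple:", decode_as_cpython27(number),
              "old test passes:", version_string_matches(version_string, number, False),
              "layout-aware passes:", version_string_matches(version_string, number))
```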
Charalampos Stratakis cstratak@redhat.com writes:
Unfortunately that effort is moot, it's really not possible to make python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python versions are not 100% compatible for various reasons.
In trying to make it compatible there are also ABI changes introduced; it's not only about having the tests pass. The ssl module is already complex enough in backporting changes from the master Python branch to previous 3.x versions; doing that for 2.7 without a full-fledged effort from SSL and the Python C API experts guarantees there's gonna be regressions. And that's not even taking into account the security implications of randomly cherry-picking commits just to have the package compile.
I'm having trouble understanding this because Debian seems to have carried out what you're saying is impossible: in testing, they ship a python2.7 that appears to be using openssl 3, and do not ship openssl 1.1 at all. There are also a handful of clearly openssl 3-related patches in their tree https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches
Have folks looked at how they do this, and whether we could adapt it to Fedora?
Be well, --Robbie
So I presume then that python2.7 in Debian works flawlessly with OpenSSL 3.0.0, no regressions, no security issues and no ABI problems right?
On Thu, Jun 30, 2022 at 5:13 PM Robbie Harwood rharwood@redhat.com wrote:
Charalampos Stratakis cstratak@redhat.com writes:
Unfortunately that effort is moot, it's really not possible to make python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python versions are not 100% compatible for various reasons.
In trying to make it compatible there are also ABI changes introduced; it's not only about having the tests pass. The ssl module is already complex enough in backporting changes from the master Python branch to previous 3.x versions; doing that for 2.7 without a full-fledged effort from SSL and the Python C API experts guarantees there's gonna be regressions. And that's not even taking into account the security implications of randomly cherry-picking commits just to have the package compile.
I'm having trouble understanding this because Debian seems to have carried out what you're saying is impossible: in testing, they ship a python2.7 that appears to be using openssl 3, and do not ship openssl 1.1 at all. There are also a handful of clearly openssl 3-related patches in their tree https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches
Have folks looked at how they do this, and whether we could adapt it to Fedora?
Be well, --Robbie
On 6/30/22 13:11, Charalampos Stratakis wrote:
So I presume then that python2.7 in Debian works flawlessly with OpenSSL 3.0.0, no regressions, no security issues and no ABI problems right?
What about stubbing out all networking in Python 2.7? I believe that the only users of Python 2.7 in Fedora are various build scripts, and those are all entirely offline. If so, nothing would break if the ssl module was replaced by a stub module that threw an exception when any of its functions was called. Using an EOL version of Python in a network-facing program is a bad idea anyway.
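The stub-module idea in the message above, as an added Python sketch that is not Fedora's or CPython's code: "import ssl" keeps succeeding so offline build scripts load, but any call into the module raises. StubModule, StubbedOut, install_stub and the demo_ssl module name are this example's own choices; it runs on Python 2.7 and 3.

```python
"""Stub out a module so that importing it works but using it raises.

Added example (not Fedora or CPython code).  Python 2.7 and 3 compatible.
"""
from __future__ import print_function

import sys
import types


class StubbedOut(RuntimeError):
    """Raised on any call into a stubbed module."""


class _StubAttribute(object):
    """Stands in for every function or constant of the stubbed module.

    Name lookup succeeds, so feature checks such as hasattr(ssl, "SSLContext")
    keep their shape, but calling the result raises StubbedOut with a message
    naming what was attempted.
    """

    def __init__(self, module_name, name):
        self._qualname = "%s.%s" % (module_name, name)

    def __call__(self, *args, **kwargs):
        raise StubbedOut("%s() is disabled: this interpreter has no "
                         "network support" % self._qualname)

    def __repr__(self):
        return "<stubbed %s>" % self._qualname


class StubModule(types.ModuleType):
    """A module whose every public attribute is a _StubAttribute."""

    def __getattr__(self, name):
        # Dunder probes by the import system (__path__, __file__, ...) must
        # behave like a plain module and report the name as missing.
        if name.startswith("__"):
            raise AttributeError(name)
        return _StubAttribute(self.__name__, name)


def install_stub(module_name):
    """Register a StubModule under module_name in sys.modules and return it.

    Replaces an already-imported module of that name, so it must run before
    anything else imports the real one (for ssl: at interpreter start-up).
    """
    stub = StubModule(module_name)
    stub.__doc__ = "Stub of %s: all functionality disabled." % module_name
    sys.modules[module_name] = stub
    return stub


def probe(module_name):
    """Import module_name and attempt one call on it.

    Returns (import_succeeded, call_raised_stubbed_out).
    """
    module = __import__(module_name)
    try:
        module.wrap_socket(None)
    except StubbedOut:
        return (True, True)
    return (True, False)


if __name__ == "__main__":
    # Constructed demo: stub a name of our own rather than the real "ssl"
    # so the demo does not disturb the interpreter running it.
    install_stub("demo_ssl")
    print(probe("demo_ssl"))
```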
On Thu, Jun 30, 2022 at 01:52:34PM -0400, Demi Marie Obenour wrote:
On 6/30/22 13:11, Charalampos Stratakis wrote:
So I presume then that python2.7 in Debian works flawlessly with OpenSSL 3.0.0, no regressions, no security issues and no ABI problems right?
What about stubbing out all networking in Python 2.7? I believe that the only users of Python 2.7 in Fedora are various build scripts, and those are all entirely offline. If so, nothing would break if the ssl module was replaced by a stub module that threw an exception when any of its functions was called. Using an EOL version of Python in a network-facing program is a bad idea anyway.
This sounds like one of the better ideas to come out of this thread, and should be done regardless of the other stuff.
Rich.
Charalampos Stratakis cstratak@redhat.com writes:
So I presume then that python2.7 in Debian works flawlessly with OpenSSL 3.0.0, no regressions, no security issues and no ABI problems right?
I'm hearing hostility from you and I don't know why. From your sarcasm, I take it to mean that no, you haven't looked.
So my original question of "can we adapt this to Fedora" still stands. I'm confused that you're asking me to do this legwork for you, given I neither represent Debian in any way nor am I a Python developer, but since it's not hard to check...
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=python... here is the Debian bugtracker for python2.7. The only openssl bug present there is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954418 (i.e., upstream https://bugs.python.org/issue40018 ) which, as it affects python3 versions as well, isn't relevant to this discussion.
https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches here are the patches Debian carries for python2.7. All but one of them are backports from upstream, mostly by Christian Heimes christian@python.org. Commit logs say that the backport was performed by Stefano Rivera stefanor@debian.org, and applied by Matthias Klose doko@debian.org. If it were me in your shoes, I would ask them how things have gone and for any pointers in potentially applying the backport yourself.
Be well, --Robbie
On 24. 06. 22 13:11, Richard W.M. Jones wrote:
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
python2.7-0:2.7.18-22.fc37.src
Vaguely seeing if it's feasible to backport the OpenSSL 3 support to Python 2.7. This branch gets quite far:
https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
Only one test fails, test_ssl (obviously), but it does only appear to fail where it tests obsolete ciphers. I looked into fixing the test, but the upstream version of this test has changed a great deal, with a whole mechanism for skipping unsupported ciphers.
Richard, have you seen the list of PRs and dependencies in https://github.com/python/cpython/issues/83001 ?
On Fri, Jun 24, 2022 at 01:37:16PM +0200, Miro Hrončok wrote:
On 24. 06. 22 13:11, Richard W.M. Jones wrote:
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
python2.7-0:2.7.18-22.fc37.src
Vaguely seeing if it's feasible to backport the OpenSSL 3 support to Python 2.7. This branch gets quite far:
https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
Only one test fails, test_ssl (obviously), but it does only appear to fail where it tests obsolete ciphers. I looked into fixing the test, but the upstream version of this test has changed a great deal, with a whole mechanism for skipping unsupported ciphers.
Richard, have you seen the list of PRs and dependencies in https://github.com/python/cpython/issues/83001 ?
I did! It was very long so I went with cherry picking patches and hoping for the best, with mixed results ...
Rich.
Hi Richard, porting Python 2.7 to openssl 3.0 doesn't really make sense to me.
We ship Python 2.7 so that developers can test code that needs to work on Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora aims to be a developer-friendly distro and so we want to provide the tools to do that. Even if it's possible to port Python 2.7 to openssl 3.0 safely with reasonable effort, which I doubt, it would lead to a different Python 2.7, which would no longer work as a testing ground for people developing for old deployments.
Tomáš
On 6/24/22 13:11, Richard W.M. Jones wrote:
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
python2.7-0:2.7.18-22.fc37.src
Vaguely seeing if it's feasible to backport the OpenSSL 3 support to Python 2.7. This branch gets quite far:
https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
Only one test fails, test_ssl (obviously), but it does only appear to fail where it tests obsolete ciphers. I looked into fixing the test, but the upstream version of this test has changed a great deal, with a whole mechanism for skipping unsupported ciphers.
Remaining test failures in detail below.
Rich.
running build
running build_ext
warning: openssl 0x00000000 is too old for _hashlib
building dbm using ndbm
Python build finished, but the necessary bits to build these modules were not found:
_hashlib bsddb185 dl imageop sunaudiodev
To find the necessary bits, look in setup.py in detect_modules() for the module's name.
running build_scripts
find ./Lib -name '*.py[co]' -print | xargs rm -f
./python -Wd -3 -E -tt ./Lib/test/regrtest.py -v test_ssl
== CPython 2.7.18 (tags/2.7-3-g1efbb6fd52:1efbb6fd52, Jun 24 2022, 12:05:45) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
== Linux-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64-x86_64-with-fedora-37-Rawhide little-endian
== /home/rjones/d/cpython-2.7/build/test_python_641493
== CPU count: 24
Run tests sequentially
0:00:00 load avg: 0.09 [1/1] test_ssl
test_ssl: testing with 'OpenSSL 3.0.3 3 May 2022' (3, 0, 0, 3, 0)
under Linux ('Fedora', '37', 'Rawhide')
HAS_SNI = True
OP_ALL = 0x80000050
OP_NO_TLSv1_1 = 0x10000000
======================================================================
ERROR: test_load_verify_cadata (test.test_ssl.ContextTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in test_load_verify_cadata
    ctx.load_verify_locations(cadata=cacert_der)
SSLError: unknown error (_ssl.c:2989)
======================================================================
ERROR: test_check_hostname (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2268, in test_check_hostname
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_compression (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3000, in test_compression
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_compression_disabled (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3012, in test_compression_disabled
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_crl_check (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2227, in test_crl_check
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_dh_params (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3022, in test_dh_params
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2168, in test_echo
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f
    return func(*args, **kwargs)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2404, in test_protocol_sslv23
    try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)
======================================================================
ERROR: test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2452, in test_protocol_tlsv1
    try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 190, in f
    return func(*args, **kwargs)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2471, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2136, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends.
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2639, in test_recv_send
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_selected_alpn_protocol (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3033, in test_selected_alpn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3045, in test_selected_alpn_protocol_if_server_uses_alpn
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_selected_npn_protocol (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3095, in test_selected_npn_protocol
    chatty=True, connectionchatty=True)
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_sni_callback (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 3154, in test_sni_callback
    sni_name='supermessage')
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2064, in server_params_test
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again.
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2541, in test_starttls
    conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 931, in wrap_socket
    ciphers=ciphers)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding.
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2956, in test_tls_unique_channel_binding
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
ERROR: test_version_basic (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 2893, in test_version_basic
    s.connect((HOST, server.port))
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/home/rjones/d/cpython-2.7/Lib/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:727)
======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
----------------------------------------------------------------------
test test_ssl failed -- multiple errors occurred
Ran 96 tests in 1.061s
FAILED (failures=1, errors=18, skipped=7)
== Tests result: FAILURE ==
1 test failed: test_ssl
Total duration: 1 sec 153 ms
Tests result: FAILURE
On Fri, Jun 24, 2022 at 02:06:14PM +0200, Tomáš Orsava wrote:
Hi Richard, porting Python 2.7 to openssl 3.0 doesn't really make sense to me.
We ship Python 2.7 so that developers can test code that needs to work on Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora aims to be a developer-friendly distro and so we want to provide the tools to do that. Even if it's possible to port Python 2.7 to openssl 3.0 safely with reasonable effort, which I doubt, it would lead to a different Python 2.7, which would no longer work as a testing ground for people developing for old deployments.
IMHO that's not a very compelling use case. Python 2.7 on Fedora is already quite different from RHEL in terms of crypto, simply by virtue of Fedora having quite different crypto-policies applied.
If people want to test compatibility with older RHEL/CentOS from their Fedora dev machine, then containers are the answer and will give a much higher confidence level. Containers already dominate in cases where people want to test software against a different OS without having the burden of maintaining a full VM.
With regards,
Daniel
Hi Tomáš,
Charalampos pinged me and asked me to look into this thread. For those who are not familiar with me, I'm a CPython core developer and primary maintainer of the ssl and hashlib module. In the past I have ported Python to OpenSSL 1.1.0 and OpenSSL 3.0.
At first I also thought that it would be a lot of work to port Python 2.7 to OpenSSL 3.0. It turns out that most tests are actually passing. The Debian downstream patches address the remaining issue.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/o... fixes version number comparison and a different representation of IPv6 addresses in 3.0.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/o... fixes error messages. OpenSSL 3.0 uses different error numbers than 1.1.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/o... fixes a problem with error handling when loading certs.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/o... resolves another issue with version number formats.
All four patches were originally written by me and are covered by the PSF license.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/o... changes tests to use latest TLS version instead of TLS 1.0. The change is based on another upstream change by me.
You also have to disable openssl/opensslv.h parsing in setup.py. The code is not clever enough to understand OpenSSL 3.0's opensslv.h.
In my humble opinion this would make Python 2.7 work sufficiently well with OpenSSL 3.0. I wouldn't trust it with mission-critical production code, but it's OK enough for CI. Yes, Python 2.7 with OpenSSL 3.0 will behave differently than Python 2.7 with OpenSSL 1.1.1, e.g. some old ciphers and TLS versions may not work. But that's OK. Nobody should use TLS 1.0 in 2022 any more.
Anyhow, it is still too early to drop openssl1.1-devel in Fedora 37. I recommend marking it as deprecated in F37 and dropping it in a later release.
Christian
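The test_openssl_version failure in Richard's log above (the AssertionError pairing 'OpenSSL 3.0.3 3 May 2022' with the tuple (3, 0, 0, 3, 0)) and the "version number comparison" and opensslv.h parsing items in Christian's reply have the same root: OpenSSL 3.0 packs its version number differently from 1.1, so a 1.x-era reader lands the release number in the wrong field. The following is an added example written for this page; it is not code from the thread, from CPython or from the Debian patches. The bit layouts (1.x: 0xMNNFFPPS, 3.x: 0xMNN00PP0) and the two header fragments are my own assumptions about OpenSSL's format, labelled as such in the code.

```python
"""Decode a packed OPENSSL_VERSION_NUMBER into the (major, minor, fix, patch,
status) tuple CPython exposes as ssl.OPENSSL_VERSION_INFO, and show why the
1.x-era check in test_openssl_version fails against OpenSSL 3.0.

Added example, not code from the thread, CPython or Debian.  Assumptions:
1.x packs the number as 0xMNNFFPPS (major, minor, fix, patch, status);
3.x packs it as 0xMNN00PP0, so 'fix' is always 0 and the release lands in
'patch'.  The header fragments below are constructed to illustrate that.
"""
import re


def decode_version_number(libver):
    """Split the packed number into the five fields, lowest nibble first."""
    status = libver & 0xF
    libver >>= 4
    patch = libver & 0xFF
    libver >>= 8
    fix = libver & 0xFF
    libver >>= 8
    minor = libver & 0xFF
    libver >>= 8
    major = libver & 0xFF
    return (major, minor, fix, patch, status)


def expected_prefix(info, assume_1x_layout=False):
    """Build the 'OpenSSL M.m.r' prefix the version string should start with.

    assume_1x_layout=True reproduces the old test's rule (release number is
    always 'fix'); the default chooses the field by major version, which is
    the shape of fix needed for 3.0.
    """
    major, minor, fix, patch, _status = info
    if major >= 3 and not assume_1x_layout:
        return "OpenSSL %d.%d.%d" % (major, minor, patch)
    return "OpenSSL %d.%d.%d" % (major, minor, fix)


def version_string_matches(version_string, info, assume_1x_layout=False):
    """The comparison the test performs: string must start with the prefix."""
    return version_string.startswith(expected_prefix(info, assume_1x_layout))


# Constructed header fragments (assumption: modelled on the two layouts of
# openssl/opensslv.h, not copied from the thread or from OpenSSL).
OPENSSLV_H_1_1 = """
# define OPENSSL_VERSION_NUMBER  0x101010efL
"""

OPENSSLV_H_3_0 = """
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  3
# define OPENSSL_VERSION_NUMBER          \\
    ( (OPENSSL_VERSION_MAJOR<<28)        \\
      |(OPENSSL_VERSION_MINOR<<20)       \\
      |(OPENSSL_VERSION_PATCH<<4) )
"""

# A literal-only pattern is what a 1.x-era build script looks for.
_LITERAL_RE = re.compile(
    r"^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+(0x[0-9a-fA-F]+)", re.M)
_FIELD_RE = re.compile(
    r"^\s*#\s*define\s+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)", re.M)


def version_number_from_header(text):
    """Recover the packed number from an opensslv.h fragment, or None.

    The literal regex finds nothing in the 3.0 header because the number
    is a macro expression there; fall back to MAJOR/MINOR/PATCH and pack
    them with the 3.x layout.
    """
    m = _LITERAL_RE.search(text)
    if m:
        return int(m.group(1), 16)
    fields = dict((k, int(v)) for k, v in _FIELD_RE.findall(text))
    if set(fields) != {"MAJOR", "MINOR", "PATCH"}:
        return None
    return (fields["MAJOR"] << 28) | (fields["MINOR"] << 20) | (fields["PATCH"] << 4)


if __name__ == "__main__":
    for label, text in (("1.1.1n", OPENSSLV_H_1_1), ("3.0.3", OPENSSLV_H_3_0)):
        info = decode_version_number(version_number_from_header(text))
        print(label, info, expected_prefix(info))
    # The failing pair from the thread, checked with the old and the fixed rule.
    s, t = "OpenSSL 3.0.3 3 May 2022", (3, 0, 0, 3, 0)
    print(version_string_matches(s, t, assume_1x_layout=True),
          version_string_matches(s, t))
```

With the old rule the 3.0.3 tuple yields the prefix "OpenSSL 3.0.0", which the version string does not start with, reproducing the assertion; selecting the field by major version makes the same tuple produce "OpenSSL 3.0.3". The header half shows why a build script that only greps for a hex literal comes up empty on 3.0's opensslv.h.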
Here you are, have fun!
https://github.com/python/cpython/compare/2.7...tiran:cpython:2.7.18-openssl...
$ ./python -c "import sys; print sys.version"
2.7.18 (heads/2.7.18-openssl3:a2e3d7995ce, Jul 1 2022, 16:51:37)
[GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
$ ./python Lib/test/ssltests.py
OpenSSL 3.0.3 3 May 2022
Using random seed 4979488
Run tests sequentially
0:00:00 load avg: 1.64 [ 1/13] test_ensurepip
0:00:00 load avg: 1.64 [ 2/13] test_ssl
0:00:07 load avg: 2.33 [ 3/13] test_hmac
0:00:07 load avg: 2.33 [ 4/13] test_ftplib
0:00:08 load avg: 2.33 [ 5/13] test_urllib2_localnet
0:00:09 load avg: 2.33 [ 6/13] test_smtplib
0:00:09 load avg: 2.33 [ 7/13] test_smtpnet
0:00:10 load avg: 2.33 [ 8/13] test_hashlib
0:00:10 load avg: 2.33 [ 9/13] test_httplib
0:00:12 load avg: 2.14 [10/13] test_xmlrpc
0:00:15 load avg: 2.14 [11/13] test_imaplib
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
0:00:16 load avg: 2.13 [12/13] test_poplib
0:00:18 load avg: 2.13 [13/13] test_nntplib
== Tests result: SUCCESS ==
All 13 tests OK.
Total duration: 18 sec 495 ms
Tests result: SUCCESS
On Fri, Jul 1, 2022 at 4:54 PM Christian Heimes cheimes@redhat.com wrote:
Will try it and do an impact check for the packages depending on python2.7.
On Fri, Jul 1, 2022 at 5:12 PM Charalampos Stratakis cstratak@redhat.com wrote:
Draft PR: https://src.fedoraproject.org/rpms/python2.7/pull-request/36
Copr impact check: https://copr.fedorainfracloud.org/coprs/cstratak/python2.7-openssl3/builds/
I won't have time to get back to it until late next week; however, there are instructions in Copr for getting the mock config for anyone who wants to experiment.