Recert to fix test failures with newer Python versions #210
Conversation
|
That min_tls_version is giving me nightmares. |
|
Well, I'm open to ideas. For the record, the test failure I get now is: ________________________________________________________ test_min_tls_version _________________________________________________________
tests/test_https.py:109: in test_min_tls_version
http.request(uri)
.tox/py39/lib/python3.9/site-packages/httplib2/__init__.py:1725: in request
(response, content) = self._request(
.tox/py39/lib/python3.9/site-packages/httplib2/__init__.py:1441: in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
.tox/py39/lib/python3.9/site-packages/httplib2/__init__.py:1363: in _conn_request
conn.connect()
.tox/py39/lib/python3.9/site-packages/httplib2/__init__.py:1155: in connect
self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
/usr/lib/python3.9/ssl.py:500: in wrap_socket
return self.sslsocket_class._create(
/usr/lib/python3.9/ssl.py:1040: in _create
self.do_handshake()
/usr/lib/python3.9/ssl.py:1309: in do_handshake
self._sslobj.do_handshake()
E ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1145)
During handling of the above exception, another exception occurred:
tests/test_https.py:112: in test_min_tls_version
assert e.reason in ("UNSUPPORTED_PROTOCOL", "VERSION_TOO_LOW")
E AssertionError: assert 'SSLV3_ALERT_HANDSHAKE_FAILURE' in ('UNSUPPORTED_PROTOCOL', 'VERSION_TOO_LOW')
E + where 'SSLV3_ALERT_HANDSHAKE_FAILURE' = SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1145)').reason |
|
(I'm sorry, I've accidentally pasted pypy3 version instead of CPython 3.9 as intended) |
|
My best result was either it fails with all combantions of min/max check in tests or it passes without the fix applied. So I thought maybe the correct testing approach should be special Python+openssl build that allows all versions only to find that |
|
Hmm, I think you should be actually able to override allowed SSL/TLS versions at runtime. I'm going to try if I can make it work via that. |
|
Nope, sorry, no idea how to make it work. FWICS Python just issues |
|
Yup. We have this code that looks like it calls Python stdlib properly and it's manually verified. Will rely on shoulders of upstream. |
|
Do you want me to update the PR somehow or will you take it from here? |
|
@mgorny i found another recert in CI fixing branch, it has additional step to automation in extracting serial. If you don't mind and this version works for you (tests pass on my pc)? |
| if x509 is None: | ||
| raise Exception("x509_serial requires package cryptography installed") |
There was a problem hiding this comment.
I'm not sure if I follow the logic here but it seems that:
- on Python 3.6+, missing cryptography will cause an
ImportErrorabove - on older versions of Python, cryptography won't be loaded at all and this will unconditionally cause the relevant tests to fail
There was a problem hiding this comment.
cryptography was added to requirements-test so will be installed during test
for older versions there is if x509 condition with fallback to hardcoded cert serial that will go away after dropping py2
Newer Python versions have stronger TLS defaults, and therefore reject
the certificates currently used by the test suite. Regenerate them
to fix most of the test failures.
This also requires bumping the protocol versions used to test min/max
version attributes, as Python no longer allows TLS<1.2.
Unfortunately, test_min_tls_version still fails and I wasn't able to
figure out a way to fix it.
Issue #192