Tests assume cipher availability

[QuLogic]

These tests seem to assume the availability of a certain number of ciphers, but that does not appear portable:

_____________________________ test_connection_args _____________________________

    def test_connection_args():
        def basic_checks(ctx):
            assert ctx.verify_mode == ssl.CERT_REQUIRED
            assert ctx.check_hostname is False
    
        def many_ciphers(ctx):
            if sys.version_info >= (3, 6):
                assert len(ctx.get_ciphers()) > 2  # Most likely
    
        c = {
            'tls': {
                'ca-file': ca_file,
                'scheduler': {
                    'key': key1,
                    'cert': cert1,
                },
                'worker': {
                    'cert': keycert1,
                },
            },
        }
        with new_config(c):
            sec = Security()
    
        d = sec.get_connection_args('scheduler')
        assert not d['require_encryption']
        ctx = d['ssl_context']
        basic_checks(ctx)
        many_ciphers(ctx)
    
        d = sec.get_connection_args('worker')
        ctx = d['ssl_context']
        basic_checks(ctx)
        many_ciphers(ctx)
    
        # No cert defined => no TLS
        d = sec.get_connection_args('client')
        assert d.get('ssl_context') is None
    
        # With more settings
        c['tls']['ciphers'] = FORCED_CIPHER
        c['require-encryption'] = True
    
        with new_config(c):
            sec = Security()
    
        d = sec.get_listen_args('scheduler')
        assert d['require_encryption']
        ctx = d['ssl_context']
        basic_checks(ctx)
        if sys.version_info >= (3, 6):
            supported_ciphers = ctx.get_ciphers()
            tls_12_ciphers = [c for c in supported_ciphers if c['protocol'] == 'TLSv1.2']
            assert len(tls_12_ciphers) == 1
            tls_13_ciphers = [c for c in supported_ciphers if c['protocol'] == 'TLSv1.3']
            if len(tls_13_ciphers):
>               assert len(tls_13_ciphers) == 3
E               AssertionError: assert 4 == 3
E                +  where 4 = len([{'aead': True, 'alg_bits': 256, 'auth': 'auth-any', 'description': 'TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=an...auth': 'auth-any', 'description': 'TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD', ...}])

distributed/tests/test_security.py:217: AssertionError

_______________________________ test_listen_args _______________________________

    def test_listen_args():
        def basic_checks(ctx):
            assert ctx.verify_mode == ssl.CERT_REQUIRED
            assert ctx.check_hostname is False
    
        def many_ciphers(ctx):
            if sys.version_info >= (3, 6):
                assert len(ctx.get_ciphers()) > 2  # Most likely
    
        c = {
            'tls': {
                'ca-file': ca_file,
                'scheduler': {
                    'key': key1,
                    'cert': cert1,
                },
                'worker': {
                    'cert': keycert1,
                },
            },
        }
        with new_config(c):
            sec = Security()
    
        d = sec.get_listen_args('scheduler')
        assert not d['require_encryption']
        ctx = d['ssl_context']
        basic_checks(ctx)
        many_ciphers(ctx)
    
        d = sec.get_listen_args('worker')
        ctx = d['ssl_context']
        basic_checks(ctx)
        many_ciphers(ctx)
    
        # No cert defined => no TLS
        d = sec.get_listen_args('client')
        assert d.get('ssl_context') is None
    
        # With more settings
        c['tls']['ciphers'] = FORCED_CIPHER
        c['require-encryption'] = True
    
        with new_config(c):
            sec = Security()
    
        d = sec.get_listen_args('scheduler')
        assert d['require_encryption']
        ctx = d['ssl_context']
        basic_checks(ctx)
        if sys.version_info >= (3, 6):
            supported_ciphers = ctx.get_ciphers()
            tls_12_ciphers = [c for c in supported_ciphers if c['protocol'] == 'TLSv1.2']
            assert len(tls_12_ciphers) == 1
            tls_13_ciphers = [c for c in supported_ciphers if c['protocol'] == 'TLSv1.3']
            if len(tls_13_ciphers):
>               assert len(tls_13_ciphers) == 3
E               AssertionError: assert 4 == 3
E                +  where 4 = len([{'aead': True, 'alg_bits': 256, 'auth': 'auth-any', 'description': 'TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=an...auth': 'auth-any', 'description': 'TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD', ...}])

distributed/tests/test_security.py:276: AssertionError
--------------------------- Captured stderr teardown ---------------------------
distributed.comm.tcp - WARNING - Closing dangling stream in <TCP local=tcp://127.0.0.1:56680 remote=tcp://127.0.0.1:36091>

[mrocklin]

cc @mariusvniekerk if you're still comfortable as Dask's TLS Czar

[mrocklin]

cc @quasiben or @jcrist , perhaps the new TLS oligarchs?

[mariusvniekerk]

I'm guessing this is an openssl 1.x vs 1.1 thing

[mariusvniekerk]

@QuLogic do you still have some information what system you ran these tests on?

[QuLogic]

I don't have specifics, but it would have been whatever was in Fedora Rawhide at the time. I can try running again to get you more information, but 1.1 is generally what's in Fedora.

[QuLogic]

Ping?

I don't understand what the benefit is of a test asserting an exact number of ciphers when that is determined by externally managed libraries/tools.

[QuLogic]

Ping, again?

These are the only tests that fail on Fedora now.

[mrocklin]

cc @jcrist (although he is on paternal leave)

Maybe cc @marcosmoyano ?

[marcosmoyano]

@QuLogic do you know what supported_ciphers is in Fedora? Not sure why the check is against the exact number though.

[QuLogic]

Here are the locals in test_connection_args:

basic_checks = <function test_connection_args.<locals>.basic_checks at 0x7ff50fb3a160>
c          = {'distributed.comm.require-encryption': True,
 'distributed.comm.tls.ca-file': '/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-ca-cert.pem',
 'distributed.comm.tls.ciphers': 'ECDHE-RSA-AES128-GCM-SHA256',
 'distributed.comm.tls.scheduler.cert': '/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-cert.pem',
 'distributed.comm.tls.scheduler.key': '/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-key.pem',
 'distributed.comm.tls.worker.cert': '/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-key-cert.pem'}
ctx        = <ssl.SSLContext object at 0x7ff4dde29440>
d          = {'require_encryption': True,
 'ssl_context': <ssl.SSLContext object at 0x7ff4dde29440>}
sec        = Security(require_encryption=True, tls_ca_file='/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-ca-cert.pem', tls_ciphers='ECDHE-RSA-AES128-GCM-SHA256', tls_scheduler_cert='/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-cert.pem', tls_scheduler_key='/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-key.pem', tls_worker_cert='/builddir/build/BUILD/distributed-2021.07.2/distributed/tests/tls-key-cert.pem')

supported_ciphers = [{'aead': True,
  'alg_bits': 256,
  'auth': 'auth-any',
  'description': 'TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  '
                 'Enc=AESGCM(256) Mac=AEAD',
  'digest': None,
  'id': 50336514,
  'kea': 'kx-any',
  'name': 'TLS_AES_256_GCM_SHA384',
  'protocol': 'TLSv1.3',
  'strength_bits': 256,
  'symmetric': 'aes-256-gcm'},
 {'aead': True,
  'alg_bits': 256,
  'auth': 'auth-any',
  'description': 'TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  '
                 'Enc=CHACHA20/POLY1305(256) Mac=AEAD',
  'digest': None,
  'id': 50336515,
  'kea': 'kx-any',
  'name': 'TLS_CHACHA20_POLY1305_SHA256',
  'protocol': 'TLSv1.3',
  'strength_bits': 256,
  'symmetric': 'chacha20-poly1305'},
 {'aead': True,
  'alg_bits': 128,
  'auth': 'auth-any',
  'description': 'TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'digest': None,
  'id': 50336513,
  'kea': 'kx-any',
  'name': 'TLS_AES_128_GCM_SHA256',
  'protocol': 'TLSv1.3',
  'strength_bits': 128,
  'symmetric': 'aes-128-gcm'},
 {'aead': True,
  'alg_bits': 128,
  'auth': 'auth-any',
  'description': 'TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  '
                 'Enc=AESCCM(128) Mac=AEAD',
  'digest': None,
  'id': 50336516,
  'kea': 'kx-any',
  'name': 'TLS_AES_128_CCM_SHA256',
  'protocol': 'TLSv1.3',
  'strength_bits': 128,
  'symmetric': 'aes-128-ccm'},
 {'aead': True,
  'alg_bits': 128,
  'auth': 'auth-rsa',
  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'digest': None,
  'id': 50380847,
  'kea': 'kx-ecdhe',
  'name': 'ECDHE-RSA-AES128-GCM-SHA256',
  'protocol': 'TLSv1.2',
  'strength_bits': 128,
  'symmetric': 'aes-128-gcm'}]
tls_12_ciphers = [{'aead': True,
  'alg_bits': 128,
  'auth': 'auth-rsa',
  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'digest': None,
  'id': 50380847,
  'kea': 'kx-ecdhe',
  'name': 'ECDHE-RSA-AES128-GCM-SHA256',
  'protocol': 'TLSv1.2',
  'strength_bits': 128,
  'symmetric': 'aes-128-gcm'}]

tls_13_ciphers = [{'aead': True,
  'alg_bits': 256,
  'auth': 'auth-any',
  'description': 'TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  '
                 'Enc=AESGCM(256) Mac=AEAD',
  'digest': None,
  'id': 50336514,
  'kea': 'kx-any',
  'name': 'TLS_AES_256_GCM_SHA384',
  'protocol': 'TLSv1.3',
  'strength_bits': 256,
  'symmetric': 'aes-256-gcm'},
 {'aead': True,
  'alg_bits': 256,
  'auth': 'auth-any',
  'description': 'TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  '
                 'Enc=CHACHA20/POLY1305(256) Mac=AEAD',
  'digest': None,
  'id': 50336515,
  'kea': 'kx-any',
  'name': 'TLS_CHACHA20_POLY1305_SHA256',
  'protocol': 'TLSv1.3',
  'strength_bits': 256,
  'symmetric': 'chacha20-poly1305'},
 {'aead': True,
  'alg_bits': 128,
  'auth': 'auth-any',
  'description': 'TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'digest': None,
  'id': 50336513,
  'kea': 'kx-any',
  'name': 'TLS_AES_128_GCM_SHA256',
  'protocol': 'TLSv1.3',
  'strength_bits': 128,
  'symmetric': 'aes-128-gcm'},
 {'aead': True,
  'alg_bits': 128,
  'auth': 'auth-any',
  'description': 'TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  '
                 'Enc=AESCCM(128) Mac=AEAD',
  'digest': None,
  'id': 50336516,
  'kea': 'kx-any',
  'name': 'TLS_AES_128_CCM_SHA256',
  'protocol': 'TLSv1.3',
  'strength_bits': 128,
  'symmetric': 'aes-128-ccm'}]

[marcosmoyano]

Like I said before, I'm not sure why we check against the exact number of ciphers.
A simple change like this should fix the tests. It would still be checking the numbers but a little more permissive.

# from
assert len(tls_13_ciphers) in (0, 3)
# to
assert len(tls_13_ciphers) == 0 or len(tls_13_ciphers) >= 3