certificate verify fails in 2020-01-01 #735

Closed
bmwiedemann opened this issue Feb 6, 2018 · 5 comments

@bmwiedemann

For reproducible builds we need to test if software builds still produce the same result when building it later. However, for pyOpenSSL this is currently not possible, because parts of the test suite fail with:

Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

Failing tests are:

  • TestX509StoreContext.test_valid
  • TestX509StoreContext.test_reuse
  • TestX509StoreContext.test_modification_pre_verify
  • TestContext.test_add_extra_chain_cert
  • TestContext.test_use_certificate_chain_file_bytes
  • TestContext.test_use_certificate_chain_file_unicode

Also, independently of that, as a Linux distribution, we want to be able to ship updated versions of packages with added patches (even when upstream support expired) for up to 15 years.

Possible approaches:

  • generate CA and other certs on demand so they will be valid at the time of test
  • check the current time and expect those tests to fail
  • check the current time and skip those tests

@daa

daa commented Jun 21, 2018

Also, it's possible to set the time parameter of the X509 store and context, so that it is used to verify the certificate instead of the current time.
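
The approach described in the comment above, as an added example that is not part of the thread or of pyOpenSSL's own test suite: a self-signed certificate is verified with `X509Store.set_time` pinning the verification clock, so the outcome no longer depends on the build date. The certificate name, the validity window ending 2020-01-01 and the helper names are constructed for illustration.

```python
import datetime

from OpenSSL import crypto


def make_self_signed(not_before: bytes, not_after: bytes) -> crypto.X509:
    """Build a self-signed test certificate with a fixed validity window."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_serial_number(1)
    cert.get_subject().CN = "Constructed Test CA"  # constructed name
    cert.set_issuer(cert.get_subject())
    cert.set_notBefore(not_before)  # ASN.1 GENERALIZEDTIME, UTC
    cert.set_notAfter(not_after)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return cert


def verifies_at(cert: crypto.X509, when: datetime.datetime) -> bool:
    """Verify cert against itself as trust anchor with the clock pinned.

    `when` is a naive datetime interpreted as UTC. A fresh store per call
    keeps each check independent of any earlier set_time().
    """
    store = crypto.X509Store()
    store.add_cert(cert)
    store.set_time(when)  # used instead of the current system time
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False


# Constructed validity window that ends on the date from this issue.
CERT = make_self_signed(b"20100101000000Z", b"20200101000000Z")

if __name__ == "__main__":
    for day in (datetime.datetime(2019, 12, 31, 12),
                datetime.datetime(2020, 1, 1, 12)):
        result = "verifies" if verifies_at(CERT, day) else "rejected"
        print(day.isoformat(), result)
```

A test that pins the time this way keeps passing after the fixture expires, but it also stops exercising the real clock, so the expiry case should be asserted explicitly as well.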

@bmwiedemann
Author

TestContext.test_add_extra_chain_cert is already failing on 2020-01-01 (still works on 2019-12-31).

I am testing with python-pyOpenSSL-18.0.0 on openSUSE Tumbleweed.

@bmwiedemann
Author

Same problem with 19.0.0.

@reaperhulk
Member

We would accept a patch to fix this.

bmwiedemann changed the title from "certificate verify fails in 2030" to "certificate verify fails in 2020" on Feb 28, 2019
bmwiedemann changed the title from "certificate verify fails in 2020" to "certificate verify fails in 2020-01-01" on Feb 28, 2019
bmwiedemann added a commit to bmwiedemann/pyopenssl that referenced this issue Apr 12, 2019
Without this patch, TestX509StoreContext.test_valid and 5 other tests
would fail after 2020-01-01

Fixes pyca#735

This PR was done while working on reproducible builds for openSUSE.
bmwiedemann added a commit to bmwiedemann/pyopenssl that referenced this issue Jul 3, 2019
Without this patch, TestX509StoreContext.test_valid and 5 other tests
would fail after 2020-01-01

Fixes pyca#735

This PR was done while working on reproducible builds for openSUSE.

@bmwiedemann
Author

@alex fixed it in 675534c for #888

github-actions bot locked as resolved and limited conversation to collaborators on Aug 15, 2020