test_ssl failures with OpenSSL 1.0.0 #52569
When I compile and link against a local build of OpenSSL 1.0.0 (vanilla), I get the following errors in test_ssl:

```
======================================================================
Traceback (most recent call last):
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 869, in testProtocolSSL2
    tryProtocolCombo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 736, in tryProtocolCombo
    CERTFILE, CERTFILE, client_protocol, chatty=False)
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 688, in serverParamsTest
    raise test_support.TestFailed("Unexpected exception: " + str(x))
TestFailed: Unexpected exception: [Errno 104] Connection reset by peer
======================================================================
Traceback (most recent call last):
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 903, in testProtocolSSL3
    tryProtocolCombo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False)
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 745, in tryProtocolCombo
    ssl.get_protocol_name(server_protocol)))
TestFailed: Client protocol SSLv23 succeeded with server protocol SSLv3!
======================================================================
Traceback (most recent call last):
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 914, in testProtocolTLS1
    tryProtocolCombo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False)
  File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 745, in tryProtocolCombo
    ssl.get_protocol_name(server_protocol)))
TestFailed: Client protocol SSLv23 succeeded with server protocol TLSv1!
```
Extract of SSL_CTX_new manual page:

> SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
> A TLS/SSL connection established with these methods will understand

I don't think that "Client protocol SSLv23 succeeded with server protocol SSLv3" or "Client protocol SSLv23 succeeded with server protocol TLSv1" are errors.
It begs the question of why the tests succeed with previous OpenSSL versions.

> *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
All errors concern SSLv23 at server side, and another protocol at client side (SSLv23 for client and server works as expected).
After some investigation, the error does occur because of the aforementioned changelog entry (SSLv2 weak ciphers are now disabled by default). To check it I just added the following line to newPySSLObject():
Of course this isn't desirable: we shouldn't blindly enable weak ciphers. Instead we could simply add an argument to configure allowed ciphers, and use "ALL" in our tests. Or we could add a separate method to configure ciphers. (This begs the question of whether this is suitable post-beta1.) What do you think?
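As an added check in the spirit of the comment above (a reviewer's example, not code from this issue or from CPython's test suite): before putting "ALL" or any other cipher string into a test or an API default, list what it actually enables and flag the weak suites. It uses the modern `SSLContext` API, which did not exist when this issue was filed, and the weakness thresholds are the example's own choices.

```python
import ssl

# Reviewer-chosen thresholds for this example (not values from the issue):
# anything under 128-bit symmetric strength, any suite without authentication
# (Au=None, the aNULL group) or without encryption (Enc=None, the eNULL group),
# and RC4 are reported as weak.
MIN_STRENGTH_BITS = 128


def suites_for(cipher_string):
    """Return the suites OpenSSL enables for cipher_string as get_ciphers() dicts.

    Raises ValueError when the string selects no suite, which OpenSSL reports
    as "no cipher match".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError("%r selects no cipher suite: %s" % (cipher_string, exc)) from exc
    return ctx.get_ciphers()


def suite_names(cipher_string):
    """Just the OpenSSL names, in the order the context would offer them."""
    return [suite["name"] for suite in suites_for(cipher_string)]


def weak_suites(cipher_string):
    """(name, reason) for every suite in cipher_string that fails the thresholds above."""
    weak = []
    for suite in suites_for(cipher_string):
        reasons = []
        # description looks like "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1"
        desc = suite["description"]
        if suite["strength_bits"] < MIN_STRENGTH_BITS:
            reasons.append("%d-bit key" % suite["strength_bits"])
        if "Au=None" in desc:
            reasons.append("no authentication (aNULL)")
        if "Enc=None" in desc:
            reasons.append("no encryption (eNULL)")
        if "RC4" in suite["name"]:
            reasons.append("RC4")
        if reasons:
            weak.append((suite["name"], ", ".join(reasons)))
    return weak


if __name__ == "__main__":
    for cipher_string in ("DEFAULT", "ALL", "HIGH:!aNULL:!eNULL"):
        found = weak_suites(cipher_string)
        print("%-20s %3d suites, %d weak" % (cipher_string, len(suite_names(cipher_string)), len(found)))
        for name, reason in found:
            print("    %s: %s" % (name, reason))
```

What "ALL" reports depends on how the linked OpenSSL was built, which is exactly why a test that relies on it should state its cipher list explicitly rather than inherit the library default.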
Antoine Pitrou wrote:

List of ciphers is application dependent and configure script can't

Roumen
I was obviously talking about a runtime argument to ssl.wrap_socket().
A set_ciphers() method turns out to be highly impractical, since the underlying SSL objects are created lazily when we actually connect the socket.
New patch updating docs.
Committed in r80151 (trunk), r80154 (py3k).