Python install test fails - OpenSSL - "dh key too small" #69173

Closed
nagle mannequin opened this issue Sep 2, 2015 · 2 comments
Labels
tests Tests in the Lib/test dir

Comments

nagle mannequin commented Sep 2, 2015

BPO 24985
Nosy @vadmium
Superseder
  • bpo-23844: test_ssl: fails on recent libressl version with BAD_DH_P_LENGTH
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2016-01-21.22:45:02.405>
    created_at = <Date 2015-09-02.19:58:15.720>
    labels = ['tests']
    title = 'Python install test fails - OpenSSL - "dh key too small"'
    updated_at = <Date 2016-01-21.22:45:02.397>
    user = 'https://bugs.python.org/nagle'

    bugs.python.org fields:

    activity = <Date 2016-01-21.22:45:02.397>
    actor = 'martin.panter'
    assignee = 'none'
    closed = True
    closed_date = <Date 2016-01-21.22:45:02.405>
    closer = 'martin.panter'
    components = ['Tests']
    creation = <Date 2015-09-02.19:58:15.720>
    creator = 'nagle'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 24985
    keywords = []
    message_count = 2.0
    messages = ['249566', '258777']
    nosy_count = 2.0
    nosy_names = ['nagle', 'martin.panter']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = 'resolved'
    status = 'closed'
    superseder = '23844'
    type = None
    url = 'https://bugs.python.org/issue24985'
    versions = ['Python 3.4']

    nagle mannequin commented Sep 2, 2015

    Installing Python 3.4.3 on a new CentOS Linux release 7.1.1503 server.
    Started with source tarball, did usual ./configure; make; make test
    SSL test fails with "dh key too small". See below.

    OpenSSL has recently been modified to reject short keys, due to a security vulnerability. See
    http://www.ubuntu.com/usn/usn-2639-1/
    and see here for an analysis of the issue on a Python install:
    http://www.alexrhino.net/jekyll/update/2015/07/14/dh-params-test-fail.html

    Apparently the "dh512.pem" file in the test suite is now obsolete, because the minimum length dh key is now 768.

    The question is, does this break anything else? Google for "dh key too small" and various other projects report problems.

    ======================================================================
    ERROR: test_dh_params (test.test_ssl.ThreadedTests)
    ----------------------------------------------------------------------

    Traceback (most recent call last):
      File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/test/test_ssl.py", line 2728, in test_dh_params
        chatty=True, connectionchatty=True)
      File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/test/test_ssl.py", line 1866, in server_params_test
        s.connect((HOST, server.port))
      File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line 846, in connect
        self._real_connect(addr, False)
      File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line 837, in _real_connect
        self.do_handshake()
      File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line 810, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:600)

    Ran 99 tests in 12.012s

    FAILED (errors=1, skipped=4)
    test test_ssl failed
    make: *** [test] Error 1

    ======================================================================

    @nagle nagle mannequin added the topic-installation label Sep 2, 2015
    vadmium commented Jan 21, 2016

    I suspect this is fixed in 3.4.4. The 512-bit file was replaced by a 1024-bit (or 2014-bit if you believe the commit message :) one in bpo-23844, revision 1ad7c0253abe.

    @vadmium vadmium added tests Tests in the Lib/test dir and removed topic-installation labels Jan 21, 2016
    @vadmium vadmium closed this as completed Jan 21, 2016
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
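
A size check for DH parameter files like the dh512.pem discussed in this thread, as an added example that is not part of the issue or of CPython's test suite: it parses the PKCS#3 `DH PARAMETERS` structure and compares the bit length of p against the 768-bit minimum quoted above. The function names and the sample parameters (a constructed, non-prime p) are assumptions made for the illustration.

```python
import base64

MIN_DH_BITS = 768  # minimum quoted in the report above
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dh_params_from_pem(pem):
    """Parse a PKCS#3 DH PARAMETERS block: SEQUENCE { INTEGER p, INTEGER g }."""
    body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_raw, pos = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, pos)
    if (tag_p, tag_g) != (0x02, 0x02):
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def check_dh_pem(pem, minimum=MIN_DH_BITS):
    """Return (bit length of p, True if it meets the minimum)."""
    bits = dh_params_from_pem(pem)[0].bit_length()
    return bits, bits >= minimum

def make_sample_pem(bits):
    """Constructed sample: p is NOT prime, only its size matters here."""
    def der(tag, value):
        n = len(value)
        size = (n.bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + value
    def integer(x):  # extra leading byte keeps the INTEGER positive
        return der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
    b64 = base64.b64encode(der(0x30, integer((1 << (bits - 1)) | 1) + integer(2))).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])

if __name__ == "__main__":
    for size in (512, 1024):
        print(size, check_dh_pem(make_sample_pem(size)))
```

Passing the text of a real parameter file to `check_dh_pem` reports whether it would fall under the minimum; the check looks only at the size of p, not at whether p is a safe prime.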