test_asyncio fails on RHEL8, or on Fedora using NEXT security policy #79533
When compiling python3 on RHEL8 and running the tests, test_asyncio fails with 8 failures (and more on older branches). The openssl version is 1.1.1. Attaching the failures for the various branches.

Seems that 3.8 and 3.7 get the same failures, while 3.6 gets 14 instead of 8.

The strange thing is that these tests pass on our build bots. In the logs I see only ConnectionResetError. Can it be related to your configuration?
It seems I can reproduce it on Fedora as well by setting stronger crypto defaults through 'update-crypto-policies --set FUTURE'. Repo located here: https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/master

The changes are many, but if I compare with RHEL8, the minimal changes that could affect it are:

-# DH params size: >= 1023
-# TLS protocols: TLS >= 1.0
-@protocol_list = ('TLS1.3', 'TLS1.2', 'TLS1.1', 'TLS1.0', 'DTLS1.2', 'DTLS1.0');
- $min_tls_version = 'TLS1.0';
- min_dtls_version = 'DTLS1.0';
+ $min_tls_version = 'TLS1.2';
+ $min_dtls_version = 'DTLS1.2'; # Parameter sizes
Maybe this is the reason. Maybe bumping the used protocol version will help to pass the tests on your box.

I believe I figured out the issue, at least on the master branch. While checking the certificates used by the asyncio tests within the test_asyncio folder, I noticed they were quite outdated when compared to the more recently updated ones within the test/ folder, which take into account the stronger crypto defaults introduced in the latest openssl versions. And by looking at 6d8c1ab#diff-a8e7dbb528601706db0f01d01332bb76 it seems that those certs are just copied from test/ into test_asyncio/. So by copying over the old certs, the tests actually pass. The immediate workaround would be to just copy over the certs, but a better approach would be to reuse the certs within the test/ folder instead of relying on copying them over to test_asyncio/.

RHEL8 has a very strict security policy by default. I'm not sure if any OS running on a buildbot has a security policy as strict as RHEL8?

I tried to tune the SSLContext in many different ways but it doesn't work. The problem comes from the .pem files. I confirm that copying the .pem files from Lib/test/ into Lib/test/test_asyncio/ does fix the issue.

In this case, I don't see the point of having two copies of the same files. PR 10826 does the right fix: remove the .pem files from Lib/test/test_asyncio/ and reuse the .pem files from Lib/test/.

Also, on Fedora the same security policy as RHEL8 can be set by utilizing 'update-crypto-policies --set NEXT'.

IIRC the two copies exist from very early development times when asyncio was not a part of the Python stdlib.

Yeah, that was my guess as well. Maybe data_file() could be simplified or replaced by support.findfile(), but I chose the easy solution (minimize changes) :-)

I leave the issue open until someone validates manually that the issue is fixed in all branches with stricter security (ex: RHEL8).

I tested on Fedora 29 using:

sudo update-crypto-policies --set NEXT

With this config, I was able to reproduce the test_asyncio failure on the 3.6, 3.7 and master branches. I confirm that the commits fixed test_asyncio in these 3 branches. Thanks Charalampos Stratakis!