test_asyncio fails on RHEL8, or on Fedora using NEXT security policy #79533
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
assignee = None closed_at = <Date 2018-11-30.22:00:19.755> created_at = <Date 2018-11-29.16:13:50.599> labels = ['3.8', '3.7', 'tests', 'expert-asyncio'] title = 'test_asyncio fails on RHEL8, or on Fedora using NEXT security policy' updated_at = <Date 2018-11-30.22:00:19.753> user = 'https://github.com/stratakis'
activity = <Date 2018-11-30.22:00:19.753> actor = 'vstinner' assignee = 'none' closed = True closed_date = <Date 2018-11-30.22:00:19.755> closer = 'vstinner' components = ['Tests', 'asyncio'] creation = <Date 2018-11-29.16:13:50.599> creator = 'cstratak' dependencies =  files = ['47955', '47956', '47957'] hgrepos =  issue_num = 35352 keywords = ['patch'] message_count = 16.0 messages = ['330698', '330699', '330767', '330787', '330788', '330790', '330803', '330804', '330808', '330812', '330813', '330814', '330818', '330819', '330820', '330828'] nosy_count = 4.0 nosy_names = ['vstinner', 'asvetlov', 'yselivanov', 'cstratak'] pr_nums = ['10826', '10830', '10831', '10832', '10834'] priority = 'normal' resolution = 'fixed' stage = 'resolved' status = 'closed' superseder = None type = None url = 'https://bugs.python.org/issue35352' versions = ['Python 3.6', 'Python 3.7', 'Python 3.8']
It seems I can reproduce it on Fedora as well by setting stronger crypto defaults through 'update-crypto-policies --set FUTURE'.
Repo located here: https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/master
The changes are many, but if I compare with RHEL8, the minimal changes that could affect it are:
-# DH params size: >= 1023
-# TLS protocols: TLS >= 1.0
-@protocol_list = ('TLS1.3', 'TLS1.2', 'TLS1.1', 'TLS1.0', 'DTLS1.2', 'DTLS1.0');
- $min_tls_version = 'TLS1.0'; - min_dtls_version = 'DTLS1.0'; + $min_tls_version = 'TLS1.2'; + $min_dtls_version = 'DTLS1.2';
# Parameter sizes
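Review bot: the removed line `- min_dtls_version = 'DTLS1.0'` is missing the `$` sigil that its counterpart `+ $min_dtls_version = 'DTLS1.2'` and the neighbouring `$min_tls_version` lines carry; check whether the original line really lacked it or whether the sigil was lost when the hunk was pasted into the comment. The hunk also drops the `# DH params size: >= 1023` comment without a visible replacement, so the new DH floor cannot be read from this excerpt; only the TLS/DTLS minimum moving from 1.0 to 1.2 is fully shown.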
Maybe this is the reason.
Maybe bumping the protocol version used will help the tests pass on your box.
I believe I figured out the issue, at least on the master branch.
While checking the certificates used by the asyncio tests within the test_asyncio folder, I noticed they were quite outdated compared to the more recently updated ones within the test/ folder, which take into account the stronger crypto defaults introduced in the latest OpenSSL versions.
And by looking at 6d8c1ab#diff-a8e7dbb528601706db0f01d01332bb76 it seems that those certs are just copied from test/ within test_asyncio/. So by copying over the old certs, the tests actually pass.
The immediate workaround would be to just copy over the certs, but a better approach would be to just reuse the certs within the test/ folder instead of relying on copying them over to test_asyncio/.
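The diagnosis above is that the test_asyncio fixtures were rejected because their certificate parameters no longer met a stricter crypto policy, while the regenerated certificates under test/ did. A check a maintainer can run over a fixture directory before a policy change bites is to decode each PEM certificate and report the signature algorithm and RSA key size. The script below is an added example written for this page, not code from CPython or from the issue: it contains a minimal DER encoder/decoder so it runs offline without the `cryptography` package, and it builds its own constructed, unsigned dummy certificates to exercise the check. The `MIN_RSA_BITS` floor and the SHA-1 signature OID treated as weak are assumptions chosen to illustrate a strict policy, not values taken from crypto-policies or from this issue.

```python
"""Inspect PEM certificates for parameters a strict crypto policy may reject.

Added example for the asyncio test-certificate discussion; stdlib only.
"""
import base64
import re
from pathlib import Path

OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5"}   # assumption: SHA-1 signatures flagged
MIN_RSA_BITS = 2048                               # assumption: illustrative key-size floor

# --- minimal DER encoding (used only to construct sample certificates) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # One extra bit of room keeps positive integers from gaining a sign bit.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))

# --- minimal DER decoding (the actual inspection logic) ---
def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = der_read(buf, pos)
        yield tag, content

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def inspect_cert(pem):
    """Return signature algorithm, RSA key size and policy findings for one PEM cert."""
    _, cert_body, _ = der_read(pem_to_der(pem), 0)
    children = list(der_children(cert_body))      # TBSCertificate, sigAlg, signature
    tbs, sig_alg = children[0][1], children[1][1]
    sig_oid = decode_oid(next(der_children(sig_alg))[1])
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                      # skip optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]                           # serial, sigAlg, issuer, validity, subject, spki
    spki_alg, spki_key = [c for _, c in der_children(spki)]
    key_bits = None
    if decode_oid(next(der_children(spki_alg))[1]) == "1.2.840.113549.1.1.1":
        rsa_seq = der_read(spki_key[1:], 0)[1]    # drop BIT STRING unused-bits byte
        modulus = next(der_children(rsa_seq))[1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    findings = []
    if sig_oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"signature uses SHA-1 ({OID_NAMES[sig_oid]})")
    if key_bits is not None and key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {key_bits} bits (< {MIN_RSA_BITS})")
    return {"signature": OID_NAMES.get(sig_oid, sig_oid), "key_bits": key_bits, "findings": findings}

def scan_directory(path):
    """Inspect every *.pem file under path; returns {filename: result}."""
    return {p.name: inspect_cert(p.read_text()) for p in Path(path).glob("*.pem")}

def build_test_cert(modulus_bits, sig_oid):
    """Constructed, structurally valid but UNSIGNED dummy certificate for testing."""
    modulus = (1 << (modulus_bits - 1)) | 1       # exactly modulus_bits bits, not a real key
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_key))
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    name = der(0x30, b"")                          # empty Name, legal DER
    validity = der(0x30, der(0x17, b"181129000000Z") * 2)
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 17))   # fake signature bits
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for label, bits, oid in (("old-style", 1024, "1.2.840.113549.1.1.5"),
                             ("new-style", 3072, "1.2.840.113549.1.1.11")):
        print(label, inspect_cert(build_test_cert(bits, oid)))
```

Point `scan_directory()` at a fixtures folder such as the test_asyncio certificate directory to get one report per file; any entry with non-empty `findings` is a candidate for regeneration or for reuse of the shared certificates from test/ instead of a private copy.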
RHEL8 has a very strict security policy by default. I'm not sure if any OS run on buildbot has a security policy as strict as RHEL8?
I tried to tune the SSLContext in many different ways but it doesn't work. The problem comes from the .pem files.
In this case, I don't see the point of having two copies of the same files.
I tested on Fedora 29 using:
sudo update-crypto-policies --set NEXT
With this config, I was able to reproduce the test_asyncio failure on 3.6, 3.7 and master branches.
I confirm that the commits fixed test_asyncio in these 3 branches. Thanks Charalampos Stratakis!