Bug 1778357

Summary: python3: FTBFS with crypto-policies-20191002-1.gitc93dc99.fc32: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).maximum_version has changed
Product: [Fedora] Fedora Reporter: Miro Hrončok <mhroncok>
Component: python3Assignee: Python Maintainers <python-maint>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 32CC: cheimes, cstratak, dmalcolm, m.cyprian, mhroncok, pviktori, rkuska, shcherbina.iryna, slavek.kabrda, thrnciar, tmraz, tomspur, torsava, vstinner
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://koschei.fedoraproject.org/package/python3
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-01 13:04:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1750908    

Description Miro Hrončok 2019-11-30 09:08:10 UTC 
Description of problem:
Package python3 fails to build from source in Fedora rawhide.

======================================================================
FAIL: test_min_max_version (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.8.0/Lib/test/test_ssl.py", line 1207, in test_min_max_version
    self.assertEqual(
AssertionError: <TLSVersion.TLSv1_3: 772> != <TLSVersion.MAXIMUM_SUPPORTED: -1>
----------------------------------------------------------------------

Version-Release number of selected component (if applicable):
3.8.0-2.fc32

Steps to Reproduce:
koji build --scratch f32 python3-3.8.0-2.fc32.src.rpm

Additional info:
This package is tracked by Koschei. See:
https://koschei.fedoraproject.org/build/7322718

Koschei says glibc was updated: https://src.fedoraproject.org/rpms/glibc/c/17391589c0dd9b92cf9c61efee9b0f12d7d3d030?branch=master

Is that possibly related?
Comment 1 Miro Hrončok 2019-12-01 20:56:26 UTC 
I get a consistent result with glibc 2.30.9000-20.fc32. That was a red herring.

-------

However, I've bisected the problem to crypto-policies-20191002-1.gitc93dc99.fc32

https://src.fedoraproject.org/rpms/crypto-policies/c/b7ce8f783ce01feb997c7aee323b8276a52777c4?branch=master

https://koschei.fedoraproject.org/affected-by/crypto-policies?epoch1=0&version1=20191002&release1=1.gitc93dc99.fc32&epoch2=0&version2=20191128&release2=1.gitcd267a5.fc32&collection=f32



$ rpm -q crypto-policies
crypto-policies-20191002-1.gitc93dc99.fc32.noarch

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.MAXIMUM_SUPPORTED: -1>



$ dnf -qy update crypto-policies
$ rpm -q crypto-policies
crypto-policies-20191128-1.gitcd267a5.fc32.noarch

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.TLSv1_3: 772>





Tomáš, has there been a deliberate change or is it a regression? I don't see anything related in the changelog.


Thanks.
Comment 2 Tomas Mraz 2019-12-02 07:25:46 UTC 
Yes, this was a deliberate change. It is related to the addition of OSPP subpolicy which requires setting the MaxProtocol to TLSv1.2. Ideally this test in Python should be written in a way that it would not depend on system-wide settings.
Comment 3 Tomas Mraz 2019-12-02 07:26:23 UTC 
This is coming to RHEL-8.2 as well.
Comment 4 Miro Hrončok 2019-12-02 11:11:47 UTC 
Thanks.

I think this can be workarounded by reintroducing https://src.fedoraproject.org/rpms/python3/c/b33b4a5162e2b5873c5846dcba882f3569ab76cd?branch=master
Comment 5 Miro Hrončok 2019-12-02 12:13:36 UTC 
Indeed:

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.TLSv1_3: 772>

$ env OPENSSL_CONF=/non-existing-file python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.MAXIMUM_SUPPORTED: -1>
Comment 6 Miro Hrončok 2019-12-02 12:21:57 UTC 
First PR: https://src.fedoraproject.org/tests/python/pull-request/15
Comment 7 Miro Hrončok 2019-12-02 12:26:14 UTC 
Second PR: https://src.fedoraproject.org/rpms/python3/pull-request/155
Comment 8 Miro Hrončok 2019-12-03 17:58:10 UTC 
A workaround has been set. We keep this open until the fix is changed. It was done in upstream for the future versions of 3.9, 3.8 and 3.7.
Comment 9 Miro Hrončok 2019-12-03 17:59:45 UTC 
s/the fix is changed/the test is changed/
Comment 10 Ben Cotton 2020-02-11 17:42:21 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.
Comment 11 Petr Viktorin (pviktori) 2020-03-18 13:14:30 UTC 
We can probably drop the workaround now, someone needs to check & drop.
Comment 12 Tomáš Hrnčiar 2020-03-27 13:35:08 UTC 
PR to drop workaround, it works without it.
https://src.fedoraproject.org/rpms/python3/pull-request/180
https://src.fedoraproject.org/tests/python/pull-request/22