Bug 1907429

Summary: Re-add NPN bindings for PyOpenSSL
Product: Red Hat Enterprise Linux 8
Reporter: Christian Heimes <cheimes>
Component: python-cryptography
Assignee: Christian Heimes <cheimes>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 8.4
CC: asosedki, ssidhaye
Target Milestone: rc
Keywords: TestCaseProvided, Triaged
Target Release: 8.4
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-cryptography-3.2.1-3.el8
Doc Type: No Doc Update
Last Closed: 2021-05-18 14:52:08 UTC
Type: Bug
Bug Blocks: 1873581

Description Christian Heimes 2020-12-14 13:56:40 UTC
Description of problem:
PyCA cryptography upstream removed NPN bindings in commit https://github.com/pyca/cryptography/commit/99bf4e4605cbe54bad597da1ebe4cc323909083c . The NPN bindings are used and tested by python3-pyOpenSSL-19.0.0-1.el8 beaker tests.

Version-Release number of selected component (if applicable):
python-cryptography-3.2.1-2.el8

How reproducible:
always

Steps to Reproduce:
$ python3
>>> from cryptography.hazmat.bindings.openssl.binding import lib
>>> lib.Cryptography_HAS_NEXTPROTONEG

Actual results:
0 (means bindings are missing)

Expected results:
1 (means bindings are available)

Additional info:

PyOpenSSL tests are failing with errors like:

__________________ TestNextProtoNegotiation.test_npn_success ___________________

self = <tests.test_ssl.TestNextProtoNegotiation object at 0x7f29848d1b00>

    def test_npn_success(self):
        """
        Tests that clients and servers that agree on the negotiated next
        protocol can correct establish a connection, and that the agreed
        protocol is reported by the connections.
        """
        advertise_args = []
        select_args = []
    
        def advertise(conn):
            advertise_args.append((conn,))
            return [b'http/1.1', b'spdy/2']
    
        def select(conn, options):
            select_args.append((conn, options))
            return b'spdy/2'
    
        server_context = Context(TLSv1_METHOD)
>       server_context.set_npn_advertise_callback(advertise)

tests/test_ssl.py:1751: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

args = (<OpenSSL.SSL.Context object at 0x7f2984585278>, <function TestNextProtoNegotiation.test_npn_success.<locals>.advertise at 0x7f29840ac6a8>)
kwargs = {}

    @wraps(func)
    def explode(*args, **kwargs):
>       raise NotImplementedError(error)
E       NotImplementedError: NPN not available

/usr/lib/python3.6/site-packages/OpenSSL/SSL.py:645: NotImplementedError
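
Added example, not part of the original bug report or of either project's code: a preflight check that classifies the NPN state of the bindings before the pyOpenSSL tests are run, distinguishing a flag of 0 from a flag that is absent altogether. The symbol list in NPN_SYMBOLS and the helper names npn_status and constructed_lib are assumptions made for this illustration.

```python
import sys
from types import SimpleNamespace

# NPN entry points pyOpenSSL calls through the bindings (assumed list).
NPN_SYMBOLS = (
    "SSL_CTX_set_next_protos_advertised_cb",
    "SSL_CTX_set_next_proto_select_cb",
    "SSL_get0_next_proto_negotiated",
)


def npn_status(lib):
    """Return (state, missing) for a bindings object.

    state is 'no-flag' when Cryptography_HAS_NEXTPROTONEG is absent,
    'disabled' when it is 0, 'incomplete' when it is 1 but an NPN
    symbol is missing, and 'available' otherwise.
    """
    missing = [s for s in NPN_SYMBOLS if getattr(lib, s, None) is None]
    flag = getattr(lib, "Cryptography_HAS_NEXTPROTONEG", None)
    if flag is None:
        return "no-flag", missing
    if not flag:
        return "disabled", missing
    return ("incomplete" if missing else "available"), missing


def constructed_lib(flag, symbols=()):
    """Build a stand-in bindings object (constructed sample, not real)."""
    attrs = {name: (lambda *a: None) for name in symbols}
    if flag is not None:
        attrs["Cryptography_HAS_NEXTPROTONEG"] = flag
    return SimpleNamespace(**attrs)


def main():
    try:
        from cryptography.hazmat.bindings.openssl.binding import lib
    except ImportError:
        print("python3-cryptography is not installed")
        return 2
    state, missing = npn_status(lib)
    print("NPN bindings: %s" % state)
    for name in missing:
        print("  missing: %s" % name)
    return 0 if state == "available" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a script, it exits 0 only when the flag is 1 and every listed symbol resolves, so it can gate a test job.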

Comment 11 Sumedh Sidhaye 2021-01-11 09:19:21 UTC
Build used for initial verification:

Package:
[root@ci-vm-10-0-137-196 test]# rpm -q python3-cryptography
python3-cryptography-3.2.1-3.el8.x86_64


Test Repo:
[root@ci-vm-10-0-137-196 test]# grep -nr baseurl /etc/yum.repos.d/rhel84test.repo 
3:baseurl=http://artifacts.osci.redhat.com/comp/rhel-8.4.0-mbs/9328-1108-idm/BaseOS/x86_64/os/
9:baseurl=http://artifacts.osci.redhat.com/comp/rhel-8.4.0-mbs/9328-1108-idm/AppStream/x86_64/os/
[root@ci-vm-10-0-137-196 test]# 

Verification:

[root@ci-vm-10-0-137-196 test]# python3
Python 3.6.8 (default, Dec  7 2020, 09:56:35) 
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography.hazmat.bindings.openssl.binding import lib
>>> lib.Cryptography_HAS_NEXTPROTONEG
1
>>> 
>>> 

-----------------------------------------

Reproducer:

[root@ci-vm-10-0-138-218 test]# dnf list python3-cryptography
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Last metadata expiration check: 0:08:00 ago on Monday 11 January 2021 03:17:00 AM EST.
Installed Packages
python3-cryptography.x86_64                                                   3.2.1-1.el8                                                    @rhel
[root@ci-vm-10-0-138-218 test]# python3
Python 3.6.8 (default, Dec  7 2020, 09:56:35) 
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography.hazmat.bindings.openssl.binding import lib
>>> lib.Cryptography_HAS_NEXTPROTONEG
0
>>>

Comment 12 Sumedh Sidhaye 2021-01-13 09:05:09 UTC
Build used for verification:

[root@ci-vm-10-0-139-212 ~]# rpm -q python3-cryptography
python3-cryptography-3.2.1-3.el8.x86_64


Compose ID:
RHEL-8.4.0-20210112.n.0

Repo:
http://download.eng.bos.redhat.com/rhel-8/nightly/RHEL-8/RHEL-8.4.0-20210112.n.0/compose/AppStream/x86_64/os/

Test Steps:

[root@ci-vm-10-0-139-212 ~]# python3
Python 3.6.8 (default, Dec  7 2020, 09:56:35) 
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography.hazmat.bindings.openssl.binding import lib
>>> lib.Cryptography_HAS_NEXTPROTONEG
1
>>> 
[root@ci-vm-10-0-139-212 ~]# rpm -q python3-cryptography
python3-cryptography-3.2.1-3.el8.x86_64
[root@ci-vm-10-0-139-212 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
[root@ci-vm-10-0-139-212 ~]#

Comment 14 errata-xmlrpc 2021-05-18 14:52:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: python-cryptography security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1608