https://apps.fedoraproject.org/koschei/build/5052601

I blame openssl update from 1:1.1.0h-5.fc29 to 1:1.1.1-0.pre8.fc29.

Upstream issue for OpenSSL 1.1.1 support is at https://bugs.python.org/issue32947 yet it is supposed to work on 3.7.

Test failure:

Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.7.0/Lib/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 228, in run
    asyncore.loop(timeout=0.1, count=1)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 207, in loop
    poll_fun(timeout, map)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 150, in poll
    read(obj)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 87, in read
    obj.handle_error()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 83, in read
    obj.handle_read_event()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 422, in handle_read_event
    self.handle_read()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 193, in handle_read
    self._do_tls_handshake()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 172, in _do_tls_handshake
    self.socket.do_handshake()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] bad record type (_ssl.c:1045)
Warning -- threading_cleanup() failed to cleanup 0 threads (count: 0, dangling: 2)
Dangling thread: <_MainThread(MainThread, started 281473127377536)>
Dangling thread: <test.test_poplib.DummyPOP3Server localhost:0 at 0xffff665e38e0>
Warning -- threading._dangling was modified by test_poplib
  Before: <_weakrefset.WeakSet object at 0xffff6631a608>
  After: <_weakrefset.WeakSet object at 0xffff65aa2128>
test test_poplib failed
ok
======================================================================
ERROR: test_stls_context (test.test_poplib.TestPOP3Class)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 377, in test_stls_context
    self.client = poplib.POP3("localhost", self.server.port, timeout=3)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/poplib.py", line 102, in __init__
    self.sock = self._create_socket(timeout)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/poplib.py", line 108, in _create_socket
    return socket.create_connection((self.host, self.port), timeout)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/socket.py", line 727, in create_connection
    raise err
  File "/builddir/build/BUILD/Python-3.7.0/Lib/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
======================================================================
ERROR: test_stls_context (test.test_poplib.TestPOP3Class)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 261, in tearDown
    self.client.close()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/poplib.py", line 290, in close
    sock.shutdown(socket.SHUT_RDWR)
OSError: [Errno 9] Bad file descriptor
----------------------------------------------------------------------
Ran 71 tests in 6.347s
FAILED (errors=2)
2 tests failed again: test_ftplib test_poplib
== Tests result: FAILURE then FAILURE ==
392 tests OK.
10 slowest tests:
- test_weakref: 7 min 9 sec
- test_multiprocessing_spawn: 4 min 33 sec
- test_asyncio: 4 min 20 sec
- test_concurrent_futures: 3 min 28 sec
- test_multiprocessing_forkserver: 3 min 16 sec
- test_subprocess: 2 min 14 sec
- test_gdb: 2 min 13 sec
- test_lib2to3: 2 min 7 sec
- test_multiprocessing_fork: 2 min 6 sec
- test_io: 1 min 48 sec
2 tests failed: test_ftplib test_poplib
20 tests skipped: test_curses test_devpoll test_ioctl test_kqueue test_msilib test_ossaudiodev test_smtpnet test_socketserver test_startfile test_timeout test_tix test_tk test_ttk_guionly test_urllib2net test_urllibnet test_winconsoleio test_winreg test_winsound test_xmlrpc_net test_zipfile64
2 re-run tests: test_ftplib test_poplib
Total duration: 1 hour 16 min
Tests result: FAILURE then FAILURE
python36: https://apps.fedoraproject.org/koschei/build/5052600

Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
BrokenPipeError: [Errno 32] Broken pipe
FAIL
test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding. ...
 server: new connection from ('127.0.0.1', 57400)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 got channel binding data: b'\x7fk\xf2uSO\xd4"v\x96\x93e'
 server: new connection from ('127.0.0.1', 57402)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 got another channel binding data: b'\xc5\x8b\xf6\xf7g\xca\xd5\xfdZ\xa6\x8a\x9d'
ok
test_version_basic (test.test_ssl.ThreadedTests) ... ok
test_wrong_cert (test.test_ssl.ThreadedTests)
Connecting when the server rejects the client's certificate ...
Exception in thread Thread-3165: Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/threading.py", line 916, in _bootstrap_inner self.run() File "/builddir/build/BUILD/Python-3.6.6/Lib/threading.py", line 864, in run self._target(*self._args, **self._kwargs) File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3058, in serve remote, peer = server.accept() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1072, in accept server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() BrokenPipeError: [Errno 32] Broken pipe test test_ssl failed SSLError is SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)') ok ====================================================================== ERROR: test_ciphers (test.test_ssl.SimpleBackgroundTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1683, in test_ciphers s.connect(self.server_addr) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect self._real_connect(addr, False) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1047, in _real_connect self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ConnectionResetError: [Errno 104] Connection reset by peer ====================================================================== ERROR: 
test_connect (test.test_ssl.SimpleBackgroundTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1508, in test_connect s.connect(self.server_addr) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect self._real_connect(addr, False) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1043, in _real_connect socket.connect(self, addr) ConnectionRefusedError: [Errno 111] Connection refused ====================================================================== ERROR: test_connect_cadata (test.test_ssl.SimpleBackgroundTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1625, in test_connect_cadata s.connect(self.server_addr) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect self._real_connect(addr, False) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1043, in _real_connect socket.connect(self, addr) ConnectionRefusedError: [Errno 111] Connection refused ====================================================================== ERROR: test_connect_capath (test.test_ssl.SimpleBackgroundTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1604, in test_connect_capath s.connect(self.server_addr) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect self._real_connect(addr, False) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1043, in _real_connect socket.connect(self, addr) ConnectionRefusedError: [Errno 111] Connection refused ====================================================================== ERROR: test_connect_with_context (test.test_ssl.SimpleBackgroundTests) 
---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1566, in test_connect_with_context s.connect(self.server_addr) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect self._real_connect(addr, False) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1047, in _real_connect self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ConnectionResetError: [Errno 104] Connection reset by peer ====================================================================== ERROR: test_get_server_certificate (test.test_ssl.SimpleBackgroundTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1670, in test_get_server_certificate _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA) File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1830, in _test_get_server_certificate pem = ssl.get_server_certificate((host, port), ca_certs=cert) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1178, in get_server_certificate with create_connection(addr) as sock: File "/builddir/build/BUILD/Python-3.6.6/Lib/socket.py", line 724, in create_connection raise err File "/builddir/build/BUILD/Python-3.6.6/Lib/socket.py", line 713, in create_connection sock.connect(sa) ConnectionRefusedError: [Errno 111] Connection refused ====================================================================== ERROR: test_server_accept (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File 
"/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3070, in test_server_accept remote.close() AttributeError: 'NoneType' object has no attribute 'close' ====================================================================== FAIL: test_options (test.test_ssl.ContextTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 922, in test_options self.assertEqual(default, ctx.options) AssertionError: <Opti[26 chars]CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION: 2185363540> != <Opti[26 chars]CIPHER_SERVER_PREFERENCE|1048576|OP_NO_COMPRESSION: 2186412116> ====================================================================== FAIL: test_default_ciphers (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3102, in test_default_ciphers s.connect((HOST, server.port)) AssertionError: OSError not raised ====================================================================== FAIL: test_shared_ciphers (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3474, in test_shared_ciphers self.fail(name) AssertionError: TLS_AES_256_GCM_SHA384 ====================================================================== FAIL: test_tls1_3 (test.test_ssl.ThreadedTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3135, in test_tls1_3 'TLS13-AES-128-GCM-SHA256', AssertionError: 'TLS_AES_256_GCM_SHA384' not found in ['TLS13-AES-256-GCM-SHA384', 'TLS13-CHACHA20-POLY1305-SHA256', 'TLS13-AES-128-GCM-SHA256'] 
----------------------------------------------------------------------
Ran 126 tests in 2.038s
FAILED (failures=4, errors=7, skipped=8)
3 tests failed again: test_asyncio test_ftplib test_ssl
== Tests result: FAILURE then FAILURE ==
383 tests OK.
10 slowest tests:
- test_multiprocessing_spawn: 1 min 31 sec
- test_multiprocessing_forkserver: 1 min 16 sec
- test_multiprocessing_fork: 1 min 14 sec
- test_concurrent_futures: 1 min 4 sec
- test_subprocess: 1 min 1 sec
- test_io: 38 sec
- test_socket: 25 sec
- test_signal: 22 sec
- test_faulthandler: 20 sec
- test_logging: 19 sec
3 tests failed: test_asyncio test_ftplib test_ssl
20 tests skipped: test_curses test_devpoll test_ioctl test_kqueue test_msilib test_ossaudiodev test_smtpnet test_socketserver test_startfile test_timeout test_tix test_tk test_ttk_guionly test_urllib2net test_urllibnet test_winconsoleio test_winreg test_winsound test_xmlrpc_net test_zipfile64
3 re-run tests: test_asyncio test_ftplib test_ssl
Total duration: 18 min 31 sec
Tests result: FAILURE then FAILURE

python35: https://apps.fedoraproject.org/koschei/build/5050991
python2: https://apps.fedoraproject.org/koschei/build/5054975
python34 and python26 use compat-openssl10-devel
The python3 koschei entry is deleted, corresponding task is https://koji.fedoraproject.org/koji/taskinfo?taskID=28608653
https://github.com/openssl/openssl/issues/6933
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
I'm working on OpenSSL 1.1.1 compatibility for OpenSSL 1.1.1-pre9 (not yet released) and Python 3.7.1, 3.6.7, and 2.7.16 (not yet released). Related fixes are:

https://github.com/python/cpython/pull/8760
https://github.com/python/cpython/pull/8761
https://github.com/python/cpython/pull/8762
https://github.com/openssl/openssl/pull/6340
https://github.com/openssl/openssl/pull/6938
https://github.com/python/cpython/pull/8787 fixes the last outstanding failing test.
https://github.com/python/cpython/pull/8787 fixes the test yet I'm unsure what else should be applied. I've added https://github.com/python/cpython/pull/8762 as well and everything else seems to be part of 3.7 already, yet the tests fail anyway: https://koji.fedoraproject.org/koji/taskinfo?taskID=29119308
Fedora 29 sets TLSv1 as explicit minimum version. Python's test suite assumes that the minimum protocol version is set to a magic marker. You can fix the test problem by setting

    export OPENSSL_CONF=/non-existing-file

The test_poplib error is new to me. I'm investigating now.
I can reproduce the failing test_poplib test with OpenSSL 1.1.1-pre8 but not with latest git. The problem was addressed in OpenSSL, but I'm not sure which commit fixed it. Several commits address handshake, WANT_READ, and TLS alerts. Wireshark shows an unencrypted TLS Alert of type 42 (bad certificate). I think the patch:

From de9e884b2f43c59834c2b1c3cfde35fa2c797f2b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt>
Date: Tue, 7 Aug 2018 12:40:08 +0100
Subject: [PATCH 243/263] Tolerate encrypted or plaintext alerts

should fix that issue.

The test scenario is:

* client connects to server
* handshake fails on client side, because certificate hostname does not match
* client hard-kills TCP connection
* server side fails in "do_handshake" with error "ssl.SSLError: [SSL] bad record type (_ssl.c:1044)"
https://github.com/openssl/openssl/commit/de9e884b2f43c59834c2b1c3cfde35fa2c797f2b
Tomáš, can we get that into openssl package please?
Workaround for test_poplib until openssl package is rebased to 1.1.1-pre9: diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py index 20d4eeac12..a0c683bbcf 100644 --- a/Lib/test/test_poplib.py +++ b/Lib/test/test_poplib.py @@ -178,7 +178,8 @@ class DummyPOP3Handler(asynchat.async_chat): return self.handle_close() # TODO: SSLError does not expose alert information elif ("SSLV3_ALERT_BAD_CERTIFICATE" in err.args[1] or - "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1]): + "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1] or + "bad record type" in err.args[1]): return self.handle_close() raise except OSError as err:
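Review bot: the added "bad record type" in err.args[1] condition in DummyPOP3Handler matches on free-form error text, so the dummy server now closes quietly on any SSLError whose message contains that phrase, not only the plaintext-alert case this workaround targets. Since the change is meant to last only until the openssl package is rebased to 1.1.1-pre9, put a comment next to the new condition naming that rebase so the branch is dropped afterwards; the existing TODO about SSLError not exposing alert information already covers why a substring test is used at all.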
Current status:

* python3 builds
* everything else switched to compat-openssl10-devel
(In reply to Miro Hrončok from comment #13)
> Current status:
>
> * everything else switched to compat-openssl10-devel

What is "everything else"? Nothing should use compat-openssl10-devel except legacy applications (no libraries!) that do not have support for OpenSSL-1.1 API.

Also please note that openssl was already updated to 1.1.1-pre9 in F29+
"Everything else" is Pythons: 2.6, 2.7, 3.4, 3.5, 3.6. If this breaking change would have been communicated better and there was time, we could have fixed at least 3.6 and 2.7. But as for now, we could not have afforded having FTBFSes so close to Beta freeze and Bodhi activation point. It blocked other bugfixes. Feel free to send Pull Requests that switch away from compat-openssl10-devel.
OK, but then I put hands off of any problem reports with having compat-openssl10 used by these Python versions. Also the compat-openssl10 will be orphaned soon in Rawhide and unless someone steps up to maintain it, it will be retired. (It would not be a particularly good idea to have it in Fedora past 2019-12-31 anyway but that date is still quite far from the Fedora POV.)
Please do not put hands off problems introduced by this unannounced breaking bump of the openssl package.

There is no openssl breaking update mentioned in https://fedoraproject.org/wiki/Releases/29/ChangeSet

Anything slightly related I see is https://fedoraproject.org/wiki/Changes/GnuTLS-TLS1.3 yet that one says "That change should have no impact on upgrade or compatibility. The TLS 1.3 protocol is designed in a way that does not cause incompatibility issues with existing (and even broken) implementations."

We don't have resources to fix this properly in F29 time frame.

----

If you retire compat-openssl10 we might very well need to retire python2 and watch the fireworks :D

Now, seriously: 2.6, 3.4, 3.5, 3.6 are used for developers only and if there are problems with openssl, we don't really care much. However we'll need compat-openssl10-devel for them to build. (Chances are, upstream changes will be done in 3.6 for us to backport (or even get in 3.6.7).)

The story is much different for 2.7, because half of infra tools and the entire QA runs on it. If running on compat-openssl10 is dangerous, by extension running anything on python2 is dangerous as well.
The proper fix is to disable TLS-1.3 support when building legacy software against the new openssl-1.1.1 as I said previously. There are multiple ways how to do that but of course it requires patching the code (fairly trivially). If something already built against openssl-1.1.0, switching it to build against compat-openssl10 is a regression.
> There are multiple ways how to do that but of course it requires patching the code (fairly trivially)

Please help. It might be trivial for you, it is not for me.

> If something already built against openssl-1.1.0, switching it to build against compat-openssl10 is a regression.

It built in Fedora 28. It doesn't for Fedora 29.
I think I already mentioned it elsewhere. When calling SSL_CTX_new() just call

    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);

on the returned ctx.
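The option named in the comment above is exposed in Python's ssl module as ssl.OP_NO_TLSv1_3. The following is an added example, not code from this bug report or from CPython; the helper names and the "localhost" server name are assumptions. It builds a client ClientHello in memory and parses its supported_versions extension to confirm that TLS 1.3 (0x0304) is no longer offered once the option is set:

```python
import ssl
import struct
import warnings

TLS13 = 0x0304                 # wire value of TLS 1.3
EXT_SUPPORTED_VERSIONS = 43    # extension type of supported_versions


def client_hello(disable_tls13):
    """Return the raw first flight (ClientHello record) of a client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_tls13:
        # Python spelling of SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3).
        # Newer Pythons flag the OP_NO_* options as deprecated; the warning
        # is silenced so the example mirrors the C-level call discussed here.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.options |= ssl.OP_NO_TLSv1_3
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "localhost" is a placeholder name; nothing is resolved or connected.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="localhost")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and no server answers
    return outgoing.read()


def offered_versions(record):
    """Parse a ClientHello record and list the supported_versions entries.

    Returns an empty list when the extension is absent, which is how a
    client that cannot negotiate TLS 1.3 presents itself.
    """
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4                    # record header + handshake header
    pos += 2 + 32                  # legacy_version + random
    pos += 1 + record[pos]         # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]         # compression_methods
    if pos + 2 > len(record):
        return []                  # ClientHello without extensions
    end = min(len(record), pos + 2 + struct.unpack_from("!H", record, pos)[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS:
            count = record[pos] // 2          # one-byte list length
            return list(struct.unpack_from("!%dH" % count, record, pos + 1))
        pos += ext_len
    return []


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for flag in (False, True):
        versions = offered_versions(client_hello(flag))
        print("OP_NO_TLSv1_3 set:", flag,
              "offered:", [hex(v) for v in versions])
```
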
Thank you. Will try.
Note: the trivial change breaks the tests. Trying to fight that with -DOPENSSL_NO_TLS1_3 and also OPENSSL_CONF=/non-existing-file.
So much for trivial changes: test_ssl: testing with 'OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018' (1, 1, 1, 0, 15) under Linux ('Fedora', '29', 'Rawhide') HAS_SNI = True OP_ALL = 0x80000054 OP_NO_TLSv1_1 = 0x10000000 test__create_stdlib_context (test.test_ssl.ContextTests) ... ok test_cert_store_stats (test.test_ssl.ContextTests) ... ok test_check_hostname (test.test_ssl.ContextTests) ... ok test_ciphers (test.test_ssl.ContextTests) ... ok test_constructor (test.test_ssl.ContextTests) ... ok test_context_client_server (test.test_ssl.ContextTests) ... ok test_create_default_context (test.test_ssl.ContextTests) ... ok test_get_ca_certs (test.test_ssl.ContextTests) ... ok test_get_ciphers (test.test_ssl.ContextTests) ... ok test_load_cert_chain (test.test_ssl.ContextTests) ... ok test_load_default_certs (test.test_ssl.ContextTests) ... ok test_load_default_certs_env (test.test_ssl.ContextTests) ... ok test_load_default_certs_env_windows (test.test_ssl.ContextTests) ... skipped 'Windows specific' test_load_dh_params (test.test_ssl.ContextTests) ... ok test_load_verify_cadata (test.test_ssl.ContextTests) ... ok test_load_verify_locations (test.test_ssl.ContextTests) ... ok test_options (test.test_ssl.ContextTests) ... FAIL test_protocol (test.test_ssl.ContextTests) ... ok test_python_ciphers (test.test_ssl.ContextTests) ... skipped 'Test applies only to Python default ciphers' test_session_stats (test.test_ssl.ContextTests) ... ok test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok test_sni_callback (test.test_ssl.ContextTests) ... ok test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok test_verify_flags (test.test_ssl.ContextTests) ... ok test_verify_mode (test.test_ssl.ContextTests) ... ok test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok test_asn1object (test.test_ssl.BasicSocketTests) ... ok test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... 
ok test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ... skipped 'locale-specific month name needs to be different from C locale' test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok test_connect_ex_error (test.test_ssl.BasicSocketTests) ... ok test_constants (test.test_ssl.BasicSocketTests) ... ok test_dealloc_warn (test.test_ssl.BasicSocketTests) ... ok test_empty_cert (test.test_ssl.BasicSocketTests) Wrapping with an empty cert file ... ok test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific' test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific' test_errors_sslwrap (test.test_ssl.BasicSocketTests) ... ok test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok test_malformed_cert (test.test_ssl.BasicSocketTests) Wrapping with a badly formatted certificate (syntax error) ... ok test_malformed_key (test.test_ssl.BasicSocketTests) Wrapping with a badly formatted key (syntax error) ... ok test_match_hostname (test.test_ssl.BasicSocketTests) ... ok test_openssl_version (test.test_ssl.BasicSocketTests) ... ok test_parse_all_sans (test.test_ssl.BasicSocketTests) ... ok test_parse_cert (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', 'XY'),), (('localityName', 'Castle Anthrax'),), (('organizationName', 'Python Software Foundation'),), (('commonName', 'localhost'),)), 'notAfter': 'Oct 5 23:01:56 2020 GMT', 'notBefore': 'Oct 8 23:01:56 2010 GMT', 'serialNumber': 'D7C7381919AFC24E', 'subject': ((('countryName', 'XY'),), (('localityName', 'Castle Anthrax'),), (('organizationName', 'Python Software Foundation'),), (('commonName', 'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),), 'version': 3} {'OCSP': ('http://ocsp.verisign.com',), 'caIssuers': ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',), 'crlDistributionPoints': ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',), 'issuer': ((('countryName', 'US'),), (('organizationName', 'VeriSign, Inc.'),), (('organizationalUnitName', 'VeriSign Trust Network'),), (('organizationalUnitName', 'Terms of use at https://www.verisign.com/rpa (c)10'),), (('commonName', 'VeriSign Class 3 International Server CA - G3'),)), 'notAfter': 'Sep 20 23:59:59 2012 GMT', 'notBefore': 'Sep 21 00:00:00 2011 GMT', 'serialNumber': '2EE6EA7640A075CEE5005F4D7C79549A', 'subject': ((('countryName', 'FI'),), (('stateOrProvinceName', 'Espoo'),), (('localityName', 'Espoo'),), (('organizationName', 'Nokia'),), (('organizationalUnitName', 'BI'),), (('commonName', 'projects.developer.nokia.com'),)), 'subjectAltName': (('DNS', 'projects.developer.nokia.com'), ('DNS', 'projects.forum.nokia.com')), 'version': 3} ok test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', 'US'),), (('stateOrProvinceName', 'Oregon'),), (('localityName', 'Beaverton'),), (('organizationName', 'Python Software Foundation'),), (('organizationalUnitName', 'Python Core Development'),), (('commonName', 'null.python.org\x00example.org'),), (('emailAddress', 'python-dev'),)), 'notAfter': 'Aug 7 13:12:52 2013 GMT', 'notBefore': 'Aug 7 13:11:52 2013 GMT', 'serialNumber': '00', 'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'Oregon'),), (('localityName', 'Beaverton'),), (('organizationName', 'Python Software Foundation'),), (('organizationalUnitName', 'Python Core Development'),), (('commonName', 'null.python.org\x00example.org'),), (('emailAddress', 'python-dev'),)), 'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'), ('email', 'null\x00user'), ('URI', 'http://null.python.org\x00http://example.org'), ('IP Address', '192.0.2.1'), ('IP Address', '2001:DB8:0:0:0:0:0:1\n')), 'version': 3} ok test_purpose_enum (test.test_ssl.BasicSocketTests) ... ok test_random (test.test_ssl.BasicSocketTests) ... RAND_status is 1 (sufficient randomness) ok test_random_fork (test.test_ssl.BasicSocketTests) ... ok test_refcycle (test.test_ssl.BasicSocketTests) ... ok test_server_side (test.test_ssl.BasicSocketTests) ... ok test_str_for_enums (test.test_ssl.BasicSocketTests) ... ok test_timeout (test.test_ssl.BasicSocketTests) ... ok test_tls_unique_channel_binding (test.test_ssl.BasicSocketTests) ... ok test_unknown_channel_binding (test.test_ssl.BasicSocketTests) ... ok test_unsupported_dtls (test.test_ssl.BasicSocketTests) ... ok test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok test_lib_reason (test.test_ssl.SSLErrorTests) ... ok test_str (test.test_ssl.SSLErrorTests) ... ok test_subclass (test.test_ssl.SSLErrorTests) ... ok test_buffer_types (test.test_ssl.MemoryBIOTests) ... ok test_eof (test.test_ssl.MemoryBIOTests) ... ok test_error_types (test.test_ssl.MemoryBIOTests) ... 
ok test_pending (test.test_ssl.MemoryBIOTests) ... ok test_read_write (test.test_ssl.MemoryBIOTests) ... ok test_bio_handshake (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 37726) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None Needed 3 calls to complete do_handshake(). Needed 2 calls to complete unwrap(). ok test_bio_read_write_data (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 34980) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None Needed 3 calls to complete do_handshake(). Needed 1 calls to complete write(). Needed 2 calls to complete read(). Needed 2 calls to complete unwrap(). ok test_ciphers (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 36846) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 36848) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_connect (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 49512) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 49514) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_connect_cadata (test.test_ssl.SimpleBackgroundTests) ... 
server: new connection from ('127.0.0.1', 37166) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 37168) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_connect_capath (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 57348) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 57350) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_connect_ex (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 60036) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_connect_fail (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 55312) server: bad connection attempt from ('127.0.0.1', 55312): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866) ok test_connect_with_context (test.test_ssl.SimpleBackgroundTests) ... 
server: new connection from ('127.0.0.1', 36260) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 36262) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 36264) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_connect_with_context_fail (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 35080) server: bad connection attempt from ('127.0.0.1', 35080): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866) ok test_context_setget (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 38236) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_get_ca_certs_capath (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 34314) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_get_server_certificate (test.test_ssl.SimpleBackgroundTests) ... 
server: new connection from ('127.0.0.1', 59070) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 59072) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None Verified certificate for 127.0.0.1:57177 is -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- ok test_get_server_certificate_fail (test.test_ssl.SimpleBackgroundTests) ... 
server: new connection from ('127.0.0.1', 44892) [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:866) server: bad connection attempt from ('127.0.0.1', 44892): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866) ok test_makefile_close (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 46576) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_non_blocking_connect_ex (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 54272) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_non_blocking_handshake (test.test_ssl.SimpleBackgroundTests) ... server: new connection from ('127.0.0.1', 50644) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None Needed 3 calls to do_handshake() to establish session. ok test_alpn_protocols (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 55330) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... 
client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 47982) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 47744) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 42942) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. ok test_asyncore_server (test.test_ssl.ThreadedTests) Check the example asyncore integration. ... server: new connection from 127.0.0.1:55780 client: sending b'FOO\n'... server: read b'FOO\n' from client client: read b'foo\n' client: closing connection. client: connection closed. cleanup: stopping server. server: read b'over\n' from client cleanup: joining server thread. server: closed connection <ssl.SSLSocket [closed] fd=-1, family=AddressFamily.AF_INET, type=2049, proto=0> server: read b'' from client cleanup: successfully joined. ok test_check_hostname (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 41266) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 59992) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None ok test_compression (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 38696) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. got compression: None ok test_compression_disabled (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 45864) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. ok test_crl_check (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 54336) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 48396) server: bad connection attempt from ('127.0.0.1', 48396): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866) server: new connection from ('127.0.0.1', 33078) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None ok test_default_ciphers (test.test_ssl.ThreadedTests) ... FAIL test_default_ecdh_curve (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 43780) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_dh_params (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 50224) server: connection cipher is now ('DHE-RSA-AES256-SHA', 'SSLv3', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. ok test_do_handshake_enotconn (test.test_ssl.ThreadedTests) ... ok test_echo (test.test_ssl.ThreadedTests) Basic test of an SSL client connecting to a server ... 
server: new connection from ('127.0.0.1', 35392) server: connection cipher is now ('AES256-SHA', 'SSLv3', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 39790) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 51066) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 50090) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 46550) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 36516) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... 
client: read b'foo\n' client: closing connection. server: new connection from ('127.0.0.1', 44636) server: bad connection attempt from ('127.0.0.1', 44636): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL] called a function you should not call (_ssl.c:866) server: new connection from ('127.0.0.1', 58502) server: bad connection attempt from ('127.0.0.1', 58502): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() OSError: [Errno 0] Error server: new connection from ('127.0.0.1', 40474) server: bad connection attempt from ('127.0.0.1', 40474): Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn self.sock, server_side=True) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket _context=self, _session=session) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__ self.do_handshake() File 
"/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake self._sslobj.do_handshake() File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL] called a function you should not call (_ssl.c:866) ok test_getpeercert (test.test_ssl.ThreadedTests) ... {'issuer': ((('countryName', 'XY'),), (('localityName', 'Castle Anthrax'),), (('organizationName', 'Python Software Foundation'),), (('commonName', 'localhost'),)), 'notAfter': 'Oct 5 23:01:56 2020 GMT', 'notBefore': 'Oct 8 23:01:56 2010 GMT', 'serialNumber': 'D7C7381919AFC24E', 'subject': ((('countryName', 'XY'),), (('localityName', 'Castle Anthrax'),), (('organizationName', 'Python Software Foundation'),), (('commonName', 'localhost'),)), 'subjectAltName': (('DNS', 'localhost'),), 'version': 3} Connection cipher is ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256). ok test_getpeercert_enotconn (test.test_ssl.ThreadedTests) ... ok test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok test_nonblocking_send (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 45112) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None Test server failure: Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1984, in run self.write(msg.lower()) File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1920, in write return self.sslconn.write(bytes) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 844, in write return self._sslobj.write(data) File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 598, in write return self._sslobj.write(data) ConnectionResetError: [Errno 104] Connection reset by peer ok test_npn_protocols (test.test_ssl.ThreadedTests) ... 
skipped 'NPN support needed for this test' test_protocol_sslv2 (test.test_ssl.ThreadedTests) Connecting to an SSLv2 server with various client options ... skipped 'OpenSSL is compiled without SSLv2 support' test_protocol_sslv23 (test.test_ssl.ThreadedTests) Connecting to an SSLv23 server with various client options ... {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_NONE PROTOCOL_TLS->PROTOCOL_TLS CERT_NONE PROTOCOL_TLSv1->PROTOCOL_TLS CERT_NONE {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_OPTIONAL PROTOCOL_TLS->PROTOCOL_TLS CERT_OPTIONAL PROTOCOL_TLSv1->PROTOCOL_TLS CERT_OPTIONAL {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_REQUIRED PROTOCOL_TLS->PROTOCOL_TLS CERT_REQUIRED PROTOCOL_TLSv1->PROTOCOL_TLS CERT_REQUIRED {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_NONE PROTOCOL_TLS->PROTOCOL_TLS CERT_NONE {PROTOCOL_TLSv1->PROTOCOL_TLS} CERT_NONE ok test_protocol_sslv3 (test.test_ssl.ThreadedTests) Connecting to an SSLv3 server with various client options ... PROTOCOL_SSLv3->PROTOCOL_SSLv3 CERT_NONE PROTOCOL_SSLv3->PROTOCOL_SSLv3 CERT_OPTIONAL PROTOCOL_SSLv3->PROTOCOL_SSLv3 CERT_REQUIRED {PROTOCOL_TLS->PROTOCOL_SSLv3} CERT_NONE {PROTOCOL_TLSv1->PROTOCOL_SSLv3} CERT_NONE {PROTOCOL_TLS->PROTOCOL_SSLv3} CERT_NONE ok test_protocol_tlsv1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1 server with various client options ... PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_NONE PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_OPTIONAL PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_REQUIRED {PROTOCOL_SSLv3->PROTOCOL_TLSv1} CERT_NONE {PROTOCOL_TLS->PROTOCOL_TLSv1} CERT_NONE ok test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.1 server with various client options. ... 
PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_1 CERT_NONE {PROTOCOL_SSLv3->PROTOCOL_TLSv1_1} CERT_NONE {PROTOCOL_TLS->PROTOCOL_TLSv1_1} CERT_NONE PROTOCOL_TLSv1_1->PROTOCOL_TLS CERT_NONE {PROTOCOL_TLSv1->PROTOCOL_TLSv1_1} CERT_NONE {PROTOCOL_TLSv1_1->PROTOCOL_TLSv1} CERT_NONE ok test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests) Connecting to a TLSv1.2 server with various client options. ... PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_2 CERT_NONE {PROTOCOL_SSLv3->PROTOCOL_TLSv1_2} CERT_NONE {PROTOCOL_TLS->PROTOCOL_TLSv1_2} CERT_NONE PROTOCOL_TLSv1_2->PROTOCOL_TLS CERT_NONE {PROTOCOL_TLSv1->PROTOCOL_TLSv1_2} CERT_NONE {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1} CERT_NONE {PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_2} CERT_NONE {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_1} CERT_NONE ok test_read_write_after_close_raises_valuerror (test.test_ssl.ThreadedTests) ... ok test_recv_send (test.test_ssl.ThreadedTests) Test recv(), send() and friends. ... server: new connection from ('127.0.0.1', 60616) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None ok test_recv_zero (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 42492) server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256) server: selected protocol is now None ok test_rude_shutdown (test.test_ssl.ThreadedTests) A brutal shutdown of an SSL server should raise an OSError ... ok test_selected_alpn_protocol (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 33032) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. ok test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 34422) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. ok test_selected_npn_protocol (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 59266) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: sending b'FOO\n'... client: read b'foo\n' client: closing connection. ok test_sendfile (test.test_ssl.ThreadedTests) ... ok test_server_accept (test.test_ssl.ThreadedTests) ... ok test_session (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 58202) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 58902) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 34200) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 57066) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None ok test_session_handling (test.test_ssl.ThreadedTests) ... ok test_shared_ciphers (test.test_ssl.ThreadedTests) ... server: new connection from ('127.0.0.1', 38936) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None FAIL test_sni_callback (test.test_ssl.ThreadedTests) ... 
server: new connection from ('127.0.0.1', 40226) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 49618) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None server: new connection from ('127.0.0.1', 48184) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None ok test_sni_callback_alert (test.test_ssl.ThreadedTests) ... ok test_sni_callback_raising (test.test_ssl.ThreadedTests) ... ok test_sni_callback_wrong_return_type (test.test_ssl.ThreadedTests) ... ok test_socketserver (test.test_ssl.ThreadedTests) Using socketserver to create and manage SSL connections. ... server (('127.0.0.1', 42207):42207 ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)): [29/Aug/2018 18:00:35] "GET /keycert.pem HTTP/1.1" 200 - client: read 1783 bytes from remote server '<HTTPSServerThread <HTTPSServer localhost.localdomain:42207>>' stopping HTTPS server joining HTTPS thread ok test_starttls (test.test_ssl.ThreadedTests) Switching from clear text to encrypted and back again. ... client: sending b'msg 1'... server: new connection from ('127.0.0.1', 56362) server: read b'msg 1' (unencrypted), sending back b'msg 1' (unencrypted)... client: read b'msg 1' from server client: sending b'MSG 2'... server: read b'MSG 2' (unencrypted), sending back b'msg 2' (unencrypted)... client: read b'msg 2' from server client: sending b'STARTTLS'... server: read STARTTLS from client, sending OK... client: read b'ok' from server, starting TLS... server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None client: sending b'MSG 3'... server: read b'MSG 3' (encrypted), sending back b'msg 3' (encrypted)... client: read b'msg 3' from server client: sending b'msg 4'... server: read b'msg 4' (encrypted), sending back b'msg 4' (encrypted)... 
client: read b'msg 4' from server client: sending b'ENDTLS'... server: read ENDTLS from client, sending OK... client: read b'ok' from server, ending TLS... client: sending b'msg 5'... server: connection is now unencrypted... server: read b'msg 5' (unencrypted), sending back b'msg 5' (unencrypted)... client: read b'msg 5' from server client: sending b'msg 6'... server: read b'msg 6' (unencrypted), sending back b'msg 6' (unencrypted)... client: read b'msg 6' from server client: closing connection. server: client closed connection ok test_tls1_3 (test.test_ssl.ThreadedTests) ... skipped 'test requires TLSv1.3 enabled OpenSSL' test_tls_unique_channel_binding (test.test_ssl.ThreadedTests) Test tls-unique channel binding. ... server: new connection from ('127.0.0.1', 48684) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None got channel binding data: b'\xb5I\xb9\xe1\xaed7J\xb9\x9a\xefB' server: new connection from ('127.0.0.1', 48686) server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256) server: selected protocol is now None got another channel binding data: b'\xcc\xabD\xc9{\xfb\x8d\x91\x82\x1ec\xd2' ok test_version_basic (test.test_ssl.ThreadedTests) ... ok test_wrong_cert (test.test_ssl.ThreadedTests) Connecting when the server rejects the client's certificate ... 
SSLError is SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)')
ok

======================================================================
FAIL: test_options (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 922, in test_options
    self.assertEqual(default, ctx.options)
AssertionError: <Options.OP_ALL|OP_NO_SSLv3|OP_CIPHER_SERVER_PREFERENCE|OP_NO_C[18 chars]3540> != <Options.OP_ALL|OP_NO_TLSv1_3|OP_NO_SSLv3|OP_CIPHER_SERVER_PREF[40 chars]3028>

======================================================================
FAIL: test_default_ciphers (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3103, in test_default_ciphers
    self.assertIn("no shared cipher", server.conn_errors[0])
AssertionError: 'no shared cipher' not found in '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:866)'

======================================================================
FAIL: test_shared_ciphers (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3474, in test_shared_ciphers
    self.fail(name)
AssertionError: TLS_AES_256_GCM_SHA384

----------------------------------------------------------------------
Ran 126 tests in 1.537s

FAILED (failures=3, skipped=8)
test test_ssl failed
0:13:12 load avg: 1.25 [306/406/2] test_startfile -- test_ssl failed
test_startfile skipped -- object <module 'os' from '/builddir/build/BUILD/Python-3.6.6/Lib/os.py'> has no attribute 'startfile'
(In reply to Tomas Mraz from comment #18)
> The proper fix is to disable TLS-1.3 support when building legacy software
> against the new openssl-1.1.1 as I said previously. There are multiple ways
> how to do that but of course it requires patching the code (fairly
> trivially). If something already built against openssl-1.1.0, switching it
> to build against compat-openssl10 is a regression.

Unfortunately python is deeply intertwined with openssl (along with other things), and having many core parts of the distribution depend on python makes that a big problem.

I'd like to request at least for future rebases of openssl, to create a system wide change as this clearly affects many things and there aren't many people with expertise on that domain.
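The fix quoted above (disable TLS 1.3 in software written before OpenSSL 1.1.1) can be checked without a server by looking at what the client actually offers in its ClientHello. The following Python code is an added example, not part of this thread and not the patch Fedora applied; the helper names are hypothetical. It starts a handshake over in-memory BIOs and parses the `supported_versions` extension and cipher suite list, with and without the cap.

```python
import ssl
import struct
import warnings

TLS13 = 0x0304  # wire value of TLS 1.3 in the supported_versions extension
TLS13_SUITES = {  # TLS 1.3 cipher suite code points (RFC 8446)
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}


def make_client_context(cap=None):
    """Hypothetical helper: cap is None, "max_version" or "op_flag"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cap == "max_version":
        # Python 3.7+ API for capping the negotiated version.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    elif cap == "op_flag":
        # The flag visible in the test_options failure in the log above;
        # newer Pythons mark the OP_NO_* flags as deprecated.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.options |= ssl.OP_NO_TLSv1_3
    elif cap is not None:
        raise ValueError("unknown cap: %r" % (cap,))
    return ctx


def capture_client_hello(ctx):
    """Start a handshake over in-memory BIOs and return the bytes sent."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="localhost")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued, no server will answer
    return outgoing.read()


def parse_client_hello(data):
    """Return the offered supported_versions and TLS 1.3 cipher suites."""
    handshake, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble handshake records (type 22)
        rtype, _legacy, rlen = struct.unpack_from("!BHH", data, pos)
        if rtype == 22:
            handshake += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(handshake) < 4 or handshake[0] != 1:
        raise ValueError("no ClientHello found")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    p = 2 + 32                      # legacy_version + random
    p += 1 + body[p]                # session_id
    (suite_len,) = struct.unpack_from("!H", body, p)
    suites = struct.unpack_from("!%dH" % (suite_len // 2), body, p + 2)
    p += 2 + suite_len
    p += 1 + body[p]                # compression methods
    versions = []
    if p + 2 <= len(body):
        (ext_len,) = struct.unpack_from("!H", body, p)
        p, end = p + 2, p + 2 + ext_len
        while p + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", body, p)
            if ext_type == 43:      # supported_versions
                count = body[p + 4] // 2
                versions = list(struct.unpack_from("!%dH" % count, body, p + 5))
            p += 4 + length
    return {
        "versions": versions,
        "tls13_suites": [TLS13_SUITES[s] for s in suites if s in TLS13_SUITES],
    }


def inspect_hello(cap=None):
    """Build a context with the given cap and report what it offers."""
    return parse_client_hello(capture_client_hello(make_client_context(cap)))


if __name__ == "__main__":
    for cap in (None, "max_version", "op_flag"):
        result = inspect_hello(cap)
        print(cap, [hex(v) for v in result["versions"]], result["tls13_suites"])
```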
(In reply to Charalampos Stratakis from comment #24)
> I'd like to request at least for future rebases of openssl, to create a
> system wide change as this clearly affects many things and there aren't many
> people with expertise on that domain.

I will do that next time.
Christian, any idea if 3.6.7 will be compatible with Fedora 29/30 openssl version?
2.7, 3.6, 3.7, 3.8 all build
3.4: https://bugzilla.redhat.com/show_bug.cgi?id=1685612
3.5: https://bugzilla.redhat.com/show_bug.cgi?id=1685609

I'm OK to retire 2.6 when it no longer builds.

I'm closing this, I don't think anything else is needed from Christian.