Bug 1609291 - pythons FTBFS on F29+ due to OpenSSL 1.1.1
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: python3
Version: 29
Assignee: Christian Heimes
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-07-27 13:19 UTC by Miro Hrončok
Modified: 2019-03-14 13:28 UTC

Fixed In Version: python3-3.7.0-8.fc30, python3-3.7.0-8.fc29
Last Closed: 2019-03-14 13:28:02 UTC
Type: Bug

Description Miro Hrončok 2018-07-27 13:19:39 UTC
https://apps.fedoraproject.org/koschei/build/5052601

I blame openssl update from 1:1.1.0h-5.fc29 to 1:1.1.1-0.pre8.fc29.

Upstream issue for OpenSSL 1.1.1 support is at https://bugs.python.org/issue32947 yet it is supposed to work on 3.7.

Test failure:

Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.7.0/Lib/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 228, in run
    asyncore.loop(timeout=0.1, count=1)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 207, in loop
    poll_fun(timeout, map)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 150, in poll
    read(obj)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 87, in read
    obj.handle_error()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 83, in read
    obj.handle_read_event()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/asyncore.py", line 422, in handle_read_event
    self.handle_read()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 193, in handle_read
    self._do_tls_handshake()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 172, in _do_tls_handshake
    self.socket.do_handshake()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL] bad record type (_ssl.c:1045)
Warning -- threading_cleanup() failed to cleanup 0 threads (count: 0, dangling: 2)
Dangling thread: <_MainThread(MainThread, started 281473127377536)>
Dangling thread: <test.test_poplib.DummyPOP3Server localhost:0 at 0xffff665e38e0>
Warning -- threading._dangling was modified by test_poplib
  Before: <_weakrefset.WeakSet object at 0xffff6631a608>
  After:  <_weakrefset.WeakSet object at 0xffff65aa2128> 
test test_poplib failed
ok
======================================================================
ERROR: test_stls_context (test.test_poplib.TestPOP3Class)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 377, in test_stls_context
    self.client = poplib.POP3("localhost", self.server.port, timeout=3)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/poplib.py", line 102, in __init__
    self.sock = self._create_socket(timeout)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/poplib.py", line 108, in _create_socket
    return socket.create_connection((self.host, self.port), timeout)
  File "/builddir/build/BUILD/Python-3.7.0/Lib/socket.py", line 727, in create_connection
    raise err
  File "/builddir/build/BUILD/Python-3.7.0/Lib/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
======================================================================
ERROR: test_stls_context (test.test_poplib.TestPOP3Class)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.7.0/Lib/test/test_poplib.py", line 261, in tearDown
    self.client.close()
  File "/builddir/build/BUILD/Python-3.7.0/Lib/poplib.py", line 290, in close
    sock.shutdown(socket.SHUT_RDWR)
OSError: [Errno 9] Bad file descriptor
----------------------------------------------------------------------
Ran 71 tests in 6.347s
FAILED (errors=2)
2 tests failed again:
    test_ftplib test_poplib
== Tests result: FAILURE then FAILURE ==
392 tests OK.
10 slowest tests:
- test_weakref: 7 min 9 sec
- test_multiprocessing_spawn: 4 min 33 sec
- test_asyncio: 4 min 20 sec
- test_concurrent_futures: 3 min 28 sec
- test_multiprocessing_forkserver: 3 min 16 sec
- test_subprocess: 2 min 14 sec
- test_gdb: 2 min 13 sec
- test_lib2to3: 2 min 7 sec
- test_multiprocessing_fork: 2 min 6 sec
- test_io: 1 min 48 sec
2 tests failed:
    test_ftplib test_poplib
20 tests skipped:
    test_curses test_devpoll test_ioctl test_kqueue test_msilib
    test_ossaudiodev test_smtpnet test_socketserver test_startfile
    test_timeout test_tix test_tk test_ttk_guionly test_urllib2net
    test_urllibnet test_winconsoleio test_winreg test_winsound
    test_xmlrpc_net test_zipfile64
2 re-run tests:
    test_ftplib test_poplib
Total duration: 1 hour 16 min
Tests result: FAILURE then FAILURE

Comment 1 Miro Hrončok 2018-07-27 13:23:36 UTC
python36: https://apps.fedoraproject.org/koschei/build/5052600

Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 BrokenPipeError: [Errno 32] Broken pipe
FAIL
test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding. ... 
 server:  new connection from ('127.0.0.1', 57400)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 got channel binding data: b'\x7fk\xf2uSO\xd4"v\x96\x93e'
 server:  new connection from ('127.0.0.1', 57402)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 got another channel binding data: b'\xc5\x8b\xf6\xf7g\xca\xd5\xfdZ\xa6\x8a\x9d'
ok
test_version_basic (test.test_ssl.ThreadedTests) ... ok
test_wrong_cert (test.test_ssl.ThreadedTests)
Connecting when the server rejects the client's certificate ... Exception in thread Thread-3165:
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3058, in serve
    remote, peer = server.accept()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1072, in accept
    server_side=True)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
BrokenPipeError: [Errno 32] Broken pipe
test test_ssl failed
SSLError is SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)')
ok
======================================================================
ERROR: test_ciphers (test.test_ssl.SimpleBackgroundTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1683, in test_ciphers
    s.connect(self.server_addr)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect
    self._real_connect(addr, False)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1047, in _real_connect
    self.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer
======================================================================
ERROR: test_connect (test.test_ssl.SimpleBackgroundTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1508, in test_connect
    s.connect(self.server_addr)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect
    self._real_connect(addr, False)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1043, in _real_connect
    socket.connect(self, addr)
ConnectionRefusedError: [Errno 111] Connection refused
======================================================================
ERROR: test_connect_cadata (test.test_ssl.SimpleBackgroundTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1625, in test_connect_cadata
    s.connect(self.server_addr)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect
    self._real_connect(addr, False)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1043, in _real_connect
    socket.connect(self, addr)
ConnectionRefusedError: [Errno 111] Connection refused
======================================================================
ERROR: test_connect_capath (test.test_ssl.SimpleBackgroundTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1604, in test_connect_capath
    s.connect(self.server_addr)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect
    self._real_connect(addr, False)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1043, in _real_connect
    socket.connect(self, addr)
ConnectionRefusedError: [Errno 111] Connection refused
======================================================================
ERROR: test_connect_with_context (test.test_ssl.SimpleBackgroundTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1566, in test_connect_with_context
    s.connect(self.server_addr)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1056, in connect
    self._real_connect(addr, False)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1047, in _real_connect
    self.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer
======================================================================
ERROR: test_get_server_certificate (test.test_ssl.SimpleBackgroundTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1670, in test_get_server_certificate
    _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1830, in _test_get_server_certificate
    pem = ssl.get_server_certificate((host, port), ca_certs=cert)
  File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1178, in get_server_certificate
    with  create_connection(addr) as sock:
  File "/builddir/build/BUILD/Python-3.6.6/Lib/socket.py", line 724, in create_connection
    raise err
  File "/builddir/build/BUILD/Python-3.6.6/Lib/socket.py", line 713, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
======================================================================
ERROR: test_server_accept (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3070, in test_server_accept
    remote.close()
AttributeError: 'NoneType' object has no attribute 'close'
======================================================================
FAIL: test_options (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 922, in test_options
    self.assertEqual(default, ctx.options)
AssertionError: <Opti[26 chars]CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION: 2185363540> != <Opti[26 chars]CIPHER_SERVER_PREFERENCE|1048576|OP_NO_COMPRESSION: 2186412116>
======================================================================
FAIL: test_default_ciphers (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3102, in test_default_ciphers
    s.connect((HOST, server.port))
AssertionError: OSError not raised
======================================================================
FAIL: test_shared_ciphers (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3474, in test_shared_ciphers
    self.fail(name)
AssertionError: TLS_AES_256_GCM_SHA384
======================================================================
FAIL: test_tls1_3 (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3135, in test_tls1_3
    'TLS13-AES-128-GCM-SHA256',
AssertionError: 'TLS_AES_256_GCM_SHA384' not found in ['TLS13-AES-256-GCM-SHA384', 'TLS13-CHACHA20-POLY1305-SHA256', 'TLS13-AES-128-GCM-SHA256']
----------------------------------------------------------------------
Ran 126 tests in 2.038s
FAILED (failures=4, errors=7, skipped=8)
3 tests failed again:
    test_asyncio test_ftplib test_ssl
== Tests result: FAILURE then FAILURE ==
383 tests OK.
10 slowest tests:
- test_multiprocessing_spawn: 1 min 31 sec
- test_multiprocessing_forkserver: 1 min 16 sec
- test_multiprocessing_fork: 1 min 14 sec
- test_concurrent_futures: 1 min 4 sec
- test_subprocess: 1 min 1 sec
- test_io: 38 sec
- test_socket: 25 sec
- test_signal: 22 sec
- test_faulthandler: 20 sec
- test_logging: 19 sec
3 tests failed:
    test_asyncio test_ftplib test_ssl
20 tests skipped:
    test_curses test_devpoll test_ioctl test_kqueue test_msilib
    test_ossaudiodev test_smtpnet test_socketserver test_startfile
    test_timeout test_tix test_tk test_ttk_guionly test_urllib2net
    test_urllibnet test_winconsoleio test_winreg test_winsound
    test_xmlrpc_net test_zipfile64
3 re-run tests:
    test_asyncio test_ftplib test_ssl
Total duration: 18 min 31 sec
Tests result: FAILURE then FAILURE

python35: https://apps.fedoraproject.org/koschei/build/5050991
python2: https://apps.fedoraproject.org/koschei/build/5054975

python34 and python26 use compat-openssl10-devel

Comment 2 Miro Hrončok 2018-07-30 12:09:30 UTC
The python3 koschei entry is deleted, corresponding task is
https://koji.fedoraproject.org/koji/taskinfo?taskID=28608653

Comment 3 Miro Hrončok 2018-08-13 09:39:41 UTC
https://github.com/openssl/openssl/issues/6933

Comment 4 Jan Kurik 2018-08-14 08:40:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 5 Christian Heimes 2018-08-14 08:52:50 UTC
I'm working on OpenSSL 1.1.1 compatibility for OpenSSL 1.1.1-pre9 (not yet released) and Python 3.7.1, 3.6.7, and 2.7.16 (not yet released). Related fixes are:

https://github.com/python/cpython/pull/8760
https://github.com/python/cpython/pull/8761
https://github.com/python/cpython/pull/8762
https://github.com/openssl/openssl/pull/6340
https://github.com/openssl/openssl/pull/6938

Comment 6 Christian Heimes 2018-08-16 16:53:27 UTC
https://github.com/python/cpython/pull/8787 fixes the last outstanding failing test.

Comment 7 Miro Hrončok 2018-08-16 19:21:19 UTC
https://github.com/python/cpython/pull/8787 fixes the test yet I'm unsure what else should be applied

I've added https://github.com/python/cpython/pull/8762 as well and everything else seems to be part of 3.7 already, yet the tests fail anyway:

https://koji.fedoraproject.org/koji/taskinfo?taskID=29119308

Comment 8 Christian Heimes 2018-08-17 07:15:45 UTC
Fedora 29 sets TLSv1 as explicit minimum version. Python's test suite assumes that the minimum protocol version is set to a magic marker. You can fix the test problem by setting

    export OPENSSL_CONF=/non-existing-file

The test_poplib error is new to me. I'm investigating now.

Comment 9 Christian Heimes 2018-08-17 07:55:48 UTC
I can reproduce the failing test_poplib test with OpenSSL 1.1.1-pre8 but not with latest git. The problem was addressed in OpenSSL, but I'm not sure which commit fixed it. Several commits address handshake, WANT_READ, and TLS alerts.

Wireshark shows an unencrypted TLS Alert of type 42 (bad certificate). I think the patch:

From de9e884b2f43c59834c2b1c3cfde35fa2c797f2b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 7 Aug 2018 12:40:08 +0100
Subject: [PATCH 243/263] Tolerate encrypted or plaintext alerts

should fix that issue.

The test scenario is:

* client connects to server
* handshake fails on client side, because certificate hostname does not match
* client hard-kills TCP connection
* server side fails in "do_handshake" with error "ssl.SSLError: [SSL] bad record type (_ssl.c:1044)"

Comment 11 Miro Hrončok 2018-08-17 09:23:46 UTC
Tomáš, can we get that into openssl package please?

Comment 12 Christian Heimes 2018-08-17 10:06:17 UTC
Workaround for test_poplib until openssl package is rebased to 1.1.1-pre9:


diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index 20d4eeac12..a0c683bbcf 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -178,7 +178,8 @@ class DummyPOP3Handler(asynchat.async_chat):
                     return self.handle_close()
                 # TODO: SSLError does not expose alert information
                 elif ("SSLV3_ALERT_BAD_CERTIFICATE" in err.args[1] or
-                      "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1]):
+                      "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1] or
+                      "bad record type" in err.args[1]):
                     return self.handle_close()
                 raise
             except OSError as err:
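
Review bot: The added '"bad record type" in err.args[1]' test matches on message text alone, so every handshake SSLError carrying that phrase is now closed silently, not only the case this workaround targets. The TODO two lines above already notes that SSLError does not expose alert information, so a comment on the new line stating that it is temporary until the openssl package is rebased to 1.1.1-pre9, with this bug number, would make it easy to find and drop later; guarding the branch on the OpenSSL version in use would narrow it further.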

Comment 13 Miro Hrončok 2018-08-29 09:57:44 UTC
Current status:

 * python3 builds

 * everything else switched to compat-openssl10-devel

Comment 14 Tomas Mraz 2018-08-29 11:19:13 UTC
(In reply to Miro Hrončok from comment #13)
> Current status:
> 
>  * everything else switched to compat-openssl10-devel

What is "everything else"? Nothing should use compat-openssl10-devel except legacy applications (no libraries!) that do not have support for OpenSSL-1.1 API.

Also please note that openssl was already updated to 1.1.1-pre9 in F29+

Comment 15 Miro Hrončok 2018-08-29 11:43:07 UTC
"Everything else" is Pythons: 2.6, 2.7, 3.4, 3.5, 3.6.

If this breaking change would have been communicated better and there was time, we could have fixed at least 3.6 and 2.7. But as for now, we could not have afforded having FTBFSes so close to Beta freeze and Bodhi activation point. It blocked other bugfixes.

Feel free to send Pull Requests that switch away from compat-openssl10-devel.

Comment 16 Tomas Mraz 2018-08-29 11:55:04 UTC
OK, but then I put hands off of any problem reports with having compat-openssl10 used by these Python versions.

Also the compat-openssl10 will be orphaned soon in Rawhide and unless someone steps up to maintain it, it will be retired. (It would not be a particularly good idea to have it in Fedora past 2019-12-31 anyway but that date is still quite far from the Fedora POV.)

Comment 17 Miro Hrončok 2018-08-29 12:06:57 UTC
Please do not put hands off problems introduced by this unannounced breaking bump of the openssl package.

There is no openssl breaking update mentioned in https://fedoraproject.org/wiki/Releases/29/ChangeSet

Anything slightly related I see is https://fedoraproject.org/wiki/Changes/GnuTLS-TLS1.3 yet that one says "That change should have no impact on upgrade or compatibility. The TLS 1.3 protocol is designed in a way that does not cause incompatibility issues with existing (and even broken) implementations."

We don't have resources to fix this properly in F29 time frame.

----

If you retire compat-openssl10 we might very well need to retire python2 and watch the fireworks :D


Now, seriously:

2.6, 3.4, 3.5, 3.6 are used for developers only and if there are problems with openssl, we don't really care much. However we'll need compat-openssl10-devel for them to build. (Chances are, upstream changes will be done in 3.6 for us to backport (or even get in 3.6.7).)


The story is much different for 2.7, because half of infra tools and the entire QA runs on it. If running on compat-openssl10 is dangerous, by extension running anything on python2 is dangerous as well.

Comment 18 Tomas Mraz 2018-08-29 13:37:50 UTC
The proper fix is to disable TLS-1.3 support when building legacy software against the new openssl-1.1.1 as I said previously. There are multiple ways how to do that but of course it requires patching the code (fairly trivially). If something already built against openssl-1.1.0, switching it to build against compat-openssl10 is a regression.

Comment 19 Miro Hrončok 2018-08-29 13:54:40 UTC
> There are multiple ways how to do that but of course it requires patching the code (fairly trivially)

Please help. It might be trivial for you, it is not for me.

> If something already built against openssl-1.1.0, switching it to build against compat-openssl10 is a regression.

It built in Fedora 28. It doesn't for Fedora 29.

Comment 20 Tomas Mraz 2018-08-29 14:15:31 UTC
I think I already mentioned it elsewhere.

When calling SSL_CTX_new() just call SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); on the returned ctx.
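
What the option from comment 20 changes on the wire, as an added example that is not part of the original thread or of the Python or Fedora sources: it starts a client handshake over memory BIOs with Python's ssl module and parses the supported_versions extension of the resulting ClientHello, once with TLS 1.3 left on, once disabled through OP_NO_TLSv1_3, and once capped with maximum_version. The helper names (client_context, first_flight, parse_client_hello, offered_versions) and the host name "localhost" are assumptions made for the example.

```python
import ssl
import struct
import warnings

TLS13 = 0x0304               # wire value of TLS 1.3 in supported_versions
EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446, section 4.2.1


def client_context(disable_tls13=None):
    """Client context; disable_tls13 is None, "option" or "max_version"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_tls13 == "option":
        # Python spelling of SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3).
        # Newer Pythons mark the OP_NO_* options deprecated; silence that here.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.options |= ssl.OP_NO_TLSv1_3
    elif disable_tls13 == "max_version":
        # Same effect through the version-range API (Python 3.7+).
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def first_flight(ctx, hostname="localhost"):
    """Start a handshake over memory BIOs; return the bytes the client sends."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is waiting for a ServerHello
    return outgoing.read()


def parse_client_hello(data):
    """Return (legacy_version, cipher_suites, {extension_type: body})."""
    ctype, _record_version, record_len = struct.unpack_from("!BHH", data, 0)
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello")
    hello_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hello_len]
    if len(hello) != hello_len:
        raise ValueError("ClientHello spans more than one record")

    (legacy_version,) = struct.unpack_from("!H", hello, 0)
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + hello[pos]             # session id
    (suites_len,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    suites = list(struct.unpack_from("!%dH" % (suites_len // 2), hello, pos))
    pos += suites_len
    pos += 1 + hello[pos]             # compression methods

    extensions = {}
    if pos < len(hello):
        (ext_total,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4
            extensions[ext_type] = hello[pos:pos + ext_len]
            pos += ext_len
    return legacy_version, suites, extensions


def offered_versions(ctx):
    """Versions in supported_versions; empty if the extension is absent."""
    _legacy, _suites, extensions = parse_client_hello(first_flight(ctx))
    body = extensions.get(EXT_SUPPORTED_VERSIONS, b"")
    if not body:
        return []
    count = body[0] // 2              # one length byte, then 2-byte versions
    return list(struct.unpack_from("!%dH" % count, body, 1))


if __name__ == "__main__":
    for mode in (None, "option", "max_version"):
        versions = offered_versions(client_context(mode))
        print(mode, [hex(v) for v in versions],
              "TLS 1.3 offered:", TLS13 in versions)
```

The result for the unmodified context depends on the OpenSSL build and system configuration Python is linked against; the two restricted contexts never list 0x0304.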

Comment 21 Miro Hrončok 2018-08-29 14:25:16 UTC
Thank you. Will try.

Comment 22 Miro Hrončok 2018-08-29 15:58:42 UTC
Note: the trivial change breaks the tests.

Trying to fight that with -DOPENSSL_NO_TLS1_3 and also OPENSSL_CONF=/non-existing-file.

Comment 23 Miro Hrončok 2018-08-29 16:03:07 UTC
So much for trivial changes:



test_ssl: testing with 'OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018' (1, 1, 1, 0, 15)
          under Linux ('Fedora', '29', 'Rawhide')
          HAS_SNI = True
          OP_ALL = 0x80000054
          OP_NO_TLSv1_1 = 0x10000000
test__create_stdlib_context (test.test_ssl.ContextTests) ... ok
test_cert_store_stats (test.test_ssl.ContextTests) ... ok
test_check_hostname (test.test_ssl.ContextTests) ... ok
test_ciphers (test.test_ssl.ContextTests) ... ok
test_constructor (test.test_ssl.ContextTests) ... ok
test_context_client_server (test.test_ssl.ContextTests) ... ok
test_create_default_context (test.test_ssl.ContextTests) ... ok
test_get_ca_certs (test.test_ssl.ContextTests) ... ok
test_get_ciphers (test.test_ssl.ContextTests) ... ok
test_load_cert_chain (test.test_ssl.ContextTests) ... ok
test_load_default_certs (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env_windows (test.test_ssl.ContextTests) ... skipped 'Windows specific'
test_load_dh_params (test.test_ssl.ContextTests) ... ok
test_load_verify_cadata (test.test_ssl.ContextTests) ... ok
test_load_verify_locations (test.test_ssl.ContextTests) ... ok
test_options (test.test_ssl.ContextTests) ... FAIL
test_protocol (test.test_ssl.ContextTests) ... ok
test_python_ciphers (test.test_ssl.ContextTests) ... skipped 'Test applies only to Python default ciphers'
test_session_stats (test.test_ssl.ContextTests) ... ok
test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok
test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok
test_sni_callback (test.test_ssl.ContextTests) ... ok
test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok
test_verify_flags (test.test_ssl.ContextTests) ... ok
test_verify_mode (test.test_ssl.ContextTests) ... ok
test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
test_asn1object (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ... skipped 'locale-specific month name needs to be different from C locale'
test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok
test_connect_ex_error (test.test_ssl.BasicSocketTests) ... ok
test_constants (test.test_ssl.BasicSocketTests) ... ok
test_dealloc_warn (test.test_ssl.BasicSocketTests) ... ok
test_empty_cert (test.test_ssl.BasicSocketTests)
Wrapping with an empty cert file ... ok
test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific'
test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific'
test_errors_sslwrap (test.test_ssl.BasicSocketTests) ... ok
test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok
test_malformed_cert (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted certificate (syntax error) ... ok
test_malformed_key (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted key (syntax error) ... ok
test_match_hostname (test.test_ssl.BasicSocketTests) ... ok
test_openssl_version (test.test_ssl.BasicSocketTests) ... ok
test_parse_all_sans (test.test_ssl.BasicSocketTests) ... ok
test_parse_cert (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', 'XY'),),
            (('localityName', 'Castle Anthrax'),),
            (('organizationName', 'Python Software Foundation'),),
            (('commonName', 'localhost'),)),
 'notAfter': 'Oct  5 23:01:56 2020 GMT',
 'notBefore': 'Oct  8 23:01:56 2010 GMT',
 'serialNumber': 'D7C7381919AFC24E',
 'subject': ((('countryName', 'XY'),),
             (('localityName', 'Castle Anthrax'),),
             (('organizationName', 'Python Software Foundation'),),
             (('commonName', 'localhost'),)),
 'subjectAltName': (('DNS', 'localhost'),),
 'version': 3}
{'OCSP': ('http://ocsp.verisign.com',),
 'caIssuers': ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',),
 'crlDistributionPoints': ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',),
 'issuer': ((('countryName', 'US'),),
            (('organizationName', 'VeriSign, Inc.'),),
            (('organizationalUnitName', 'VeriSign Trust Network'),),
            (('organizationalUnitName',
              'Terms of use at https://www.verisign.com/rpa (c)10'),),
            (('commonName', 'VeriSign Class 3 International Server CA - G3'),)),
 'notAfter': 'Sep 20 23:59:59 2012 GMT',
 'notBefore': 'Sep 21 00:00:00 2011 GMT',
 'serialNumber': '2EE6EA7640A075CEE5005F4D7C79549A',
 'subject': ((('countryName', 'FI'),),
             (('stateOrProvinceName', 'Espoo'),),
             (('localityName', 'Espoo'),),
             (('organizationName', 'Nokia'),),
             (('organizationalUnitName', 'BI'),),
             (('commonName', 'projects.developer.nokia.com'),)),
 'subjectAltName': (('DNS', 'projects.developer.nokia.com'),
                    ('DNS', 'projects.forum.nokia.com')),
 'version': 3}
ok
test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', 'US'),),
            (('stateOrProvinceName', 'Oregon'),),
            (('localityName', 'Beaverton'),),
            (('organizationName', 'Python Software Foundation'),),
            (('organizationalUnitName', 'Python Core Development'),),
            (('commonName', 'null.python.org\x00example.org'),),
            (('emailAddress', 'python-dev@python.org'),)),
 'notAfter': 'Aug  7 13:12:52 2013 GMT',
 'notBefore': 'Aug  7 13:11:52 2013 GMT',
 'serialNumber': '00',
 'subject': ((('countryName', 'US'),),
             (('stateOrProvinceName', 'Oregon'),),
             (('localityName', 'Beaverton'),),
             (('organizationName', 'Python Software Foundation'),),
             (('organizationalUnitName', 'Python Core Development'),),
             (('commonName', 'null.python.org\x00example.org'),),
             (('emailAddress', 'python-dev@python.org'),)),
 'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'),
                    ('email', 'null@python.org\x00user@example.org'),
                    ('URI', 'http://null.python.org\x00http://example.org'),
                    ('IP Address', '192.0.2.1'),
                    ('IP Address', '2001:DB8:0:0:0:0:0:1\n')),
 'version': 3}
ok
test_purpose_enum (test.test_ssl.BasicSocketTests) ... ok
test_random (test.test_ssl.BasicSocketTests) ... 
 RAND_status is 1 (sufficient randomness)
ok
test_random_fork (test.test_ssl.BasicSocketTests) ... ok
test_refcycle (test.test_ssl.BasicSocketTests) ... ok
test_server_side (test.test_ssl.BasicSocketTests) ... ok
test_str_for_enums (test.test_ssl.BasicSocketTests) ... ok
test_timeout (test.test_ssl.BasicSocketTests) ... ok
test_tls_unique_channel_binding (test.test_ssl.BasicSocketTests) ... ok
test_unknown_channel_binding (test.test_ssl.BasicSocketTests) ... ok
test_unsupported_dtls (test.test_ssl.BasicSocketTests) ... ok
test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok
test_lib_reason (test.test_ssl.SSLErrorTests) ... ok
test_str (test.test_ssl.SSLErrorTests) ... ok
test_subclass (test.test_ssl.SSLErrorTests) ... ok
test_buffer_types (test.test_ssl.MemoryBIOTests) ... ok
test_eof (test.test_ssl.MemoryBIOTests) ... ok
test_error_types (test.test_ssl.MemoryBIOTests) ... ok
test_pending (test.test_ssl.MemoryBIOTests) ... ok
test_read_write (test.test_ssl.MemoryBIOTests) ... ok
test_bio_handshake (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 37726)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
Needed 3 calls to complete do_handshake().
Needed 2 calls to complete unwrap().
ok
test_bio_read_write_data (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 34980)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
Needed 3 calls to complete do_handshake().
Needed 1 calls to complete write().
Needed 2 calls to complete read().
Needed 2 calls to complete unwrap().
ok
test_ciphers (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 36846)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 36848)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_connect (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 49512)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 49514)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_connect_cadata (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 37166)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 37168)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_connect_capath (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 57348)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 57350)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_connect_ex (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 60036)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_connect_fail (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 55312)
 server:  bad connection attempt from ('127.0.0.1', 55312):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)
ok
test_connect_with_context (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 36260)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 36262)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 36264)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_connect_with_context_fail (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 35080)
 server:  bad connection attempt from ('127.0.0.1', 35080):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)
ok
test_context_setget (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 38236)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_get_ca_certs_capath (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 34314)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_get_server_certificate (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 59070)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 59072)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
Verified certificate for 127.0.0.1:57177 is
ok
test_get_server_certificate_fail (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 44892)
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:866)
 server:  bad connection attempt from ('127.0.0.1', 44892):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)
ok
test_makefile_close (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 46576)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_non_blocking_connect_ex (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 54272)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_non_blocking_handshake (test.test_ssl.SimpleBackgroundTests) ...  server:  new connection from ('127.0.0.1', 50644)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
Needed 3 calls to do_handshake() to establish session.
ok
test_alpn_protocols (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 55330)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 47982)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 47744)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 42942)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
ok
test_asyncore_server (test.test_ssl.ThreadedTests)
Check the example asyncore integration. ... 
 server:  new connection from 127.0.0.1:55780
 client:  sending b'FOO\n'...
 server:  read b'FOO\n' from client
 client:  read b'foo\n'
 client:  closing connection.
 client:  connection closed.
 cleanup: stopping server.
 server:  read b'over\n' from client
 cleanup: joining server thread.
 server:  closed connection <ssl.SSLSocket [closed] fd=-1, family=AddressFamily.AF_INET, type=2049, proto=0>
 server:  read b'' from client
 cleanup: successfully joined.
ok
test_check_hostname (test.test_ssl.ThreadedTests) ... 
 server:  new connection from ('127.0.0.1', 41266)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 59992)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
ok
test_compression (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 38696)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 got compression: None
ok
test_compression_disabled (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 45864)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
ok
test_crl_check (test.test_ssl.ThreadedTests) ... 
 server:  new connection from ('127.0.0.1', 54336)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 48396)
 server:  bad connection attempt from ('127.0.0.1', 48396):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)
 server:  new connection from ('127.0.0.1', 33078)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
ok
test_default_ciphers (test.test_ssl.ThreadedTests) ... FAIL
test_default_ecdh_curve (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 43780)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_dh_params (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 50224)
 server: connection cipher is now ('DHE-RSA-AES256-SHA', 'SSLv3', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
ok
test_do_handshake_enotconn (test.test_ssl.ThreadedTests) ... ok
test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server ... 
 server:  new connection from ('127.0.0.1', 35392)
 server: connection cipher is now ('AES256-SHA', 'SSLv3', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 39790)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 51066)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 50090)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 46550)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 36516)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
 server:  new connection from ('127.0.0.1', 44636)
 server:  bad connection attempt from ('127.0.0.1', 44636):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLError: [SSL] called a function you should not call (_ssl.c:866)
 server:  new connection from ('127.0.0.1', 58502)
 server:  bad connection attempt from ('127.0.0.1', 58502):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 OSError: [Errno 0] Error
 server:  new connection from ('127.0.0.1', 40474)
 server:  bad connection attempt from ('127.0.0.1', 40474):
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1871, in wrap_conn
    self.sock, server_side=True)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 770, in __init__
    self.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 1024, in do_handshake
    self._sslobj.do_handshake()
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
 ssl.SSLError: [SSL] called a function you should not call (_ssl.c:866)
ok
test_getpeercert (test.test_ssl.ThreadedTests) ... 
{'issuer': ((('countryName', 'XY'),),
            (('localityName', 'Castle Anthrax'),),
            (('organizationName', 'Python Software Foundation'),),
            (('commonName', 'localhost'),)),
 'notAfter': 'Oct  5 23:01:56 2020 GMT',
 'notBefore': 'Oct  8 23:01:56 2010 GMT',
 'serialNumber': 'D7C7381919AFC24E',
 'subject': ((('countryName', 'XY'),),
             (('localityName', 'Castle Anthrax'),),
             (('organizationName', 'Python Software Foundation'),),
             (('commonName', 'localhost'),)),
 'subjectAltName': (('DNS', 'localhost'),),
 'version': 3}
Connection cipher is ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256).
ok
test_getpeercert_enotconn (test.test_ssl.ThreadedTests) ... ok
test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok
test_nonblocking_send (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 45112)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
Test server failure:
Traceback (most recent call last):
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1984, in run
    self.write(msg.lower())
   File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 1920, in write
    return self.sslconn.write(bytes)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 844, in write
    return self._sslobj.write(data)
   File "/builddir/build/BUILD/Python-3.6.6/Lib/ssl.py", line 598, in write
    return self._sslobj.write(data)
 ConnectionResetError: [Errno 104] Connection reset by peer
ok
test_npn_protocols (test.test_ssl.ThreadedTests) ... skipped 'NPN support needed for this test'
test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options ... skipped 'OpenSSL is compiled without SSLv2 support'
test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options ... 
 {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_NONE
 PROTOCOL_TLS->PROTOCOL_TLS CERT_NONE
 PROTOCOL_TLSv1->PROTOCOL_TLS CERT_NONE
 {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_OPTIONAL
 PROTOCOL_TLS->PROTOCOL_TLS CERT_OPTIONAL
 PROTOCOL_TLSv1->PROTOCOL_TLS CERT_OPTIONAL
 {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_REQUIRED
 PROTOCOL_TLS->PROTOCOL_TLS CERT_REQUIRED
 PROTOCOL_TLSv1->PROTOCOL_TLS CERT_REQUIRED
 {PROTOCOL_SSLv3->PROTOCOL_TLS} CERT_NONE
 PROTOCOL_TLS->PROTOCOL_TLS CERT_NONE
 {PROTOCOL_TLSv1->PROTOCOL_TLS} CERT_NONE
ok
test_protocol_sslv3 (test.test_ssl.ThreadedTests)
Connecting to an SSLv3 server with various client options ... 
 PROTOCOL_SSLv3->PROTOCOL_SSLv3 CERT_NONE
 PROTOCOL_SSLv3->PROTOCOL_SSLv3 CERT_OPTIONAL
 PROTOCOL_SSLv3->PROTOCOL_SSLv3 CERT_REQUIRED
 {PROTOCOL_TLS->PROTOCOL_SSLv3} CERT_NONE
 {PROTOCOL_TLSv1->PROTOCOL_SSLv3} CERT_NONE
 {PROTOCOL_TLS->PROTOCOL_SSLv3} CERT_NONE
ok
test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options ... 
 PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_NONE
 PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_OPTIONAL
 PROTOCOL_TLSv1->PROTOCOL_TLSv1 CERT_REQUIRED
 {PROTOCOL_SSLv3->PROTOCOL_TLSv1} CERT_NONE
 {PROTOCOL_TLS->PROTOCOL_TLSv1} CERT_NONE
ok
test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options. ... 
 PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_1 CERT_NONE
 {PROTOCOL_SSLv3->PROTOCOL_TLSv1_1} CERT_NONE
 {PROTOCOL_TLS->PROTOCOL_TLSv1_1} CERT_NONE
 PROTOCOL_TLSv1_1->PROTOCOL_TLS CERT_NONE
 {PROTOCOL_TLSv1->PROTOCOL_TLSv1_1} CERT_NONE
 {PROTOCOL_TLSv1_1->PROTOCOL_TLSv1} CERT_NONE
ok
test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options. ... 
 PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_2 CERT_NONE
 {PROTOCOL_SSLv3->PROTOCOL_TLSv1_2} CERT_NONE
 {PROTOCOL_TLS->PROTOCOL_TLSv1_2} CERT_NONE
 PROTOCOL_TLSv1_2->PROTOCOL_TLS CERT_NONE
 {PROTOCOL_TLSv1->PROTOCOL_TLSv1_2} CERT_NONE
 {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1} CERT_NONE
 {PROTOCOL_TLSv1_1->PROTOCOL_TLSv1_2} CERT_NONE
 {PROTOCOL_TLSv1_2->PROTOCOL_TLSv1_1} CERT_NONE
ok
test_read_write_after_close_raises_valuerror (test.test_ssl.ThreadedTests) ... ok
test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends. ... 
 server:  new connection from ('127.0.0.1', 60616)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
ok
test_recv_zero (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 42492)
 server: connection cipher is now ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
 server: selected protocol is now None
ok
test_rude_shutdown (test.test_ssl.ThreadedTests)
A brutal shutdown of an SSL server should raise an OSError ... ok
test_selected_alpn_protocol (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 33032)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
ok
test_selected_alpn_protocol_if_server_uses_alpn (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 34422)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
ok
test_selected_npn_protocol (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 59266)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  sending b'FOO\n'...
 client:  read b'foo\n'
 client:  closing connection.
ok
test_sendfile (test.test_ssl.ThreadedTests) ... ok
test_server_accept (test.test_ssl.ThreadedTests) ... ok
test_session (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 58202)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 58902)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 34200)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 57066)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
ok
test_session_handling (test.test_ssl.ThreadedTests) ... ok
test_shared_ciphers (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 38936)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
FAIL
test_sni_callback (test.test_ssl.ThreadedTests) ...  server:  new connection from ('127.0.0.1', 40226)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 49618)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 server:  new connection from ('127.0.0.1', 48184)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
ok
test_sni_callback_alert (test.test_ssl.ThreadedTests) ... ok
test_sni_callback_raising (test.test_ssl.ThreadedTests) ... ok
test_sni_callback_wrong_return_type (test.test_ssl.ThreadedTests) ... ok
test_socketserver (test.test_ssl.ThreadedTests)
Using socketserver to create and manage SSL connections. ... 
 server (('127.0.0.1', 42207):42207 ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)):
   [29/Aug/2018 18:00:35] "GET /keycert.pem HTTP/1.1" 200 -
 client: read 1783 bytes from remote server '<HTTPSServerThread <HTTPSServer localhost.localdomain:42207>>'
stopping HTTPS server
joining HTTPS thread
ok
test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again. ... 
 client:  sending b'msg 1'...
 server:  new connection from ('127.0.0.1', 56362)
 server: read b'msg 1' (unencrypted), sending back b'msg 1' (unencrypted)...
 client:  read b'msg 1' from server
 client:  sending b'MSG 2'...
 server: read b'MSG 2' (unencrypted), sending back b'msg 2' (unencrypted)...
 client:  read b'msg 2' from server
 client:  sending b'STARTTLS'...
 server: read STARTTLS from client, sending OK...
 client:  read b'ok' from server, starting TLS...
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 client:  sending b'MSG 3'...
 server: read b'MSG 3' (encrypted), sending back b'msg 3' (encrypted)...
 client:  read b'msg 3' from server
 client:  sending b'msg 4'...
 server: read b'msg 4' (encrypted), sending back b'msg 4' (encrypted)...
 client:  read b'msg 4' from server
 client:  sending b'ENDTLS'...
 server: read ENDTLS from client, sending OK...
 client:  read b'ok' from server, ending TLS...
 client:  sending b'msg 5'...
 server: connection is now unencrypted...
 server: read b'msg 5' (unencrypted), sending back b'msg 5' (unencrypted)...
 client:  read b'msg 5' from server
 client:  sending b'msg 6'...
 server: read b'msg 6' (unencrypted), sending back b'msg 6' (unencrypted)...
 client:  read b'msg 6' from server
 client:  closing connection.
 server: client closed connection
ok
test_tls1_3 (test.test_ssl.ThreadedTests) ... skipped 'test requires TLSv1.3 enabled OpenSSL'
test_tls_unique_channel_binding (test.test_ssl.ThreadedTests)
Test tls-unique channel binding. ... 
 server:  new connection from ('127.0.0.1', 48684)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 got channel binding data: b'\xb5I\xb9\xe1\xaed7J\xb9\x9a\xefB'
 server:  new connection from ('127.0.0.1', 48686)
 server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
 server: selected protocol is now None
 got another channel binding data: b'\xcc\xabD\xc9{\xfb\x8d\x91\x82\x1ec\xd2'
ok
test_version_basic (test.test_ssl.ThreadedTests) ... ok
test_wrong_cert (test.test_ssl.ThreadedTests)
Connecting when the server rejects the client's certificate ... 
SSLError is SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:866)')
ok
======================================================================
FAIL: test_options (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 922, in test_options
    self.assertEqual(default, ctx.options)
AssertionError: <Options.OP_ALL|OP_NO_SSLv3|OP_CIPHER_SERVER_PREFERENCE|OP_NO_C[18 chars]3540> != <Options.OP_ALL|OP_NO_TLSv1_3|OP_NO_SSLv3|OP_CIPHER_SERVER_PREF[40 chars]3028>
======================================================================
FAIL: test_default_ciphers (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3103, in test_default_ciphers
    self.assertIn("no shared cipher", server.conn_errors[0])
AssertionError: 'no shared cipher' not found in '[SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:866)'
======================================================================
FAIL: test_shared_ciphers (test.test_ssl.ThreadedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.6.6/Lib/test/test_ssl.py", line 3474, in test_shared_ciphers
    self.fail(name)
AssertionError: TLS_AES_256_GCM_SHA384
----------------------------------------------------------------------
Ran 126 tests in 1.537s
FAILED (failures=3, skipped=8)
test test_ssl failed
0:13:12 load avg: 1.25 [306/406/2] test_startfile -- test_ssl failed
test_startfile skipped -- object <module 'os' from '/builddir/build/BUILD/Python-3.6.6/Lib/os.py'> has no attribute 'startfile'

Comment 24 Charalampos Stratakis 2018-08-29 19:16:42 UTC
(In reply to Tomas Mraz from comment #18)
> The proper fix is to disable TLS-1.3 support when building legacy software
> against the new openssl-1.1.1 as I said previously. There are multiple ways
> how to do that but of course it requires patching the code (fairly
> trivially). If something already built against openssl-1.1.0, switching it
> to build against compat-openssl10 is a regression.

Unfortunately python is deeply intertwined with openssl (along with other things), and having many core parts of the distribution depend on python makes that a big problem.

I'd like to request at least for future rebases of openssl, to create a system wide change as this clearly affects many things and there aren't many people with expertise on that domain.
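
Added example (not part of any comment in this bug, and not CPython's or Fedora's patch): a small audit of a Python `ssl` context that shows why `set_ciphers()` leaves names such as `TLS_AES_256_GCM_SHA384` in the cipher list under OpenSSL 1.1.1, how an extra `OP_NO_TLSv1_3` flag surfaces in an options comparison, and how to cap a context at TLS 1.2 as comment 18 suggests. The function names and the `ECDHE+AESGCM` cipher string are assumptions made for this illustration.

```python
import ssl
import warnings

# 0 when the running ssl module predates the constant.
NO_TLS13 = getattr(ssl, "OP_NO_TLSv1_3", 0)


def tls13_enabled(ctx):
    """Return True if this context could still negotiate TLS 1.3."""
    if not getattr(ssl, "HAS_TLSv1_3", False):
        return False                      # linked library has no TLS 1.3
    if NO_TLS13 and ctx.options & NO_TLS13:
        return False                      # switched off by option flag
    if hasattr(ctx, "maximum_version"):   # attribute exists on Python 3.7+
        top = ctx.maximum_version
        if (top != ssl.TLSVersion.MAXIMUM_SUPPORTED
                and top < ssl.TLSVersion.TLSv1_3):
            return False                  # switched off by version ceiling
    return True


def cap_at_tls12(ctx):
    """Disable TLS 1.3 on ctx and return the mechanism that was used."""
    if hasattr(ctx, "maximum_version"):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        return "maximum_version"
    with warnings.catch_warnings():
        # Newer interpreters warn that OP_NO_TLS* flags are deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= NO_TLS13
    return "OP_NO_TLSv1_3"


def tls13_suites(ctx):
    """Names of the TLS 1.3 cipher suites present in the context's list."""
    return [c["name"] for c in ctx.get_ciphers()
            if c.get("protocol") == "TLSv1.3"]


def option_diff(a, b):
    """Names of the option flags set in exactly one of the two values."""
    changed = int(a) ^ int(b)
    return sorted(name for name, flag in ssl.Options.__members__.items()
                  if flag.value and (changed & flag.value) == flag.value)


def audit(cipher_string="ECDHE+AESGCM"):
    """Build a client context, restrict its ciphers, then cap it at TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() only governs TLS 1.2-and-older suites; with OpenSSL 1.1.1
    # the TLS 1.3 suites are configured separately and stay in the list.
    ctx.set_ciphers(cipher_string)
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "tls13_before_cap": tls13_enabled(ctx),
        "tls13_suites_left_by_set_ciphers": tls13_suites(ctx),
    }
    report["cap_mechanism"] = cap_at_tls12(ctx)
    report["tls13_after_cap"] = tls13_enabled(ctx)
    # What an equality check on options sees when one side carries
    # OP_NO_TLSv1_3 and the other does not.
    base = int(ctx.options) & ~NO_TLS13
    report["options_diff_with_flag"] = option_diff(base, base | NO_TLS13)
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print("%-34s %s" % (key, value))
```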

Comment 25 Tomas Mraz 2018-09-03 09:00:29 UTC
(In reply to Charalampos Stratakis from comment #24)
> I'd like to request at least for future rebases of openssl, to create a
> system wide change as this clearly affects many things and there aren't many
> people with expertise on that domain.

I will do that next time.

Comment 26 Miro Hrončok 2018-09-11 21:49:56 UTC
Christian, any idea if 3.6.7 will be compatible with Fedora 29/30 openssl version?

Comment 27 Miro Hrončok 2019-03-14 13:28:02 UTC
2.7, 3.6, 3.7, 3.8 all build

3.4: https://bugzilla.redhat.com/show_bug.cgi?id=1685612
3.5: https://bugzilla.redhat.com/show_bug.cgi?id=1685609

I'm OK to retire 2.6 when it no longer builds.

I'm closing this, I don't think anything else is needed from Christian.

