Daniele wrote:
I hope to have the time to investigate also this: urllib3/contrib/pyopenssl.py contains code to have SSL with SNI_-support for Python 2 and it depends on pyOpenSSL, cryptography and idna. Maybe looking at them can give us more clues.

Also, could you see if using Python3 the connection to https://pub.orcid.org work?

It conditionally works. Using curl, I found that TLSv1_0 or TLSv1_1 will support a successful connection, but only if the maximum SSL_VERSION is constrained to TLSv1_0 or TLSv1_1 (e.g. curl -v --tlsv1.1 --tls-max 1.1 https://pub.orcid.org). Without the max, the connection fails:
$ curl --tlsv1.1  https://pub.orcid.org
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The urllib3 failure was similar, but I do not know how to set tls-max with urllib3. I could only find the option with curl. I could set up a custom HTTPAdapter as suggested at https://requests.readthedocs.io/en/master/user/advanced/#example-specific-ssl-version to set ssl_version=ssl.PROTOCOL_TLSv1_1 but the ssl module doesn't have the SSLVERSION_MAX_TLSv1_1 value that curl has. I could solve it with pycurl using c.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_TLSv1_1 | pycurl.SSLVERSION_MAX_TLSv1_1)

Evidently the orcid server only supports TLSv1.0 and TLSv1.1 and no higher (why haven't they activated TLSv1.3 yet?!), while curl and urllib3 without tls-max first test TLSv1.3 and then quit without cascading downwards once they receive the TLSv1.3 handshake failure. Which is rather odd behaviour when I think about it. The whole point of supporting multiple protocol versions is to try the next available version if the first one doesn't work.

Th package build was successful on my system but gives build-time errors in
chroot (on buildd).  I'm not sure why that's failing.
I will look at them during this weekend, I already had a look at build log from
the phone, but it's better to look from a PC.

I had a closer look. The failing tests were in python2 only, coming from the non-ascii (Gërman http://Königsgäßchen.de/straße and Japanese http://ヒ:キ@ヒ.abc.ニ/ヒ?キ#ワ) unicode url tests. So from one perspective we don't need to worry so much about them, we could just disable them (e.g. prepend @onlyPy3 to test_parse_url and test_url_vulnerabilities in test_util.py). We'll be dropping python2 any way in the near future.

On the other hand, given the nature of the vulnerabilities and the possible uses of urllib3, it's probably best not to leave python2 untested, especially since they are known to pass on python2 anyway in the right conditions. Probably there is some package that should be added to Build-Depends to enable python2 tests to pass, though I have no idea which that package might be.


Reply via email to