Hi Mathieu, The test_min_max_version test in Python 3.14 test_ssl.py is failing because of my patch that disables TLS 1 and 1.1 by default.
One of the assertions in the test_min_max_version checks if the minimum supported TLS version is either TLS v1, TLS v1.1, or SSL v3. With TLS v1 and TLS v1.1 disabled, the minimum version is now TLS v1.2, which is not included in that set. If I add TLS v1.2 to the set, test_min_max_version passes. This seems like something I can patch upstream in cpython so I will start that process. I think it's ideal to disable all of these packageconfig options by default together. So in my opinion it would be best to put my patches on hold until this issue with cpython is fixed. I'm also open to discussing short term solutions. Thanks, *_____________________* *Colin Pinnell McAllister* On Thu, Feb 12, 2026 at 10:39 AM Mathieu Dubois-Briand < [email protected]> wrote: > On Wed Feb 11, 2026 at 7:49 PM CET, Colin McAllister via > lists.openembedded.org wrote: > > TLS 1.0 and 1.1 have been deprecated by the IETF since 2021, and > > OpenSSL's legacy module contains deprecated and unmaintained components. > > This series disables legacy support by default in both OpenSSL and > > python3-cryptography, requiring users to explicitly opt-in if needed. > > > > The first two patches add packageconfig options to control legacy TLS > > protocol support and the legacy OpenSSL module. The final patch aligns > > python3-cryptography with the new OpenSSL defaults. > > > > Note that the TLS 1.0/1.1 changes replace the existing "no-tls1" and > > "no-tls1_1" packageconfig options with affirmative "tls1" and "tls1_1" > > options that are disabled by default. While less disruptive to enable > > the "no-*" options by default, using affirmative options provides > > consistency with the new "legacy" option and is clearer than having > > default-enabled "no-*" options. > > > > Testing performed: > > * Verified both recipes build successfully with and without the new > > options > > * Ran OpenSSL ptests with legacy enabled/disabled and TLS 1.0/1.1 > > disabled > > * Ran python3-cryptography ptests with legacy-openssl disabled > > * Confirmed ptests correctly skip tests for disabled legacy features > > > > Colin Pinnell McAllister (3): > > openssl: Disable TLS 1.x by default > > openssl: Add legacy packageconfig option > > python3-cryptography: Disable legacy-openssl by default > > > > meta/recipes-connectivity/openssl/openssl_3.5.5.bb | 14 +++++++++----- > > .../python/python3-cryptography.bb | 2 +- > > 2 files changed, 10 insertions(+), 6 deletions(-) > > Hi Colin, > > Thanks for your patch. > > It looks like we are having some ptest failing on the autobuilder: > > Failed ptests: > {'python3': ['test_min_max_version', 'python3']} > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/3075 > https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/3030 > > Test logs can be found here: > > > https://valkyrie.yocto.io/pub/non-release/20260212-56/testresults/qemux86-64-ptest/core-image-ptest-python3/ > > https://valkyrie.yocto.io/pub/non-release/20260212-56/testresults/qemuarm64-ptest/core-image-ptest-python3/ > > Can you have a look at this error? > > Thanks, > Mathieu > > -- > Mathieu Dubois-Briand, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231126): https://lists.openembedded.org/g/openembedded-core/message/231126 Mute This Topic: https://lists.openembedded.org/mt/117761903/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
