Package: stunnel4
Version: 3:5.60+dfsg-1
Severity: normal

Dear Maintainer,

the upcoming python 3.10 deprecates ssl.PROTOCOL_TLS[1]:

  Deprecated since version 3.10: TLS clients and servers require different
  default settings for secure communication. The generic TLS protocol
  constant is deprecated in favor of PROTOCOL_TLS_CLIENT and
  PROTOCOL_TLS_SERVER.

This is used in debian/tests/python/struntime/__main__.py:437:[2]

  ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)

With python3.10, the above line will cause this warning to be printed to
stderr:

  debian/tests/python/struntime/__main__.py:437: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated

Which will break the test since `allow-stderr` is not used.

We could, of course, allow stderr, but let's take the opportunity to fix
the warning and not use a deprecated value.

Given the context, this should probably be replaced with
PROTOCOL_TLS_CLIENT, but that brings in another change[3]:

  ... The protocol enables CERT_REQUIRED and check_hostname by default.

Namely, the `check_hostname` bit being set to True. And that fails a test
a bit later:

  Failed to connect to 127.0.0.1:6503: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)

Since the test certificate only has a commonName of "localhost".

I propose:

a) this patch:

--- a/debian/tests/python/struntime/__main__.py
+++ b/debian/tests/python/struntime/__main__.py
@@ -434,7 +434,7 @@ async def test_connect(cfg: Config, conn: TestConnection) -> None:
     try:
         if conn.encrypted:
             print(f"[{tag}] Creating an SSL context")
-            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
             print(f"[{tag}] - cert required")
             ctx.verify_mode = ssl.CERT_REQUIRED
             print(f"[{tag}] - load_verify_locations()")

b) regenerate the test certificate with an extra
-addext "subjectAltName = IP:127.0.0.1". Something like:

  openssl req -new -x509 -days 3650 -nodes -out debian/tests/certs/certificate.pem -keyout debian/tests/certs/key.pem -addext "subjectAltName = IP:127.0.0.1"

Alternatively, one could set check_hostname to False in the ssl context,
restoring the behavior of the deprecated ssl.PROTOCOL_TLS value.

Thanks for any comments, and please let me know if you would like to have
a salsa PR with the above.

Cheers!

1. https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
2. https://salsa.debian.org/debian/stunnel/-/blob/master/debian/tests/python/struntime/__main__.py#L437
3. https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT
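Review bot: the hunk at __main__.py:437 in test_connect is not self-contained: switching to ssl.PROTOCOL_TLS_CLIENT turns check_hostname on, and with the current CN-only certificate the connection to 127.0.0.1 then fails with the CERTIFICATE_VERIFY_FAILED / IP address mismatch error quoted in the report, so this line must land together with the regenerated certificate from (b) (or with an explicit `ctx.check_hostname = False`, which gives up hostname verification in the test; the SAN route is preferable since it keeps the check the new constant was chosen for). A smaller point: the unchanged context line `ctx.verify_mode = ssl.CERT_REQUIRED` (and the "cert required" print before it) is now redundant, because PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED; keeping it is harmless but deserves a short comment so nobody later "cleans up" the wrong one.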
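An added stdlib-only example (not code from the stunnel package or from this report) that reproduces the two facts behind the failure without a network: the defaults a fresh SSLContext gets for each protocol constant, and the name-matching rule check_hostname applies, under which a commonName never satisfies an IP target. The getpeercert()-style dictionaries are constructed stand-ins for the CN-only test certificate and for the one regenerated with IP:127.0.0.1 in its SAN; context_defaults and cert_valid_for are hypothetical helper names.

```python
"""Stdlib-only reproduction of the report: SSLContext defaults per protocol
constant, and why a CN-only certificate fails for 127.0.0.1 once check_hostname is on."""
import ipaddress
import ssl
import warnings


def context_defaults(protocol_name: str) -> tuple[bool, str]:
    """(check_hostname, verify_mode name) a fresh SSLContext gets for a constant
    such as "PROTOCOL_TLS" or "PROTOCOL_TLS_CLIENT"."""
    with warnings.catch_warnings():
        # PROTOCOL_TLS emits the DeprecationWarning from the report on 3.10+;
        # silenced here only so the defaults can be inspected on every version.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(getattr(ssl, protocol_name))
    return ctx.check_hostname, ctx.verify_mode.name


def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' wildcard covering exactly one label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_valid_for(cert: dict, target: str) -> bool:
    """Apply the matching rule check_hostname enforces to a getpeercert()-style dict.
    An IP target must appear as an 'IP Address' SAN; commonName never counts.
    A DNS target is matched against 'DNS' SANs, with commonName used only as a
    fallback when the certificate carries no DNS SAN at all."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    host = target.lower()
    dns_sans = [val.lower() for kind, val in sans if kind == "DNS"]
    if dns_sans:
        return any(_dns_match(pat, host) for pat in dns_sans)
    cns = [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]
    return any(_dns_match(cn.lower(), host) for cn in cns)


# Constructed getpeercert()-style dicts: the CN-only test certificate from the
# report, and the same certificate regenerated with IP:127.0.0.1 in its SAN.
CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
WITH_SAN = {"subject": ((("commonName", "localhost"),),),
            "subjectAltName": (("IP Address", "127.0.0.1"),)}
```

Running `cert_valid_for(CN_ONLY, "127.0.0.1")` is the offline equivalent of the failed connect in the report, and `cert_valid_for(WITH_SAN, "127.0.0.1")` of the run after fix (b).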