Package: stunnel4
Version: 3:5.60+dfsg-1
Severity: normal

Dear Maintainer,

the upcoming Python 3.10 deprecates ssl.PROTOCOL_TLS[1]:

    Deprecated since version 3.10: TLS clients and servers require
different default settings for secure communication. The generic TLS
protocol constant is deprecated in favor of PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.

This is used in debian/tests/python/struntime/__main__.py:437:[2]

                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)

With Python 3.10, the above line will cause this warning to be printed to stderr:

    debian/tests/python/struntime/__main__.py:437: DeprecationWarning:
ssl.PROTOCOL_TLS is deprecated

This will break the test, since `allow-stderr` is not used.

We could, of course, allow stderr, but let's take the opportunity to
fix the warning and not use a deprecated value. Given the context,
this should probably be replaced with PROTOCOL_TLS_CLIENT, but that
brings in another change[3]:

    ...
    The protocol enables CERT_REQUIRED and check_hostname by default.

Namely, the `check_hostname` bit being set to True. And that fails a
test a bit later:

    Failed to connect to 127.0.0.1:6503: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address
mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)

This is because the test certificate only has a commonName of "localhost".

I propose:
a) this patch:
--- a/debian/tests/python/struntime/__main__.py
+++ b/debian/tests/python/struntime/__main__.py
@@ -434,7 +434,7 @@ async def test_connect(cfg: Config, conn:
TestConnection) -> None:
         try:
             if conn.encrypted:
                 print(f"[{tag}] Creating an SSL context")
-                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                 print(f"[{tag}] - cert required")
                 ctx.verify_mode = ssl.CERT_REQUIRED
                 print(f"[{tag}] - load_verify_locations()")
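Review bot: the `ctx.verify_mode = ssl.CERT_REQUIRED` assignment two lines below the changed line becomes redundant once the context is created with PROTOCOL_TLS_CLIENT, which already defaults to CERT_REQUIRED and check_hostname = True; it is harmless, but the "- cert required" print now announces a no-op and could be dropped together with the assignment. Note also that this hunk on its own is what triggers the "IP address mismatch, certificate is not valid for '127.0.0.1'" failure quoted above: check_hostname now compares the server certificate against the address the test connects to, and the current test certificate carries only CN=localhost. It should land in the same change as the regenerated certificate from step b), or with check_hostname explicitly set to False as the report's alternative suggests, so the test suite never sits in a state where the connect step fails.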

b) regenerate the test certificate with an extra -addext
"subjectAltName = IP:127.0.0.1". Something like:

    openssl req -new -x509 -days 3650 -nodes \
        -out debian/tests/certs/certificate.pem \
        -keyout debian/tests/certs/key.pem \
        -addext "subjectAltName = IP:127.0.0.1"


Alternatively, one could set check_hostname to False in the ssl
context, restoring the behavior of the deprecated ssl.PROTOCOL_TLS
value.

Thanks for any comments, and please let me know if you would like to
have a salsa PR with the above.

Cheers!

1. https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
2. https://salsa.debian.org/debian/stunnel/-/blob/master/debian/tests/python/struntime/__main__.py#L437
3. https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT

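The following is an added example, not code from the bug report or from stunnel's debian/tests suite. It reproduces the two behaviours the report describes: the DeprecationWarning that ssl.PROTOCOL_TLS emits on Python 3.10+, and the check_hostname failure when a PROTOCOL_TLS_CLIENT context connects to 127.0.0.1 while the server certificate carries only CN=localhost. It then mints a second certificate with "subjectAltName = IP:127.0.0.1", as step b) proposes, and shows the same handshake succeeding. Assumptions: the `openssl` CLI (1.1.1 or newer, for -addext) is on PATH and is used only to create throw-away self-signed certificates in a temporary directory; a listener can be bound on 127.0.0.1 with an ephemeral port. The certificate names cn-only/ip-san and all helper functions are this example's own, not names from the stunnel package.

```python
"""Added example (not from the bug report or stunnel): reproduce the
PROTOCOL_TLS deprecation warning and the check_hostname IP mismatch, then
show that an IP SAN fixes the handshake.

Assumptions: `openssl` (>= 1.1.1 for -addext) is on PATH and is used only to
mint throw-away self-signed certs; 127.0.0.1 with an ephemeral port is usable.
"""
import shutil
import socket
import ssl
import subprocess
import sys
import tempfile
import threading
import warnings
from pathlib import Path
from typing import Optional, Tuple


def python_deprecates_protocol_tls() -> bool:
    """The deprecation the report cites landed in Python 3.10."""
    return sys.version_info >= (3, 10)


def deprecated_protocol_warns() -> bool:
    """True if ssl.SSLContext(ssl.PROTOCOL_TLS) emits a DeprecationWarning."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        ssl.SSLContext(ssl.PROTOCOL_TLS)
    return any(issubclass(w.category, DeprecationWarning) for w in caught)


def client_context_defaults() -> Tuple[bool, str]:
    """What PROTOCOL_TLS_CLIENT turns on by itself: check_hostname, verify_mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ctx.check_hostname, ctx.verify_mode.name


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def make_self_signed(outdir: Path, name: str, san: Optional[str]) -> Tuple[Path, Path]:
    """Mint a self-signed CN=localhost cert; `san` is an optional subjectAltName."""
    cert, key = outdir / f"{name}.pem", outdir / f"{name}.key"
    cmd = ["openssl", "req", "-new", "-x509", "-days", "1", "-nodes",
           "-subj", "/CN=localhost", "-out", str(cert), "-keyout", str(key)]
    if san:
        cmd += ["-addext", f"subjectAltName = {san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return cert, key


def handshake_error(cert: Path, key: Path, server_hostname: str) -> Optional[str]:
    """One TLS handshake against a local server presenting cert/key.

    The client context is PROTOCOL_TLS_CLIENT with its defaults (CERT_REQUIRED,
    check_hostname=True) and trusts only `cert`.  Returns None on success,
    otherwise the certificate verification message.
    """
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(str(cert), str(key))
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)

    def serve() -> None:
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except OSError:
            pass  # the client aborts the handshake when verification fails

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.load_verify_locations(str(cert))
    port = listener.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(b"x")
        return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
    finally:
        worker.join(5)
        listener.close()


def demo() -> dict:
    """CN-only cert fails with 'IP address mismatch'; the IP-SAN cert succeeds."""
    if not openssl_available():
        raise RuntimeError("openssl CLI not found; cannot mint test certificates")
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        cn_cert, cn_key = make_self_signed(out, "cn-only", None)
        san_cert, san_key = make_self_signed(out, "ip-san", "IP:127.0.0.1")
        return {"cn_only": handshake_error(cn_cert, cn_key, "127.0.0.1"),
                "ip_san": handshake_error(san_cert, san_key, "127.0.0.1")}


if __name__ == "__main__":
    print("PROTOCOL_TLS warns:", deprecated_protocol_warns())
    print("PROTOCOL_TLS_CLIENT defaults:", client_context_defaults())
    for label, err in demo().items():
        print(f"{label}: {'OK' if err is None else err}")
```

Running the script prints the defaults that PROTOCOL_TLS_CLIENT enables, then the two handshake outcomes. The CN-only case reports the same "IP address mismatch, certificate is not valid for '127.0.0.1'" text as the bug report, because hostname verification for an IP literal only consults iPAddress SAN entries and never falls back to the commonName; the IP-SAN certificate connects cleanly with check_hostname left at its default of True.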