[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-09-09 Thread Gregory P. Smith


Gregory P. Smith  added the comment:

I believe this has been addressed.

--
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-07-13 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset 221178aea686abf13ff92b7e2b5ed3e739a53b3f by larryhastings 
(Gregory P. Smith) in branch '3.5':
[3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (#13200)
https://github.com/python/cpython/commit/221178aea686abf13ff92b7e2b5ed3e739a53b3f


--
nosy: +larry




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-21 Thread Chih-Hsuan Yen


Chih-Hsuan Yen  added the comment:

Hi Michael Felt,

> And, what it looks like you are trying to do with an updated 'signing' .pem 
> is to remove the 'self-signed' characteristic.

If I understand it correctly, the new certificate is indeed still self-signed. 
It's updated to match the certificate deployed at 
https://self-signed.pythontest.net/. Under the hood load_verify_locations() at 
line 1628 is used to make the test accept any valid certificate signed with the 
given certificate.

As a record, with CPython e7cb23bf2079087068a08502f96fdf20b317d69c and OpenSSL 
1.1.1b on Arch Linux x86_64, the test is green:

test_networked_good_cert (test.test_httplib.HTTPSTest) ... ok

By the way, I believe the "key too weak" workaround can be removed now and then 
this issue can be closed.

--


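The thread reports two different handshake failures that need different fixes. The following is an added example, not code from CPython or from any poster: it classifies the two error strings and builds a context pinned to a single PEM file in the way the message above describes for load_verify_locations(). The names classify_verify_failure, pinned_context, REASONS and SAMPLES are hypothetical.

```python
import re
import ssl

# Verify-failure reasons seen in this thread -> (cause, remediation).
REASONS = {
    "EE certificate key too weak": (
        "weak-server-key",
        "server key is below the local OpenSSL security level: reissue the "
        "server certificate with a stronger key",
    ),
    "self signed certificate": (
        "pin-mismatch",
        "presented certificate is not in the trust store: update the pinned "
        "PEM to the certificate the server now deploys",
    ),
}

VERIFY_RE = re.compile(
    r"certificate verify failed: (?P<reason>.+?) \(_ssl\.c:\d+\)")


def classify_verify_failure(error):
    """Return (cause, remediation) for an SSLCertVerificationError or its text."""
    # Collapse whitespace: mail archives and logs wrap the message mid-phrase.
    text = " ".join(str(error).split())
    match = VERIFY_RE.search(text)
    if match is None:
        return ("unrecognised", "not a certificate verification failure")
    # OpenSSL 3.x hyphenates this reason as "self-signed certificate".
    reason = match.group("reason").replace("self-signed", "self signed")
    return REASONS.get(reason, ("other", reason))


def pinned_context(pem_path=None):
    """Client context that trusts only the certificates in pem_path."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking and
    # loads no system CAs, so the pinned file is the whole trust store.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if pem_path is not None:
        ctx.load_verify_locations(pem_path)
    return ctx


# Error strings as they appear in the thread, line wrap included.
SAMPLES = [
    "ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate \n"
    "verify failed: EE certificate key too weak (_ssl.c:1055)",
    "ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate \n"
    "verify failed: self signed certificate (_ssl.c:1055)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_verify_failure(sample))
```

A caught exception can be passed to classify_verify_failure directly, since str() of an SSLCertVerificationError carries the same reason text.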


[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-21 Thread Michael Felt


Michael Felt  added the comment:

On 21/05/2019 12:08, Michael Felt wrote:
> Michael Felt  added the comment:
>
> p.s. On CentOS I could not even get a python3 (at least not easily).
>
> On Debian (on POWER) I get the same error (message) as on AIX - although the 
> line number did change.
>
> ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate 
> verify failed: self signed certificate (_ssl.c:1056)
>
> so, not a message about "key too small error" - pure, this is self-signed, so 
> error.
>
> --
p.s. blush: seems I was testing against the wrong fork - seems to be
cleared in 'master'. My apologies for the noise.

--




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-21 Thread Michael Felt


Michael Felt  added the comment:

p.s. On CentOS I could not even get a python3 (at least not easily).

On Debian (on POWER) I get the same error (message) as on AIX - although the 
line number did change.

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate 
verify failed: self signed certificate (_ssl.c:1056)

so, not a message about "key too small error" - pure, this is self-signed, so 
error.

--




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-21 Thread Michael Felt


Michael Felt  added the comment:

I am not an OpenSSL expert - and I am conscious of OpenSSL changes with regard 
to 'acceptance' of anything self-signed.

And, what it looks like you are trying to do with an updated 'signing' .pem is 
to remove the 'self-signed' characteristic.

On AIX - atm - I get, as did Chih-Hsuan Yen (yan12125),

==
ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
--
Traceback (most recent call last):
  File "/home/buildbot/python-master/Lib/test/test_httplib.py", line 1632, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/buildbot/python-master/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/buildbot/python-master/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/buildbot/python-master/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/buildbot/python-master/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/buildbot/python-master/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/buildbot/python-master/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/buildbot/python-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1055)

And I see why now:
test_networked_good_cert (test.test_httplib.HTTPSTest) ... skipped "Use of the 
'network' resource not enabled"

Digging a bit:

buildbot@x064:[/home/buildbot/python-master]openssl s_client -connect self-signed.pythontest.net:443
CONNECTED(0003)
depth=0 C = XY, ST = Castle Anthrax, L = Argument Clinic, O = Python Software Foundation, CN = self-signed.pythontest.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XY, ST = Castle Anthrax, L = Argument Clinic, O = Python Software Foundation, CN = self-signed.pythontest.net
verify return:1
---
Certificate chain
 0 s:/C=XY/ST=Castle Anthrax/L=Argument Clinic/O=Python Software Foundation/CN=self-signed.pythontest.net
   i:/C=XY/ST=Castle Anthrax/L=Argument Clinic/O=Python Software Foundation/CN=self-signed.pythontest.net

And while this:
How to know if it has been fixed?  Monitor the test_networked_good_cert test on 
any "Debian buster" buildbot(s) such as 
https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  
(the test _currently_ fails, I am going to have it be _skipped_ on this 
specific key too small error for the time being to get that stable buildbot 
green again)

is nice for some, it is not nice for all!

Perhaps the test should be switched to 'warn' on failure, rather than error on 
failure, until fixed!

--
nosy: +Michael.Felt




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Gregory P. Smith


Gregory P. Smith  added the comment:


New changeset 7b5dca8345f4a909367836a3a2c3c7ac6e4e2c0c by Gregory P. Smith in 
branch '2.7':
[2.7] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) 
(GH-13199)
https://github.com/python/cpython/commit/7b5dca8345f4a909367836a3a2c3c7ac6e4e2c0c


--




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread miss-islington


miss-islington  added the comment:


New changeset 6daaf3f7de78eec2c80eaa8e94e4cca54f758a30 by Miss Islington (bot) 
(Gregory P. Smith) in branch '3.7':
[3.7] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) 
(GH-13197)
https://github.com/python/cpython/commit/6daaf3f7de78eec2c80eaa8e94e4cca54f758a30


--




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Ned Deily


Ned Deily  added the comment:


New changeset 2b9d7abdbd4b41e2c624858f5bc80da59d8a681d by Ned Deily (Gregory P. 
Smith) in branch '3.6':
[3.6] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) 
(GH-13198)
https://github.com/python/cpython/commit/2b9d7abdbd4b41e2c624858f5bc80da59d8a681d


--
nosy: +ned.deily




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Gregory P. Smith


Change by Gregory P. Smith :


--
pull_requests: +13111




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Gregory P. Smith


Change by Gregory P. Smith :


--
pull_requests: +13110




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Gregory P. Smith


Change by Gregory P. Smith :


--
pull_requests: +13109




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Gregory P. Smith


Change by Gregory P. Smith :


--
pull_requests: +13108




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread miss-islington


miss-islington  added the comment:


New changeset 6bd81734de0b73f1431880d6a75fb71bcbc65fa1 by Miss Islington (bot) 
(Gregory P. Smith) in branch 'master':
bpo-36816: Update the self-signed.pythontest.net cert (GH-13192)
https://github.com/python/cpython/commit/6bd81734de0b73f1431880d6a75fb71bcbc65fa1


--
nosy: +miss-islington




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Gregory P. Smith


Change by Gregory P. Smith :


--
pull_requests: +13104
stage: commit review -> patch review




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Chih-Hsuan Yen


Chih-Hsuan Yen  added the comment:

Lib/test/selfsigned_pythontestdotnet.pem in the cpython repository needs to be 
updated to match 
https://github.com/python/pythontestdotnet/blob/master/tls/self-signed-cert.pem,
 or the test fails :)

==
ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
--
Traceback (most recent call last):
  File "/home/yen/tmp/cpython/Lib/test/test_httplib.py", line 1632, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/yen/tmp/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/yen/tmp/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/yen/tmp/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/yen/tmp/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1055)

--




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-08 Thread Ernest W. Durbin III


Ernest W. Durbin III  added the comment:

Cert updated, reassigning back to gregory.p.smith to verify and close this out.

--
assignee: EWDurbin -> gregory.p.smith




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-07 Thread Chih-Hsuan Yen


Change by Chih-Hsuan Yen :


--
nosy: +yan12125




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-07 Thread Gregory P. Smith


Gregory P. Smith  added the comment:

Updated cert+key committed to pythontestdotnet.  reassigning to EWDurbin to see 
that they're deployed.

https://github.com/python/pythontestdotnet/commit/2d121419796dad6d4285bf5aefd464aff0f47a91

--
assignee: gregory.p.smith -> EWDurbin
resolution:  -> remind
stage: patch review -> commit review




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-06 Thread Gregory P. Smith


Gregory P. Smith  added the comment:

EWDurbin says I can just open a PR with new certs in the repo and it'll go from 
there. :)

--
assignee: EWDurbin -> gregory.p.smith




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-06 Thread Gregory P. Smith


Change by Gregory P. Smith :


--
keywords: +patch
pull_requests: +13037
stage: needs patch -> patch review




[issue36816] self-signed.pythontest.net TLS certificate key is too weak

2019-05-06 Thread Gregory P. Smith


New submission from Gregory P. Smith :

test_httplib uses self-signed.pythontest.net in its test_networked_good_cert 
test.

On modern Linux distros (current Debian testing sid), the certificate it 
currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
--
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I 
_believe_ this can be done by someone with infrastructure access via an update 
to https://github.com/python/pythontestdotnet/tree/master/tls

Assigning to EWDurbin for triage and redirection to someone else infrastructury 
if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on 
any "Debian buster" buildbot(s) such as 
https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  
(the test _currently_ fails, I am going to have it be _skipped_ on this 
specific key too small error for the time being to get that stable buildbot 
green again)

--
assignee: EWDurbin
components: SSL, Tests
messages: 341579
nosy: EWDurbin, gregory.p.smith
priority: normal
severity: normal
stage: needs patch
status: open
title: self-signed.pythontest.net TLS certificate key is too weak
type: behavior
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8
