[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-09-11 Thread Larry Hastings


Larry Hastings  added the comment:

Nope, it's not fixed.

--
resolution: fixed -> 
stage: resolved -> needs patch
status: closed -> open

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-09-11 Thread STINNER Victor


STINNER Victor  added the comment:

Python 3.5.10 has been released, so I understand that this issue has been 
fixed. Thanks Christian Heimes for fixes ;-)

--
nosy: +vstinner
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-08-17 Thread Larry Hastings


Larry Hastings  added the comment:

> Does testing with the environment variable OPENSSL_CONF=/non-existing-file 
> work around the remaining issues?

Sadly, no.  I get the same failures whether or not that environment variable is 
set.  And I confirmed that the environment variable survives Python's testing 
harness, it doesn't get unset or overwritten.

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-08-14 Thread Miro Hrončok

Miro Hrončok  added the comment:

Does testing with the environment variable OPENSSL_CONF=/non-existing-file 
work around the remaining issues?

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-08-14 Thread Miro Hrončok

Change by Miro Hrončok :


--
nosy: +hroncok
nosy_count: 2.0 -> 3.0
pull_requests: +21005
pull_request: https://github.com/python/cpython/pull/21882




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-16 Thread Larry Hastings


Larry Hastings  added the comment:

Ping?

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-09 Thread Larry Hastings


Larry Hastings  added the comment:

Any news?

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset f52bf62fe12d46267e958f80dbe1f4425b55cd0f by Christian Heimes in 
branch '3.5':
bpo-41183: Update finite DH params to 3072 bits (#21278)
https://github.com/python/cpython/commit/f52bf62fe12d46267e958f80dbe1f4425b55cd0f


--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

Gotcha.  Thanks for looking into it for me.  I don't think the world is super 
anxious about getting 3.5.10rc1 so it's not a big huge deal.  But I will wait 
to hear back from you.  Thanks!

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Christian Heimes


Christian Heimes  added the comment:

GH-21278 takes care of test failures related to DH params.

For the other test failures somebody has to backport 
df6ac7e2b82d921a6e9ff5571b40c6dbcf635581 to 3.6 and 3.5. I cannot promise that 
I'm able to find time to do the backport today.

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Christian Heimes


Change by Christian Heimes :


--
pull_requests: +20427
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/21278




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

Do you need a temporary login on one of my Pop!_OS computers, in order to test?

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

./python -m test -v test_ssl >& test_ssl_verbose_36_master

--
Added file: https://bugs.python.org/file49290/test_ssl_verbose_36_master




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Christian Heimes


Christian Heimes  added the comment:

test_ssl_36_branch just contains "1 test failed: test_ssl". Could you please 
attach a verbose run?

The problems are caused by security policy. We had similar issues in Fedora.

- Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
  level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
  below 1.2 and update documentation. Previous default of 1, can be set
  by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
  using ':@SECLEVEL=1' CipherString value in openssl.cfg.

I can fix "SSL: DH_KEY_TOO_SMALL" in another PR. The other issues are harder to 
fix.

--
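
The security-level behaviour described in the message above, as an added example that is not part of the thread or of CPython: it reads an `@SECLEVEL` override from a constructed OpenSSL config snippet, falls back to an assumed compiled-in level of 2, and reports which fixture keys would be refused and with which reason code. The fixture names and sizes are hypothetical, apart from the 3072-bit DH size named in GH-21278.

```python
import re

# Minimum RSA/DH size in bits for OpenSSL security levels 1-5, as listed in
# the SSL_CTX_set_security_level() documentation. Level 0 is not modelled.
MIN_BITS = {1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# OpenSSL reason codes raised for undersized keys, by key role.
REASONS = {"dh": "DH_KEY_TOO_SMALL", "ee": "EE_KEY_TOO_SMALL",
           "ca": "CA_KEY_TOO_SMALL"}

# Constructed config that lowers the level back to 1 (not from a real system).
SAMPLE_CNF = """\
[system_default_sect]
# test machines only
CipherString = DEFAULT:@SECLEVEL=1
"""

# Constructed fixture list: name -> (role, key size in bits).
FIXTURES = {
    "old-dh-params": ("dh", 1024),
    "new-dh-params": ("dh", 3072),   # size chosen in GH-21278
    "server-cert": ("ee", 1024),
    "signing-ca": ("ca", 2048),
}

def effective_seclevel(cnf_text, compiled_default):
    """Level from the last CipherString @SECLEVEL, else the compiled-in one."""
    level = compiled_default
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"CipherString\s*=\s*(\S+)$", line)
        if m:
            found = re.findall(r"@SECLEVEL=([1-5])\b", m.group(1))
            if found:
                level = int(found[-1])
    return level

def rejected(fixtures, level):
    """Return {fixture name: reason code} for keys below the level's minimum."""
    floor = MIN_BITS[level]
    return {name: REASONS[role]
            for name, (role, bits) in fixtures.items() if bits < floor}

if __name__ == "__main__":
    for cnf in ("", SAMPLE_CNF):
        lvl = effective_seclevel(cnf, compiled_default=2)
        print(lvl, rejected(FIXTURES, lvl))
```

With an empty config the compiled-in level applies, so a missing or unreadable config file leaves the undersized keys rejected; only an explicit `@SECLEVEL=1` override or larger keys clears them.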




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

I assume this is building against the system OpenSSL.  On this machine, the 
"openssl", "libssl1.1", and "libssl-dev" packages are all version 
"1.1.1f-1ubuntu2".

The OS is "Pop!_OS" version 20.04, which is a derivative of Ubuntu 20.04.  It 
appears to be getting this package straight out of the Ubuntu package repo.  
The maintainer is listed as "Ubuntu Developers 
".

Attached is the revision history, copied and pasted out of the package 
manager's "changelog".

--
Added file: https://bugs.python.org/file49289/openssl.revision.history.txt




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

The 3.6 branch of python/cpython fails as well on this machine.  Output 
attached.

--
Added file: https://bugs.python.org/file49288/test_ssl_36_branch




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

test_ssl was one of the seven modules that failed.  But attached here is just 
the output of

% ./python -m test -v test_ssl >& test_ssl_failure

--
Added file: https://bugs.python.org/file49287/test_ssl_failure




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Christian Heimes


Christian Heimes  added the comment:

I'm testing with latest build of OpenSSL 1.1.1 and Fedora's DEFAULT crypto 
policy here. Your vendor may have configured OpenSSL with a more strict crypto 
policy. 

Could you please attach a full output of ./python -m test -v test_ssl?

Does the 3.6 test suite pass on your test machine?

--




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

Upgrading to release blocker.

--
priority: high -> release blocker
resolution: fixed -> 
stage: resolved -> needs patch
status: closed -> open




[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

2020-07-02 Thread Larry Hastings


Larry Hastings  added the comment:

Christian:  Help!  Again!

I merged your PR, pulled a fresh copy, built it, and ran the test suite.  I get 
seven failures in I think the same modules.

Most of the failures are either "ssl.SSLError: [SSL] internal error 
(_ssl.c:728)", or some flavor of "OSError: [Errno 0] Error".  Sadly not helpful.

But!  Occasionally the test suite prints a very telling error:

ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:3233)

Attached is the output of running just those seven tests.  (One test is now 
working, not sure why.)

Obviously these tests pass on the buildbots, I assume that's because their 
OpenSSL is slightly older.  But I don't think I can ship 3.5.10rc1 if it won't 
build with current OpenSSL.

You should be able to simply pull the current 3.5 head 
(d565be84993a3d618add139cf21038e12c60a13e) to reproduce the error.

--
title: Workaround or fix for SSL "EE_KEY_TOO_SMALL" test failures -> Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures
Added file: https://bugs.python.org/file49286/failures
