The fix is merged, and we should shortly be re-enabled in Cryptography's downstream builds: https://github.com/pyca/cryptography/pull/7211. However, we're running a subset of the tests right now because the certificate authority used by twisted.internet.test.test_endpoints.WrapClientTLSParserTests.test_tls has too short of a key length. Apparently the system OpenSSL in Ubuntu checks keys in this context, but the one built by Cryptography itself doesn't. We could potentially test this configuration (and maybe we should, ubuntu+system OpenSSL is almost certainly a configuration some people care about).
We don't even need a code change here, just a re-generation of the certificates in src/twisted/internet/test/fake_CAs/. I just fixed up `epsilon` so you can literally run `certcreate` and not translate its options; its defaults seem to have made the transition to the modern era. You can't get it from the divmod wiki though, it lives here now: https://github.com/twisted/epsilon

I'd appreciate it if someone else could take this part though, I've already fallen way too far down the rabbit hole of this bugfix :). Once this is fixed we should be able to re-enable the full suite in Cryptography's CI.

-g

> On May 11, 2022, at 12:59 AM, Glyph <[email protected]> wrote:
>
> I've got a fix in review over here https://github.com/twisted/twisted/pull/1731. The problem, simply put, was "TLS versions and outdated certificate attributes", and I tried to address TLS versioning in documentation and tests.
>
> -g
>
>> On Apr 27, 2022, at 6:56 AM, Adi Roiban <[email protected]> wrote:
>>
>> Hi,
>>
>> With the latest release of cryptography 37.0 the Twisted test suite fails.
>>
>> I have created a ticket here https://twistedmatrix.com/trac/ticket/10337
>>
>> As part of another PR [1] and in order to have the CI checks pass, the cryptography dependency was defined as
>>
>>     cryptography >= 2.6, < 37.0
>>
>> So for now, Twisted is limited to cryptography up to 36.0.2
>>
>> My hope is that we can find the volunteers to look into this issue and have Twisted working with latest cryptography and latest OpenSSL
>>
>> It might be the case that Twisted is OK and we only need to update the assertions in the test code.
>>
>> I guess that the main reason for the failure is OpenSSL 3.0.0.
>> For Twisted CI we used the upstream cryptography wheels, and they are distributed with an embedded OpenSSL
>>
>> If you have time, try to run your Twisted TLS based apps together with cryptography 37.0 upstream wheels and see if you observe any failures.
>>
>> If you have custom wheels that link to OpenSSL 1.1.1, it would also help to test cryptography 37.0 and OpenSSL 1.1.1
>>
>> Feel free to add any feedback here over email or over IRC / Gitter or over Trac.
>>
>> Thanks
>>
>> [1] https://github.com/twisted/twisted/pull/1724
>> --
>> Adi Roiban
>> _______________________________________________
>> Twisted mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> https://mail.python.org/mailman3/lists/twisted.python.org/
>> Message archived at https://mail.python.org/archives/list/[email protected]/message/TCXAKCDKHYPZPHA4HWWVV4UZRTOU7Y2Z/
>> Code of Conduct: https://twisted.org/conduct
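An added example, not part of the original message or of Twisted's own code: a check for the problem described above, a test certificate whose key is too short for the OpenSSL build validating it. It uses the `cryptography` package; the function names are hypothetical, the 2048-bit RSA threshold (what OpenSSL security level 2 requires) is an assumption, and the certificates are constructed inline rather than read from fake_CAs.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumed threshold: OpenSSL security level 2 rejects RSA keys under 2048 bits.
MIN_RSA_BITS = 2048


def make_self_signed_pem(common_name, bits):
    """Build a throwaway self-signed certificate (constructed sample input)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2022, 5, 1)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def weak_rsa_certs(pems, min_bits=MIN_RSA_BITS):
    """Return (subject, key_size) for each PEM cert whose RSA key is too short."""
    findings = []
    for pem in pems:
        cert = x509.load_pem_x509_certificate(pem)
        pub = cert.public_key()
        if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < min_bits:
            findings.append((cert.subject.rfc4514_string(), pub.key_size))
    return findings


# Constructed samples: one CA-style cert with a short key, one with a 2048-bit key.
SAMPLES = [make_self_signed_pem("old-test-ca", 1024),
           make_self_signed_pem("new-test-ca", 2048)]

if __name__ == "__main__":
    for subject, bits in weak_rsa_certs(SAMPLES):
        print(f"{subject}: RSA {bits} bits is below {MIN_RSA_BITS}")
```

Pointing `weak_rsa_certs` at the bytes of each PEM file in a test fixture directory shows which certificates need regenerating before the suite is run against a stricter OpenSSL.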
