Hi,

With the latest release of cryptography 37.0 the Twisted test suite fails.

I have created a ticket here https://twistedmatrix.com/trac/ticket/10337

As part of another PR [1] and in order to have the CI checks pass, the cryptography dependency was defined as

`cryptography >= 2.6, < 37.0`

So for now, Twisted is limited to cryptography up to 36.0.2

My hope is that we can find the volunteers to look into this issue and have Twisted working with latest cryptography and latest OpenSSL

It might be the case that Twisted is OK and we only need to update the assertions in the test code.

I guess that the main reason for the failure is OpenSSL 3.0.0. For Twisted CI we used the upstream cryptography wheels, and they are distributed with an embedded OpenSSL

If you have time, try to run your Twisted TLS based apps together with cryptography 37.0 upstream wheels and see if you observe any failures.

If you have custom wheels that link to OpenSSL 1.1.1, it would also help to test cryptography 37.0 and OpenSSL 1.1.1

Feel free to add any feedback here over email or over IRC / Gitter or over Trac.

Thanks

[1] https://github.com/twisted/twisted/pull/1724

-- Adi Roiban
I've got a fix in review over here https://github.com/twisted/twisted/pull/1731. The problem, simply put, was "TLS versions and outdated certificate attributes", and I tried to address TLS versioning in documentation and tests.

-g

On Apr 27, 2022, at 6:56 AM, Adi Roiban <adiroiban@gmail.com> wrote:
> Hi,
>
> With the latest release of cryptography 37.0 the Twisted test suite fails.
>
> I have created a ticket here https://twistedmatrix.com/trac/ticket/10337
>
> As part of another PR [1] and in order to have the CI checks pass, the cryptography dependency was defined as
>
> `cryptography >= 2.6, < 37.0`
>
> So for now, Twisted is limited to cryptography up to 36.0.2
>
> My hope is that we can find the volunteers to look into this issue and have Twisted working with latest cryptography and latest OpenSSL
>
> It might be the case that Twisted is OK and we only need to update the assertions in the test code.
>
> I guess that the main reason for the failure is OpenSSL 3.0.0. For Twisted CI we used the upstream cryptography wheels, and they are distributed with an embedded OpenSSL
>
> If you have time, try to run your Twisted TLS based apps together with cryptography 37.0 upstream wheels and see if you observe any failures.
>
> If you have custom wheels that link to OpenSSL 1.1.1, it would also help to test cryptography 37.0 and OpenSSL 1.1.1
>
> Feel free to add any feedback here over email or over IRC / Gitter or over Trac.
>
> Thanks
>
> [1] https://github.com/twisted/twisted/pull/1724
>
> -- Adi Roiban

The fix is merged, and we should shortly be re-enabled in Cryptography's downstream builds: https://github.com/pyca/cryptography/pull/7211.

However, we're running a subset of the tests right now because the certificate authority used by twisted.internet.test.test_endpoints.WrapClientTLSParserTests.test_tls has too short of a key length. Apparently the system OpenSSL in Ubuntu checks keys in this context, but the one built by Cryptography itself doesn't. We could potentially test this configuration (and maybe we should, Ubuntu+system OpenSSL is almost certainly a configuration some people care about).

We don't even need a code change here, just a re-generation of the certificates in src/twisted/internet/test/fake_CAs/. I just fixed up `epsilon` so you can literally run `certcreate` and not translate its options, its defaults seem to have made the transition to the modern era. You can't get it from the divmod wiki though, it lives here now: https://github.com/twisted/epsilon

I'd appreciate it if someone else could take this part though, I've already fallen way too far down the rabbit hole of this bugfix :). Once this is fixed we should be able to re-enable the full suite in Cryptography's CI.

-g

On May 11, 2022, at 12:59 AM, Glyph <glyph@twistedmatrix.com> wrote:
> I've got a fix in review over here https://github.com/twisted/twisted/pull/1731. The problem, simply put, was "TLS versions and outdated certificate attributes", and I tried to address TLS versioning in documentation and tests.
>
> -g
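
The short-key problem described in the message above can be located before regenerating anything. This is an added example, not code from Twisted, epsilon or the thread: it uses the `cryptography` library to list every certificate under a directory whose RSA key is below a floor. The 2048-bit floor and the `*.pem` file pattern are assumptions, not values stated in the thread.

```python
"""Audit PEM certificates for RSA keys below a minimum size (added example)."""
import sys
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import rsa

MIN_RSA_BITS = 2048  # assumed floor, not a value taken from the thread

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def iter_certs(pem_bytes):
    """Yield every X.509 certificate in a PEM bundle, skipping other blocks."""
    start = pem_bytes.find(PEM_BEGIN)
    while start != -1:
        end = pem_bytes.find(PEM_END, start)
        if end == -1:
            break  # truncated block: nothing more to parse
        end += len(PEM_END)
        yield x509.load_pem_x509_certificate(pem_bytes[start:end])
        start = pem_bytes.find(PEM_BEGIN, end)


def weak_rsa_certs(directory, min_bits=MIN_RSA_BITS):
    """Return (file name, subject, key bits) for each undersized RSA key."""
    findings = []
    for path in sorted(Path(directory).rglob("*.pem")):
        for cert in iter_certs(path.read_bytes()):
            key = cert.public_key()
            # Only RSA keys are sized this way; EC and others are left alone.
            if isinstance(key, rsa.RSAPublicKey) and key.key_size < min_bits:
                findings.append(
                    (path.name, cert.subject.rfc4514_string(), key.key_size)
                )
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = weak_rsa_certs(target)
    for name, subject, bits in hits:
        print(f"{name}: {subject} uses a {bits}-bit RSA key")
    sys.exit(1 if hits else 0)
```

Pointed at a test fixture directory, a non-zero exit status means at least one certificate needs to be regenerated with a longer key.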
participants (2): Adi Roiban, Glyph