[issue36037] test_ssl fails on RHEL8 strict OpenSSL configuration

STINNER Victor report at bugs.python.org
Tue Feb 19 09:19:42 EST 2019


New submission from STINNER Victor <vstinner at redhat.com>:

RHEL8 uses a strict crypto policy by default. For example, SSLContext uses TLS 1.2 as the minimum version by default.

Attached PR fixes test_ssl for RHEL8. The PR is not specific to RHEL8. It should also fix test_ssl on Debian: see bpo-35925 and bpo-36005.

test_ssl failures on RHEL8:

======================================================================
ERROR: test_PROTOCOL_TLS (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3079, in test_PROTOCOL_TLS
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 3150, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2623, in try_protocol_combo
    stats = server_params_test(client_context, server_context,
  File "/root/cpython-master/Lib/test/test_ssl.py", line 2549, in server_params_test
    s.connect((HOST, server.port))
  File "/root/cpython-master/Lib/ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "/root/cpython-master/Lib/ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "/root/cpython-master/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1055)

======================================================================
FAIL: test_min_max_version (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/cpython-master/Lib/test/test_ssl.py", line 1093, in test_min_max_version
    self.assertIn(
AssertionError: <TLSVersion.TLSv1_2: 771> not found in {<TLSVersion.TLSv1: 769>, <TLSVersion.MINIMUM_SUPPORTED: -2>}

----------------------------------------------------------------------

Ran 150 tests in 3.318s

FAILED (failures=1, errors=2, skipped=9)

----------
assignee: christian.heimes
components: SSL, Tests
messages: 335950
nosy: christian.heimes, vstinner
priority: normal
severity: normal
status: open
title: test_ssl fails on RHEL8 strict OpenSSL configuration
versions: Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36037>
_______________________________________
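
An added example, not part of the original report or of the attached PR: one way a test suite can read the minimum TLS version the host policy gives a new SSLContext and skip legacy-protocol cases instead of failing as in the tracebacks above. The helper names (policy_floor, version_allowed, blocked_legacy, requires_version) are hypothetical.

```python
import ssl
import unittest

# Versions exercised by the two failing ThreadedTests in the report.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def policy_floor(ctx=None):
    """Lowest TLS version a freshly created context will negotiate.

    On a host with a strict system-wide crypto policy this is TLSv1_2 or
    higher; MINIMUM_SUPPORTED means no explicit floor was configured.
    """
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ctx.minimum_version


def version_allowed(version, floor):
    """True if a handshake pinned to `version` is not below `floor`."""
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True
    return version >= floor


def blocked_legacy(floor):
    """Names of the legacy versions that the given floor rejects."""
    return [v.name for v in LEGACY_VERSIONS if not version_allowed(v, floor)]


def requires_version(version):
    """Hypothetical decorator: skip a test whose protocol the policy forbids."""
    floor = policy_floor()
    return unittest.skipUnless(
        version_allowed(version, floor),
        f"{version.name} is below the policy floor {floor.name}",
    )


if __name__ == "__main__":
    floor = policy_floor()
    print("default minimum_version:", floor.name)
    print("legacy versions rejected:", blocked_legacy(floor) or "none")
```
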

