Skip to content

[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124)#13252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ned-deily merged 3 commits into from
May 29, 2019
Merged

[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13252

ned-deily merged 3 commits into from
May 29, 2019

Conversation

@gpshead
Copy link
Member

@gpsheadgpshead commented May 11, 2019
edited
Loading

Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
and the use of TLS versions less than TLSv1.2 by default. This causes our
test suite run with external networking resources enabled to skip these tests
when they encounter such a failure or configuration.

(cherry picked from commit 2cc0223)

Additional change to test_ssl.py required as 3.6 and earlier have legacy protocol tests.
The test_httplib.py change is omitted from this backport as self-signed.pythontest.net's
certificate was updated.

Authored-by: Gregory P. Smith greg@krypto.org

https://bugs.python.org/issue35925

gpshead added 2 commits May 11, 2019 11:36
@gpshead
[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (
cc6870f
…pythonGH-13124) Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue.. (cherry picked from commit 2cc0223) Co-authored-by: Gregory P. Smith <greg@krypto.org>
@gpshead
Also skip ssl tests that fail when the system rejects TLSv1.
8766941
@gpsheadgpshead added the tests Tests in the Lib/test dir label May 11, 2019
@bedevere-botbedevere-bot mentioned this pull request May 11, 2019
Merged
@gpsheadgpshead requested a review from tiranMay 11, 2019 18:44
@gpsheadgpshead removed the sprint label May 11, 2019
@gpshead
Remove the test_httplib change; server was updated.
60d4fb9
self-signed.pythontest.net was updated so the test_httplib change is no longer necessary.
@gpsheadgpshead mentioned this pull request May 11, 2019
Merged
@gpshead
Copy link
MemberAuthor

gpshead commented May 13, 2019

This will make the debian buster buildbot green again for 3.6.

@larryhastings you might want to cherry pick this for 3.5 as well if people building 3.5.x on systems with a modern openssl configuration and running -u all tests is a concern.

@ned-deilyned-deily merged commit 8ab624b into python:3.6May 29, 2019
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tirantiranAwaiting requested review from tiran

Assignees

@ned-deilyned-deily

Labels

testsTests in the Lib/test dir

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gpshead@ned-deily@the-knights-who-say-ni@bedevere-bot