Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 29, 2019
Merged

[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) #13252

merged 3 commits into from
May 29, 2019

Conversation

gpshead
Copy link
Member

@gpshead gpshead commented May 11, 2019
edited
Loading

Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
and the use of TLS versions less than TLSv1.2 by default. This causes our
test suite run with external networking resources enabled to skip these tests
when they encounter such a failure or configuration.

(cherry picked from commit 2cc0223)

Additional change to test_ssl.py required as 3.6 and earlier have legacy protocol tests.
The test_httplib.py change is omitted from this backport as self-signed.pythontest.net's
certificate was updated.

Authored-by: Gregory P. Smith [email protected]

https://bugs.python.org/issue35925

gpshead added 2 commits May 11, 2019 11:36
@gpshead
[3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (
cc6870f 
…pythonGH-13124)

Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default.  This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a failure.

Fixing the network servers is a separate issue..
(cherry picked from commit 2cc0223)

Co-authored-by: Gregory P. Smith <[email protected]>
@gpshead
Also skip ssl tests that fail when the system rejects TLSv1.
8766941
@gpshead gpshead added the tests Tests in the Lib/test dir label May 11, 2019
@bedevere-bot bedevere-bot mentioned this pull request May 11, 2019
Merged
@gpshead gpshead requested a review from tiran May 11, 2019 18:44
@gpshead gpshead removed the sprint label May 11, 2019
@gpshead
Remove the test_httplib change; server was updated.
60d4fb9 
self-signed.pythontest.net was updated so the test_httplib change is
no longer necessary.
@gpshead gpshead mentioned this pull request May 11, 2019
Merged
@gpshead
Copy link
Member Author

gpshead commented May 13, 2019

This will make the debian buster buildbot green again for 3.6.

@larryhastings you might want to cherry pick this for 3.5 as well if people building 3.5.x on systems with a modern openssl configuration and running -u all tests is a concern.

@ned-deily ned-deily merged commit 8ab624b into python:3.6 May 29, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tiran tiran Awaiting requested review from tiran

Assignees

@ned-deily ned-deily

Labels
tests Tests in the Lib/test dir
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gpshead @ned-deily @the-knights-who-say-ni @bedevere-bot