Issue 24985: Python install test fails - OpenSSL - "dh key too small"

Installing Python 3.4.3 on a new CentOS Linux release 7.1.1503 server. Started with source tarball, did usual ./configure; make; make test. SSL test fails with "dh key too small". See below.

OpenSSL has recently been modified to reject short keys, due to a security vulnerability. See http://www.ubuntu.com/usn/usn-2639-1/ and see here for an analysis of the issue on a Python install: http://www.alexrhino.net/jekyll/update/2015/07/14/dh-params-test-fail.html

Apparently the "dh512.pem" file in the test suite is now obsolete, because the minimum length dh key is now 768.

The question is, does this break anything else? Google for "dh key too small" and various other projects report problems.

======================================================================
ERROR: test_dh_params (test.test_ssl.ThreadedTests)

Traceback (most recent call last):
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/test/test_ssl.py", line 2728, in test_dh_params
    chatty=True, connectionchatty=True)
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/test/test_ssl.py", line 1866, in server_params_test
    s.connect((HOST, server.port))
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line 846, in connect
    self._real_connect(addr, False)
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line 837, in _real_connect
    self.do_handshake()
  File "/home/sitetruth/private/downloads/python/Python-3.4.3/Lib/ssl.py", line 810, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:600)

Ran 99 tests in 12.012s

FAILED (errors=1, skipped=4)
test test_ssl failed
make: *** [test] Error 1

======================================================================
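
An added example, not part of the original report or of CPython's test suite: a standard-library check that reads the prime size out of a PKCS#3 "DH PARAMETERS" PEM block and compares it with the 768-bit minimum mentioned above, which is what makes a file like dh512.pem fail. All function names are hypothetical, and the sample parameters are constructed (the "prime" is not actually prime; only its size matters here).

```python
import base64

MIN_DH_BITS = 768  # minimum DH size the report above gives for the updated OpenSSL

def _read_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, next_index)."""
    if buf[i] < 0x80:                      # short form: one byte
        return buf[i], i + 1
    n = buf[i] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(buf, i):
    """Decode the DER INTEGER at buf[i]; return (value, next_index)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, i = _read_len(buf, i + 1)
    if i + length > len(buf):
        raise ValueError("truncated INTEGER")
    return int.from_bytes(buf[i:i + length], "big"), i + length

def dh_param_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    begin, end = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"
    body = pem_text[pem_text.index(begin) + len(begin):pem_text.index(end)]
    der = base64.b64decode("".join(body.split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)               # DHParameter ::= SEQUENCE { p, g, ... }
    _read_int(der, i)                      # g must also parse
    return p.bit_length()

def is_acceptable(pem_text, minimum=MIN_DH_BITS):
    return dh_param_bits(pem_text) >= minimum

# --- constructed sample input (p is NOT a real prime; sizes only) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def make_sample_pem(bits):
    ints = [(1 << (bits - 1)) | 1, 2]      # p with exactly `bits` bits, generator 2
    seq = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    b64 = base64.encodebytes(_tlv(0x30, seq)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"
```

Calling `is_acceptable(open(path).read())` on each DH parameter file a server or test suite ships flags the ones that an OpenSSL build with this minimum will refuse during the handshake.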