Issue 8322: test_ssl failures with OpenSSL 1.0.0 (original) (raw)
Created on 2010-04-05 20:45 by pitrou, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Messages (10)
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-05 20:45
When I compile and link against a local build of OpenSSL 1.0.0 (vanilla), I get the following errors in test_ssl:
====================================================================== ERROR: testProtocolSSL2 (test.test_ssl.ThreadedTests)
Traceback (most recent call last): File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 869, in testProtocolSSL2 tryProtocolCombo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True) File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 736, in tryProtocolCombo CERTFILE, CERTFILE, client_protocol, chatty=False) File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 688, in serverParamsTest raise test_support.TestFailed("Unexpected exception: " + str(x)) TestFailed: Unexpected exception: [Errno 104] Connection reset by peer
====================================================================== ERROR: testProtocolSSL3 (test.test_ssl.ThreadedTests)
Traceback (most recent call last): File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 903, in testProtocolSSL3 tryProtocolCombo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False) File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 745, in tryProtocolCombo ssl.get_protocol_name(server_protocol))) TestFailed: Client protocol SSLv23 succeeded with server protocol SSLv3!
====================================================================== ERROR: testProtocolTLS1 (test.test_ssl.ThreadedTests)
Traceback (most recent call last): File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 914, in testProtocolTLS1 tryProtocolCombo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False) File "/home/antoine/cpython/newssl/Lib/test/test_ssl.py", line 745, in tryProtocolCombo ssl.get_protocol_name(server_protocol))) TestFailed: Client protocol SSLv23 succeeded with server protocol TLSv1!
Author: STINNER Victor (vstinner) *
Date: 2010-04-06 08:57
Extract of SSL_CTX_new manual page:
SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
A TLS/SSL connection established with these methods will understand the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages and will indicate that it also understands SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best choice when compatibility is a concern.
I don't think that "Client protocol SSLv23 succeeded with server protocol SSLv3" or "Client protocol SSLv23 succeeded with server protocol TLSv1" are errors.
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-06 09:05
It begs the question of why the tests succeed with previous OpenSSL versions. The only possibly relevant entry I could find in the OpenSSL changelog (but I'm not an expert) is the following:
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: this allows the use of compression and extensions. Change default cipher string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 by default unless an application cipher string requests it. [Steve Henson]
Author: STINNER Victor (vstinner) *
Date: 2010-04-06 09:56
All errors concern SSLv23 at server side, and another protocol at client side (SSLv23 for client and server works as expected).
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-09 22:36
After some investigation, the error does occur because of the aforementioned changelog entry (SSLv2 weak ciphers are now disabled by default). To check it I just added the following line to newPySSLObject():
SSL_CTX_set_cipher_list(self->ctx, "ALL");
Of course this isn't desirable: we shouldn't blindly enable weak ciphers. Instead we could simply add an argument to configure allowed ciphers, and use "ALL" in our tests. Or we could add a separate method to configure ciphers.
(this begs the question of whether this is suitable post-beta1)
What do you think?
Author: Roumen Petrov (rpetrov) *
Date: 2010-04-10 14:51
Antoine Pitrou wrote:
Antoine Pitrou<pitrou@free.fr> added the comment:
After some investigation, the error does occur because of the aforementioned changelog entry (SSLv2 weak ciphers are now disabled by default). To check it I just added the following line to newPySSLObject():
SSL_CTX_set_cipher_list(self->ctx, "ALL");
Of course this isn't desirable: we shouldn't blindly enable weak ciphers. Instead we could simply add an argument to configure allowed ciphers, and use "ALL" in our tests. Or we could add a separate method to configure ciphers.
(this begs the question of whether this is suitable post-beta1)
What do you think?
List of ciphers is application dependent and configure script can't limit users(applications) .
Roumen
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-10 14:53
List of ciphers is application dependent and configure script can't limit users(applications) .
I was obviously talking about a runtime argument to ssl.wrap_socket().
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-16 20:34
A set_ciphers() method turns out to be highly impractical, since the underlying SSL objects are created lazily when we actually connect the socket. Therefore, I have instead opted for a new "ciphers" argument to the SSL constructor(s). Patch attached.
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-16 21:35
New patch updating docs.
Author: Antoine Pitrou (pitrou) *
Date: 2010-04-17 17:41
Committed in r80151 (trunk), r80154 (py3k).
History
Date
User
Action
Args
2022-04-11 14:56:59
admin
set
github: 52569
2010-04-17 17:41:14
pitrou
set
status: open -> closed
resolution: fixed
messages: +
stage: patch review -> resolved
2010-04-16 21:39:44
pitrou
set
stage: needs patch -> patch review
2010-04-16 21:35:24
pitrou
set
files: + ciphers2.patch
messages: +
2010-04-16 20:40:04
pitrou
set
files: + ciphers.patch
2010-04-16 20:39:51
pitrou
set
files: - ciphers.patch
2010-04-16 20:34:50
pitrou
set
files: + ciphers.patch
keywords: + patch
messages: +
2010-04-10 14:53:54
pitrou
set
messages: +
2010-04-10 14:51:55
rpetrov
set
nosy: + rpetrov
messages: +
2010-04-09 22:36:59
pitrou
set
nosy: + benjamin.peterson
messages: +
2010-04-06 14:50:15
Arfrever
set
nosy: + Arfrever
2010-04-06 09:56:15
vstinner
set
messages: +
2010-04-06 09:05:23
pitrou
set
messages: +
2010-04-06 08:57:34
vstinner
set
nosy: + vstinner
messages: +
2010-04-05 20:45:34
pitrou
create