Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1778357
Summary: | python3: FTBFS with crypto-policies-20191002-1.gitc93dc99.fc32: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).maximum_version has changed | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Miro Hrončok <mhroncok> |
Component: | python3 | Assignee: | Python Maintainers <python-maint> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 32 | CC: | cheimes, cstratak, dmalcolm, m.cyprian, mhroncok, pviktori, rkuska, shcherbina.iryna, slavek.kabrda, thrnciar, tmraz, tomspur, torsava, vstinner |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | https://koschei.fedoraproject.org/package/python3 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-04-01 13:04:41 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1750908 |
Description
Miro Hrončok
2019-11-30 09:08:10 UTC
I get a consistent result with glibc 2.30.9000-20.fc32. That was a red herring. ------- However, I've bisected the problem to crypto-policies-20191002-1.gitc93dc99.fc32 https://src.fedoraproject.org/rpms/crypto-policies/c/b7ce8f783ce01feb997c7aee323b8276a52777c4?branch=master https://koschei.fedoraproject.org/affected-by/crypto-policies?epoch1=0&version1=20191002&release1=1.gitc93dc99.fc32&epoch2=0&version2=20191128&release2=1.gitcd267a5.fc32&collection=f32 $ rpm -q crypto-policies crypto-policies-20191002-1.gitc93dc99.fc32.noarch $ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.MAXIMUM_SUPPORTED: -1> $ dnf -qy update crypto-policies $ rpm -q crypto-policies crypto-policies-20191128-1.gitcd267a5.fc32.noarch $ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.TLSv1_3: 772> Tomáš, has there been a deliberate change or is it a regression? I don't see anything related in the changelog. Thanks. Yes, this was a deliberate change. It is related to the addition of OSPP subpolicy which requires setting the MaxProtocol to TLSv1.2. Ideally this test in Python should be written in a way that it would not depend on system-wide settings. This is coming to RHEL-8.2 as well. Thanks. I think this can be workarounded by reintroducing https://src.fedoraproject.org/rpms/python3/c/b33b4a5162e2b5873c5846dcba882f3569ab76cd?branch=master Indeed: $ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.TLSv1_3: 772> $ env OPENSSL_CONF=/non-existing-file python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.MAXIMUM_SUPPORTED: -1> A workaround has been set. We keep this open until the fix is changed. It was done in upstream for the future versions of 3.9, 3.8 and 3.7. s/the fix is changed/the test is changed/ This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32. We can probably drop the workaround now, someone needs to check & drop. PR to drop workaround, it works without it. https://src.fedoraproject.org/rpms/python3/pull-request/180 https://src.fedoraproject.org/tests/python/pull-request/22 |