Bug 1778357 - python3: FTBFS with crypto-policies-20191002-1.gitc93dc99.fc32: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).maximum_version has changed
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: python3
Version: 32
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Python Maintainers
QA Contact: Fedora Extras Quality Assurance
URL: https://koschei.fedoraproject.org/pac...
Whiteboard:
Depends On:
Blocks: F32FTBFS
Reported: 2019-11-30 09:08 UTC by Miro Hrončok
Modified: 2020-04-01 13:04 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-01 13:04:41 UTC
Type: Bug
Embargoed:



Description Miro Hrončok 2019-11-30 09:08:10 UTC
Description of problem:
Package python3 fails to build from source in Fedora rawhide.

======================================================================
FAIL: test_min_max_version (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.8.0/Lib/test/test_ssl.py", line 1207, in test_min_max_version
    self.assertEqual(
AssertionError: <TLSVersion.TLSv1_3: 772> != <TLSVersion.MAXIMUM_SUPPORTED: -1>
----------------------------------------------------------------------

Version-Release number of selected component (if applicable):
3.8.0-2.fc32

Steps to Reproduce:
koji build --scratch f32 python3-3.8.0-2.fc32.src.rpm

Additional info:
This package is tracked by Koschei. See:
https://koschei.fedoraproject.org/build/7322718

Koschei says glibc was updated: https://src.fedoraproject.org/rpms/glibc/c/17391589c0dd9b92cf9c61efee9b0f12d7d3d030?branch=master

Is that possibly related?

Comment 1 Miro Hrončok 2019-12-01 20:56:26 UTC
I get a consistent result with glibc 2.30.9000-20.fc32. That was a red herring.

-------

However, I've bisected the problem to crypto-policies-20191002-1.gitc93dc99.fc32

https://src.fedoraproject.org/rpms/crypto-policies/c/b7ce8f783ce01feb997c7aee323b8276a52777c4?branch=master

https://koschei.fedoraproject.org/affected-by/crypto-policies?epoch1=0&version1=20191002&release1=1.gitc93dc99.fc32&epoch2=0&version2=20191128&release2=1.gitcd267a5.fc32&collection=f32



$ rpm -q crypto-policies
crypto-policies-20191002-1.gitc93dc99.fc32.noarch

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.MAXIMUM_SUPPORTED: -1>



$ dnf -qy update crypto-policies
$ rpm -q crypto-policies
crypto-policies-20191128-1.gitcd267a5.fc32.noarch

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.TLSv1_3: 772>





Tomáš, has there been a deliberate change or is it a regression? I don't see anything related in the changelog.


Thanks.

Comment 2 Tomas Mraz 2019-12-02 07:25:46 UTC
Yes, this was a deliberate change. It is related to the addition of OSPP subpolicy which requires setting the MaxProtocol to TLSv1.2. Ideally this test in Python should be written in a way that it would not depend on system-wide settings.

Comment 3 Tomas Mraz 2019-12-02 07:26:23 UTC
This is coming to RHEL-8.2 as well.

Comment 4 Miro Hrončok 2019-12-02 11:11:47 UTC
Thanks.

I think this can be worked around by reintroducing https://src.fedoraproject.org/rpms/python3/c/b33b4a5162e2b5873c5846dcba882f3569ab76cd?branch=master

Comment 5 Miro Hrončok 2019-12-02 12:13:36 UTC
Indeed:

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.TLSv1_3: 772>

$ env OPENSSL_CONF=/non-existing-file python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.MAXIMUM_SUPPORTED: -1>
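
Added example, not part of the original thread and not CPython's own test code: it repeats the comparison from Comments 1 and 5 in child interpreters to show whether the system-wide OpenSSL configuration changes the default protocol range, and checks the version setters without depending on those defaults, as Comment 2 suggests. The function names are hypothetical; the `/non-existing-file` path is the one used in Comment 5.

```python
import os
import ssl
import subprocess
import sys

# One-liner from the thread, extended to print the minimum version as well.
PROBE = (
    "import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); "
    "print(ctx.minimum_version.name, ctx.maximum_version.name)"
)


def probe_defaults(openssl_conf=None):
    """Return (min, max) TLSVersion names of a fresh server context.

    Runs in a child interpreter because OpenSSL loads its configuration
    once per process; openssl_conf overrides OPENSSL_CONF for the child.
    """
    env = dict(os.environ)
    if openssl_conf is not None:
        env["OPENSSL_CONF"] = openssl_conf
    out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                         capture_output=True, text=True, check=True).stdout
    minimum, maximum = out.split()
    return minimum, maximum


def policy_pins_versions(bypass_conf="/non-existing-file"):
    """True if the system OpenSSL configuration changes the default range."""
    return probe_defaults() != probe_defaults(bypass_conf)


def check_version_setters():
    """Policy-independent check: assert on values set here, not on defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    results = []
    for wanted in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED):
        ctx.maximum_version = wanted
        results.append(ctx.maximum_version == wanted)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    results.append(ctx.minimum_version == ssl.TLSVersion.TLSv1_2)
    return all(results)


if __name__ == "__main__":
    print("system config:   ", probe_defaults())
    print("config bypassed: ", probe_defaults("/non-existing-file"))
    print("policy pins versions:", policy_pins_versions())
    print("setters round-trip:  ", check_version_setters())
```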

Comment 6 Miro Hrončok 2019-12-02 12:21:57 UTC
First PR: https://src.fedoraproject.org/tests/python/pull-request/15

Comment 7 Miro Hrončok 2019-12-02 12:26:14 UTC
Second PR: https://src.fedoraproject.org/rpms/python3/pull-request/155

Comment 8 Miro Hrončok 2019-12-03 17:58:10 UTC
A workaround has been set. We keep this open until the fix is changed. It was done in upstream for the future versions of 3.9, 3.8 and 3.7.

Comment 9 Miro Hrončok 2019-12-03 17:59:45 UTC
s/the fix is changed/the test is changed/

Comment 10 Ben Cotton 2020-02-11 17:42:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 11 Petr Viktorin 2020-03-18 13:14:30 UTC
We can probably drop the workaround now, someone needs to check & drop.

Comment 12 Tomáš Hrnčiar 2020-03-27 13:35:08 UTC
PR to drop workaround, it works without it.
https://src.fedoraproject.org/rpms/python3/pull-request/180
https://src.fedoraproject.org/tests/python/pull-request/22

