Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 1778357 - python3: FTBFS with crypto-policies-20191002-1.gitc93dc99.fc32: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).maximum_version has changed
Summary: python3: FTBFS with crypto-policies-20191002-1.gitc93dc99.fc32: ssl.SSLContex...
Alias: None
Product: Fedora
Classification: Fedora
Component: python3
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Python Maintainers
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: F32FTBFS
TreeView+ depends on / blocked
Reported: 2019-11-30 09:08 UTC by Miro Hrončok
Modified: 2020-04-01 13:04 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-01 13:04:41 UTC
Type: Bug

Attachments (Terms of Use)

Description Miro Hrončok 2019-11-30 09:08:10 UTC
Description of problem:
Package python3 fails to build from source in Fedora rawhide.

FAIL: test_min_max_version (test.test_ssl.ContextTests)
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.8.0/Lib/test/", line 1207, in test_min_max_version
AssertionError: <TLSVersion.TLSv1_3: 772> != <TLSVersion.MAXIMUM_SUPPORTED: -1>

Version-Release number of selected component (if applicable):

Steps to Reproduce:
koji build --scratch f32 python3-3.8.0-2.fc32.src.rpm

Additional info:
This package is tracked by Koschei. See:

Koschei says glibc was updated:

Is that possibly related?

Comment 1 Miro Hrončok 2019-12-01 20:56:26 UTC
I get a consistent result with glibc 2.30.9000-20.fc32. That was a red herring.


However, I've bisected the problem to crypto-policies-20191002-1.gitc93dc99.fc32

$ rpm -q crypto-policies

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'

$ dnf -qy update crypto-policies
$ rpm -q crypto-policies

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.TLSv1_3: 772>

Tomáš, has there been a deliberate change or is it a regression? I don't see anything related in the changelog.


Comment 2 Tomas Mraz 2019-12-02 07:25:46 UTC
Yes, this was a deliberate change. It is related to the addition of OSPP subpolicy which requires setting the MaxProtocol to TLSv1.2. Ideally this test in Python should be written in a way that it would not depend on system-wide settings.

Comment 3 Tomas Mraz 2019-12-02 07:26:23 UTC
This is coming to RHEL-8.2 as well.

Comment 4 Miro Hrončok 2019-12-02 11:11:47 UTC

I think this can be workarounded by reintroducing

Comment 5 Miro Hrončok 2019-12-02 12:13:36 UTC

$ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'
<TLSVersion.TLSv1_3: 772>

$ env OPENSSL_CONF=/non-existing-file python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))'

Comment 6 Miro Hrončok 2019-12-02 12:21:57 UTC
First PR:

Comment 7 Miro Hrončok 2019-12-02 12:26:14 UTC
Second PR:

Comment 8 Miro Hrončok 2019-12-03 17:58:10 UTC
A workaround has been set. We keep this open until the fix is changed. It was done in upstream for the future versions of 3.9, 3.8 and 3.7.

Comment 9 Miro Hrončok 2019-12-03 17:59:45 UTC
s/the fix is changed/the test is changed/

Comment 10 Ben Cotton 2020-02-11 17:42:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 11 Petr Viktorin (pviktori) 2020-03-18 13:14:30 UTC
We can probably drop the workaround now, someone needs to check & drop.

Comment 12 Tomáš Hrnčiar 2020-03-27 13:35:08 UTC
PR to drop workaround, it works without it.

Note You need to log in before you can comment on or make changes to this bug.