From 35c70e379adf79fd7ebd00dfbe3abd9df1e8b745 Mon Sep 17 00:00:00 2001
From: Victor Stinner
Date: Apr 26 2019 09:42:15 +0000
Subject: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1
Backport of: https://github.com/python/cpython/pull/12694
Resolves: rhbz#1685609
---
diff --git a/00322-test_ssl-skip-openssl111.patch b/00322-test_ssl-skip-openssl111.patch
new file mode 100644
index 0000000..6618f8b
--- /dev/null
+++ b/00322-test_ssl-skip-openssl111.patch
@@ -0,0 +1,90 @@
+bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1
+
+Some test_ssl and test_asyncio are written for OpenSSL 1.0 and TLS
+1.0, but fail with OpenSSL 1.1.1 and TLS 1.3.
+
+Fixing these needs require to backport new ssl flags like
+ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION which cannot be done in a
+minor 3.5.x release. Moreover, it is not really worth it: the code
+works fine, issues are in the tests.
+
+Backport of: https://github.com/python/cpython/pull/12694
+
+Resolves: rhbz#1685609
+
+diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
+index 492a84a2313b..b23889b20dea 100644
+--- a/Lib/test/test_asyncio/test_events.py
++++ b/Lib/test/test_asyncio/test_events.py
+@@ -38,6 +38,12 @@
+ from asyncio import test_support as support
+
+
++if ssl is not None:
++ IS_OPENSSL_1_1_1 = ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
++else:
++ IS_OPENSSL_1_1_1 = False
++
++
+ def data_file(filename):
+ if hasattr(support, 'TEST_HOME_DIR'):
+ fullname = os.path.join(support.TEST_HOME_DIR, filename)
+@@ -1145,6 +1151,7 @@ def test_legacy_create_unix_server_ssl_verify_failed(self):
+ self.test_create_unix_server_ssl_verify_failed()
+
+ @unittest.skipIf(ssl is None, 'No ssl module')
++ @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
+ def test_create_server_ssl_match_failed(self):
+ proto = MyProto(loop=self.loop)
+ server, host, port = self._make_ssl_server(
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 6c78601b4589..30a64ee0a4c7 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -25,6 +25,7 @@
+ HOST = support.HOST
+ IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
+ IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
++IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
+
+
+ def data_file(*name):
+@@ -857,6 +858,7 @@ def test_ciphers(self):
+ ctx.set_ciphers("^$:,;?*'dorothyx")
+
+ @skip_if_broken_ubuntu_ssl
++ @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
+ def test_options(self):
+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+@@ -3047,6 +3049,7 @@ def test_version_basic(self):
+ self.assertIs(s.version(), None)
+
+ @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
++ @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
+ def test_default_ecdh_curve(self):
+ # Issue #21015: elliptic curve-based Diffie Hellman key exchange
+ # should be enabled by default on SSL contexts.
+@@ -3176,6 +3179,7 @@ def test_selected_alpn_protocol_if_server_uses_alpn(self):
+ self.assertIs(stats['client_alpn_protocol'], None)
+
+ @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support needed for this test")
++ @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
+ def test_alpn_protocols(self):
+ server_protocols = ['foo', 'bar', 'milkshake']
+ protocol_tests = [
+@@ -3356,6 +3360,7 @@ def cb_wrong_return_type(ssl_sock, server_name, initial_context):
+ self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
+ self.assertIn("TypeError", stderr.getvalue())
+
++ @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
+ def test_shared_ciphers(self):
+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+diff --git a/Misc/NEWS.d/next/Tests/2019-04-05-10-34-29.bpo-36576.7Cp2kK.rst b/Misc/NEWS.d/next/Tests/2019-04-05-10-34-29.bpo-36576.7Cp2kK.rst
+new file mode 100644
+index 000000000000..4d15bdf42796
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2019-04-05-10-34-29.bpo-36576.7Cp2kK.rst
+@@ -0,0 +1 @@
++Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1.
diff --git a/python35.spec b/python35.spec
index de4ee05..d6a11e8 100644
--- a/python35.spec
+++ b/python35.spec
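Review bot: The `IS_OPENSSL_1_1_1` constant added to test_events.py in the embedded patch has no LibreSSL guard, while the one added to test_ssl.py is written as `not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)`. If a LibreSSL build reports a version tuple at or above (1, 1, 1), which I believe it does, `test_create_server_ssl_match_failed` would be skipped there too, and by its name that test covers a certificate/hostname match failure, so it is worth keeping wherever it still passes. I would write the test_events.py definition as `IS_OPENSSL_1_1_1 = not ssl.OPENSSL_VERSION.startswith('LibreSSL') and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)` so both files agree. The six skips are also open-ended for every later OpenSSL, so the package's test run no longer exercises options, default ECDH, ALPN or shared-cipher behaviour on the shipped library. A comment above each constant such as `# bpo-36576: tests assume TLS 1.0 defaults; drop the skips once ssl.OP_NO_TLSv1_3 / ssl.OP_NO_COMPRESSION are available` would tell a maintainer when they can be removed.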
@@ -85,7 +85,7 @@ Name: python%{pyshortver} #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 1%{?dist} +Release: 2%{?dist} License: Python # Whether to use RPM build wheels from the python-{pip,setuptools}-wheel package @@ -401,6 +401,11 @@ Patch290: 00290-cryptmodule-Include-crypt.h-for-declaration-of-crypt.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1652843 Patch315: 00315-test_email-mktime.patch +# 00322 # +# Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 +# https://bugzilla.redhat.com/show_bug.cgi?id=1685609 +Patch322: 00322-test_ssl-skip-openssl111.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -527,6 +532,7 @@ rmdir Lib/ensurepip/_bundled %patch273 -p1 %patch290 -p1 %patch315 -p1 +%patch322 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1043,6 +1049,9 @@ CheckPython optimized # ====================================================== %changelog +* Tue Apr 02 2019 Victor Stinner - 3.5.7-2 +- Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 (rhbz#1685609) + * Tue Mar 19 2019 Miro HronĨok - 3.5.7-1 - Update to 3.5.7