[issue36816] self-signed.pythontest.net TLS certificate key is too weak

Gregory P. Smith report at bugs.python.org
Mon May 6 14:05:40 EDT 2019


New submission from Gregory P. Smith <greg at krypto.org>:

test_httplib uses self-signed.pythontest.net in its test_networked_good_cert test.

On modern Linux distros (current Debian testing sid), the certificate it currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I _believe_ this can be done by someone with infrastructure access via an update to https://github.com/python/pythontestdotnet/tree/master/tls

Assigning to EWDurbin for triage and redirection to someone else infrastructury if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on any "Debian buster" buildbot(s) such as https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  (the test _currently_ fails, I am going to have it be _skipped_ on this specific key too small error for the time being to get that stable buildbot green again)

----------
assignee: EWDurbin
components: SSL, Tests
messages: 341579
nosy: EWDurbin, gregory.p.smith
priority: normal
severity: normal
stage: needs patch
status: open
title: self-signed.pythontest.net TLS certificate key is too weak
type: behavior
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36816>
_______________________________________
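
Added example (not part of the original report and not CPython's own test code): one way a networked test can be skipped only on the weak-key verification failure shown in the traceback, while every other handshake error still fails the test. The helper names and the sample errors are assumptions constructed for illustration.

```python
import contextlib
import ssl
import unittest

# Verify message taken from the traceback in the report above.
WEAK_KEY_MESSAGE = "EE certificate key too weak"


def is_weak_key_failure(exc):
    """True only for the 'key too weak' certificate verification failure."""
    if not isinstance(exc, ssl.SSLError):
        return False
    # Python 3.7+ exposes the OpenSSL verify message on the exception;
    # older versions (no SSLCertVerificationError) only carry it in str(exc).
    message = getattr(exc, "verify_message", None) or str(exc)
    return WEAK_KEY_MESSAGE.lower() in message.lower()


@contextlib.contextmanager
def skip_on_weak_server_key(host):
    """Turn the weak-key failure into a skip; re-raise every other error."""
    try:
        yield
    except ssl.SSLError as exc:
        if is_weak_key_failure(exc):
            raise unittest.SkipTest(
                "%s presents a certificate key that is too weak" % host)
        raise  # hostname mismatch, expiry, untrusted issuer: still a failure


def outcome(exc, host="self-signed.pythontest.net"):
    """Return 'skip' or 'fail' for a constructed handshake error."""
    try:
        with skip_on_weak_server_key(host):
            raise exc
    except unittest.SkipTest:
        return "skip"
    except Exception:
        return "fail"


# Constructed sample errors (not captured from a real handshake).
PREFIX = "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
SAMPLES = {
    "weak_key": ssl.SSLError(1, PREFIX + "EE certificate key too weak (_ssl.c:1055)"),
    "expired": ssl.SSLError(1, PREFIX + "certificate has expired (_ssl.c:1055)"),
    "not_ssl": ConnectionResetError("connection reset by peer"),
}

if __name__ == "__main__":
    for name, exc in SAMPLES.items():
        print(name, "->", outcome(exc))
```

Matching on the one verify message keeps the skip narrow, so a certificate that starts failing for a different reason still turns the buildbot red.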