New submission from Gregory P. Smith <g...@krypto.org>:

test_httplib uses self-signed.pythontest.net in its test_networked_good_cert 
test.

On modern Linux distros (current Debian testing sid), the certificate it 
currently uses is rightfully rejected as being too weak:

ERROR: test_networked_good_cert (test.test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/greg/oss/cpython/Lib/test/test_httplib.py", line 1628, in test_networked_good_cert
    h.request('GET', '/')
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1221, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1267, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1216, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/home/greg/oss/cpython/Lib/http/client.py", line 944, in send
    self.connect()
  File "/home/greg/oss/cpython/Lib/http/client.py", line 1383, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/greg/oss/cpython/Lib/ssl.py", line 405, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/greg/oss/cpython/Lib/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/greg/oss/cpython/Lib/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1055)

The TLS certificate on the server needs to be updated to something modern.  I 
_believe_ this can be done by someone with infrastructure access via an update 
to https://github.com/python/pythontestdotnet/tree/master/tls

Assigning to EWDurbin for triage and redirection to someone else infrastructury 
if he's not the right person.

How to know if it has been fixed?  Monitor the test_networked_good_cert test on 
any "Debian buster" buildbot(s) such as 
https://buildbot.python.org/all/#/workers/23 to make sure it is not skipped.  
(the test _currently_ fails, I am going to have it be _skipped_ on this 
specific key too small error for the time being to get that stable buildbot 
green again)

----------
assignee: EWDurbin
components: SSL, Tests
messages: 341579
nosy: EWDurbin, gregory.p.smith
priority: normal
severity: normal
stage: needs patch
status: open
title: self-signed.pythontest.net TLS certificate key is too weak
type: behavior
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36816>
_______________________________________
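
The narrow skip described in the message (skip only on the key-too-small verification error, fail on anything else), as an added example that is not part of the original message or of CPython's test suite. The helper names are hypothetical, and 66 is OpenSSL's X509_V_ERR_EE_KEY_TOO_SMALL verify code.

```python
import ssl
import unittest

# OpenSSL verify code X509_V_ERR_EE_KEY_TOO_SMALL; its error string is
# "EE certificate key too weak", as seen in the traceback above.
EE_KEY_TOO_SMALL = 66
WEAK_KEY_TEXT = "EE certificate key too weak"


def is_weak_ee_key_error(exc):
    """Return True only for the end-entity 'key too weak' verify failure."""
    if not isinstance(exc, ssl.SSLCertVerificationError):
        return False
    # verify_code / verify_message are set during a real handshake; fall
    # back to the exception text when they are absent (hand-built exception).
    if getattr(exc, "verify_code", None) == EE_KEY_TOO_SMALL:
        return True
    message = getattr(exc, "verify_message", None) or str(exc)
    return WEAK_KEY_TEXT in message


def run_or_skip_on_weak_key(handshake):
    """Call handshake(); skip on the weak-key error, re-raise anything else."""
    try:
        return handshake()
    except ssl.SSLCertVerificationError as exc:
        if is_weak_ee_key_error(exc):
            raise unittest.SkipTest(f"server certificate key too weak: {exc}")
        raise  # any other verification failure must still fail the test


# Constructed samples: the first reuses the message text from the traceback
# above, the second is an unrelated verification failure.
SAMPLE_WEAK = ssl.SSLCertVerificationError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
       "EE certificate key too weak (_ssl.c:1055)")
SAMPLE_OTHER = ssl.SSLCertVerificationError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
       "self signed certificate (_ssl.c:1055)")
```

Because only this one error is converted to a skip, a buildbot that reports the test as skipped is still seeing the weak key, and any other certificate problem keeps failing the test.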