[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Nope, it's not fixed. -- resolution: fixed -> stage: resolved -> needs patch status: closed -> open ___ Python tracker ___

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

STINNER Victor added the comment: Python 3.5.10 has been released, so I understand that this issue has been fixed. Thanks Christian Heimes for fixes ;-) -- nosy: +vstinner resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: > Does testing with the environment variable OPENSSL_CONF=/non-existing-file > workaround the remaining issues? Sadly, no. I get the same failures whether or not that environment variable is set. And I confirmed that the environment variable survives

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Miro Hrončok added the comment: Does testing with the environment variable OPENSSL_CONF=/non-existing-file workaround the remaining issues? -- ___ Python tracker ___

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Change by Miro Hrončok : -- nosy: +hroncok nosy_count: 2.0 -> 3.0 pull_requests: +21005 pull_request: https://github.com/python/cpython/pull/21882 ___ Python tracker ___

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Ping? -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Any news? -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: New changeset f52bf62fe12d46267e958f80dbe1f4425b55cd0f by Christian Heimes in branch '3.5': bpo-41183: Update finite DH params to 3072 bits (#21278) https://github.com/python/cpython/commit/f52bf62fe12d46267e958f80dbe1f4425b55cd0f --

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Gotcha. Thanks for looking into it for me. I don't think the world is super anxious about getting 3.5.10rc1 so it's not a big huge deal. But I will wait to hear back from you. Thanks! -- ___ Python tracker

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Christian Heimes added the comment: GH-21278 takes care of test failures related to DH params. For the other test failures somebody has to backport df6ac7e2b82d921a6e9ff5571b40c6dbcf635581 to 3.6 and 3.5. I cannot promise that I'm able to find time to do the backport today. --

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Change by Christian Heimes : -- pull_requests: +20427 stage: needs patch -> patch review pull_request: https://github.com/python/cpython/pull/21278 ___ Python tracker ___

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Do you need a temporary login on one of my Pop!_OS computers, in order to test? -- ___ Python tracker ___

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: ./python -m test -v test_ssl >& test_ssl_verbose_36_master -- Added file: https://bugs.python.org/file49290/test_ssl_verbose_36_master ___ Python tracker

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Christian Heimes added the comment: test_ssl_36_branch just contains "1 test failed: test_ssl". Could you please attach a verbose run? The problems are caused by security policy. We had similar issues in Fedora. - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: I assume this is building against the system OpenSSL. On this machine, the "openssl", "libssl1.1", and "libssl-dev" packages are all version "1.1.1f-1ubuntu2". The OS is "Pop!_OS" version 20.04, which is a derivative of Ubuntu 20.04. It appears to be

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: The 3.6 branch of python/cpython fails as well on this machine. Output attached. -- Added file: https://bugs.python.org/file49288/test_ssl_36_branch ___ Python tracker

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: test_ssl was one of the seven modules that failed. But attached here is just the output of % ./python -m test -v test_ssl >& test_ssl_failure -- Added file: https://bugs.python.org/file49287/test_ssl_failure ___

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Christian Heimes added the comment: I'm testing with latest build of OpenSSL 1.1.1 and Fedora's DEFAULT crypto policy here. Your vendor may have configured OpenSSL with a more strict crypto policy. Could you please attach a full output of ./python -m test -v test_ssl? Does the 3.6 test

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Upgrading to release blocker. -- priority: high -> release blocker resolution: fixed -> stage: resolved -> needs patch status: closed -> open ___ Python tracker

[issue41183] Workaround or fix for SSL ".._KEY_TOO_SMALL" test failures

Larry Hastings added the comment: Christian: Help! Again! I merged your PR, pulled a fresh copy, built it, and ran the test suite. I get seven failures in I think the same modules. Most of the failures are either "ssl.SSLError: [SSL] internal error (_ssl.c:728)", or some flavor of