Bug#907219: m2crypto: autopkgtest needs update for new version of openssl

To: submit@bugs.debian.org
Subject: Bug#907219: m2crypto: autopkgtest needs update for new version of openssl
From: Paul Gevers <elbrus@debian.org>
Date: Fri, 24 Aug 2018 22:04:38 +0200
Message-id: <[🔎] 31e2f322-896d-4332-0d68-6ddecab9a997@debian.org>
Reply-to: Paul Gevers <elbrus@debian.org>, 907219@bugs.debian.org
Source: m2crypto
Version: 0.27.0-6
X-Debbugs-CC: debian-ci@lists.debian.org
User: debian-ci@lists.debian.org
Usertags: needs-update
Control: affects -1 src:openssl
Control: block 907015 by -1

Dear maintainers,

With a recent upload of openssl the autopkgtest of m2crypto started to
fail in testing. I copied some of the output below.

Of course, openssl shouldn't just break your autopkgtest (or even worse,
your package), but the change in openssl was intended and your package
needs to update to the new situation. If needed, please change the bug's
severity.

If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from openssl should really add
a versioned Breaks on the unfixed version of (one of your) package(s),
hence I added a blocking relation on the openssl bug that tracks that.
Note: the Breaks is nice even if the issue is only in the autopkgtest as
it helps the migration software to figure out the right versions to
combine in the tests.

A quote from the openssl maintainer about the openssl update:
"
This is probably the result of the default openssl.cfg now having:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Where the SECLEVEL 2 requires a 112 / 2048 bit security level.
"

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=openssl

https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/874888/log.gz

/usr/lib/python2.7/dist-packages/M2Crypto/httpslib.py:88: error
_____________ TwistedSSLClientTestCase.test_makefile_timeout_fires
_____________

self = <tests.test_ssl.TwistedSSLClientTestCase
testMethod=test_makefile_timeout_fires>

    def test_makefile_timeout_fires(self):
        # This is convoluted because (openssl s_server -www) starts
        # writing the response as soon as it receives the first line of
        # the request, so it's possible for it to send the response
        # before the request is sent and there would be no timeout.  So,
        # let the server spend time reading from an empty pipe
        FIFO_NAME = 'test_makefile_timeout_fires_fifo'  # noqa
        os.mkfifo('tests/' + FIFO_NAME)
        pipe_pid = os.fork()
        try:
            if pipe_pid == 0:
                try:
                    with open('tests/' + FIFO_NAME, 'w') as f:
                        time.sleep(sleepTime + 1)
                        f.write('Content\n')
                finally:
                    os._exit(0)
            self.args[self.args.index('-www')] = '-WWW'
            pid = self.start_server(self.args)
            try:
                c = httpslib.HTTPSConnection(srv_host, self.srv_port)
                c.putrequest('GET', '/' + FIFO_NAME)
                c.putheader('Accept', 'text/html')
                c.putheader('Accept', 'text/plain')
>               c.endheaders()

tests/test_ssl.py:988:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _
/usr/lib/python2.7/httplib.py:1038: in endheaders
    self._send_output(message_body)
/usr/lib/python2.7/httplib.py:882: in _send_output
    self.send(msg)
/usr/lib/python2.7/httplib.py:844: in send
    self.connect()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _

self = <M2Crypto.httpslib.HTTPSConnection instance at 0x7f6b85bfde60>

    def connect(self):
        # type: () -> None
        error = None
        # We ignore the returned sockaddr because SSL.Connection.connect
needs
        # a host name.
        for (family, _, _, _, _) in \
                socket.getaddrinfo(self.host, self.port, 0,
                                   socket.SOCK_STREAM):
            sock = None
            try:
                sock = SSL.Connection(self.ssl_ctx, family=family)

                # set SNI server name since we know it at this point
                sock.set_tlsext_host_name(self.host)

                if self.session is not None:
                    sock.set_session(self.session)
                sock.connect((self.host, self.port))

                self.sock = sock
                sock = None
                return
            except socket.error as e:
                # Other exception are probably SSL-related, in that case we
                # abort and the exception is forwarded to the caller.
                error = e
            finally:
                if sock is not None:
                    sock.close()

        if error is None:
            raise AssertionError("Empty list returned by getaddrinfo")
>       raise error
E       error: [Errno 111] Connection refused

/usr/lib/python2.7/dist-packages/M2Crypto/httpslib.py:88: error
____________________ TwistedSSLClientTestCase.test_timeout
_____________________

self = <tests.test_ssl.TwistedSSLClientTestCase testMethod=test_timeout>

    def test_timeout(self):
        pid = self.start_server(self.args)
        try:
            ctx = SSL.Context()
            s = SSL.Connection(ctx)
            # Just a really small number so we can timeout
            s.settimeout(0.000000000000000000000000000001)
            with self.assertRaises(SSL.SSLTimeoutError):
>               s.connect(self.srv_addr)

tests/test_ssl.py:941:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _
/usr/lib/python2.7/dist-packages/M2Crypto/SSL/Connection.py:298: in connect
    self.socket.connect(addr)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _

name = 'connect', self = <socket._socketobject object at 0x7f6b85725ec0>
args = (('localhost', 39635),)

    def meth(name,self,*args):
>       return getattr(self._sock,name)(*args)
E       error: [Errno 111] Connection refused

/usr/lib/python2.7/socket.py:228: error
________________________ ContextTestCase.test_certstore
________________________

self = <tests.test_ssl_offline.ContextTestCase testMethod=test_certstore>

    def test_certstore(self):
        ctx = SSL.Context()
        ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
        ctx.load_verify_locations('tests/ca.pem')
>       ctx.load_cert('tests/x509.pem')

tests/test_ssl_offline.py:58:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _

self = <M2Crypto.SSL.Context.Context instance at 0x7f6b859ada28>
certfile = 'tests/x509.pem', keyfile = None
callback = <function passphrase_callback at 0x7f6b85efdf50>

    def load_cert(self, certfile, keyfile=None,
                  callback=util.passphrase_callback):
        # type: (AnyStr, Optional[AnyStr], Callable) -> None
        """Load certificate and private key into the context.

            :param certfile: File that contains the PEM-encoded certificate.
            :param keyfile:  File that contains the PEM-encoded private key.
                             Default value of None indicates that the
private key
                             is to be found in 'certfile'.
            :param callback: Callable object to be invoked if the
private key is
                             passphrase-protected. Default callback
provides a
                             simple terminal-style input for the passphrase.
            """
        m2.ssl_ctx_passphrase_callback(self.ctx, callback)
>       m2.ssl_ctx_use_cert(self.ctx, certfile)
E       SSLError: ee key too small
Attachment: signature.asc
Description: OpenPGP digital signature
Reply to:
Prev by Date: Bug#907218: yapf: autopkgtest regression
Next by Date: Adding dependencies for autopkgtest run at Debian CI
Previous by thread: Bug#907218: yapf: autopkgtest regression
Next by thread: Adding dependencies for autopkgtest run at Debian CI
Index(es):
- Date
- Thread