Bug#911836: pytest-localserver: autopkgtest needs update for new version of openssl

[Paul Gevers <elbrus@debian.org>]

Source: pytest-localserver
Version: 0.3.7-2
User: debian-ci@lists.debian.org
Usertags: needs-update
Control: affects -1 src:python3-defaults

[X-Debbugs-CC: debian-ci@lists.debian.org,
python3-defaults@packages.debian.org]

Dear maintainers,

With a recent upload of python3-defaults the autopkgtest of
pytest-localserver fails in testing when that autopkgtest is run with
the binary packages of python3-defaults from unstable. It passes when
run with only packages from testing. In tabular form:
                       pass            fail
python3-defaults       from testing    3.6.7-1
pytest-localserver     from testing    0.3.7-2
versioned deps [0]     from testing    from unstable
all others             from testing    from testing

I copied some of the output at the bottom of this report. Looking at the
error, it seems you need to update the tests for the version of openssl
in unstable, version 1.1.1. We have a Wiki page that describes the
common updates required [1].

Currently this regression is contributing to the delay of the migration
of python3-defaults to testing [2].

If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from python3-defaults should
really add a versioned Breaks on the unfixed version of (one of your)
package(s). Note: the Breaks is nice even if the issue is only in the
autopkgtest as it helps the migration software to figure out the right
versions to combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[0] You can see what packages were added from the second line of the log
file quoted below. The migration software adds source package from
unstable to the list if they are needed to install packages from
python3-defaults/3.6.7-1. I.e. due to versioned dependencies or
breaks/conflicts. In this case: python3-defaults/3.6.7-1 openssl/1.1.1-1
python3-stdlib-extensions/3.7.1-1 python3.6/3.6.7-1
[1] https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
[2] https://qa.debian.org/excuses.php?package=python3-defaults

https://ci.debian.net/data/autopkgtest/testing/amd64/p/pytest-localserver/1204135/log.gz

==================================== ERRORS
====================================
__________________ ERROR at setup of test_httpsserver_funcarg
__________________

request = <SubRequest 'httpsserver' for <Function
'test_httpsserver_funcarg'>>

    @pytest.fixture
    def httpsserver(request):
        """The returned ``httpsserver`` (note the additional S!) provides a
        threaded HTTP server instance similar to funcarg ``httpserver``
but with
        SSL encryption.
        """
        from pytest_localserver import https
>       server = https.SecureContentServer()

pytest_localserver/plugin.py:65:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _
pytest_localserver/https.py:103: in __init__
    super(SecureContentServer, self).__init__(host, port,
ssl_context=(key, cert))
pytest_localserver/http.py:64: in __init__
    super(ContentServer, self).__init__(host, port, self,
ssl_context=ssl_context)
pytest_localserver/http.py:22: in __init__
    self._server = make_server(host, port, self.app, **kwargs)
/usr/lib/python3/dist-packages/werkzeug/serving.py:666: in make_server
    passthrough_errors, ssl_context, fd=fd)
/usr/lib/python3/dist-packages/werkzeug/serving.py:601: in __init__
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
/usr/lib/python3/dist-packages/werkzeug/serving.py:511: in wrap_socket
    ssl_version=self._protocol, **kwargs)
/usr/lib/python3.6/ssl.py:1158: in wrap_socket
    ciphers=ciphers)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _

self = <ssl.SSLSocket fd=-1, family=AddressFamily.AF_UNSPEC, type=0,
proto=0>
sock = <socket.socket fd=8, family=AddressFamily.AF_INET,
type=SocketKind.SOCK_STREAM, proto=0, laddr=('127.0.0.1', 43969)>
keyfile =
'/tmp/autopkgtest-lxc.4ukr44pr/downtmp/build.fTj/src/pytest_localserver/server.pem'
certfile =
'/tmp/autopkgtest-lxc.4ukr44pr/downtmp/build.fTj/src/pytest_localserver/server.pem'
server_side = True, cert_reqs = <VerifyMode.CERT_NONE: 0>
ssl_version = <_SSLMethod.PROTOCOL_TLS: 2>, ca_certs = None
do_handshake_on_connect = True, family = <AddressFamily.AF_INET: 2>
type = <SocketKind.SOCK_STREAM: 1>, proto = 0, fileno = None
suppress_ragged_eofs = True, npn_protocols = None, ciphers = None
server_hostname = None, _context = None, _session = None

    def __init__(self, sock=None, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
                 ssl_version=PROTOCOL_TLS, ca_certs=None,
                 do_handshake_on_connect=True,
                 family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
                 suppress_ragged_eofs=True, npn_protocols=None,
ciphers=None,
                 server_hostname=None,
                 _context=None, _session=None):

        if _context:
            self._context = _context
        else:
            if server_side and not certfile:
                raise ValueError("certfile must be specified for
server-side "
                                 "operations")
            if keyfile and not certfile:
                raise ValueError("certfile must be specified")
            if certfile and not keyfile:
                keyfile = certfile
            self._context = SSLContext(ssl_version)
            self._context.verify_mode = cert_reqs
            if ca_certs:
                self._context.load_verify_locations(ca_certs)
            if certfile:
>               self._context.load_cert_chain(certfile, keyfile)
E               ssl.SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak
(_ssl.c:3486)

/usr/lib/python3.6/ssl.py:750: SSLError

Attachment: signature.asc
Description: OpenPGP digital signature