On Mon, Jun 27, 2022 at 11:15:01AM +0200, Clemens Lang wrote:
> Hi,
>
> Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
>
> >On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
> >>On 27/06/2022 08:53, Richard W.M. Jones wrote:
> >>>On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
> >>>>Dear Richard,
> >>>>
> >>>>If the only problem is legacy (and unsafe) ciphersuites,
> >>>>loading the legacy
> >>>>provider will solve this problem.
> >>>
> >>>Any clues on how to do that?
> >>
> >>https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
> >
> >Results unclear. Loading legacy + default doesn't seem to give any
> >errors, but I still see the same errors in the tests. I might be
> >loading these providers in the wrong way however.
> >
> >The code is here:
> >https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3
>
> Two comments:
>
> Most of your failures are “no suitable signature algorithm” and “no shared
> ciphers”. I suspect those might instead be caused by increased minimum TLS
> versions enforced by the crypto-policy. Did you try running those tests in
> the LEGACY crypto-policy? If that’s the issue, you don’t need to load the
> legacy provider, and doing so doesn’t actually help.

I somehow thought that loading the legacy provider would be the same as
the LEGACY crypto-policy, except just for Python 2.7 rather than for
the entire system.

Setting the whole system crypto-policy to LEGACY (and reverting the
code for loading the legacy provider) fixes almost everything.
The remaining errors are real, but minor problems with my patch series:

======================================================================
ERROR: test_load_verify_cadata (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in test_load_verify_cadata
    ctx.load_verify_locations(cadata=cacert_der)
SSLError: unknown error (_ssl.c:2989)

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
    (s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))

Anyhow, I'm not really working on this, but it does seem possible that
for someone who wants to fix this and cares about Python and OpenSSL
it wouldn't be too difficult to do the backport.

> I know the OpenSSL upstream documentation says so, but please don’t load the
> legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy
> provider for all code in the same address space by default. This means, for
> example, that applications that embed a Python interpreter will inherit its
> use of the legacy provider, even if they don’t want to. See [1] for further
> discussion of this issue, and examples on how to avoid it.
>
> [1] https://github.com/lsh123/xmlsec/issues/339

Rich.
-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
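An added example, not code from this thread or from CPython's own test suite, reproducing the arithmetic behind the test_openssl_version assertion quoted above: decoding OPENSSL_VERSION_NUMBER with the 1.x bit layout yields (3, 0, 0, 3, 0) for OpenSSL 3.0.3, so the expected prefix "OpenSSL 3.0.0" never matches the real version string. The 3.x-aware prefix check is an illustration of the needed adjustment, not CPython's actual patch; the sample version strings and numbers are constructed.

```python
# Added example, not code from the thread or from CPython itself: it reproduces
# the arithmetic behind the test_openssl_version failure quoted above.
#
# ssl.OPENSSL_VERSION_INFO is derived from OPENSSL_VERSION_NUMBER using the
# OpenSSL 1.x bit layout 0xMNNFFPPS (major, minor, fix, patch, status).
# OpenSSL 3 changed that layout to 0xMNN00PPS: the fix byte is always zero and
# the third component of the version string ("3.0.3") sits in the patch byte.

def parse_openssl_version_number(libver):
    """Decode OPENSSL_VERSION_NUMBER with the 0xMNNFFPPS layout (as _ssl.c does)."""
    status = libver & 0xF
    libver >>= 4
    patch = libver & 0xFF
    libver >>= 8
    fix = libver & 0xFF
    libver >>= 8
    minor = libver & 0xFF
    libver >>= 8
    major = libver & 0xFF
    return (major, minor, fix, patch, status)


def expected_prefix_2_7(version_info):
    """Prefix the unmodified 2.7 test expects OPENSSL_VERSION to start with."""
    major, minor, fix, _patch, _status = version_info
    return "OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)


def expected_prefix_3_aware(version_info):
    """Illustrative adjustment: take the third component from the patch byte on 3.x."""
    major, minor, fix, patch, _status = version_info
    third = patch if major >= 3 else fix
    return "OpenSSL {:d}.{:d}.{:d}".format(major, minor, third)


def version_string_consistent(version_string, libver, three_aware):
    """True if the version string agrees with the version number under the chosen rule."""
    info = parse_openssl_version_number(libver)
    prefix = expected_prefix_3_aware(info) if three_aware else expected_prefix_2_7(info)
    return version_string.startswith(prefix)


# Constructed sample values: OpenSSL 3.0.3 (release) and OpenSSL 1.1.1c.
OPENSSL_3_0_3 = ("OpenSSL 3.0.3 3 May 2022", 0x30000030)
OPENSSL_1_1_1C = ("OpenSSL 1.1.1c  28 May 2019", 0x1010103F)

if __name__ == "__main__":
    for s, n in (OPENSSL_3_0_3, OPENSSL_1_1_1C):
        print(s, parse_openssl_version_number(n),
              version_string_consistent(s, n, three_aware=False),
              version_string_consistent(s, n, three_aware=True))
```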