-
-
Notifications
You must be signed in to change notification settings - Fork 30.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test_asyncio: test_create_connection_ssl_failed_certificate() failed on ARM64 macOS 3.x buildbot #107077
Comments
The test expects
But a
According to the error message:
I'm not sure why PySSL_SetError() of |
@pablogsal: Would it be possible that I get a SSH access to this buildbot machine? |
I believe @gpshead was the most recent person to update the error code handling for the various OpenSSL versions. |
this error location can be narrowed between OpenSSL 3.1.1 and 3.09 |
It smells like some error reporting changes within OpenSSL that we just need to be aware of? Building against openssl 3.1.1 on Linux I cannot reproduce this. Odd. This shouldn't be platform specific AFAICT. You can trigger a PR test run on a subset of our stable bots via adding the |
this error was triggered by OpenSSL commit 00ce831152403589f7f0e558d5291de12bfedc5f diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 5ff9278629..5ac7ff593e 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -114,13 +114,17 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
scheme = schemes[i];
OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme);
#ifndef OPENSSL_NO_DEPRECATED_3_0
+ ERR_set_mark();
if ((loader = ossl_store_get0_loader_int(scheme)) != NULL) {
+ ERR_clear_last_mark();
no_loader_found = 0;
if (loader->open_ex != NULL)
loader_ctx = loader->open_ex(loader, uri, libctx, propq,
ui_method, ui_data);
else
loader_ctx = loader->open(loader, uri, ui_method, ui_data);
+ } else {
+ ERR_pop_to_mark();
}
#endif
if (loader == NULL |
I can try to set https://tmate.io/ because I don't have a stable IP infortunately. |
…set via SSL_ERROR_SYSCALL
…a SSL_ERROR_SYSCALL (#107586) Co-authored-by: T. Wouters <[email protected]>
…set via SSL_ERROR_SYSCALL (pythonGH-107586) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
…set via SSL_ERROR_SYSCALL (pythonGH-107586) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
…set via SSL_ERROR_SYSCALL (pythonGH-107586) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
…set via SSL_ERROR_SYSCALL (pythonGH-107586) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
… set via SSL_ERROR_SYSCALL (GH-107586) (#107588) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
… set via SSL_ERROR_SYSCALL (GH-107586) (#107587) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
… set via SSL_ERROR_SYSCALL (GH-107586) (#107589) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]>
…f the error is set via SSL_ERROR_SYSCALL (pythonGH-107586) (python#107589)" This reverts commit 24d54fe.
Thanks for investigating and fixing this ssl issue @pablogsal! |
Backports to 3.8 and 3.9 are still not merged. |
…set via SSL_ERROR_SYSCALL (GH-107586) (GH-107591) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]> Co-authored-by: Łukasz Langa <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
…set via SSL_ERROR_SYSCALL (GH-107586) (#107590) (cherry picked from commit 77e0919) Co-authored-by: Pablo Galindo Salgado <[email protected]> Co-authored-by: T. Wouters <[email protected]> Co-authored-by: Łukasz Langa <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
They are merged now. |
…_SYSCALL Seems that in some conditions, OpenSSL will return set ``SSL_ERROR_SYSCALL`` instead of ``SSL_ERROR_SSL`` when a certification verification has failed, but the error parameters will still contain ``ERR_LIB_SSL`` and ``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and raising the appropiate ``ssl.SSLCertVerificationError``. Co-authored-by: T. Wouters <[email protected]> Fixes: gh#python#107077 From-PR: gh#python/cpython!107586 Patch: openssl-300-raise-SSLCertVerificationError.patch Released-in: 3.8.19
…_SYSCALL Seems that in some conditions, OpenSSL will return set ``SSL_ERROR_SYSCALL`` instead of ``SSL_ERROR_SSL`` when a certification verification has failed, but the error parameters will still contain ``ERR_LIB_SSL`` and ``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and raising the appropiate ``ssl.SSLCertVerificationError``. Co-authored-by: T. Wouters <[email protected]> Fixes: gh#python#107077 From-PR: gh#python/cpython!107586 Patch: openssl-300-raise-SSLCertVerificationError.patch Released-in: 3.8.19
…_SYSCALL Seems that in some conditions, OpenSSL will return set ``SSL_ERROR_SYSCALL`` instead of ``SSL_ERROR_SSL`` when a certification verification has failed, but the error parameters will still contain ``ERR_LIB_SSL`` and ``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and raising the appropiate ``ssl.SSLCertVerificationError``. Co-authored-by: T. Wouters <[email protected]> Fixes: gh#python#107077 From-PR: gh#python/cpython!107586 Patch: openssl-300-raise-SSLCertVerificationError.patch Released-in: 3.8.19
…_SYSCALL Seems that in some conditions, OpenSSL will return set ``SSL_ERROR_SYSCALL`` instead of ``SSL_ERROR_SSL`` when a certification verification has failed, but the error parameters will still contain ``ERR_LIB_SSL`` and ``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and raising the appropiate ``ssl.SSLCertVerificationError``. Co-authored-by: T. Wouters <[email protected]> Fixes: gh#python#107077 From-PR: gh#python/cpython!107586 Patch: openssl-300-raise-SSLCertVerificationError.patch Released-in: 3.8.19
…_SYSCALL Seems that in some conditions, OpenSSL will return set ``SSL_ERROR_SYSCALL`` instead of ``SSL_ERROR_SSL`` when a certification verification has failed, but the error parameters will still contain ``ERR_LIB_SSL`` and ``SSL_R_CERTIFICATE_VERIFY_FAILED``. We are now detecting this situation and raising the appropiate ``ssl.SSLCertVerificationError``. Co-authored-by: T. Wouters <[email protected]> Fixes: gh#python#107077 From-PR: gh#python/cpython!107586 Patch: openssl-300-raise-SSLCertVerificationError.patch Released-in: 3.8.19
ARM64 macOS 3.x:
https://buildbot.python.org/all/#/builders/725/builds/5088
The test started to fail when OpenSSL was upgrade from 3.0.0 to 3.1.1 at July 13.
cc @pablogsal @ned-deily @ambv
ssl.OPENSSL_VERSION: OpenSSL 3.0.0 7 sep 2021
ssl.OPENSSL_VERSION: OpenSSL 3.1.1 30 May 2023
Error:
test.pythoninfo:
Linked PRs
The text was updated successfully, but these errors were encountered: