Comments (17)
What about OpenSSL.test.test_ssl.ContextTests.test_set_default_verify_paths? On my FreeBSD system that throws an error because my OpenSSL installation does not have any default trusted certificates. This might not be a problem for you of course, but you can check with $ openssl s_client -connect verisign.com:443. If it says "cannot get local issuer certificate" then probably that's the problem.
from pyopenssl.
Having said that, I should add that the test also fails for me on FreeBSD regardless of whether verification is properly set up.
from pyopenssl.
@kouk This was the only test failure I saw (other than unrelated #37)
Verify return code: 20 (unable to get local issuer certificate)
FWIW, security/ca_root_nss is installed with ETCSYMLINK option
Can the test be made robust, to either skip or warn based on this? What is actually being tested here?
from pyopenssl.
For me this specific problem was solved with f012467. The sleep value could be even lower for me but I left it at 50ms. By the way I get another 8 failures (9 if you count #37) on this old FreeBSD laptop of mine, but I haven't had time to check them out.
from pyopenssl.
@koobs do you have security/openssl installed or did you build against /usr/lib/libssl.so? What version? 7/8 fails I was getting were due to /usr/bin being before /usr/local/bin in PATH and a different openssl version was being used by the test run. But I'm getting a fail from OpenSSL.test.test_crypto.X509Tests.test_digest because the calculated digests are different.
from pyopenssl.
Hmm, so I found an issue (minor) which led me to something else.
Prior to 0.14, the py-openssl port depended on OpenSSL. Now that pyopenssl uses cryptography for its OpenSSL bits, I neglected to move the openssl depends from py-openssl to py-cryptography.
So I checked links for the .so's created there and found:
./build/lib.freebsd-9.2-STABLE-amd64-2.7/cryptography/_cffi__x9ee276ddxb4fc9075.so:
libcrypto.so.6 => /lib/libcrypto.so.6 (0x80125f000)
libssl.so.6 => /usr/lib/libssl.so.6 (0x801607000)
libc.so.7 => /lib/libc.so.7 (0x80081d000)
I do have security/openssl installed, and the dependency was 'supposed' to have linked against that in /usr/local.
Here's what the py-openssl port does (that is no longer relevant since 0.14) to set the correct include/library paths:
pre-configure:
@${ECHO_CMD} "[build_ext]" >> ${WRKSRC}/setup.cfg
@${ECHO_CMD} "include-dirs = ${OPENSSLINC}" >> ${WRKSRC}/setup.cfg
@${ECHO_CMD} "library-dirs = ${OPENSSLLIB}" >> ${WRKSRC}/setup.cfg
I imagine I now need to do the same for cryptography, but it does lend weight to your theory. Why and how do the tests use different bits when pyopenssl uses cryptography for all its functions?
from pyopenssl.
The tests that were failing were just running the openssl command to get "good" output to compare against the test output. There were some formatting differences in the output of /usr/bin/openssl so the tests were failing.
As for cryptography, I built it by hand in a virtualenv but first did:
export CFLAGS="-I/usr/local/include -L/usr/local/lib -DCRYPTO_MDEBUG"
This is how I managed to get cffi, which is used by cryptography, to pass the correct flags to the compiler. I don't know of any better way atm.
from pyopenssl.
Adding:
CFLAGS+= -I${OPENSSLINC}
LDFLAGS+= -L${OPENSSLLIB}
To cryptography's build, results in:
ldd ./work/cryptography-0.2.1/build/lib.freebsd-9.2-STABLE-amd64-2.7/cryptography/_cffi__x9ee276ddxb4fc9075.so
./work/cryptography-0.2.1/build/lib.freebsd-9.2-STABLE-amd64-2.7/cryptography/_cffi__x9ee276ddxb4fc9075.so:
libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80125f000)
libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80165a000)
libc.so.7 => /lib/libc.so.7 (0x80081d000)
libthr.so.3 => /lib/libthr.so.3 (0x8018c0000)
Tests:
62912 passed, 12 skipped in 145.50 seconds
from pyopenssl.
With py-cryptography compiled & linked against OpenSSL from ports, the following tests fail in pyopenssl:
Ran 352 tests in 1.774s -FAILED (failures=10, errors=1)
FAIL: test_dump_certificate_request (OpenSSL.test.test_crypto.FunctionTests)
FAIL: test_export_without_args (OpenSSL.test.test_crypto.PKCS12Tests)
FAIL: test_export_without_mac (OpenSSL.test.test_crypto.PKCS12Tests)
FAIL: test_friendly_name (OpenSSL.test.test_crypto.PKCS12Tests)
FAIL: test_various_empty_passphrases (OpenSSL.test.test_crypto.PKCS12Tests)
FAIL: test_digest (OpenSSL.test.test_crypto.X509Tests)
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
FAIL: test_set_verify_callback_exception (OpenSSL.test.test_ssl.ContextTests)
/usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
/usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014
from pyopenssl.
OK, we have the same versions. Also I believe if you make sure that /usr/local/bin is before /usr/bin in $PATH all tests will pass except test_digest. I opened #41 for test_digest in particular.
from pyopenssl.
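The two mismatches discussed in this thread (the cryptography extension linked against the base-system libssl, and /usr/bin/openssl being found before /usr/local/bin/openssl), as an added example that is not part of any comment and not pyOpenSSL code. It parses the ldd output quoted above and walks PATH the way the shell does; the function names and the `/usr/local` default prefix are assumptions made for illustration.

```python
import os
import re

# "libssl.so.6 => /usr/lib/libssl.so.6 (0x801607000)" -> (soname, resolved path)
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")

# ldd output quoted in the thread: before and after CFLAGS/LDFLAGS were set.
BASE_LDD = """libcrypto.so.6 => /lib/libcrypto.so.6 (0x80125f000)
libssl.so.6 => /usr/lib/libssl.so.6 (0x801607000)
libc.so.7 => /lib/libc.so.7 (0x80081d000)"""
PORTS_LDD = """libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80125f000)
libssl.so.8 => /usr/local/lib/libssl.so.8 (0x80165a000)
libc.so.7 => /lib/libc.so.7 (0x80081d000)"""


def linked_openssl_libs(ldd_output):
    """Return {soname: resolved path} for the libssl/libcrypto lines only."""
    libs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group(1).startswith(("libssl.so", "libcrypto.so")):
            libs[m.group(1)] = m.group(2)
    return libs


def first_on_path(program, path, is_executable=None):
    """Mimic the shell: the first PATH directory holding an executable wins."""
    if is_executable is None:
        is_executable = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    for directory in path.split(":"):  # POSIX PATH separator
        candidate = (directory or ".").rstrip("/") + "/" + program
        if is_executable(candidate):
            return candidate
    return None


def check_toolchain(ldd_output, path, prefix="/usr/local", is_executable=None):
    """List every way the linked libraries or the PATH binary miss `prefix`."""
    problems = []
    libs = linked_openssl_libs(ldd_output)
    if not libs:
        problems.append("no libssl/libcrypto found in ldd output")
    for soname, resolved in sorted(libs.items()):
        if not resolved.startswith(prefix + "/lib/"):
            problems.append("%s resolves to %s" % (soname, resolved))
    binary = first_on_path("openssl", path, is_executable)
    if binary is None or not binary.startswith(prefix + "/bin/"):
        problems.append("openssl on PATH is %s" % binary)
    return problems
```

Calling `check_toolchain(ldd_text, os.environ["PATH"])` before a test run reports both conditions at once; an empty list means the extension and the reference `openssl` binary come from the same prefix.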
Not sure if you expected this:
PATH="/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" /usr/bin/make regression-test
ERROR: test_set_default_verify_paths (OpenSSL.test.test_ssl.ContextTests)
Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
FAIL: test_digest (OpenSSL.test.test_crypto.X509Tests)
AssertionError: 'C1:B5:90:A4:41:11:C8:30:BF:D4:AA:78:13:46:66:59' != 'A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15'
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
AssertionError: <class 'OpenSSL.SSL.WantReadError'> raised instead of WantWriteError
FAIL: test_set_verify_callback_exception (OpenSSL.test.test_ssl.ContextTests)
AssertionError: Exception not raised (None returned)
Ran 352 tests in 1.835s - FAILED (failures=3, errors=1)
Note: regression-test is just the port make target that runs python setup.py test
How might the tests be made to run without requiring the PATH be modified?
from pyopenssl.
FWIW, if you're using FreeBSD, I've committed the latest update to the security/py-cryptography port, which has already propagated to the portsnap mirrors if you want it:
http://svnweb.freebsd.org/ports?view=revision&revision=345962
CFLAGS & LDFLAGS environment variables were used.
from pyopenssl.
Hmm, for test_set_default_verify_paths try export SSL_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt.
Apart from test_digest the other problems are fixed I think in #39 and #43.
Also, thanks for committing the port. Although my work with pyopenssl isn't on FreeBSD (Windows unfortunately) it's nice to be able to get it for cheap on my workstation.
from pyopenssl.
About the modified PATH requirement, perhaps there is another way to get "good" test output apart from running the openssl binary, but off the top of my head I can't think of one.
from pyopenssl.
If the definition of good is that the underlying system openssl output matches that which comes out of the library you leverage for crypto, then it sounds like a test that only cryptography can do, since it has private knowledge of the environment it's been built within.
Perhaps the rest of the @pyca crew could provide some input on making these tests more robust?
from pyopenssl.
The test fails for me on NetBSD using pyOpenSSL-0.14 and cryptography-0.2.2.
FAIL: test_set_verify_callback_exception (OpenSSL.test.test_ssl.ContextTests)
Traceback (most recent call last):
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/test/test_ssl.py", line 1002, in test_set_verify_callback_exception
Exception, self._handshake_test, serverContext, clientContext)
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/test/util.py", line 270, in failUnlessRaises
% (exception.__name__, result))
AssertionError: Exception not raised (None returned)
This is in a sandbox with no certificates installed. If the test needs any, IMHO it should install them.
from pyopenssl.
This code has also certainly been rewritten in the last 3 years, so I'm going to close. Please comment if this is still an issue.
from pyopenssl.