Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tests fail with openssl 3 due to test certificates not meeting current standards #8701

Open
AdamWill opened this issue Jun 19, 2024 · 0 comments · May be fixed by #8707
Open

Tests fail with openssl 3 due to test certificates not meeting current standards #8701

AdamWill opened this issue Jun 19, 2024 · 0 comments · May be fixed by #8707
Labels
needs triage

Comments

@AdamWill
Copy link
Contributor

Describe the issue: When run against openssl 3, some of the tests that use the certificates in distributed/tests (tls-cert.pem et al) fail, with errors like "Client certificate validation failed: Basic Constraints of CA cert not marked critical". Per this page, this is due to constraints in newer versions of openssl that the current certificate files do not meet.

The last time the certificate generation script was really updated (apart from linting) appears to be 2021 (by openQA author @bmwiedemann ...small world!), and that was just to extend some validity periods. The last time it was really overhauled was f242303 in 2018. By comparison, the script it was based on - make_ssl_certs.py from cpython - has been updated several times to adapt to stricter constraints, including adding the basicConstraints = critical,CA:false directive we need here.

Unfortunately the two scripts diverge enough that applying the updates to distributed's version isn't straightforward. I intend to look at it tomorrow, but am filing this in case someone else wants to get to it first, or I don't manage to do it.

Minimal Complete Verifiable Example:

Run the test suite with openssl 3.x, I think that should be enough. You'll get failures like:

________________ TestClientSecurityLoader.test_security_loader _________________
self = <distributed.comm.tcp.TLSConnector object at 0x7f671c814c20>
address = '0.0.0.0:38217', deserialize = True
connection_args = {'extra_conn_args': {}, 'require_encryption': True, 'ssl_context': <ssl.SSLContext object at 0x7f66af648f80>}
ip = '0.0.0.0', port = 38217
kwargs = {'ssl_options': <ssl.SSLContext object at 0x7f66af648f80>}
    async def connect(self, address, deserialize=True, **connection_args):
        self._check_encryption(address, connection_args)
        ip, port = parse_host_port(address)
        kwargs = self._get_connect_args(**connection_args)
    
        try:
            # server_hostname option (for SNI) only works with tornado.iostream.IOStream
            if "server_hostname" in kwargs:
                stream = await self.client.connect(
                    ip, port, max_buffer_size=MAX_BUFFER_SIZE
                )
                stream = await stream.start_tls(False, **kwargs)
            else:
>               stream = await self.client.connect(
                    ip, port, max_buffer_size=MAX_BUFFER_SIZE, **kwargs
                )
../../BUILDROOT/usr/lib/python3.13/site-packages/distributed/comm/tcp.py:546: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
/usr/lib64/python3.13/site-packages/tornado/tcpclient.py:292: in connect
    stream = await stream.start_tls(
/usr/lib64/python3.13/site-packages/tornado/iostream.py:1367: in _do_ssl_handshake
    self.socket.do_handshake()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
self = <ssl.SSLSocket [closed] fd=-1, family=2, type=1, proto=0>, block = False
    @_sslcopydoc
    def do_handshake(self, block=False):
        self._check_connected()
        timeout = self.gettimeout()
        try:
            if timeout == 0.0 and block:
                self.settimeout(None)
>           self._sslobj.do_handshake()
E           ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)
/usr/lib64/python3.13/ssl.py:1363: SSLCertVerificationError

Anything else we need to know?:

Environment:

  • Dask version: 2024.6.0
  • Python version: 3.13
  • Operating System: Fedora Rawhide
  • Install method (conda, pip, source): distro packages (I am a distro packager working on rebuilds for Python 3.13, including getting distributed packaged, which means getting the tests to pass)
AdamWill added a commit to AdamWill/distributed that referenced this issue Jun 19, 2024
@AdamWill
Update make_tls_certs.py, work with openssl 3 (dask#8701)
210a819 
make_tls_certs.py has not been updated significantly since 2018,
and the certs it generates are not good enough for openssl 3:

E           ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)

This resyncs the generation script with the current version of
cpython's make_ssl_certs.py, on which it is based. I dropped
various superficial changes which were made (wrapping, spacing,
quote style), because they make diffing it against the original
to see what's *really* different unnecessarily hard.

This also updates all the certificates, of course, which makes
the tests work against openssl 3.

Signed-off-by: Adam Williamson <[email protected]>
AdamWill added a commit to AdamWill/distributed that referenced this issue Jun 19, 2024
@AdamWill
Update make_tls_certs.py, work with openssl 3 (dask#8701)
221875f 
make_tls_certs.py has not been updated significantly since 2018,
and the certs it generates are not good enough for openssl 3:

E           ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)

This resyncs the generation script with the current version of
cpython's make_ssl_certs.py, on which it is based. I dropped
various superficial changes which were made (wrapping, spacing,
quote style), because they make diffing it against the original
to see what's *really* different unnecessarily hard.

This also updates all the certificates, of course, which makes
the tests work against openssl 3.

Signed-off-by: Adam Williamson <[email protected]>
@AdamWill AdamWill linked a pull request Jun 19, 2024 that will close this issue
Open
2 tasks
QuLogic pushed a commit to QuLogic/distributed that referenced this issue Jun 20, 2024
@AdamWill @QuLogic
Update make_tls_certs.py, work with openssl 3 (dask#8701)
d2ea954 
make_tls_certs.py has not been updated significantly since 2018,
and the certs it generates are not good enough for openssl 3:

E           ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)

This resyncs the generation script with the current version of
cpython's make_ssl_certs.py, on which it is based. I dropped
various superficial changes which were made (wrapping, spacing,
quote style), because they make diffing it against the original
to see what's *really* different unnecessarily hard.

This also updates all the certificates, of course, which makes
the tests work against openssl 3.

Signed-off-by: Adam Williamson <[email protected]>
QuLogic pushed a commit to QuLogic/distributed that referenced this issue Jun 21, 2024
@AdamWill @QuLogic
Update make_tls_certs.py, work with openssl 3 (dask#8701)
c09be7b 
make_tls_certs.py has not been updated significantly since 2018,
and the certs it generates are not good enough for openssl 3:

E           ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)

This resyncs the generation script with the current version of
cpython's make_ssl_certs.py, on which it is based. I dropped
various superficial changes which were made (wrapping, spacing,
quote style), because they make diffing it against the original
to see what's *really* different unnecessarily hard.

This also updates all the certificates, of course, which makes
the tests work against openssl 3.

Signed-off-by: Adam Williamson <[email protected]>
QuLogic pushed a commit to QuLogic/distributed that referenced this issue Jul 8, 2024
@AdamWill @QuLogic
Update make_tls_certs.py, work with openssl 3 (dask#8701)
be5185f 
make_tls_certs.py has not been updated significantly since 2018,
and the certs it generates are not good enough for openssl 3:

E           ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)

This resyncs the generation script with the current version of
cpython's make_ssl_certs.py, on which it is based. I dropped
various superficial changes which were made (wrapping, spacing,
quote style), because they make diffing it against the original
to see what's *really* different unnecessarily hard.

This also updates all the certificates, of course, which makes
the tests work against openssl 3.

Signed-off-by: Adam Williamson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update make_tls_certs.py, work with openssl 3 (#8701) AdamWill/distributed
1 participant
@AdamWill