bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 (python#12694)

vstinner · larryhastings · commit 4d1c2541c125 · 2019-09-07T07:06:27.000+01:00
Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3.  Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests.  This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
@@ -38,6 +38,12 @@
     from asyncio import test_support as support
 
 
+if ssl is not None:
+    IS_OPENSSL_1_1_1 = ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
+else:
+    IS_OPENSSL_1_1_1 = False
+
+
 def data_file(filename):
     if hasattr(support, 'TEST_HOME_DIR'):
         fullname = os.path.join(support.TEST_HOME_DIR, filename)
@@ -1145,6 +1151,7 @@ def test_legacy_create_unix_server_ssl_verify_failed(self):
             self.test_create_unix_server_ssl_verify_failed()
 
     @unittest.skipIf(ssl is None, 'No ssl module')
+    @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
     def test_create_server_ssl_match_failed(self):
         proto = MyProto(loop=self.loop)
         server, host, port = self._make_ssl_server(
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -25,6 +25,7 @@
 HOST = support.HOST
 IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
 IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
+IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
 
 
 def data_file(*name):
@@ -857,6 +858,7 @@ def test_ciphers(self):
             ctx.set_ciphers("^$:,;?*'dorothyx")
 
     @skip_if_broken_ubuntu_ssl
+    @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
     def test_options(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
@@ -3047,6 +3049,7 @@ def test_version_basic(self):
                 self.assertIs(s.version(), None)
 
         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+        @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
         def test_default_ecdh_curve(self):
             # Issue #21015: elliptic curve-based Diffie Hellman key exchange
             # should be enabled by default on SSL contexts.
@@ -3176,6 +3179,7 @@ def test_selected_alpn_protocol_if_server_uses_alpn(self):
             self.assertIs(stats['client_alpn_protocol'], None)
 
         @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support needed for this test")
+        @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
         def test_alpn_protocols(self):
             server_protocols = ['foo', 'bar', 'milkshake']
             protocol_tests = [
@@ -3356,6 +3360,7 @@ def cb_wrong_return_type(ssl_sock, server_name, initial_context):
             self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
             self.assertIn("TypeError", stderr.getvalue())
 
+        @unittest.skipIf(IS_OPENSSL_1_1_1, "bpo-36576: fail on OpenSSL 1.1.1")
         def test_shared_ciphers(self):
             server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
             server_context.load_cert_chain(SIGNED_CERTFILE)
diff --git a/Misc/NEWS.d/next/Tests/2019-04-05-10-34-29.bpo-36576.7Cp2kK.rst b/Misc/NEWS.d/next/Tests/2019-04-05-10-34-29.bpo-36576.7Cp2kK.rst
@@ -0,0 +1 @@
+Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1.`