Failing test with openssl 3.2.0 (test_https_over_http_error)
❓ I'm submitting a ...
- [X] 🐞 bug report
- [ ] 🐣 feature request
- [ ] ❓ question about the decisions made in the repository
🐞 Describe the bug. What is the current behavior?
The test_https_over_http_error test is failing when running the cheroot test suite on openSUSE with OpenSSL 3.2.
❓ What is the motivation / use case for changing the behavior?
Test compatibility with latest version of openssl
💡 To Reproduce
Steps to reproduce the behavior:
- Install openssl 3.2; you can do that in openSUSE from this repository: https://download.opensuse.org/repositories/security:tls/openSUSE_Tumbleweed/security:tls.repo
- Run cheroot tests
- See error
💡 Expected behavior
No errors running the tests
📋 Details
Looks like in the latest version the error returned when trying to connect to https with http is different.
This is the current test output:
[ 36s] _____________________ test_https_over_http_error[0.0.0.0] ______________________
[ 36s] [gw2] linux -- Python 3.9.18 /usr/bin/python3.9
[ 36s]
[ 36s] http_server = <generator object http_server.<locals>.start_srv at 0x7f5ace79ac10>
[ 36s] ip_addr = '0.0.0.0'
[ 36s]
[ 36s] @pytest.mark.parametrize(
[ 36s] 'ip_addr',
[ 36s] (
[ 36s] ANY_INTERFACE_IPV4,
[ 36s] ANY_INTERFACE_IPV6,
[ 36s] ),
[ 36s] )
[ 36s] def test_https_over_http_error(http_server, ip_addr):
[ 36s] """Ensure that connecting over HTTPS to HTTP port is handled."""
[ 36s] httpserver = http_server.send((ip_addr, EPHEMERAL_PORT))
[ 36s] interface, _host, port = _get_conn_data(httpserver.bind_addr)
[ 36s] with pytest.raises(ssl.SSLError) as ssl_err:
[ 36s] http.client.HTTPSConnection(
[ 36s] '{interface}:{port}'.format(
[ 36s] interface=interface,
[ 36s] port=port,
[ 36s] ),
[ 36s] ).request('GET', '/')
[ 36s] expected_substring = (
[ 36s] 'wrong version number' if IS_ABOVE_OPENSSL10
[ 36s] else 'unknown protocol'
[ 36s] )
[ 36s] > assert expected_substring in ssl_err.value.args[-1]
[ 36s] E AssertionError: assert 'wrong version number' in '[SSL] record layer failure (_ssl.c:1129)'
[ 36s]
[ 36s] _host = '0.0.0.0'
[ 36s] expected_substring = 'wrong version number'
[ 36s] http_server = <generator object http_server.<locals>.start_srv at 0x7f5ace79ac10>
[ 36s] httpserver = <cheroot.server.HTTPServer object at 0x7f5acc1152e0>
[ 36s] interface = '127.0.0.1'
[ 36s] ip_addr = '0.0.0.0'
[ 36s] port = 33045
[ 36s] ssl_err = <ExceptionInfo SSLError(1, '[SSL] record layer failure (_ssl.c:1129)') tblen=10>
[ 36s]
📋 Environment
- Cheroot version: 10.0.0
- Python version: 3.9
- OS: openSUSE Tumbleweed
@danigm do you know how to wire newer OpenSSL into GHA? We need a way of testing this. Then, the test could be modified to take new messages into account.
I've created a container image with openssl 3.2 for testing; it can be used directly from the gitlab registry:
docker run --rm -ti registry.gitlab.com/danigm/opensuse-openssl32-container
And I've used it in my github fork with a test gitlabci action: https://github.com/danigm/cheroot/actions/runs/8048767219/job/21980796338
It'd be interesting to see if we could integrate testing of a range of openssl versions into CI. Starting to test against the newer version and dropping the old one in CI is probably not a good idea... I wonder how this could be organized in a sane manner. Does this mean testing against a few Python interpreters compiled against different OpenSSL versions?
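One way the test's string check could tolerate every message seen in this thread, as an added example that is not cheroot's code and not written by any participant. The names `PLAINTEXT_PEER_REASONS`, `is_plaintext_peer_error` and `probe_plain_http_with_tls` are hypothetical, and the loopback listener is a constructed stand-in for the test's HTTP server fixture.

```python
import socket
import ssl
import threading

# Reason strings by OpenSSL generation. The first two are the ones the
# failing test already expects; the third comes from the traceback above.
PLAINTEXT_PEER_REASONS = (
    'unknown protocol',      # OpenSSL 1.0 and older, per the test
    'wrong version number',  # newer than 1.0, per the test
    'record layer failure',  # OpenSSL 3.2.0, per the traceback
)


def is_plaintext_peer_error(exc):
    """Return True if exc is an SSLError caused by a non-TLS reply."""
    if not isinstance(exc, ssl.SSLError) or not exc.args:
        return False
    message = str(exc.args[-1])  # same field the failing assertion inspects
    return any(reason in message for reason in PLAINTEXT_PEER_REASONS)


def probe_plain_http_with_tls():
    """Start a throwaway plain-HTTP listener and return the handshake error."""
    listener = socket.create_server(('127.0.0.1', 0))

    def answer_once():
        conn, _ = listener.accept()
        with conn:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b'HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n')

    threading.Thread(target=answer_once, daemon=True).start()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # loopback probe; the peer has no certificate
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            ctx.wrap_socket(raw).close()
    except ssl.SSLError as exc:
        return exc
    finally:
        listener.close()
    return None


if __name__ == '__main__':
    err = probe_plain_http_with_tls()
    print(ssl.OPENSSL_VERSION, '->', err)
    assert is_plaintext_peer_error(err), err
```

Run as a script inside each container image to record which message a given Python and OpenSSL build actually produces.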