Thriftpy / thriftpy2

Pure python approach of Apache Thrift.
MIT License

SSL-related test failures with [SSL: EE_KEY_TOO_SMALL] ee key too small #198

Closed mgorny closed 1 year ago

mgorny commented 1 year ago

When running the test suite (via tox -e py39), I get the following failures:

FAILED test_rpc.py::test_clients - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_void_api_with_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_string_api_with_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_huge_res_with_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_tstruct_req_with_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_tstruct_res_with_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_complex_tstruct_with_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_rpc.py::test_exception_iwth_ssl - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_sslsocket.py::test_inet_ssl_socket - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_sslsocket.py::test_ssl_hostname_validate - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)
FAILED test_sslsocket.py::test_persist_ssl_context - ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)

Example traceback:

______________________________________________________ test_persist_ssl_context _______________________________________________________

    def test_persist_ssl_context():
        server_ssl_context = create_thriftpy_context(server_side=True)
        server_ssl_context.load_cert_chain(certfile="ssl/server.pem")
        server_socket = TSSLServerSocket(host="localhost", port=12345,
                                         ssl_context=server_ssl_context)

        client_ssl_context = create_thriftpy_context(server_side=False)
        client_ssl_context.load_verify_locations(cafile="ssl/CA.pem")
>       client_ssl_context.load_cert_chain(certfile="ssl/client.crt",
                                           keyfile="ssl/client.key")
E       ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:4081)

test_sslsocket.py:93: SSLError

I can reproduce with all versions of Python on my system. This is Gentoo Linux, Python is built against OpenSSL 3.0.7. I suspect it's either due to the newer OpenSSL versions being stricter or system OpenSSL policy forbidding weak keys.

mgorny commented 1 year ago

Full test output: py39.log

ethe commented 1 year ago

It is a known issue; I think it could be resolved by #195.

mgorny commented 1 year ago

Thanks. It seems to fix these issues for me, but now I get:

_____________________________________________________ test_ssl_hostname_validate ______________________________________________________

    @pytest.mark.skipif(not MODERN_SSL,
                        reason="check hostname not supported")
    def test_ssl_hostname_validate():
        server_socket = TSSLServerSocket(host="localhost", port=12345,
                                         certfile="ssl/server.pem")

        # the ssl cert lock hostname to "localhost"
        client_socket = TSSLSocket(
            host="127.0.0.1", port=12345, socket_timeout=3000,
            cafile="ssl/CA.pem", certfile="ssl/client.crt",
            keyfile="ssl/client.key")
        with pytest.raises((ssl.CertificateError, TTransportException)):
>           _test_socket(server_socket, client_socket)
E           Failed: DID NOT RAISE (<class 'ssl.SSLCertVerificationError'>, <class 'thriftpy2.transport.base.TTransportException'>)

test_sslsocket.py:74: Failed

ethe commented 1 year ago

I am looking into it.

ethe commented 1 year ago

Skipped this test case temporarily because the new cert is signed for 127.0.0.1 now. I checked all test cases and they all pass right now.