Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple tests fail due to expired certificates if system date is set further than year 2037ish #107562

Closed
kanavin opened this issue Aug 2, 2023 · 5 comments
Closed

Multiple tests fail due to expired certificates if system date is set further than year 2037ish #107562

kanavin opened this issue Aug 2, 2023 · 5 comments
Labels
tests Tests in the Lib/test dir type-bug An unexpected behavior, bug, or error

Comments

@kanavin
Copy link
Contributor

kanavin commented Aug 2, 2023
edited by bedevere-app bot
Loading

To test the readiness of Yocto stack for Y2038 we run qemu virtual machines with RTC set to some day in 2040. This causes many of python's tests to fail on both 32 bit and 64 bit systems: the reason is that test certificate expiry dates are set to 2037 or so by Lib/test/make_ssl_certs.py:

startdate = "20180829142316Z"
enddate = "20371028142316Z"

I would propose to set the expiry date to far enough in the future that it won't have to be tweaked in our lifetimes: this way real Y2038 issues in python (or in things it depends on) can be exposed and fixed (it's well possible there are none, but that needs confirmation too).

Failures seen:

6 tests failed:
test_asyncio test_httplib test_imaplib test_poplib test_ssl
test_urllib2_localnet

If there's agreement on this, I can prepare the patch.

Linked PRs
@kanavin kanavin added the type-bug An unexpected behavior, bug, or error label Aug 2, 2023
@AlexWaygood AlexWaygood changed the title Y2038: tests are failing due to expired certificates if system date is set further than year 2037ish Multiple tests fail due to expired certificates if system date is set further than year 2037ish Aug 2, 2023
@AlexWaygood AlexWaygood added the tests Tests in the Lib/test dir label Aug 2, 2023
@Eclips4
Copy link
Member

Eclips4 commented Aug 2, 2023
edited
Loading

Looks like a duplicate of Related: #101732

@kanavin
Copy link
Contributor Author

kanavin commented Aug 2, 2023
edited
Loading

Looks like a duplicate of #101732

It's related, but not a duplicate. This ticket is about tests failing if system date is set to 2040 because certificates have expired, and suggests re-setting the expiry date directly in python upstream.

That ticket #101732 is about what happens when system date is set to 2040 and certificates have been re-generated with expiry date further in the future (the ticket specifically mentions doing that in reproducibility instructions). In that case, other issues, e.g. in ssl module are uncovered.

@bedevere-bot bedevere-bot mentioned this issue Aug 3, 2023
Merged
@encukou encukou mentioned this issue May 6, 2024
Closed
encukou added a commit to encukou/cpython that referenced this issue Oct 8, 2024
@encukou
pythongh-107562: Update test certificates to expire far in the future
dac302c 
Generated with Lib/test/certdata/make_ssl_certs.py
using openssl-3.2.2-3.fc40.x86_64 (Fedora 40).
@bedevere-app bedevere-app bot mentioned this issue Oct 8, 2024
Merged
encukou pushed a commit that referenced this issue Oct 9, 2024
@kanavin
gh-107562: make_ssl_certs.py: produce test certificates that expire f…
53930cb 
…ar in the future by default (GH-107594)

This allows testing Y2038 with system time set to after that,
so that actual Y2038 issues can be exposed, and not masked
by expired certificate errors.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
encukou added a commit that referenced this issue Oct 9, 2024
@encukou
gh-107562: Update test certificates to expire far in the future (GH-1…
d20c43d 
…25104)

Generated with Lib/test/certdata/make_ssl_certs.py
using openssl-3.2.2-3.fc40.x86_64 (Fedora 40).
@encukou
Copy link
Member

encukou commented Oct 9, 2024

Merged to main. Thanks for the patch, and for your patience!

@encukou encukou closed this as completed Oct 9, 2024
@kanavin
Copy link
Contributor Author

kanavin commented Oct 9, 2024

Merged to main. Thanks for the patch, and for your patience!

Thanks for support! But they still need to be regenerated and committed?

@kanavin
Copy link
Contributor Author

kanavin commented Oct 9, 2024

Ah NVM I see it already happened just a moment ago in #125104 . No idea why github wouldn't send me notifications as this ticket was made by me.

efimov-mikhail pushed a commit to efimov-mikhail/cpython that referenced this issue Oct 9, 2024
@kanavin @efimov-mikhail
pythongh-107562: make_ssl_certs.py: produce test certificates that ex…
2c98a00 
…pire far in the future by default (pythonGH-107594)

This allows testing Y2038 with system time set to after that,
so that actual Y2038 issues can be exposed, and not masked
by expired certificate errors.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
tests Tests in the Lib/test dir type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@encukou @kanavin @AlexWaygood @Eclips4