Failing test with openssl 3.2.0 (test_https_over_http_error)

[danigm]

❓ I'm submitting a ...

• 🐞 bug report
• 🐣 feature request
• ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?
test_https_over_http_error test is failing when running cheroot tests suite in opensuse with openssl 3.2.

❓ What is the motivation / use case for changing the behavior?
Test compatibility with latest version of openssl

💡 To Reproduce
Steps to reproduce the behavior:

1. Install openssl 3.2, you can do that in opensuse from this repository https://download.opensuse.org/repositories/security:tls/openSUSE_Tumbleweed/security:tls.repo
2. Run cheroot tests
3. See error

💡 Expected behavior
No errors running the tests

📋 Details

Looks like in the latest version the error returned when trying to connect to https with http is different.

This is the current test output:

[   36s] _____________________ test_https_over_http_error[0.0.0.0] ______________________
[   36s] [gw2] linux -- Python 3.9.18 /usr/bin/python3.9
[   36s] 
[   36s] http_server = <generator object http_server.<locals>.start_srv at 0x7f5ace79ac10>
[   36s] ip_addr = '0.0.0.0'
[   36s] 
[   36s]     @pytest.mark.parametrize(
[   36s]         'ip_addr',
[   36s]         (
[   36s]             ANY_INTERFACE_IPV4,
[   36s]             ANY_INTERFACE_IPV6,
[   36s]         ),
[   36s]     )
[   36s]     def test_https_over_http_error(http_server, ip_addr):
[   36s]         """Ensure that connecting over HTTPS to HTTP port is handled."""
[   36s]         httpserver = http_server.send((ip_addr, EPHEMERAL_PORT))
[   36s]         interface, _host, port = _get_conn_data(httpserver.bind_addr)
[   36s]         with pytest.raises(ssl.SSLError) as ssl_err:
[   36s]             http.client.HTTPSConnection(
[   36s]                 '{interface}:{port}'.format(
[   36s]                     interface=interface,
[   36s]                     port=port,
[   36s]                 ),
[   36s]             ).request('GET', '/')
[   36s]         expected_substring = (
[   36s]             'wrong version number' if IS_ABOVE_OPENSSL10
[   36s]             else 'unknown protocol'
[   36s]         )
[   36s] >       assert expected_substring in ssl_err.value.args[-1]
[   36s] E       AssertionError: assert 'wrong version number' in '[SSL] record layer failure (_ssl.c:1129)'
[   36s] 
[   36s] _host      = '0.0.0.0'
[   36s] expected_substring = 'wrong version number'
[   36s] http_server = <generator object http_server.<locals>.start_srv at 0x7f5ace79ac10>
[   36s] httpserver = <cheroot.server.HTTPServer object at 0x7f5acc1152e0>
[   36s] interface  = '127.0.0.1'
[   36s] ip_addr    = '0.0.0.0'
[   36s] port       = 33045
[   36s] ssl_err    = <ExceptionInfo SSLError(1, '[SSL] record layer failure (_ssl.c:1129)') tblen=10>
[   36s] 

📋 Environment

• Cheroot version: 10.0.0
• Python version: 3.9
• OS: openSUSE Tumbleweed

[webknjaz]

@danigm do you know how to wire newer OpenSSL into GHA? We need a way of testing this. Then, the test could be modified to take new messages into account.

[danigm]

@danigm do you know how to wire newer OpenSSL into GHA? We need a way of testing this. Then, the test could be modified to take new messages into account.

I've created a container image with openssl 3.2 for testing, it can be used directly from the gitlab registry:

docker run --rm -ti registry.gitlab.com/danigm/opensuse-openssl32-container

And I've used it in my github fork with a test gitlabci action: https://github.com/danigm/cheroot/actions/runs/8048767219/job/21980796338

[webknjaz]

It'd be interesting to see if we could integrate testing of a range of openssl versions into CI. Starting to test against the newer version and dropping the old one in CI is probably not a good idea... I wonder how this could be organized in a sane manner. Does this mean testing against a few Python interpreters compiled against different OpenSSL versions?