Support for TLS 1.2 not present (added in 2.7.9)

Bug #1443704 reported by Ted Lemon on 2015-04-14
62
This bug affects 13 people
Affects Status Importance Assigned to Milestone
python2.7 (Ubuntu)
Undecided
Unassigned

Bug Description

There are security issues with TLS 1.0, but Python 2.7.9 doesn't explicitly support TLS 1.2, so programs written in python can't necessarily use it on 14.04. This is requiring me to do a manual install of a more recent version of python, which is fine, but if this is an LTS release lack of support for TLS 1.2 is going to become an even bigger problem going forward. This is specifically a problem with the getmail package.

ksanti% lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04

root@ksanti:/home/mellon/.getmail# apt-cache policy python2.7
python2.7:
  Installed: 2.7.6-8
  Candidate: 2.7.6-8
  Version table:
 *** 2.7.6-8 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

What I'm expecting:

root@ksanti:/home/mellon/Python-2.7.9# python
Python 2.7.9 (default, Apr 13 2015, 19:47:19)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> 'PROTOCOL_TLSv1_2' in dir(ssl)
True

What I get:

root@ksanti:/home/mellon/Python-2.7.9# /usr/bin/python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> 'PROTOCOL_TLSv1_2' in dir(ssl)
False

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python2.7 (Ubuntu):
status: New → Confirmed
Richard Harding (rharding) wrote :

This effects us at Juju because we've removed TLS 1.0 support due to the POODLE vulnerability. Because the default python does not support TLS 1.2 we have broken Python clients for Trusty users.

See lp:1644331

Richard Harding (rharding) wrote :

Also see lp:1536269 and lp:1644153 for additional background.

Matthias Klose (doko) wrote :
Download full text (3.3 KiB)

we did two four test rebuilds for the whole archive:

http://qa.ubuntuwire.org/ftbfs/rebuilds/test-rebuild-20161216-trusty.html
http://qa.ubuntuwire.org/ftbfs/rebuilds/test-rebuild-20161216-updates-trusty.html

http://qa.ubuntuwire.org/ftbfs/rebuilds/test-rebuild-20161216-python2712-trusty.html
http://qa.ubuntuwire.org/ftbfs/rebuilds/test-rebuild-20161216-updates-python2712-trusty.html

the latter two with the python2.7, python-defaults. python-stdlib-extensions, python-eventlet and python-gevent packages from the ubuntu-toolchain-r/ppa archive.

Comparing the build failures, I found the following regressions:

archivemail 0.9.0-1build1 i386 (maybe TODO)
  python related, disabled test in next upload
  https://launchpad.net/ubuntu/+source/archivemail/0.9.0-1.1
bzr 2.6.0+bzr6593-1ubuntu1 any (ok in updates)
cinder 1:2014.1-0ubuntu1 i386 (ok with updated kombu)
commons-exec 1.2-1 all (test failures, java)
docsis 0.9.6+git16-g61ee500+dfsg-2build1 ppc64el (unrelated, GCC ICE)
eclipse 3.8.1-5.1 arm64 (unrelated, OpenJDK issue?)
extsmail 1.4-1 arm64 (unrelated, GCC ICE)
gcc-defaults 1.124ubuntu6 i386 (unrelated)
  gcj out of memory error
glance 1:2014.1-0ubuntu1 all (ok with updated kombu)
indicator-sound 12.10.2+14.04.20140401-0ubuntu1 i386 (looks unrelated)
  test failures
initramfs-tools-ubuntu-touch 0.72 i386 amd64 armhf (TODO)
 TODO: E: Release signed by unknown key (key id 1E9377A2BA9EF27F)
kombu 3.0.7-1ubuntu1 i386 (ok, updated)
libcrypto++ 5.6.1-6 armhf (ok in updates)
liblayout 0.2.10-2 i386 (unrelated)
  OpenJDK out of memory, works when built on amd64)
mgltools-pmv 1.5.7~rc1~cvs.20130519-2 all (TODO)
  pyversions: error parsing Python-Version attribute
nova 1:2014.1-0ubuntu1 i386 (ok with updated kombu)
nuitka 0.5.0.1+ds-1 all (TODO)
  test errors with new python2.7
obexftp 0.23-1.2ubuntu3 any (TODO)
  build error with -Werror=format-security
oslo.messaging 1.3.0-0ubuntu1 all (ok with updated kombu)
pyfltk 1.3.0-1 any (TODO)
  build error with -Werror=format-security
pymol 1.7.0.0-1 any (TODO)
  build error with -Werror=format-security
python-django 1.6.1-2 all (TODO)
  SyntaxError: Non-ASCII character '\xc6' in file test_jslex.py on line 26,
  but no encoding declared
python-eventlet 0.13.0-1ubuntu2 i386 (ok in proposed update)
  0.13.0-1ubuntu2.3
python-glanceclient 1:0.12.0-0ubuntu1 all (TODO)
python-pywcs 1.11-1 any (TODO)
  build error with -Werror=format-security
rawdog 2.19-1 all (TODO)
  Error while fetching feed:
  <urlopen error ('_ssl.c:574: The handshake operation timed out',)>
ruby-lapack 1.5-2 ppc64el (unrelated, ruby)
ruby-timers 1.1.0-1 i386 (unrelated, ruby)
sauerbraten 0.0.20130203.dfsg-1 arm64 (unrelated GCC ICE)
shinken 1.4-2 any
  pyversions: error parsing Python-Version attribute
tora 2.1.3-2build2 arm64 (unrelated, GCC ICE)
wxwidgets2.8 2.8.12.1+dfsg-2ubuntu2 any (unrelated, GCC ICE)
  dump available

With the kombu update in trusty-proposed, there is only the python-glanceclient packages which shows regressions in main. There are a dozen or so packages in universe which show regressions as well, but on a first glance these look all fixable....

Read more...

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers