[SERVER-79172] KMIP Server problems with python upgrade Created: 20/Jul/23 Updated: 01/Feb/24 Resolved: 01/Feb/24

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 8.0.0-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Alex Neben |
| Assignee: | Adam Rayner |
| Resolution: | Fixed |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Sprint: | Security 2023-08-07, Security 2023-11-13, Security 2023-11-27, Security 2023-12-11, Security 2023-12-25, Security 2024-01-08, Security 2024-01-22, Security 2024-02-05 |

| Description |

From a before and after, I noticed the cipher selected before vs after my change is different. I tried hardcoding the tls_cipher_suites but that didn't fix the problem.

| Comments |

| Comment by Alex Neben [ 01/Feb/24 ] |

I'm 90% sure this is done, just doing some Jira cleanup since I am closing my ticket.

| Comment by Alex Neben [ 28/Nov/23 ] |

We are currently using vsCurrent, right? Are you saying that Windows 2019 is not ok?

| Comment by Alex Neben [ 22/Nov/23 ] |

I agree with you that doing #1 is preferable. I am asking brian.mccarthy@mongodb.com about the Windows versions to see if we can just upgrade Windows on these variants.

| Comment by Alex Neben [ 14/Aug/23 ] |

I see that this is moved to the backlog with no obvious path forward. To me this indicates this test is on the brittler side and, of all our tests, harder to maintain. I think we should strongly consider removing this test or writing it in a way that works independent of Python version. We will eventually need to upgrade Python again and when we do this will crop up again. When a Python upgrade happens I am not sure what will change that will allow this issue to be solved. I don't think a sustainable path is to only run this test on Python <=3.9.
To be specific, could you explain what might change between now and the next time we upgrade Python? If there is nothing that might change between now and then, would we be able to delete this test when we need to upgrade Python again?

| Comment by Gabriel Marks [ 11/Aug/23 ] |

The underlying issue here seems to be that on Windows, `mongod` uses SChannel for SSL communication. SChannel seems to be only able to use SHA1- and MD5-based signature hash algorithms to communicate. On the other hand, in Python 3.10, the security defaults were made more secure, and no SHA1- or MD5-based signature hash algorithms are allowed. To make matters worse, while Python provides an API to modify the SSL context in some ways (for example, the set of cipher suites can be reverted back to pre-3.10 defaults), it does not provide an API to modify the set of signature algorithms which are available for communication. Therefore, getting Python 3.10 to work with Windows will require further investigation and work.

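The cipher-suite half of the comment above, as an added example (not code from this ticket or from kmip_server.py): it builds two client contexts with explicit cipher strings and reports which suites the relaxed string re-admits, which is a quick way to audit what a test harness has actually loosened. The two cipher strings and all function names are assumptions chosen for illustration; the example does not address the signature-algorithm set the comment describes.

```python
import ssl

# Assumed OpenSSL cipher strings, chosen for illustration only:
STRICT = "DEFAULT:!SHA1:@SECLEVEL=2"  # modelled on the hardened Python 3.10 posture
LEGACY = "DEFAULT:@SECLEVEL=1"        # a pre-3.10 style relaxation


def make_client_context(cipher_string):
    """Client context with an explicit TLS 1.2 floor and cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def sha1_mac_suites(ctx):
    """Enabled suites whose record MAC is HMAC-SHA1 (OpenSSL names end in -SHA)."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["name"].endswith("-SHA"))


def describe(ctx):
    """Summarise the context settings that decide legacy-peer compatibility."""
    return {
        "minimum_version": ctx.minimum_version.name,
        # security_level is only exposed on Python 3.10 and later.
        "security_level": getattr(ctx, "security_level", None),
        "suite_count": len(ctx.get_ciphers()),
        "sha1_mac_suites": sha1_mac_suites(ctx),
    }


def readmitted(strict_ctx, legacy_ctx):
    """Suites enabled in the legacy context but absent from the strict one."""
    strict_names = {c["name"] for c in strict_ctx.get_ciphers()}
    return sorted(c["name"] for c in legacy_ctx.get_ciphers()
                  if c["name"] not in strict_names)


if __name__ == "__main__":
    strict, legacy = make_client_context(STRICT), make_client_context(LEGACY)
    for label, ctx in (("strict", strict), ("legacy", legacy)):
        info = describe(ctx)
        print(label, info["minimum_version"], info["security_level"],
              info["suite_count"], len(info["sha1_mac_suites"]))
    print("re-admitted by the legacy string:", ", ".join(readmitted(strict, legacy)))
```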
| Comment by Alex Neben [ 01/Aug/23 ] |

After running patches where I used Python 3.9 and Python 3.8, it seems that the problem might be specific to Python 3.10. This means I am unblocked and might provide some clues as to what this problem really is.

| Comment by Alex Neben [ 24/Jul/23 ] |

I tried making this change in kmip_server.py
This had the same problem as before (https://parsley.mongodb.com/resmoke/41079da29613b0d3206547d23960f701/test/1773b59f0b82d3e04274548514262849?bookmarks=0,248&shareLine=194)