> SSL._lib.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS | SSL._lib.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
  )
E AttributeError: module 'lib' has no attribute 'X509_CHECK_FLAG_NEVER_CHECK_SUBJECT'

mitmproxy/net/tls.py:290: AttributeError
____________________ TestServerSSL.test_get_current_cipher _____________________

-------------------------------------------------------------------
This is an unstable amd64 chroot image at a tinderbox (==build bot)
name: 17.1_hardened-libressl_abi32+64_test-20201027-192603
-------------------------------------------------------------------

gcc-config -l:
[1] x86_64-pc-linux-gnu-8.3.1
[2] x86_64-pc-linux-gnu-10.2.0 *

clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/11/bin
/usr/lib/llvm/11
11.0.0

Available Python interpreters, in order of preference:
[1] python3.7
[2] python3.9 (fallback)
[3] python3.8 (fallback)
[4] python2.7 (fallback)
[5] pypy3 (fallback)

Available Rust versions:
[1] rust-bin-1.47.0 *
[2] rust-1.47.0

The following VMs are available for generation-2:
*) AdoptOpenJDK 8.272_p10 [openjdk-bin-8]

Available Java Virtual Machines:
[1] openjdk-bin-8 system-vm

The Glorious Glasgow Haskell Compilation System, version 8.8.4

timestamp(s) of HEAD at this tinderbox image:
/var/db/repos/gentoo Fri Nov 6 04:05:32 AM UTC 2020
/var/db/repos/libressl Sun Oct 18 04:35:14 PM UTC 2020

emerge -qpvO net-proxy/mitmproxy
[ebuild N ] net-proxy/mitmproxy-5.3.0 USE="test" PYTHON_TARGETS="python3_7 -python3_8 -python3_9"
Created attachment 670154: emerge-info.txt
Created attachment 670157: emerge-history.txt
Created attachment 670160: environment
Created attachment 670163: etc.portage.tbz2
Created attachment 670166: net-proxy:mitmproxy-5.3.0:20201106-043100.log
Seems like X509_CHECK_FLAG_NEVER_CHECK_SUBJECT was added to OpenSSL in version 1.1.0, and it's not present in libressl. Not sure how best to resolve this. Maybe this part of the code is skipped out when mitmproxy is launched with `--insecure`/`--ssl-insecure` so that libressl users can use it with reduced functionality, or maybe it's best to depend on dev-python/cryptography without the libressl flag to block libressl users.
Maybe LibreSSL >3.2.0 has it? https://fossies.org/linux/libressl/crypto/x509/x509_utl.c
Ah thank you, I was looking in the wrong LibreSSL repository. What is the best way to add the version constraints? Should I add a libressl USE flag and add openssl/libressl to mitmproxy's DEPEND?
(In reply to matt from comment #8)
> Ah thank you, I was looking in the wrong LibreSSL repository.
>
> What is the best way to add the version constraints? Should I add a libressl
> USE flag and add openssl/libressl to mitmproxy's DEPEND?

That'd be the smartest way in my opinion. Something like

!libressl? ( dev-libs/openssl:0= )
libressl? ( >=dev-libs/libressl-3.2.0:= )

should work. You can also || die while utilizing has_version in pkg_setup, but that's not very user-friendly.
(In reply to Joonas Niilola from comment #9)
> should work. You can also || die while utilizing has_version in pkg_setup,
> but that's not very user-friendly.

Indeed, in a worse case emerge starts with a long dep graph and emerges N packages till it breaks here.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1c46319317d32c42fb7b7636f01cd03505a1121

commit f1c46319317d32c42fb7b7636f01cd03505a1121
Author: Matt Smith <matt@offtopica.uk>
AuthorDate: 2020-11-08 10:13:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-11-08 12:02:33 +0000

net-proxy/mitmproxy: Require at least LibreSSL 3.2.0

Closes: https://bugs.gentoo.org/753290
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Matt Smith <matt@offtopica.uk>
Closes: https://github.com/gentoo/gentoo/pull/18180
Signed-off-by: Sam James <sam@gentoo.org>

net-proxy/mitmproxy/mitmproxy-5.3.0.ebuild | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)