Bug 1078301

Summary: perl-IO-Socket-SSL-1.31 t/dhe.t test fails due to updated openssl
Product: Red Hat Enterprise Linux 6
Reporter: Petr Pisar <ppisar>
Component: perl-IO-Socket-SSL
Assignee: perl-maint-list
Status: CLOSED ERRATA
QA Contact: Stanislav Zidek <szidek>
Severity: medium
Priority: high
Version: 6.5
CC: jorton, jplesnik, ksrot, ppisar, psabata, szidek
Target Milestone: rc
Keywords: Patch, Regression
Hardware: Unspecified
OS: Unspecified
Fixed In Version: perl-IO-Socket-SSL-1.31-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: Building perl-IO-Socket-SSL RPM package from source package with current openssl package.
Consequence: Package cannot be built because a Diffie-Hellman Exchange (DHE) test run when building the package fails.
Fix: Upstream test tweak required for recent OpenSSL was applied.
Result: The perl-IO-Socket-SSL package can be built with openssl-1.0.1e-42.el6.
Last Closed: 2016-05-10 20:06:47 UTC
Type: Bug
Bug Blocks: 1078084, 1254457, 1269913
Attachments (Description / Flags):
Upstream fix / none
Upstream fix ported to 1.31 / none
1.956 upstream fix ported to 1.31 / none

Description Petr Pisar 2014-03-19 14:55:23 UTC
Created attachment 876385
Upstream fix

perl-IO-Socket-SSL-1.31-2.el6 fails to build from sources:

Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.wMjpD7
+ umask 022
+ cd /builddir/build/BUILD
+ cd IO-Socket-SSL-1.31
+ unset DISPLAY
+ /bin/mv t/sessions.t t/sessions.t.disable
+ /usr/bin/make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01loadmodule.t ........... ok
t/02settings.t ............. ok
t/acceptSSL-timeout.t ...... ok
t/auto_verify_hostname.t ... ok
t/cert_no_file.t ........... ok
t/compatibility.t .......... ok
t/connectSSL-timeout.t ..... ok
t/core.t ................... ok
t/dhe.t .................... 
Failed 2/3 subtests 
t/inet6.t .................. ok
t/memleak_bad_handshake.t .. ok
t/nonblock.t ............... ok
t/readline.t ............... ok
t/start-stopssl.t .......... ok
t/startssl.t ............... ok
t/sysread_write.t .......... ok
t/verify_hostname.t ........ ok
Test Summary Report
-------------------
t/dhe.t                  (Wstat: 0 Tests: 2 Failed: 1)
  Failed test:  2
  Parse errors: Bad plan.  You planned 3 tests but ran 2.
Files=17, Tests=262, 35 wallclock secs ( 0.59 usr  0.03 sys +  2.08 cusr  0.43 csys =  3.13 CPU)
Result: FAIL

This is because the t/dhe.t test is exhibiting DHE and recent openssl does not like DHE with RSA authentication enabled.

There is a simple correction for the test implemented in upstream version 1.73:

commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41
Author: Steffen Ullrich <github>
Date:   Fri May 11 21:27:40 2012 +0200

    1.73 fixes to t/dhe.t to support more openssl versions

Comment 1 Petr Pisar 2014-03-19 15:26:38 UTC
Actually, the patch does not work if SSLv2 is enabled, which is the default until 1.68. We need a different tweak.

Comment 2 Petr Pisar 2014-03-19 15:49:18 UTC
Created attachment 876398
Upstream fix ported to 1.31

This older fix works with openssl-1.0.1e-15.el6.x86_64, perl-Net-SSLeay-1.35-10.el6.x86_64.

Comment 10 Petr Pisar 2015-11-13 13:32:13 UTC
Yay. There is a new regression triggered by new OpenSSL somewhere in:

* Út čen 02 2015 Tomáš Mráz <tmraz> 1.0.1e-39
- fix regression in RAND locking that can cause segfaults on read
  in multithreaded applications

* Po kvě 25 2015 Tomáš Mráz <tmraz> 1.0.1e-38
- fix CVE-2015-4000 - prevent the logjam attack on client - restrict
  the DH key size to at least 768 bits (limit will be increased in future)

The t/dhe.t test fails on the "[server] accept failed" test without getting a failure reason. Also, the "[client] connect failed" test fails randomly with the "IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)" message.

Comment 11 Petr Pisar 2015-11-13 14:33:02 UTC
Created attachment 1093686
1.956 upstream fix ported to 1.31

Since openssl-1.0.1e-39.el6, indeed the originally pointed-to upstream commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41 (and another later fix) is needed.

This patch restores the test compatibility with up-to-date RHEL-6 OpenSSL (openssl-1.0.1e-42.el6).

Comment 13 Petr Pisar 2015-11-13 15:41:32 UTC
How to test:

(1) Build perl-IO-Socket-SSL package from SRPM.
Before: t/dhe.t test fails.
After: t/dhe.t test passes and the build finishes successfully.

Comment 17 errata-xmlrpc 2016-05-10 20:06:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0768.html