Bug 1614884
Summary: | Tests fail with OpenSSL 1.1.1
---|---
Product: | [Fedora] Fedora
Component: | perl-Net-SSLeay
Version: | 29
Status: | CLOSED RAWHIDE
Severity: | unspecified
Priority: | unspecified
Reporter: | Petr Pisar <ppisar>
Assignee: | Petr Pisar <ppisar>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | jose.p.oliveira.oss, kasal, nmavrogi, paul, perl-devel, tmraz
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | perl-Net-SSLeay-1.85-7.fc29
Last Closed: | 2018-08-13 13:49:06 UTC
Type: | Bug
Bug Depends On: | 1615098

Description
Petr Pisar
2018-08-10 15:34:27 UTC
Created attachment 1475544
Fix for t/local/09_ctx_new.t

The cipher AES128-SHA should be allowed by the policy. Could the failure be related to something else e.g., due to @SECLEVEL=1 (RSA or DH parameters < 2048 bits?)

@SECLEVEL=1 should allow 1024 bit RSA keys and it is also the default seclevel anyway. So this should not be the cause.

Does the test pass if you override the policy by setting these environment variables?

OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file - this will override the PROFILE=SYSTEM cipherstring policy

and

OPENSSL_CONF='' - this will override loading the default OpenSSL config file which is now also used to set the ciphers and minimum TLS version.

In general overriding the default policy for the build tests makes sense as the tests do not care about the system policy.

Setting OPENSSL_CONF='' helps. OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file does not help.

It's triggered by the "MinProtocol = TLSv1" line when calling SSL_CTX_use_PrivateKey_file() on an SSL_CTX created with SSL_CTX_new_with_method(TLSv1_method()). If I use SSLv23_method() or remove the "MinProtocol = TLSv1" line, it will pass. But that's strange because similar code is used in different tests that work. I will have to isolate the code to see what happens exactly.

The t/local/64_ticket_sharing.t Perl test checks SSL_CTX_use_PrivateKey_file() failure by traversing the error queue with ERR_get_error() instead of checking the SSL_CTX_use_PrivateKey_file() return value first. It reports "error:14187180:SSL routines:ssl_do_config:bad value". This seems to be openssl bug #1615098.

(In reply to Petr Pisar from comment #5)
> The t/local/64_ticket_sharing.t Perl test checks
> SSL_CTX_use_PrivateKey_file() failure by traversing error queue with
> ERR_get_error() instead of checking SSL_CTX_use_PrivateKey_file() return
> value first. It reports "error:14187180:SSL routines:ssl_do_config:bad
> value". This seems to be openssl bug #1615098.

Upgrade to openssl-1.1.1-0.pre8.3.fc29 fixed it.

Paul, I will push the patches to Fedora 29 if you don't mind. Later we (or upstream) should come up with proper OpenSSL 1.1.1 support like adding TLSv1.3 constants or using TLS_method() instead of the deprecated SSLv23_method() in Net::SSLeay::CTX_new().

Petr, please go ahead; I'm just back from vacation and catching up with things.
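
The check pattern discussed in the thread for t/local/64_ticket_sharing.t, as an added example that is not part of the bug report or of Net-SSLeay's test suite: it contrasts reading the OpenSSL error queue first with checking the return value of CTX_use_PrivateKey_file() first. The throwaway key, the nonexistent certificate path and the `drain_errors` helper are constructed for the illustration, and the stale queue entry is planted by a deliberately failed earlier call rather than by the configuration problem from the report.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Net::SSLeay;

Net::SSLeay::initialize();

# Constructed sample input: a throwaway RSA key in a temporary PEM file.
my $rsa  = Net::SSLeay::RSA_generate_key(2048, Net::SSLeay::RSA_F4());
my $pkey = Net::SSLeay::EVP_PKEY_new();
Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $rsa);
my ($fh, $key_file) = tempfile(SUFFIX => '.pem', UNLINK => 1);
print {$fh} Net::SSLeay::PEM_get_string_PrivateKey($pkey);
close $fh or die "close: $!";

# Hypothetical helper: collect and empty this thread's OpenSSL error queue.
sub drain_errors {
    my @errors;
    while (my $code = Net::SSLeay::ERR_get_error()) {
        push @errors, Net::SSLeay::ERR_error_string($code);
    }
    return @errors;
}

my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed";
my $pem = Net::SSLeay::FILETYPE_PEM();

# Leave an unrelated entry behind: this load fails on purpose (constructed path).
Net::SSLeay::CTX_use_certificate_file($ctx, '/nonexistent/constructed.pem', $pem);

# Queue-first check: the queue is inspected without looking at the return
# value of the call under test, so entries from earlier calls count against it.
my $rv = Net::SSLeay::CTX_use_PrivateKey_file($ctx, $key_file, $pem);
my @queued = drain_errors();
printf "queue-first : rv=%d, %d queued error(s) => %s\n",
    $rv, scalar @queued, @queued ? 'reported as FAIL' : 'reported as ok';
print "  $_\n" for @queued;

# Return-value-first check: clear the queue, make the call, and read the
# queue only when the call itself reports failure.
Net::SSLeay::CTX_use_certificate_file($ctx, '/nonexistent/constructed.pem', $pem);
Net::SSLeay::ERR_clear_error();
$rv = Net::SSLeay::CTX_use_PrivateKey_file($ctx, $key_file, $pem);
my @real = $rv == 1 ? () : drain_errors();
printf "return-first: rv=%d => %s\n", $rv, $rv == 1 ? 'ok' : "FAIL: @real";

Net::SSLeay::CTX_free($ctx);
Net::SSLeay::EVP_PKEY_free($pkey);
```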