Bug 1699306

Summary: perl-IO-Socket-SSL - package tests fail due to expired certificates
Product: Red Hat Enterprise Linux 7 Reporter: Stanislav Zidek <szidek>
Component: perl-IO-Socket-SSLAssignee: perl-maint-list
Status: CLOSED NEXTRELEASE QA Contact: RHEL Stacks Subsystem QE <rhel-stacks-subsystem-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.7CC: ppisar, rhughes, rstrode, sandmann
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1699247 Environment:
Last Closed: 2019-11-21 16:29:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stanislav Zidek 2019-04-12 11:22:34 UTC 
Fails on RHEL-7.7 compose: perl-IO-Socket-SSL-1.94-7.el7.noarch

+ make test
make[1]: Entering directory `/tmp/tmp.03WE6GSQny/rpmbuild/BUILD/IO-Socket-SSL-1.94'
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01loadmodule.t ........... ok
t/02settings.t ............. ok
t/acceptSSL-timeout.t ...... ok
t/auto_verify_hostname.t ... 
Failed 16/30 subtests 
t/cert_no_file.t ........... ok
t/compatibility.t .......... ok
t/connectSSL-timeout.t ..... ok
t/core.t ................... 
Failed 47/52 subtests 
t/dhe.t .................... ok
t/ecdhe.t .................. ok
t/io-socket-inet6.t ........ skipped: no IO::Socket::INET6 available
t/io-socket-ip.t ........... ok
t/memleak_bad_handshake.t .. ok
t/mitm.t ................... 
Failed 6/8 subtests 
t/nonblock.t ............... ok
t/npn.t .................... ok
t/readline.t ............... ok
t/sessions.t ............... 
Failed 27/35 subtests 
t/signal-readline.t ........ ok
Can't call method "verify_hostname" without a package or object reference at t/sni.t line 74.
Can't call method "get_servername" on an undefined value at t/sni.t line 83.
t/sni.t .................... 
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 16/17 subtests 
t/start-stopssl.t .......... ok
t/startssl-failed.t ........ ok
t/startssl.t ............... ok
t/sysread_write.t .......... ok
Failed 5/25 test programs. 14/255 subtests failed.
t/verify_hostname.t ........ ok

Test Summary Report
-------------------
t/auto_verify_hostname.t (Wstat: 0 Tests: 22 Failed: 8)
  Failed tests:  3, 5-6, 8, 12, 16, 18, 22
  Parse errors: Bad plan.  You planned 30 tests but ran 22.
t/core.t                 (Wstat: 13 Tests: 6 Failed: 1)
  Failed test:  6
  Non-zero wait status: 13
  Parse errors: Bad plan.  You planned 52 tests but ran 6.
t/mitm.t                 (Wstat: 0 Tests: 3 Failed: 1)
  Failed test:  3
  Parse errors: Bad plan.  You planned 8 tests but ran 3.
t/sessions.t             (Wstat: 0 Tests: 10 Failed: 2)
  Failed tests:  9-10
  Parse errors: Bad plan.  You planned 35 tests but ran 10.
t/sni.t                  (Wstat: 65280 Tests: 3 Failed: 2)
  Failed tests:  2-3
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 17 tests but ran 3.
Files=25, Tests=255, 36 wallclock secs ( 0.07 usr  0.02 sys +  1.19 cusr  0.34 csys =  1.62 CPU)
Result: FAIL


+++ This bug was initially created as a clone of Bug #1699247 +++

I noticed perl-IO-Socket-SSL-2.056-1.fc28 fails to build on F28 because large amount of tests fail, e.g.:

$ perl -Iblib/{lib,arch} t/auto_verify_hostname.t
1..30
ok 1 - Server Initialization
ok 2 - connection to example.com/www failed
not ok 3 - connection to server.local/ldap succeeded
#   Failed test 'connection to server.local/ldap succeeded'
#   at t/auto_verify_hostname.t line 61.
ok 4 - connection to server.local/www failed
not ok 5 - connection to bla.server.local/www succeeded
#   Failed test 'connection to bla.server.local/www succeeded'
#   at t/auto_verify_hostname.t line 61.
not ok 6 - connection to www7.other.local/www succeeded
#   Failed test 'connection to www7.other.local/www succeeded'
#   at t/auto_verify_hostname.t line 61.
ok 7 - connection to www7.other.local/ldap failed
not ok 8 - connection to bla.server.local/ldap succeeded
#   Failed test 'connection to bla.server.local/ldap succeeded'
#   at t/auto_verify_hostname.t line 61.
ok 9 - tcp connect
ok 10 - ssl upgrade of connection to example.com/www failed
ok 11 - tcp connect
not ok 12 - ssl upgrade of connection to server.local/ldap succeeded
#   Failed test 'ssl upgrade of connection to server.local/ldap succeeded'
#   at t/auto_verify_hostname.t line 79.
ok 13 - tcp connect
ok 14 - ssl upgrade of connection to server.local/www failed
ok 15 - tcp connect
not ok 16 - ssl upgrade of connection to bla.server.local/www succeeded
#   Failed test 'ssl upgrade of connection to bla.server.local/www succeeded'
#   at t/auto_verify_hostname.t line 79.
ok 17 - tcp connect
not ok 18 - ssl upgrade of connection to www7.other.local/www succeeded
#   Failed test 'ssl upgrade of connection to www7.other.local/www succeeded'
#   at t/auto_verify_hostname.t line 79.
ok 19 - tcp connect
ok 20 - ssl upgrade of connection to www7.other.local/ldap failed
ok 21 - tcp connect
not ok 22 - ssl upgrade of connection to bla.server.local/ldap succeeded
#   Failed test 'ssl upgrade of connection to bla.server.local/ldap succeeded'
#   at t/auto_verify_hostname.t line 79.
# Looks like you planned 30 tests but ran 22.
# Looks like you failed 8 tests of 22 run.

It seems to be caused by expired certificates used by the tests. E.g. t/auto_verify_hostname.t uses certs/server-wildcard.pem that has expired:

$ openssl x509 -noout -enddate < certs/server-wildcard.pem
notAfter=Jan 14 19:45:50 2019 GMT

A more recent perl-IO-Socket-SSL in later Fedoras already contains updated certificates.
Comment 2 Petr Pisar 2019-11-21 16:29:01 UTC 
Red Hat does plan to fix this issue in Red Hat Enterprise Linux 7. If this issue is critical for you, please escalate it using appropriate channels. E.g. contact Red Hat support.
Please note that this issue is resolved in Red Hat Enterprise Linux 8 (perl-IO-Socket-SSL-2.066-3.el8 package).