Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Cause:
Building perl-IO-Socket-SSL RPM package from source
package with current openssl package.
Consequence:
Package cannot be built because a Diffie-Hellman Exchange
(DHE) test run when building the package fails.
Fix:
Upstream test tweak required for recent OpenSSL was
applied.
Result:
The perl-IO-Socket-SSL package can be built with
openssl-1.0.1e-42.el6.
Created attachment 876385[details]
Upstream fix
perl-IO-Socket-SSL-1.31-2.el6 fails to be build from sources:
Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.wMjpD7
+ umask 022
+ cd /builddir/build/BUILD
+ cd IO-Socket-SSL-1.31
+ unset DISPLAY
+ /bin/mv t/sessions.t t/sessions.t.disable
+ /usr/bin/make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01loadmodule.t ........... ok
t/02settings.t ............. ok
t/acceptSSL-timeout.t ...... ok
t/auto_verify_hostname.t ... ok
t/cert_no_file.t ........... ok
t/compatibility.t .......... ok
t/connectSSL-timeout.t ..... ok
t/core.t ................... ok
t/dhe.t ....................
Failed 2/3 subtests
t/inet6.t .................. ok
t/memleak_bad_handshake.t .. ok
t/nonblock.t ............... ok
t/readline.t ............... ok
t/start-stopssl.t .......... ok
t/startssl.t ............... ok
t/sysread_write.t .......... ok
t/verify_hostname.t ........ ok
Test Summary Report
-------------------
t/dhe.t (Wstat: 0 Tests: 2 Failed: 1)
Failed test: 2
Parse errors: Bad plan. You planned 3 tests but ran 2.
Files=17, Tests=262, 35 wallclock secs ( 0.59 usr 0.03 sys + 2.08 cusr 0.43 csys = 3.13 CPU)
Result: FAIL
This is because t/dhe.t test exhibiting DHE and recent openssl does not like DHE with RSA authentication enabled.
There is a simple correction for the test implemented in upstream version 1.73:
commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41
Author: Steffen Ullrich <github>
Date: Fri May 11 21:27:40 2012 +0200
1.73 fixes to t/dhe.t to support more openssl versions
Created attachment 876398[details]
Upstream fix ported to 1.31
This older fix works with openssl-1.0.1e-15.el6.x86_64, perl-Net-SSLeay-1.35-10.el6.x86_64.
Yay. There is a new regression triggered by new OpenSSL somewhere in:
* Út čen 02 2015 Tomáš Mráz <tmraz> 1.0.1e-39
- fix regression in RAND locking that can cause segfaults on read
in multithreaded applications
* Po kvě 25 2015 Tomáš Mráz <tmraz> 1.0.1e-38
- fix CVE-2015-4000 - prevent the logjam attack on client - restrict
the DH key size to at least 768 bits (limit will be increased in future)
The t/dhe.t test fails on "[server] accept failed" test without getting failure reason. Also "[client] connect failed" test fails randomly with "IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)" message.
Created attachment 1093686[details]
1.956 upstream fix ported to 1.31
Since openssl-1.0.1e-39.el6, indeed the originally pointed upstream commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41 (and another later fix) is needed.
This patch restores the test compatibility with up-to-date RHEL-6 OpenSSL (openssl-1.0.1e-42.el6).
How to test:
(1) Build perl-IO-Socket-SSL package from SRPM.
Before: t/dhe.t test fails.
After: t/dhe.t test passes and the build finished successfully.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-0768.html
Created attachment 876385 [details] Upstream fix perl-IO-Socket-SSL-1.31-2.el6 fails to be build from sources: Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.wMjpD7 + umask 022 + cd /builddir/build/BUILD + cd IO-Socket-SSL-1.31 + unset DISPLAY + /bin/mv t/sessions.t t/sessions.t.disable + /usr/bin/make test PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/01loadmodule.t ........... ok t/02settings.t ............. ok t/acceptSSL-timeout.t ...... ok t/auto_verify_hostname.t ... ok t/cert_no_file.t ........... ok t/compatibility.t .......... ok t/connectSSL-timeout.t ..... ok t/core.t ................... ok t/dhe.t .................... Failed 2/3 subtests t/inet6.t .................. ok t/memleak_bad_handshake.t .. ok t/nonblock.t ............... ok t/readline.t ............... ok t/start-stopssl.t .......... ok t/startssl.t ............... ok t/sysread_write.t .......... ok t/verify_hostname.t ........ ok Test Summary Report ------------------- t/dhe.t (Wstat: 0 Tests: 2 Failed: 1) Failed test: 2 Parse errors: Bad plan. You planned 3 tests but ran 2. Files=17, Tests=262, 35 wallclock secs ( 0.59 usr 0.03 sys + 2.08 cusr 0.43 csys = 3.13 CPU) Result: FAIL This is because t/dhe.t test exhibiting DHE and recent openssl does not like DHE with RSA authentication enabled. There is a simple correction for the test implemented in upstream version 1.73: commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41 Author: Steffen Ullrich <github> Date: Fri May 11 21:27:40 2012 +0200 1.73 fixes to t/dhe.t to support more openssl versions