Bug 1078301 - perl-IO-Socket-SSL-1.31 t/dhe.t test fails due to updated openssl
Summary: perl-IO-Socket-SSL-1.31 t/dhe.t test fails due to updated openssl
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl-IO-Socket-SSL
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: perl-maint-list
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks: 1078084 1254457 1269913
 
Reported: 2014-03-19 14:55 UTC by Petr Pisar
Modified: 2016-05-11 06:55 UTC (History)

Fixed In Version: perl-IO-Socket-SSL-1.31-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: Building perl-IO-Socket-SSL RPM package from source package with current openssl package. Consequence: Package cannot be built because a Diffie-Hellman Exchange (DHE) test run when building the package fails. Fix: Upstream test tweak required for recent OpenSSL was applied. Result: The perl-IO-Socket-SSL package can be built with openssl-1.0.1e-42.el6.
Clone Of:
Environment:
Last Closed: 2016-05-10 20:06:47 UTC
Target Upstream Version:
Embargoed:


Attachments
Upstream fix (1.97 KB, patch), 2014-03-19 14:55 UTC, Petr Pisar
Upstream fix ported to 1.31 (1.47 KB, patch), 2014-03-19 15:49 UTC, Petr Pisar
1.956 upstream fix ported to 1.31 (2.15 KB, patch), 2015-11-13 14:33 UTC, Petr Pisar


Links
System: Red Hat Product Errata
ID: RHBA-2016:0768
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: perl-IO-Socket-SSL bug fix and enhancement update
Last Updated: 2016-05-10 22:34:18 UTC

Description Petr Pisar 2014-03-19 14:55:23 UTC
Created attachment 876385 [details]
Upstream fix

perl-IO-Socket-SSL-1.31-2.el6 fails to build from sources:

Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.wMjpD7
+ umask 022
+ cd /builddir/build/BUILD
+ cd IO-Socket-SSL-1.31
+ unset DISPLAY
+ /bin/mv t/sessions.t t/sessions.t.disable
+ /usr/bin/make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01loadmodule.t ........... ok
t/02settings.t ............. ok
t/acceptSSL-timeout.t ...... ok
t/auto_verify_hostname.t ... ok
t/cert_no_file.t ........... ok
t/compatibility.t .......... ok
t/connectSSL-timeout.t ..... ok
t/core.t ................... ok
t/dhe.t .................... 
Failed 2/3 subtests 
t/inet6.t .................. ok
t/memleak_bad_handshake.t .. ok
t/nonblock.t ............... ok
t/readline.t ............... ok
t/start-stopssl.t .......... ok
t/startssl.t ............... ok
t/sysread_write.t .......... ok
t/verify_hostname.t ........ ok
Test Summary Report
-------------------
t/dhe.t                  (Wstat: 0 Tests: 2 Failed: 1)
  Failed test:  2
  Parse errors: Bad plan.  You planned 3 tests but ran 2.
Files=17, Tests=262, 35 wallclock secs ( 0.59 usr  0.03 sys +  2.08 cusr  0.43 csys =  3.13 CPU)
Result: FAIL

This is because the t/dhe.t test is exhibiting DHE, and recent openssl does not like DHE with RSA authentication enabled.

There is a simple correction for the test implemented in upstream version 1.73:

commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41
Author: Steffen Ullrich <github>
Date:   Fri May 11 21:27:40 2012 +0200

    1.73 fixes to t/dhe.t to support more openssl versions

Comment 1 Petr Pisar 2014-03-19 15:26:38 UTC
Actually, the patch does not work if SSLv2 is enabled, which is the default until 1.68. We need a different tweak.

Comment 2 Petr Pisar 2014-03-19 15:49:18 UTC
Created attachment 876398 [details]
Upstream fix ported to 1.31

This older fix works with openssl-1.0.1e-15.el6.x86_64, perl-Net-SSLeay-1.35-10.el6.x86_64.

Comment 10 Petr Pisar 2015-11-13 13:32:13 UTC
Yay. There is a new regression triggered by new OpenSSL somewhere in:

* Út čen 02 2015 Tomáš Mráz <tmraz> 1.0.1e-39
- fix regression in RAND locking that can cause segfaults on read
  in multithreaded applications

* Po kvě 25 2015 Tomáš Mráz <tmraz> 1.0.1e-38
- fix CVE-2015-4000 - prevent the logjam attack on client - restrict
  the DH key size to at least 768 bits (limit will be increased in future)

The t/dhe.t test fails on the "[server] accept failed" test without getting a failure reason. Also, the "[client] connect failed" test fails randomly with the "IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)" message.

Comment 11 Petr Pisar 2015-11-13 14:33:02 UTC
Created attachment 1093686 [details]
1.956 upstream fix ported to 1.31

Since openssl-1.0.1e-39.el6, the originally pointed-out upstream commit 00483ba8fe33cf0559bda8c20b892ab10aa48d41 (and another later fix) is indeed needed.

This patch restores the test compatibility with up-to-date RHEL-6 OpenSSL (openssl-1.0.1e-42.el6).

Comment 13 Petr Pisar 2015-11-13 15:41:32 UTC
How to test:

(1) Build perl-IO-Socket-SSL package from SRPM.
Before: t/dhe.t test fails.
After: t/dhe.t test passes and the build finishes successfully.

Comment 17 errata-xmlrpc 2016-05-10 20:06:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0768.html

