Bug 2005056 - Test case failure: /CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: httpd
Version: CentOS Stream
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Luboš Uhliarik
QA Contact: rhel-cs-infra-services-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-16 16:28 UTC by Branislav Náter
Modified: 2021-09-17 09:26 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-17 09:23:18 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System: Red Hat Issue Tracker | ID: RHELPLAN-97436 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2021-09-17 09:26:07 UTC

Description Branislav Náter 2021-09-16 16:28:15 UTC
DH key bit value doesn't match RSA value (openssl issue?)

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20210907.4
httpd-2.4.48-17.el9.x86_64
openssl-3.0.0-0.beta2.7.el9.x86_64

Steps to Reproduce: 
run test mentioned in summary


Actual results: 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test for 2500 bits
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 10:41:35 ] :: [   INFO   ] :: Testing 2500 bit RSA keys with 2500 DHE keys
:: [ 10:41:35 ] :: [  BEGIN   ] :: Running 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt'
:: [ 10:41:35 ] :: [   PASS   ] :: Command 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ 10:41:35 ] :: [  BEGIN   ] :: Running 'openssl req -x509 -newkey rsa:2500 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch'
..........+............+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.....+.+.........+...........+.+..+.+............+..+.......+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+......+...........+...+.+.........+...+.....+..........+..............+.+........+....+...+.....+.............+.........+...+..+.......+.........+.....+...................+..+.+..............+....+.................+....+.....+......+.......+...+..+.+......+........+...+...............+............+.+.....+.........+..........+............+..........................+.............+.....................+........+.......+.........+......+...+.....+......+....+......+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
....+......+...+...............+.......+......+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.....+...+.+.....+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+....+............+.....+.......+..+...+.+.....+..........+............+.........+......+...+.....+.+...+.....+...+..........+.....+...+......+...+................+......+........+...+.............+.....+.+.....+...+...+...+....+..+.+........+......+................+...+..+............+.+.....+.+...+.....+......+.+......+...+..............+...+....+........+......+.+........................+......+.....+......+.......+...+.........+...+.................+......+....+........................+.....+......+.+..............+......+...+.........+......+....+............+.........+.........+...+..+................+...........+...+.+......+.........+...............+.....+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Warning: No -copy_extensions given; ignoring any extensions in the request
:: [ 10:41:36 ] :: [   PASS   ] :: Command 'openssl req -x509 -newkey rsa:2500 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [ 10:41:36 ] :: [  BEGIN   ] :: Running 'rbits=2500'
:: [ 10:41:36 ] :: [   PASS   ] :: Command 'rbits=2500' (Expected 0, got 0)
:: [ 10:41:36 ] :: [   PASS   ] :: File /mnt/tests/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported/dh2500.pem should exist 
:: [ 10:41:36 ] :: [  BEGIN   ] :: Running 'cat /mnt/tests/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported/dh2500.pem >> /etc/pki/tls/certs/localhost.crt'
:: [ 10:41:36 ] :: [   PASS   ] :: Command 'cat /mnt/tests/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported/dh2500.pem >> /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ 10:41:36 ] :: [  BEGIN   ] :: Start httpd server :: actually running 'rlServiceStart httpd'
Redirecting to /bin/systemctl status httpd.service
Redirecting to /bin/systemctl start httpd.service
:: [ 10:41:36 ] :: [   LOG    ] :: rlServiceStart: Service httpd started successfully
:: [ 10:41:36 ] :: [   PASS   ] :: Start httpd server (Expected 0, got 0)
:: [ 10:41:36 ] :: [  BEGIN   ] :: Running 'sleep 5'
:: [ 10:41:41 ] :: [   PASS   ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ 10:41:41 ] :: [  BEGIN   ] :: Running 'openssl s_client -tls1_2 -crlf -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH:!kRSA' -connect localhost:443 < request.txt'
Can't use SSL_get_servername
depth=0 CN = localhost
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
   a:PKEY: rsaEncryption, 2500 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 16 14:41:36 2021 GMT; NotAfter: Oct 16 14:41:36 2021 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = localhost

issuer=CN = localhost

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: DH, 2048 bits <--------------------------------------------------------------------------------------------
---
SSL handshake has read 2083 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2500 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 8E222199ED9728F5E72DDA565BDF63E7B5A111A32DB872CA6DABD7636CC368F8
    Session-ID-ctx: 
    Master-Key: 0E178B8162EE5B5686E8361AA4E9F822433818D81F8759BC3F3AD242338A2BE03D156593868976107AB7D73CE3DA722F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 14 a0 18 50 74 a2 14 9e-b1 d2 67 d0 98 93 d9 fe   ...Pt.....g.....
    0010 - 17 bc 89 02 9c 0d 0c bc-38 39 fc 6a db 0c ee f4   ........89.j....
    0020 - 9c e0 de f0 7d c0 67 49-1d 5d be 0d eb 5a ca 4d   ....}.gI.]...Z.M
    0030 - 16 fc 43 d4 39 be 3f 9b-8d c8 bb 80 2f 12 af 40   ..C.9.?...../..@
    0040 - e3 7b 8c 1c b9 c0 c2 48-5e bf ff 64 03 14 f7 c3   .{.....H^..d....
    0050 - ff 52 9a eb b9 a0 c9 1e-86 0c 1e b1 73 e0 8d 93   .R..........s...
    0060 - 2e 7e 50 de b2 f1 50 76-00 c5 71 47 12 f1 2f b9   .~P...Pv..qG../.
    0070 - 09 9b db 38 6e 7f 5a ce-e5 54 63 94 f3 09 99 48   ...8n.Z..Tc....H
    0080 - bc ed 6c 31 57 ef f7 85-28 33 98 89 a9 8e 70 be   ..l1W...(3....p.
    0090 - ea c1 c7 f0 eb ca 3f 9c-2a 96 f7 1a 1a b0 4c e6   ......?.*.....L.
    00a0 - c7 93 1e 32 c4 15 2e 9d-f5 00 65 d1 60 50 f1 90   ...2......e.`P..
    00b0 - 33 31 f9 ce 2a 17 dd 43-b8 27 1b de 9e f9 12 68   31..*..C.'.....h

    Start Time: 1631803301
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
:: [ 10:41:42 ] :: [   PASS   ] :: Command 'openssl s_client -tls1_2 -crlf -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH:!kRSA' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [ 10:41:42 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should contain 'Server Temp Key' 
:: [ 10:41:42 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should contain 'Cipher is DHE-RSA' 
:: [ 10:41:42 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should contain 'Server Temp Key: DH, 2500 bits' 
:: [ 10:41:42 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should contain 'Server public key is 2500 bit' 
:: [ 10:41:42 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should contain 'Verify return code: 0' 
:: [ 10:41:42 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should not contain ':error:' 
:: [ 10:41:42 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.VWlk9jLi' should not contain ':fail'

Expected results (rhel-8):
Works as expected (Server Temp Key: DH, 2500 bits)
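The assertion that fails above is a comparison of two lines in the s_client report: the "Server Temp Key" size must equal the size of the custom DH parameters appended to the certificate file, and the handshake must actually be a TLS 1.2 DHE suite (the test forces -tls1_2 and excludes ECDH because custom DH parameters only apply to TLS 1.2 finite-field DHE; TLS 1.3 negotiates only the RFC 7919 named FFDHE groups and would otherwise pick an elliptic-curve group). The script below automates that check so it can be run against any server, not just this Beaker test. It is an added example for this page, not code from the bug report, httpd or OpenSSL; the function names (parse_s_client, verdict, probe), the SAMPLE text and the verdict labels are this example's own choices, and SAMPLE is a constructed excerpt modelled on the output pasted above (2500-bit RSA certificate, 2048-bit DH temp key).

```python
"""Ephemeral-DH strength check over `openssl s_client` output.

Added example for this bug page; not code from the bug report, httpd or
OpenSSL. It automates the regression test's assertion: the "Server Temp Key"
size reported by s_client must equal the size of the custom DH parameters
configured on the server (2500 bits here) and the suite must be DHE.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the s_client output pasted in this bug:
# a 2500-bit RSA certificate but only a 2048-bit DH temp key.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2083 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2500 bit
---
"""

# "Server Temp Key: DH, 2048 bits", "X25519, 253 bits" or "ECDH, P-256, 256 bits"
TEMP_KEY_RE = re.compile(r"^Server Temp Key: (?P<desc>.+?), (?P<bits>\d+) bits", re.M)
PUBKEY_RE = re.compile(r"^Server public key is (?P<bits>\d+) bit", re.M)
CIPHER_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)


@dataclass
class Handshake:
    protocol: str
    cipher: str
    temp_key_kind: Optional[str]   # "DH", "X25519", "ECDH", ... or None (no ephemeral key, e.g. kRSA)
    temp_key_bits: Optional[int]
    pubkey_bits: int               # size of the key in the server certificate


def parse_s_client(output: str) -> Handshake:
    """Pull the lines the regression test greps for out of s_client's report."""
    cipher = CIPHER_RE.search(output)
    pubkey = PUBKEY_RE.search(output)
    if not cipher or not pubkey:
        raise ValueError("no completed handshake in s_client output")
    temp = TEMP_KEY_RE.search(output)
    kind = temp.group("desc").split(",")[0].strip() if temp else None
    bits = int(temp.group("bits")) if temp else None
    return Handshake(cipher.group("proto"), cipher.group("cipher"), kind, bits,
                     int(pubkey.group("bits")))


def verdict(h: Handshake, expected_dh_bits: Optional[int] = None) -> str:
    """Classify the handshake as 'no-dhe', 'weak', 'mismatch' or 'ok'.

    'mismatch' is the failure on this page: the server negotiated a
    finite-field DH group of a different size than the custom parameters it
    was configured with.
    """
    if h.temp_key_kind != "DH":
        return "no-dhe"          # ECDHE, a TLS 1.3 named group, or static RSA
    if h.temp_key_bits < 2048:
        return "weak"            # below the post-Logjam minimum for DHE
    if expected_dh_bits is not None and h.temp_key_bits != expected_dh_bits:
        return "mismatch"
    return "ok"


def probe(host: str, port: int, cafile: str) -> Handshake:
    """Run the same s_client invocation as the test against a live server.

    -tls1_2 and !ECDH are deliberate: custom DH parameters only matter for
    TLS 1.2 DHE suites. This is a network call and is not exercised by SAMPLE.
    """
    cmd = ["openssl", "s_client", "-tls1_2", "-crlf", "-CAfile", cafile,
           "-cipher", "ALL:!ECDH:!kRSA", "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
    return parse_s_client(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    h = parse_s_client(SAMPLE)
    print(h)
    print("verdict:", verdict(h, expected_dh_bits=2500))  # mismatch
```

Against a live httpd configured as in the test, `verdict(probe("localhost", 443, "/etc/pki/tls/certs/localhost.crt"), expected_dh_bits=2500)` returns "mismatch" on the build reported above (2048 bits negotiated, 2500 configured) and "ok" when the custom parameters are honoured. Running the same probe against `openssl s_server -dhparam dh2500.pem` with the same certificate is the quickest way to answer the reporter's "openssl issue?" question, since it takes mod_ssl out of the path.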

