Bug 789447 - Possible regression from 1.0.0g - perl-AnyEvent SSL test fails
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-02-10 19:13 UTC by Paul Howarth
Modified: 2012-04-05 09:17 UTC

Doc Type: Bug Fix
Last Closed: 2012-04-05 09:17:00 UTC
Type: Bug



Description Paul Howarth 2012-02-10 19:13:18 UTC
I have a local build of perl-AnyEvent that runs a lot more of the test suite than the Fedora build. The spec can be found here:

http://www.city-fan.org/cfo-trac/browser/perl-AnyEvent/trunk/perl-AnyEvent.spec

If I build this package on a current Fedora 17 or Rawhide with openssl-1.0.1 the SSL test fails:

#   Failed test 'server_error <Protocol error>'
#   at t/80_ssltest.t line 37.
#   Failed test 'server_error <Protocol error>'
#   at t/80_ssltest.t line 37.
#   Failed test 'client_error <Broken pipe>'
#   at t/80_ssltest.t line 97.
#   Failed test 'server_error <Protocol error>'
#   at t/80_ssltest.t line 37.
#   Failed test 'client_error <Broken pipe>'
#   at t/80_ssltest.t line 97.
#   Failed test 'server_error <Protocol error>'
#   at t/80_ssltest.t line 37.
#   Failed test 'client_error <Broken pipe>'
#   at t/80_ssltest.t line 97.
#   Failed test 'server_error <Protocol error>'
#   at t/80_ssltest.t line 37.
#   Failed test 'client_error <Broken pipe>'
#   at t/80_ssltest.t line 97.
# Looks like you planned 415 tests but ran 26.
# Looks like you failed 9 tests of 26 run.
t/80_ssltest.t ..............
Dubious, test returned 9 (wstat 2304, 0x900)
Failed 398/415 subtests

However, if I exclude openssl-1.0.1 from the buildroot and force it to pick up 1.0.0g instead, the test passes, as it does with all older versions of openssl right back to the one in Fedora Core 1.

I'm not sure exactly what's happening here or how to debug it but it looks like an openssl regression to me.

Comment 1 Tom Lane 2012-02-11 17:36:36 UTC
Possibly unrelated, but mysql is also not very happy with 1.0.1 --- see bug #789600

Comment 2 Paul Howarth 2012-02-20 15:59:35 UTC
Similar story with perl-IO-Socket-SSL, which also uses perl-Net-SSLeay as its openssl interface, like perl-AnyEvent:

I ran this test suite with some debugging on and got this:

DEBUG: .../IO/Socket/SSL.pm:494: no socket yet
DEBUG: .../IO/Socket/SSL.pm:193: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:334: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:336: socket connected
DEBUG: .../IO/Socket/SSL.pm:496: accept created normal socket IO::Socket::SSL=GLOB(0x8558278)
DEBUG: .../IO/Socket/SSL.pm:512: starting sslifying
DEBUG: .../IO/Socket/SSL.pm:354: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:1281: SSL accept attempt failed with unknown errorerror:04075070:rsa routines:RSA_sign:digest too big for rsa key
SSL error:  31249: 1 - error:1409B006:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:EVP lib
DEBUG: .../IO/Socket/SSL.pm:445: connection failed - connect returned 0
t/dhe.t ....................
1..3
ok # [server] Server Initialization
not ok # [server] accept failed:
Failed 2/3 subtests

Same test passes with 1.0.0g:

DEBUG: .../IO/Socket/SSL.pm:494: no socket yet
DEBUG: .../IO/Socket/SSL.pm:193: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:334: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:336: socket connected
DEBUG: .../IO/Socket/SSL.pm:496: accept created normal socket IO::Socket::SSL=GLOB(0x8cc2a0)
DEBUG: .../IO/Socket/SSL.pm:354: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:512: starting sslifying
DEBUG: .../IO/Socket/SSL.pm:600: handshake done, socket ready
DEBUG: .../IO/Socket/SSL.pm:500: accept_SSL ok
DEBUG: .../IO/Socket/SSL.pm:452: ssl handshake done
t/dhe.t ....................
1..3
ok # [server] Server Initialization
ok # [server] Server accepted
ok # [client] client connected
ok

Perhaps the "error:04075070:rsa routines:RSA_sign:digest too big for rsa key" diagnostic helps?

Comment 3 Fedora Update System 2012-02-29 09:03:28 UTC
openssl-1.0.0g-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openssl-1.0.0g-2.fc17

Comment 4 Tomas Mraz 2012-02-29 09:05:05 UTC
This still needs to be fixed in rawhide where we will keep the 1.0.1 releases.

Comment 5 Paul Howarth 2012-02-29 09:20:43 UTC
The perl-IO-Socket-SSL issue has been addressed upstream: the failing test uses a 384-bit key, which may be too short for the autonegotiated connection type. To work around this, the connection type is being specified explicitly as TLSv1 for openssl 1.0.1 onwards, and the problem no longer appears.

Upstream for perl-AnyEvent hasn't had a chance to look at this yet but I did suggest that they try the Fedora 17 alpha (perhaps in a VM) to look at it. I'd better tell them not to update it...

Comment 6 Fedora Update System 2012-03-06 20:28:32 UTC
openssl-1.0.0g-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Paul Howarth 2012-04-05 08:56:27 UTC
The problem with perl-AnyEvent was also a short key, which upstream believes is an openssl bug:

  "It seems openssl 1.0.1 enforces a minimum rsa key size, and the
   key is too short. Doubtlessly, this is a bug in openssl, and
   doubtlessly, they are not going to fix it, so I will generate a
   longer key."

The longer key has fixed the compatibility issue.
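
Why a 384-bit key still works when the connection is pinned to TLSv1 but fails with "digest too big for rsa key" when the protocol is autonegotiated, as an added example that is not part of this bug thread or of OpenSSL's code. It models the PKCS#1 v1.5 size rule from RFC 8017 (encoded digest plus 11 bytes of padding must fit in the modulus) for the TLS 1.0/1.1 MD5+SHA-1 signature and for the DigestInfo-wrapped hashes used by TLS 1.2, which OpenSSL 1.0.1 added; the function names are hypothetical, and the thread does not say which hash was actually negotiated.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (prepended to the raw hash).
DIGESTINFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
PKCS1_MIN_PADDING = 11  # 0x00 0x01, at least eight 0xFF bytes, 0x00


def signed_input(scheme, message):
    """Return the bytes that get PKCS#1 v1.5 padded for this signature scheme."""
    if scheme == "md5+sha1":  # TLS 1.0/1.1 RSA signature: raw MD5 || SHA-1, no DigestInfo
        return hashlib.md5(message).digest() + hashlib.sha1(message).digest()
    return DIGESTINFO_PREFIX[scheme] + hashlib.new(scheme, message).digest()


def emsa_pkcs1_v15(scheme, message, key_bits):
    """Build the padded block, or raise ValueError if the key is too short."""
    k = (key_bits + 7) // 8  # modulus length in bytes
    t = signed_input(scheme, message)
    if len(t) + PKCS1_MIN_PADDING > k:
        raise ValueError("digest too big for rsa key")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def fits(scheme, key_bits):
    """True if a key of this size can sign with the given scheme."""
    try:
        block = emsa_pkcs1_v15(scheme, b"constructed sample message", key_bits)
    except ValueError:
        return False
    return len(block) == (key_bits + 7) // 8


def min_key_bits(scheme):
    """Smallest byte-aligned modulus that can carry this scheme's signature."""
    return 8 * (len(signed_input(scheme, b"")) + PKCS1_MIN_PADDING)


if __name__ == "__main__":
    for scheme in ["md5+sha1", *DIGESTINFO_PREFIX]:
        print(f"{scheme:9} 384-bit key: {fits(scheme, 384)!s:5}  "
              f"minimum modulus: {min_key_bits(scheme)} bits")
```

The 36-byte MD5+SHA-1 input fits a 48-byte (384-bit) modulus with one byte to spare, while every SHA-2 DigestInfo is already larger than the modulus before padding is added.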

