unofficial mirror of bug-guix@gnu.org 
* bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
@ 2022-06-22  9:58 Ludovic Courtès
  2022-06-22 10:39 ` Ludovic Courtès
  0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2022-06-22  9:58 UTC (permalink / raw)
  To: 56137; +Cc: phodina

Hello,

As reported by phodina in <https://issues.guix.gnu.org/53581>, OpenSSL
1.1.1n and 3.0.3 include a time-dependent test that now fails due to an
expired certificate:

  https://github.com/openssl/openssl/issues/18441

The log looks like this:

--8<---------------cut here---------------start------------->8---
80-test_ocsp.t ..................... ok
80-test_pkcs12.t ................... ok

            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 2 - iteration 2
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 4 - iteration 4
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 5 - iteration 5
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 6 - iteration 6
# ------------------------------------------------------------------------------
        # OPENSSL_TEST_RAND_ORDER=1655844368
        not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.none none => 1
    not ok 3 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 2 - iteration 2
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 4 - iteration 4
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 5 - iteration 5
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 6 - iteration 6
# ------------------------------------------------------------------------------
        # OPENSSL_TEST_RAND_ORDER=1655844369
        not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.default default => 1
    not ok 6 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
    #   Failed test 'running ssl_test 12-ct.cnf'
    #   at test/recipes/80-test_ssl_new.t line 171.
    # Looks like you failed 2 tests of 6.
not ok 12 - Test configuration 12-ct.cnf
# ------------------------------------------------------------------------------
# Looks like you failed 1 test of 30.80-test_ssl_new.t .................. 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/30 subtests 
80-test_ssl_old.t .................. ok
80-test_ssl_test_ctx.t ............. ok
--8<---------------cut here---------------end--------------->8---

That means that ‘openssl’ on current master (ca.
73761d8049f483e6685c2c736872d0366e03238a) now fails to build.

Ludo’.
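
An added example (not part of the original message, nor Guix or OpenSSL code): a small triage script for a test log in the format shown above, separating ssl_test failures explained by the "certificate expired" alert (TLS alert number 45) from failures with any other cause. The sample log is constructed and abridged, and `99-example.cnf` is a made-up configuration name.

```python
import re

# Constructed sample, abridged from the log format shown in the report above.
SAMPLE_LOG = """\
80-test_pkcs12.t ................... ok
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            not ok 2 - iteration 2
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            not ok 5 - iteration 5
        not ok 1 - test_handshake
    not ok 3 - running ssl_test 12-ct.cnf
            # ExpectedResult mismatch: expected Success, got ServerFail.
            not ok 1 - iteration 1
        not ok 1 - test_handshake
    not ok 2 - running ssl_test 99-example.cnf
"""

ALERT_EXPIRED = re.compile(r"alert certificate expired|SSL alert number 45\b")
RESULT = re.compile(r"^\s*(not ok|ok) \d+ - (.*)$")

def triage(log):
    """Map each failing ssl_test config to its expired/other failing iterations.
    Runs of one config under several providers are merged into one entry."""
    report, diag, pending = {}, [], []
    for line in log.splitlines():
        m = RESULT.match(line)
        if not m:
            if line.lstrip().startswith("#"):
                diag.append(line)          # diagnostics precede their result line
            continue
        status, name = m.groups()
        if status == "not ok" and name.startswith("iteration "):
            expired = any(ALERT_EXPIRED.search(d) for d in diag)
            pending.append((int(name.split()[1]), expired))
        elif status == "not ok" and name.startswith("running ssl_test "):
            entry = report.setdefault(name.split()[-1], {"expired": set(), "other": set()})
            for n, expired in pending:
                entry["expired" if expired else "other"].add(n)
            pending = []
        diag = []                          # any result line ends the diagnostic run
    return report

def time_bombs(report):
    """Configs whose every failing iteration is explained by certificate expiry."""
    return sorted(c for c, r in report.items() if r["expired"] and not r["other"])

if __name__ == "__main__":
    print(time_bombs(triage(SAMPLE_LOG)))
```

A configuration listed by `time_bombs` failed only because of the clock; one with entries under `"other"` still needs a real investigation before its test is skipped.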





* bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
  2022-06-22  9:58 bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test Ludovic Courtès
@ 2022-06-22 10:39 ` Ludovic Courtès
  2022-06-22 10:49   ` Maxime Devos
  0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2022-06-22 10:39 UTC (permalink / raw)
  To: 56137-done; +Cc: phodina

Ludovic Courtès <ludo@gnu.org> writes:

> As reported by phodina in <https://issues.guix.gnu.org/53581>, OpenSSL
> 1.1.1n and 3.0.3 include a time-dependent test that now fails due to an
> expired certificate:
>
>   https://github.com/openssl/openssl/issues/18441

Fixed on ‘core-updates’ with 6cd438c4c2beb016a821143cdfdd12892aa9fd5f.

That commit skips the test.  I tried another approach with ‘datefudge’,
which has the advantage of being more explicit and future-proof (should
there be similar issues lying around):

               (invoke "datefudge" "2022-01-01"
                       "make" test-target
                       #$@(if (or (target-arm?) (target-riscv64?))
                              #~("TESTS=-test_afalg")
                              #~()))

For some reason it didn’t work.

Note that we cannot use libfaketime because:

--8<---------------cut here---------------start------------->8---
$ guix graph -t derivation --path libfaketime openssl@1
/gnu/store/a4jcd4h7nvn97a2mw4n1yydgbh0i2wmz-libfaketime-0.9.9.drv
/gnu/store/hf5arq562aiisycnjcnhgfwzrl8lwrbc-libfaketime-0.9.9-checkout.drv
/gnu/store/xpnrk8hjfh7rvgqfsjwkjrb9cz1ws626-git-minimal-2.36.1.drv
/gnu/store/gavjhl823bhd95rijqf3iw3vl32ix494-openssl-1.1.1l.drv
--8<---------------cut here---------------end--------------->8---

Ludo’.





* bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
  2022-06-22 10:39 ` Ludovic Courtès
@ 2022-06-22 10:49   ` Maxime Devos
  2022-06-24 14:47     ` Ludovic Courtès
  0 siblings, 1 reply; 5+ messages in thread
From: Maxime Devos @ 2022-06-22 10:49 UTC (permalink / raw)
  To: Ludovic Courtès, 56137-done; +Cc: phodina


Ludovic Courtès wrote on Wed 22-06-2022 at 12:39 [+0200]:
> That commit skips the test.  I tried another approach with ‘datefudge’,
> which has the advantage of being more explicit and future-proof (should
> there be similar issues lying around):
> 
>                (invoke "datefudge" "2022-01-01"
>                        "make" test-target
>                        #$@(if (or (target-arm?) (target-riscv64?))
>                               #~("TESTS=-test_afalg")
>                               #~()))

Looking at <https://github.com/openssl/openssl/issues/15179>,
upstream just replaces the certificates when these things happen, so
there could easily be more time bombs.  As such, WDYT of removing _all_
the certs in tests/certs for robustness, maybe generating them locally
with test/smime-certs/mksmime-certs.sh?

Greetings,
Maxime.


* bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
  2022-06-22 10:49   ` Maxime Devos
@ 2022-06-24 14:47     ` Ludovic Courtès
  2022-06-24 15:00       ` Maxime Devos
  0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2022-06-24 14:47 UTC (permalink / raw)
  To: Maxime Devos; +Cc: 56137-done, phodina

Maxime Devos <maximedevos@telenet.be> writes:

> Ludovic Courtès wrote on Wed 22-06-2022 at 12:39 [+0200]:
>> That commit skips the test.  I tried another approach with ‘datefudge’,
>> which has the advantage of being more explicit and future-proof (should
>> there be similar issues lying around):
>> 
>>                (invoke "datefudge" "2022-01-01"
>>                        "make" test-target
>>                        #$@(if (or (target-arm?) (target-riscv64?))
>>                               #~("TESTS=-test_afalg")
>>                               #~()))
>
> Looking at <https://github.com/openssl/openssl/issues/15179>,
> upstream just replaces the certificates when these things happen, so
> there could easily be more time bombs.  As such, WDYT of removing _all_
> the certs in tests/certs for robustness, maybe generating them locally
> with test/smime-certs/mksmime-certs.sh?

That’s an option, but it might be trickier than it seems?  Or is it
really just about running that script?

I thought it’d be easier and more robust to use ‘datefudge’ or similar
because it’d amount to freezing things in time (GnuTLS does that in its
test suite).  It didn’t work for some reason but it might be worth
investigating.

Ludo’.


* bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
  2022-06-24 14:47     ` Ludovic Courtès
@ 2022-06-24 15:00       ` Maxime Devos
  0 siblings, 0 replies; 5+ messages in thread
From: Maxime Devos @ 2022-06-24 15:00 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 56137-done, phodina


Ludovic Courtès wrote on Fri 24-06-2022 at 16:47 [+0200]:
> That’s an option, but it might be trickier than it seems?  Or is it
> really just about running that script?

I don't know, Someone(™) would need to try it out.  Though to be 100%
correct, it's not sufficient, IIRC there was something about TLS
certificates only supporting years up to 9999, so we would need to
check that the year isn't too big and if so skip tests or something.


Greetings,
Maxime.


