From: Maxim Cournoyer
To: 56137@debbugs.gnu.org
Subject: bug#56137: bug#58650: OpenSSL 1.1.1n test failures due to expired certificates (time bomb)
Date: Sun, 26 Feb 2023 23:03:53 -0500
Message-ID: <871qmbdaae.fsf_-_@gmail.com>
List-Id: Bug reports for GNU Guix

Hi,

I also tried with libfaketime, which seemed more complete and easy to set up
globally via environment variables:

--8<---------------cut here---------------start------------->8---
modified gnu/packages/tls.scm
@@ -491,11 +491,47 @@ (define (target->openssl-target target) (error "unsupported openssl target architecture"))))) (string-append kernel "-" arch)))) +;;; A minimal version of libfaketime that should remain private. Its only +;;; purpose is to avoid introducing a cycle with openssl due to libfaketime's +;;; git-fetch origin, which pulls git (which requires openssl). +(define libfaketime-minimal + (package + (name "libfaketime") + (version "0.9.10") + (home-page "https://github.com/wolfcw/libfaketime") + (source (origin + (method url-fetch) + ;; XXX: We cheat and use a dynamically generated archive GitHub + ;; link here, since we can't fetch from git. + (uri (string-append "https://github.com/wolfcw/" name + "/archive/refs/tags/v" version ".tar.gz")) + (sha256 + (base32 + "0zwlwxpya3scayf8b3ans6pp82k8k42bk5wfqvcm02kmkhxx76kj")))) + (build-system gnu-build-system) + (arguments + (list + #:make-flags #~(list "all") + #:tests? #f + #:phases + #~(modify-phases %standard-phases + (replace 'configure + (lambda* (#:key outputs #:allow-other-keys) + (setenv "CC" #$(cc-for-target)) + (setenv "PREFIX" #$output)))))) + (synopsis "Fake the system time for single applications") + (description + "The libfaketime library allows users to modify the system time that an +application \"sees\". It is meant to be loaded using the dynamic linker's +@code{LD_PRELOAD} environment variable. The @command{faketime} command +provides a simple way to achieve this.") + (license license:gpl2))) + (define-public openssl-1.1 ;; Note to maintainers: when updating this package, make sure to update the ;; RELEASE-DATE variable below. It is used by datefudge to avoid time bombs ;; in the test suite. - (let ((release-date "2021-08-24 00:00")) + (let ((release-date "@2021-08-24 00:00:00")) (package (name "openssl") (version "1.1.1l") 
@@ -517,7 +553,7 @@ (define-public openssl-1.1 (outputs '("out" "doc" ;6.8 MiB of man3 pages and full HTML documentation "static")) ;6.4 MiB of .a files - (native-inputs (list datefudge perl)) + (native-inputs (list libfaketime-minimal perl)) (arguments (list #:modules '((guix build gnu-build-system) 
@@ -537,6 +573,15 @@ (define-public openssl-1.1 #:disallowed-references (list (canonical-package perl)) #:phases #~(modify-phases %standard-phases + (add-before 'unpack 'setup-libfaketime + (lambda* (#:key native-inputs inputs #:allow-other-keys) + (let ((libfaketime.so.1 (search-input-file + (or native-inputs inputs) + "lib/faketime/libfaketime.so.1"))) + (setenv "LD_PRELOAD" libfaketime.so.1) + (setenv "NO_FAKE_STAT" "1") + (setenv "FAKETIME_DONT_RESET" "1") + (setenv "FAKETIME" #$release-date)))) #$@(if (%current-target-system) #~((add-before 'configure 'set-cross-compile
--8<---------------cut here---------------end--------------->8---

But I still get the same error:

--8<---------------cut here---------------start------------->8---
../../util/shlib_wrap.sh /gnu/store/hy6abswwv4d89zp464fw52z65fkzr7h5-perl-5.34.0/bin/perl -I ../../util/perl ../generate_ssl_tests.pl ../ssl-tests/12-ct.conf.in > 12-ct.conf.30543.tmp => 0
ok 1 - Getting output from generate_ssl_tests.pl.
ok 2 - Comparing generated sources.
# Subtest: ../ssl_test
1..1
# Subtest: test_handshake
1..6
ok 1 - iteration 1
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2
ok 3 - iteration 3
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 4 - iteration 4
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 5 - iteration 5
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 6 - iteration 6
not ok 1 - test_handshake
../../util/shlib_wrap.sh ../ssl_test 12-ct.conf.30543.tmp => 1
not ok 3 - running ssl_test 12-ct.conf
# Failed test 'running ssl_test 12-ct.conf'
# at ../test/recipes/80-test_ssl_new.t line 148.
# Looks like you failed 1 test of 3.
not ok 12 - Test configuration 12-ct.conf
# Failed test 'Test configuration 12-ct.conf'
# at
# /tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l/test/../util/perl/OpenSSL/Test.pm
# line 1212.
--8<---------------cut here---------------end--------------->8---

When attempting to build with

--8<---------------cut here---------------start------------->8---
./pre-inst-env guix build --no-grafts -e '(@@ (gnu packages tls) openssl-1.1)'
--8<---------------cut here---------------end--------------->8---

Upstream seems to have moved to give very large expiry dates on their
test certs (100 years), so perhaps we can simply remove this test and
hope the problem doesn't come back to haunt us...

-- 
Thanks,
Maxim
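
Review bot: in the first hunk (@@ -491,11 +491,47 @@), the `libfaketime-minimal` origin pins a sha256 to a GitHub auto-generated `/archive/refs/tags/` tarball, which the XXX comment itself calls a cheat. Those archives are produced on demand, so the hash only holds while GitHub keeps emitting identical bytes, and a mismatch here would stop openssl-1.1 from building. If the project publishes a release tarball, that would be a safer `uri`; otherwise the comment should say what to do when the hash stops matching. Two smaller points in the same hunk: `#:tests? #f` has no comment explaining why the tests are skipped, and the unchanged note above `release-date` still says the variable "is used by datefudge", which no longer holds once the input is swapped for libfaketime and the value takes the `@`-prefixed form.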
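
Review bot: in the third hunk (@@ -537,6 +573,15 @@), `setup-libfaketime` is added before `'unpack` and sets `LD_PRELOAD` and `FAKETIME` with `setenv`, so every process in every later phase (unpack, configure, compile, install) starts with the library preloaded and the clock set to `release-date`, not only the test suite where the expired certificates matter. Consider moving this to `(add-before 'check ...)` and unsetting `LD_PRELOAD` afterwards, which keeps the faked clock away from the compile and install steps and makes it easier to tell whether `ssl_test` itself is seeing the faked time. A short comment on why `NO_FAKE_STAT` and `FAKETIME_DONT_RESET` are set would also help the next person updating the package.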