From: Marius Bakke <mbakke@fastmail.com>
To: Mark H Weaver <mhw@netris.org>, guix-devel@gnu.org
Subject: Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
Date: Sat, 22 Apr 2017 09:40:13 +0200
Message-ID: <878tmsevqa.fsf@fastmail.com>
In-Reply-To: <87lgqtzlon.fsf@netris.org>
[-- Attachment #1.1: Type: text/plain, Size: 2191 bytes --]
Mark H Weaver <mhw@netris.org> writes:
> Mark H Weaver <mhw@netris.org> writes:
>
>> These patches update nss to 3.30.2 and disable long b64 tests which fail
>> on some systems including armhf. I'll push them soon after some light
>> testing.
>
> Unfortunately, even with "nss-increase-test-timeout.patch" and
> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>
> https://hydra.gnu.org/build/2010324
>
> It would be good to find a way to fix or work around this issue without
> forcing rebuilds on other platforms. Also, I feel it's important to
> always run tests on NSS on all platforms.
Here is the relevant excerpt from the log:
[ RUN ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0
Version: TLS 1.1
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
Dropping handshake: 11
record old: [531] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
record new: [89] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
server: Original packet: [536] 1603020213020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
server: Filtered packet: [94] 1603020059020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
Alert: [2] 020a
client: Alert sent: level=2 desc=10
client: Handshake failed with error SSL_ERROR_RX_UNEXPECTED_HELLO_DONE: SSL received an unexpected Server Hello Done handshake message.
client: Changing state from CONNECTING to ERROR
tls_connect.cc:238: Failure
Value of: (client_->state() != TlsAgent::STATE_CONNECTING) && (server_->state() != TlsAgent::STATE_CONNECTING)
Actual: false
Expected: true
tls_connect.cc:374: Failure
Value of: server_->state()
Actual: CONNECTING
Expected: TlsAgent::STATE_ERROR
Which is: ERROR
[ FAILED ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0, where GetParam() = ("TLS", 770) (50449 ms)
This looks very similar to the random connect timeouts that prompted the
"increase-test-timeouts" patch, except this time it took 50s instead of
~20s:
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00412.html
(search for '[ FAILED' in the build logs)
I am 99% sure the attached patch will do the job. What do you think?
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-nss-Further-increase-test-timeouts-on-armhf.patch --]
[-- Type: text/x-patch, Size: 1476 bytes --]
From a6876365f2ee9a82452c3f364ee1cd94e44423c2 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 22 Apr 2017 09:25:36 +0200
Subject: [PATCH] gnu: nss: Further increase test timeouts on armhf.
* gnu/packages/gnuzilla.scm (nss)[arguments]<#:phases>: Add a substitution
when target platform is armhf.
---
gnu/packages/gnuzilla.scm | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index efe63adb4..37c2eb006 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -241,6 +241,16 @@ in the Mozilla clients.")
`((setenv "USE_64" "1")))
(_
'()))
+ ;; The timeout values in "increase-test-timeouts" are still
+ ;; too low, so apply this workaround on armhf for now to avoid
+ ;; rebuilding on all platforms. This should be incorporated in
+ ;; the patch for the next update.
+ ;; https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00472.html
+ ,@(if (string-prefix? "armhf" (or (%current-target-system)
+ (%current-system)))
+ `((substitute* "nss/gtests/ssl_gtest/tls_connect.cc"
+ (("25000\\);") "60000);")))
+ '())
#t))
(replace 'check
(lambda _
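Review bot: the substitute* pattern "25000\\);" in the armhf branch is tied to the literal number currently present in tls_connect.cc, and substitute* does not fail when a pattern matches nothing, so if the timeout patch or a later NSS update changes that value the workaround silently stops applying. Consider matching more of the surrounding line so the intent is visible and a stale pattern is easier to spot. The comment could also record that the failing test in the quoted log ran for 50449 ms, which leaves roughly ten seconds of headroom under the new 60000 value on slower armhf builders.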
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]