On Sun, Jun 14, 2015 at 11:09 AM, olli hauer <oha...@gmx.de> wrote: > On 2015-06-14 02:46, Jeff Trawick wrote: >> On Sat, Jun 13, 2015 at 7:42 PM, Yann Ylavic <ylavic....@gmail.com> wrote: >> >>> On Sun, Jun 14, 2015 at 1:18 AM, Jeff Trawick <traw...@gmail.com> wrote: >>>> On Sat, Jun 13, 2015 at 6:06 PM, Yann Ylavic <ylavic....@gmail.com> >>> wrote: >>>>> >>>>> I did not look at pr12355.t and pr43738.t yet, however those passed in >>>>> my tests, so it's probably something different. >>>> >>>> >>>> Just in case it wasn't clear, these aren't regressions. I get them with >>>> prior releases on FreeBSD 10.1 also. >>> >>> Ah ok, those are possibly the same as I reported in [1] for the 2.4.13 >>> vote (in the Post Scriptum, about latest stable debian 8). >>> >>>> >>>> I don't know if it is the Perl stack or OpenSSL or ??? that results in >>> the >>>> consistent failure. (This FreeBSD has a significantly newer Perl stack >>> from >>>> system packages than CentOS 7.) IIUC, Rainer has been reporting >>>> intermittent failures on various platforms for a while. >>> >>> It seems to be related to latest OpenSSL, maybe RC5 isn't handled anymore? >>> >> >> I just tried on Fedora 22... >> >> For both the Perl interpreter/lib versions and OpenSSL versions, it seems >> to be essentially >> >> CentOS 7 < FreeBSD 10.1 < Fedora 22 >> >> and the one in the middle is the only one where I see the issue. >> >> The CentOS and Fedora builds of OpenSSL are FIPS-enabled; I don't know how >> that affects the enabled ciphers. >> > > From OpenSSL CHANGES (happed already with 0.9.7i in 2005) > The patented RC5 and MDC2 algorithms will now be disabled unless > "enable-rc5" and "enable-mdc2", respectively, are specified. > > And from src/crypto/openssl/Makefile > OPTIONS= ... no-md2 no-rc5 ... > > OpenSSL is build in FreeBSD base with > ... -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 ... > > So is assume tests for RC5 and MD2 will always fail.
Sorry for the noise about RC5, I was misleaded by a typo in ssl/pr12355.t which talks about RC5-MD5 where RC4-MD5 is probably meant (the test seems for force a renegotiation by using exclusively either RC4-SHA or RC4-MD5). So that was a wrong track. However on Debian 8 (Jessie) where I can reproduce the failures here for pr12355.t and pr43738.t, openssl is configured/compiled with no_ssl3 (same on FreeBSD 10.1?). This is more likely the cause, will dig a bit further into this... Thanks for the ./configure hint anyway.
