On 2/9/24 10:26, Dmitry Belyavskiy wrote:
Dear Yaakov,



On Fri, Feb 9, 2024 at 4:51 AM Yaakov Selkowitz <yselk...@redhat.com> wrote:

    On Thu, 2024-02-08 at 20:37 +0100, Sahana Prasad wrote:
    > Hello everyone,
    > OpenSSL 3.2.1 is now available in rawhide [1].
    > There are no API/ABI changes in comparison with the last version in
    > rawhide (3.1.4).
    > This version (3.2.0 onwards) supports PQ algorithms that can be
    > loaded through the OQS provider.
    > A few tests that needed some downstream tweaks have been disabled and
    > are being worked on.
    > Other than this issue [2] upstream, we did not see any new
    > failures/breakages.
    >
    > If you observe any new issues with this new version, kindly report a
    > bug.

    Would this be related to openssl 3.2.1?

    https://koji.fedoraproject.org/koji/taskinfo?taskID=113198856

    The tests pass locally in mock with openssl 3.1.4.


I can imagine the situation where upgrading to 3.2 could cause this failure but the logs are too vague. Could you please provide more details (e.g. openssl low-level diagnostics) or even better a minimal reproducer for diagnostics?

Hi,

I am not that well versed in openssl, but I think I got it quite minimal, as I can reproduce the error message using the `openssl` command itself. I also confirmed, at least locally, that the error started happening once I introduced OpenSSL 3.2.1 into the buildroot. Whether that's all there is to the story, I do not know.

As a result I have ruled out mariadb version update as the cause.

rubygem-mysql2 has a few tests that test SSL connection. Keys and certs are in upstream: https://github.com/brianmario/mysql2/tree/master/spec/ssl

However, we regenerate all certificates using `gen_certs.sh`: https://github.com/brianmario/mysql2/blob/master/spec/ssl/gen_certs.sh
In our repo: https://src.fedoraproject.org/rpms/rubygem-mysql2/blob/rawhide/f/rubygem-mysql2.spec#_94

Above the line in the file I linked from Fedora, we set CN to localhost, as we expect to connect through that host.

Now, with the certs regenerated in mock, I execute the following:
```
$ openssl verify -CAfile ca-cert.pem client-cert.pem
CN=ca_mysql2gem
error 79 at 1 depth lookup: invalid CA certificate
error client-cert.pem: verification failed
```
Since the error from the scratch build says "invalid CA certificate", I thought to use some openssl "verification" command; this one seems like I'm on the right path.

I have tried more permutations of the command with certificates available in the `spec/ssl/` directory, including using `-untrusted` with various certs; all seem to fail the same way.

Any idea what's up or how to fix it?

Regards,
Jarek Prokop


As for now we don't see any significant regressions in our downstream tests.

--
Dmitry Belyavskiy