Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused
Control: severity -1 serious

For this actually is a FTBFS bug I'm raising its severity.

Thanks,
DS

--
4096R/DF5182C8
https://danielstender.com
Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused
Sebastian Andrzej Siewior wrote on Sat 02. 03. 2019 at 17:16 +0100:
> The thing is that m2crypto uses TLS1.3 cipher but uses the -cipher
> option instead of -ciphersuites which is for TLS1.3:
>
> > $ openssl s_server --help 2>&1 |grep -- -cipher
> > -cipher val         Specify TLSv1.2 and below cipher list to be used
> > -ciphersuites val   Specify TLSv1.3 ciphersuites to be used
>
> The patch attached against m2crypto fixes the testsuite issue.

Thank you, merged in https://gitlab.com/m2crypto/m2crypto/merge_requests/224

Matěj
--
https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

I would like to die sleeping, like my father — rather than screaming
and helpless, like his passengers.
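The split between the TLS 1.2-and-below cipher list and the TLS 1.3 ciphersuites that this thread turns on, as an added example that is not part of the thread or of m2crypto. It uses Python's standard ssl module instead of M2Crypto and assumes the interpreter is linked against OpenSSL 1.1.1b or later; s_server_cipher_args is a hypothetical helper name.

```python
import ssl

# TLS 1.3 suite names from RFC 8446. OpenSSL 1.1.1 configures these through
# -ciphersuites / set_ciphersuites(), separately from the cipher list.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def s_server_cipher_args(names):
    """Hypothetical helper: route each name to the s_server option that takes it."""
    tls13 = [n for n in names if n in TLS13_SUITES]
    legacy = [n for n in names if n not in TLS13_SUITES]
    args = []
    if legacy:
        args += ["-cipher", ":".join(legacy)]
    if tls13:
        args += ["-ciphersuites", ":".join(tls13)]
    return args


def cipher_list_accepts(spec):
    """True if the TLS 1.2-and-below cipher-list setter accepts `spec`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return False
    return True


def enabled_names(spec):
    """Cipher names the context offers once the cipher list is set to `spec`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for name in ("AES128-SHA", "TLS_AES_256_GCM_SHA384"):
        print(name, s_server_cipher_args([name]), cipher_list_accepts(name))
    print(enabled_names("AES128-SHA"))
```

A TLS 1.3 name on its own is rejected by the cipher-list setter, while restricting the cipher list to AES128-SHA leaves the TLS 1.3 suites enabled, so a test that wants exactly one TLS 1.3 suite has to configure it through the ciphersuites interface.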
Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused
control: tags -1 patch

On 2019-03-01 23:27:47 [+0100], To Paul Gevers wrote:
> debugging on openssl side gives me the same result as in #923448 which

No. I've been testing the wrong package… So m2crypto fails due to openssl
commit 1c31fe7eb093:

|Author: Sam Roberts
|Date: Mon Nov 26 13:58:52 2018 -0800
|
|Ignore cipher suites when setting cipher list
|
|set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or
|failure should not depend on whether set_ciphersuites() has been used to
|setup TLSv1.3 ciphers.
|
|Reviewed-by: Paul Dale
|Reviewed-by: Ben Kaduk
|Reviewed-by: Matt Caswell
|(Merged from https://github.com/openssl/openssl/pull/7759)
|
|(cherry picked from commit 3c83c5ba4f6502c708b7a5f55c98a10e312668da)

The thing is that m2crypto uses TLS1.3 cipher but uses the -cipher
option instead of -ciphersuites which is for TLS1.3:

|$ openssl s_server --help 2>&1 |grep -- -cipher
| -cipher val         Specify TLSv1.2 and below cipher list to be used
| -ciphersuites val   Specify TLSv1.3 ciphersuites to be used

The patch attached against m2crypto fixes the testsuite issue.

Sebastian

>From 862167880780c1b1219b6be3864ba587f0bdddba Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Sat, 2 Mar 2019 17:08:39 +0100 Subject: [PATCH] tests/test_ssl: use -ciphercuites for TLS1.3 cipher in openssl1.1 The -cipher can not be used in OpenSSL 1.1.b+ for TLS1.3 cipher since openssl upstream commit 1c31fe7eb093a ("Ignore cipher suites when setting cipher list"). Use -ciphersuites for TLS1.3 cipher as documented. Signed-off-by: Sebastian Andrzej Siewior --- tests/test_ssl.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index a3e2a318c315..925d365a5810 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py 
@@ -460,9 +460,10 @@ sleepTime = float(os.getenv('M2CRYPTO_TEST_SSL_SLEEP', '1.5')) def test_cipher_ok(self): if OPENSSL111: TCIPHER = 'TLS_AES_256_GCM_SHA384' +self.args = self.args + ['-ciphersuites', TCIPHER] else: TCIPHER = 'AES128-SHA' -self.args = self.args + ['-cipher', TCIPHER] +self.args = self.args + ['-cipher', TCIPHER] pid = self.start_server(self.args) try: -- 2.20.1
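Review bot: In the OPENSSL111 branch only the s_server arguments move to -ciphersuites; the client half of test_cipher_ok, as shown in the failure trace in the original report, still passes the same TLS 1.3 name through s.set_cipher_list(TCIPHER), which the quoted OpenSSL commit describes as the setter for TLSv1.2 and below. Consider constraining the client through the TLS 1.3 interface as well, or asserting the negotiated cipher after connect, so the test proves the suite was actually selected and not only that the server started. The commit message also reads "-ciphercuites" in the subject and "OpenSSL 1.1.b+" in the body; both look like typos worth correcting (the report names 1.1.1b-1).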
Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused
On 2019-02-28 12:17:49 [+0100], Paul Gevers wrote:
> === FAILURES
> _ MiscSSLClientTestCase.test_cipher_ok
>
> self = …
> tests/test_ssl.py:472:
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> /usr/lib/python2.7/dist-packages/M2Crypto/SSL/Connection.py:303: in connect
> self.socket.connect(addr)

debugging on openssl side gives me the same result as in #923448 which
means m2crypto sets somewhere a DH with <2048 bits and now it fails. So
now the DH needs to be located :)

Sebastian
Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused
Source: m2crypto
Version: 0.31.0-2
Severity: important
X-Debbugs-CC: debian...@lists.debian.org, open...@packages.debian.org
User: debian...@lists.debian.org
Usertags: needs-update
Control: affects -1 src:openssl

Dear maintainers,

With a recent upload of openssl the autopkgtest of m2crypto fails in
testing when that autopkgtest is run with the binary packages of openssl
from unstable. It passes when run with only packages from testing. In
tabular form:

                 pass            fail
openssl          from testing    1.1.1b-1
m2crypto         from testing    0.31.0-2
all others       from testing    from testing

I copied some of the output at the bottom of this report.

Currently this regression is blocking the migration of openssl to
testing [1]. Of course, openssl shouldn't just break your autopkgtest
(or even worse, your package), but it seems to me that the change in
openssl could very well be intended and your package needs to update to
the new situation.

If needed, please change the bug's severity and in doubt, please discuss
with the maintainers of openssl (in X-Debbugs-CC).

If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from openssl should really add
a versioned Breaks on the unfixed version of (one of your) package(s).
Please note that the window to fix this to allow openssl to migrate
without intervention is closing extremely soon.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=openssl

https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/2021379/log.gz

=== FAILURES ===
_ MiscSSLClientTestCase.test_cipher_ok _

self =

    def test_cipher_ok(self):
        if OPENSSL111:
            TCIPHER = 'TLS_AES_256_GCM_SHA384'
        else:
            TCIPHER = 'AES128-SHA'
        self.args = self.args + ['-cipher', TCIPHER]
        pid = self.start_server(self.args)
        try:
            ctx = SSL.Context()
            s = SSL.Connection(ctx)
            s.set_cipher_list(TCIPHER)
>           s.connect(self.srv_addr)

tests/test_ssl.py:472:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python2.7/dist-packages/M2Crypto/SSL/Connection.py:303: in connect
    self.socket.connect(addr)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

name = 'connect', self = args = (('localhost', 43581),)

    def meth(name,self,*args):
>       return getattr(self._sock,name)(*args)
E       error: [Errno 111] Connection refused

/usr/lib/python2.7/socket.py:228: error