Re: OpenSSL 3.2.1 available in rawhide

2024-02-09 Thread Jaroslav Prokop


On 2/9/24 14:47, Tom Hughes via devel wrote:
> On 09/02/2024 13:34, Jarek Prokop wrote:
> > Since the error from the scratch build says "invalid CA certificate"
> > I thought to use some openssl "verification" command,
> > this one seems like I'm on the right path.
> >
> > I have tried more permutations of the command with certificates
> > available in the `spec/ssl/` directory, including using `-untrusted`
> > with various certs, all seem to fail the same.
> >
> > Any idea what's up or how to fix it?
>
> As you say it doesn't like the CA certificate:
>
> % openssl verify -verbose -CAfile ca-cert.pem server-cert.pem
> CN=ca_mysql2gem
> error 79 at 1 depth lookup: invalid CA certificate
> error server-cert.pem: verification failed
>
> That CA certificate doesn't have the CA:TRUE constraint set
> which might be the problem?


Seems to have been exactly that.

When I add `-addext basicConstraints=critical,CA:TRUE,pathlen:1` to the
ca-cert.pem generation command, the tests and the verify command then work!

Seems that magic did the trick, thanks.

Jarek



> Tom


--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: OpenSSL 3.2.1 available in rawhide

2024-02-09 Thread Tom Hughes via devel

On 09/02/2024 13:34, Jarek Prokop wrote:
> Since the error from the scratch build says "invalid CA certificate" I
> thought to use some openssl "verification" command,
> this one seems like I'm on the right path.
>
> I have tried more permutations of the command with certificates
> available in the `spec/ssl/` directory, including using `-untrusted`
> with various certs, all seem to fail the same.
>
> Any idea what's up or how to fix it?


As you say it doesn't like the CA certificate:

% openssl verify -verbose -CAfile ca-cert.pem server-cert.pem
CN=ca_mysql2gem
error 79 at 1 depth lookup: invalid CA certificate
error server-cert.pem: verification failed

That CA certificate doesn't have the CA:TRUE constraint set
which might be the problem?

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: OpenSSL 3.2.1 available in rawhide

2024-02-09 Thread Jarek Prokop


On 2/9/24 10:26, Dmitry Belyavskiy wrote:
> Dear Yaakov,
>
> On Fri, Feb 9, 2024 at 4:51 AM Yaakov Selkowitz  wrote:
>
> > On Thu, 2024-02-08 at 20:37 +0100, Sahana Prasad wrote:
> > > Hello everyone,
> > > OpenSSL 3.2.1 is now available in rawhide [1].
> > > There are no API/ABI changes in comparison with the last version in
> > > rawhide (3.1.4).
> > > This version (3.2.0 onwards) supports PQ algorithms that can be
> > > loaded through the OQS provider.
> > > A few tests that needed some downstream tweaks have been disabled and
> > > being worked on.
> > > Other than this issue [2] upstream, we did not see any new
> > > failures/breakages.
> > >
> > > If you observe any new issues with this new version, kindly report a
> > > bug.
> >
> > Would this be related to openssl 3.2.1?
> >
> > https://koji.fedoraproject.org/koji/taskinfo?taskID=113198856
> >
> > The tests pass locally in mock with openssl 3.1.4.
>
> I can imagine the situation where upgrading to 3.2 could cause this
> failure but the logs are too vague.
> Could you please provide more details (e.g. openssl low-level
> diagnostics) or even better a minimal reproducer for diagnostics?


Hi,

I am not that well versed in openssl but I think I got it quite minimal,
as I can reproduce the error message using the `openssl` command itself.
And I confirmed, at least locally, that the error started happening once
I introduced OpenSSL 3.2.1 into the buildroot; whether that's all there is
to the story, I do not know.


As a result I have ruled out the mariadb version update as the cause.

rubygem-mysql2 has a few tests that test SSL connections. Keys and certs 
are in upstream: https://github.com/brianmario/mysql2/tree/master/spec/ssl


However, we regenerate all certificates using `gen_certs.sh`: 
https://github.com/brianmario/mysql2/blob/master/spec/ssl/gen_certs.sh
In our repo: 
https://src.fedoraproject.org/rpms/rubygem-mysql2/blob/rawhide/f/rubygem-mysql2.spec#_94


Above the line I linked in the Fedora spec file, CN is set to localhost,
as we expect to connect through that host.


Now, with the certs regenerated in mock, I execute the following:
```
$ openssl verify -CAfile ca-cert.pem client-cert.pem
CN=ca_mysql2gem
error 79 at 1 depth lookup: invalid CA certificate
error client-cert.pem: verification failed
```
Since the error from the scratch build says "invalid CA certificate" I
thought to use some openssl "verification" command; this one seems like
I'm on the right path.

I have tried more permutations of the command with certificates
available in the `spec/ssl/` directory, including using `-untrusted`
with various certs; all seem to fail the same way.


Any idea what's up or how to fix it?

Regards,
Jarek Prokop



> As for now we don't see any significant regressions in our downstream
> tests.
>
> --
> Dmitry Belyavskiy


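The `openssl verify` failure reproduced above, and the `-addext basicConstraints=critical,CA:TRUE,pathlen:1` fix that resolves it in this thread, carried end to end as an added example. This script is not part of the thread and is not mysql2's `gen_certs.sh`; it borrows only the CN values (`ca_mysql2gem`, `localhost`) and the `-addext` string from the messages, and the file names, the minimal `req.cnf`, and the helper names are its own choices. What makes the CA "invalid": OpenSSL's verifier accepts an issuer as a CA only when basicConstraints says CA:TRUE, with one legacy exception, a self-signed X.509 v1 certificate, which it still accepts as a root unless `-x509_strict` is set. From OpenSSL 3.2 the `req` and `x509` apps always emit v3 certificates, so a self-signed CA produced without any basicConstraints moves from "v1 root, tolerated" to "v3 non-CA, error 79 at depth 1". The script forces that v3-without-basicConstraints shape explicitly (via an unrelated subjectKeyIdentifier extension) so the outcome does not depend on which OpenSSL it runs under, and it passes a minimal `-config` so a distro openssl.cnf whose `[req]` section sets `x509_extensions = v3_ca` cannot add CA:TRUE behind your back.

```shell
#!/bin/sh
# Added example (not from the thread, not mysql2's gen_certs.sh): build a CA
# certificate without basicConstraints, watch `openssl verify` reject it with
# error 79, then rebuild it with the -addext from the thread and verify again.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config (our own, constructed here): no x509_extensions section,
# so nothing from a system openssl.cnf can add CA:TRUE to the CA for us.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# gen_ca NAME [-addext ...]: self-signed CA cert carrying only the extensions given
gen_ca() {
  name=$1; shift
  openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
    -config "$WORK/req.cnf" -subj '/CN=ca_mysql2gem' \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name-cert.pem" "$@" 2>/dev/null
}

# issue_leaf CA NAME: CN=localhost server cert signed by CA, as gen_certs-style
# `openssl x509 -req -CA ... -CAkey ...` does
issue_leaf() {
  ca=$1; name=$2
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/req.cnf" \
    -subj '/CN=localhost' -keyout "$WORK/$name-key.pem" \
    -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca-cert.pem" -CAkey "$WORK/$ca-key.pem" -set_serial 1 \
    -out "$WORK/$name-cert.pem" 2>/dev/null
}

# cert_version NAME: prints "3 (0x2)" for an X.509v3 cert, "1 (0x0)" for v1
cert_version() {
  openssl x509 -in "$WORK/$1-cert.pem" -noout -text | sed -n 's/^ *Version: *//p'
}

# has_ca_true NAME: succeeds iff the cert carries basicConstraints CA:TRUE
has_ca_true() {
  openssl x509 -in "$WORK/$1-cert.pem" -noout -text | grep -q 'CA:TRUE'
}

# ca_accepts CA LEAF: succeeds iff `openssl verify` accepts LEAF under CA
ca_accepts() {
  openssl verify -CAfile "$WORK/$1-cert.pem" "$WORK/$2-cert.pem" >/dev/null 2>&1
}

# 1. Broken CA: X.509v3 (forced by an SKI extension) but no basicConstraints,
#    which is the shape a basicConstraints-less CA takes under OpenSSL 3.2.
gen_ca broken -addext subjectKeyIdentifier=hash
issue_leaf broken leaf1
echo "broken CA: version $(cert_version broken), CA:TRUE: $(has_ca_true broken && echo yes || echo no)"
openssl verify -CAfile "$WORK/broken-cert.pem" "$WORK/leaf1-cert.pem" \
  || echo "^ expected: error 79 at 1 depth lookup: invalid CA certificate"

# 2. Fixed CA: the -addext from the thread.
gen_ca fixed -addext 'basicConstraints=critical,CA:TRUE,pathlen:1'
issue_leaf fixed leaf2
echo "fixed CA: version $(cert_version fixed), CA:TRUE: $(has_ca_true fixed && echo yes || echo no)"
openssl verify -CAfile "$WORK/fixed-cert.pem" "$WORK/leaf2-cert.pem"
```

Run it under any OpenSSL from 1.1.1 onward: the first `openssl verify` prints the same "error 79 at 1 depth lookup: invalid CA certificate" the thread shows, the second prints `leaf2-cert.pem: OK`. Two notes of my own: `pathlen:1` (as used in the thread) allows one intermediate CA below this root, so for a test CA that signs server and client certificates directly `pathlen:0` is the tighter choice; and because `-x509_strict` already rejected v1 roots, a certificate set that only verified thanks to a v1 CA was fragile before 3.2 made the breakage visible.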
Re: OpenSSL 3.2.1 available in rawhide

2024-02-09 Thread Dmitry Belyavskiy
Dear Yaakov,



On Fri, Feb 9, 2024 at 4:51 AM Yaakov Selkowitz  wrote:

> On Thu, 2024-02-08 at 20:37 +0100, Sahana Prasad wrote:
> > Hello everyone,
> > OpenSSL 3.2.1 is now available in rawhide [1].
> > There are no API/ABI changes in comparison with the last version in
> > rawhide
> > (3.1.4).
> > This version (3.2.0 onwards) supports PQ algorithms that can be
> > loaded
> > through
> > the OQS provider.
> > A few tests that needed some downstream tweaks have been disabled and
> > being
> > worked on.
> > Other than this issue [2] upstream, we did not see any new
> > failures/breakages.
> >
> > If you observe any new issues with this new version, kindly report a
> > bug.
>
> Would this be related to openssl 3.2.1?
>
> https://koji.fedoraproject.org/koji/taskinfo?taskID=113198856
>
> The tests pass locally in mock with openssl 3.1.4.


I can imagine the situation where upgrading to 3.2 could cause this failure
but the logs are too vague.
Could you please provide more details (e.g. openssl low-level diagnostics)
or even better a minimal reproducer for diagnostics?

As for now we don't see any significant regressions in our downstream tests.

-- 
Dmitry Belyavskiy


Re: OpenSSL 3.2.1 available in rawhide

2024-02-08 Thread Yaakov Selkowitz
On Thu, 2024-02-08 at 20:37 +0100, Sahana Prasad wrote:
> Hello everyone,
> OpenSSL 3.2.1 is now available in rawhide [1].
> There are no API/ABI changes in comparison with the last version in
> rawhide
> (3.1.4).
> This version (3.2.0 onwards) supports PQ algorithms that can be
> loaded
> through
> the OQS provider.
> A few tests that needed some downstream tweaks have been disabled and
> being
> worked on.
> Other than this issue [2] upstream, we did not see any new
> failures/breakages.
> 
> If you observe any new issues with this new version, kindly report a
> bug.

Would this be related to openssl 3.2.1?

https://koji.fedoraproject.org/koji/taskinfo?taskID=113198856

The tests pass locally in mock with openssl 3.1.4.

-- 
Yaakov Selkowitz
Principal Software Engineer - Emerging RHEL
Red Hat, Inc.


OpenSSL 3.2.1 available in rawhide

2024-02-08 Thread Sahana Prasad
Hello everyone,
OpenSSL 3.2.1 is now available in rawhide [1].
There are no API/ABI changes in comparison with the last version in rawhide
(3.1.4).
This version (3.2.0 onwards) supports PQ algorithms that can be loaded
through
the OQS provider.
A few tests that needed some downstream tweaks have been disabled and are
being worked on.
Other than this issue [2] upstream, we did not see any new
failures/breakages.

If you observe any new issues with this new version, kindly report a bug.

Thank you!

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=113160945
[2] https://github.com/openssl/openssl/issues/23528

Regards.
Sahana Prasad