Re: initial release candidate
The following patch fixes the problem with older versions of the SSL library. It also works on the latest Fedora 17, so I think it's low risk. Shall I commit it? 8 diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c index 6ea951f..dd775cd 100644 --- a/proton-c/src/ssl/openssl.c +++ b/proton-c/src/ssl/openssl.c @@ -296,6 +296,14 @@ int pn_ssl_set_credentials( pn_ssl_t *ssl, ssl-has_certificate = true; + // bug in older versions of OpenSSL: servers may request client cert even if anonymous + // cipher was negotiated. TLSv1 will reject such a request. Hack: once a cert is + // configured, allow only authenticated ciphers. + if (!SSL_CTX_set_cipher_list( ssl-ctx, CIPHERS_AUTHENTICATE )) { + _log_ssl_error(ssl, Failed to set cipher list to %s\n, CIPHERS_AUTHENTICATE); + return -6; + } + _log( ssl, Configured local certificate file %s\n, certificate_file ); return 0; } 
@@ -543,6 +551,7 @@ pn_ssl_t *pn_ssl(pn_transport_t *transport) ssl_initialized = 1; SSL_library_init(); SSL_load_error_strings(); +OpenSSL_add_all_algorithms(); } pn_ssl_t *ssl = calloc(1, sizeof(pn_ssl_t)); 8 - Original Message - Interesting - that test uses a certificate I created and checked into the repo. I generated the certificate using a newer toolset. I'll have a look at it... -K - Original Message - My (64-bit) Ubuntu 12.04 works fine... On Ubuntu 10.04 I'm seeing SSL errors... presumably these are related to the age of the ssl library and the algorithms it supports... proton_tests.ssl.SslTest.test_client_authentication .SSL_CTX_use_PrivateKey_file( /home/rob/qpid-proton-c-0.1/tests/proton_tests/ssl_db/server-private-key.pem ) failed error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib fail Error during test: Traceback (most recent call last): File ./proton-test, line 331, in run phase() File /home/rob/qpid-proton-c-0.1/tests/proton_tests/ssl.py, line 130, in test_client_authentication server-password) File /home/rob/qpid-proton-c-0.1/bindings/python/proton.py, line 2111, in set_credentials password) ) File /home/rob/qpid-proton-c-0.1/bindings/python/proton.py, line 2096, in _check raise exc(SSL failure.) SSLException: SSL failure. -- Rob On 24 October 2012 18:05, Ken Giusti kgiu...@redhat.com wrote: Ubuntu 12.04-1 LTS, fully patched and up to date: 1) had to install the following packages - similar to the README, but ubuntu specific: sudo apt-get install cmake swig libssl-dev python-dev ruby ruby-dev python-epydoc uuid-dev [note: cmake is version 2.8.7, so I didn't get that OPTIONAL issue] 2) make and install went well! 
3) example/send.py and recv.py worked - need to try with SSL next..

4) am seeing a failure in the python-tests:

proton_tests.codec.DataTest.testDecimal128 pass
proton_tests.codec.DataTest.testDecimal32 . pass
proton_tests.codec.DataTest.testDecimal64 . fail
Error during test:
  Traceback (most recent call last):
    File ./proton-test, line 331, in run
      phase()
    File /home/kgiusti/proton-rc/qpid-proton-c-0.1/tests/proton_tests/codec.py, line 246, in testDecimal64
      self._test(decimal64, 0, 1, 2, 3, 4, 2**60)
    File /home/kgiusti/proton-rc/qpid-proton-c-0.1/tests/proton_tests/codec.py, line 183, in _test
      putter(v)
    File /home/kgiusti/proton-rc/install/lib/python2.7/dist-packages/proton.py, line 1134, in put_decimal64
      self._check(pn_data_put_decimal64(self._data, d))
  TypeError: in method 'pn_data_put_decimal64', argument 2 of type 'pn_decimal64_t'
proton_tests.codec.DataTest.testDescribedEmptyArray ... pass

This happens to be on a 32-bit VM - I'll look into it.

-K

- Original Message -
Hi Everyone, I've posted an initial release candidate here:
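Review bot: In the pn_ssl_set_credentials() hunk of proton-c/src/ssl/openssl.c, ssl->has_certificate is already set to true before the new SSL_CTX_set_cipher_list() call, so when that call fails and the function returns -6 the caller gets an error while the object is still marked as having a certificate. Consider moving the assignment after the cipher-list call succeeds, and giving the bare -6 a named error code. Because the restriction is applied to the whole SSL_CTX, the function's documentation should also say that configuring credentials narrows the allowed ciphers to CIPHERS_AUTHENTICATE.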
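Review bot: The OpenSSL_add_all_algorithms() line added in the pn_ssl() initialisation hunk has no comment saying why it is needed. SSL_library_init() registers only the algorithms the TLS layer itself uses, so a one-line comment tying this call to loading password-protected private keys (the "unknown pbe algorithm" failure reported in this thread) would keep it from being removed later as redundant. As shown, the added line also appears to carry no leading indentation, unlike the other added lines in this patch.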
Re: RC3
Centos5 x64 build failure - funny didn't I see this before?

[ 69%] Building C object CMakeFiles/qpid-proton.dir/src/driver.c.o
/home/kgiusti/proton/qpid-proton-c-0.1/src/driver.c:75:1: error: NAME_MAX redefined
In file included from /usr/include/bits/local_lim.h:36,
                 from /usr/include/bits/posix1_lim.h:153,
                 from /usr/include/limits.h:145,
                 from /usr/lib/gcc/x86_64-redhat-linux/4.1.2/include/limits.h:122,
                 from /usr/lib/gcc/x86_64-redhat-linux/4.1.2/include/syslimits.h:7,
                 from /usr/lib/gcc/x86_64-redhat-linux/4.1.2/include/limits.h:11,
                 from /usr/include/bits/socket.h:31,
                 from /usr/include/sys/socket.h:35,
                 from /home/kgiusti/proton/qpid-proton-c-0.1/src/driver.c:29:
/usr/include/linux/limits.h:13:1: error: this is the location of the previous definition
make[2]: *** [CMakeFiles/qpid-proton.dir/src/driver.c.o] Error 1
make[1]: *** [CMakeFiles/qpid-proton.dir/all] Error 2
make: *** [all] Error 2

-K

- Original Message -
Are the examples supposed to work for this release? Because the instructions don't tell people how to get them running. I don't see the config.sh file. (I mentioned this in a previous email. I'll log a Jira.)

William

- Original Message -
I've put up an RC3 here:

http://people.apache.org/~rhs/qpid-proton-0.1rc3/

The following are the changes from RC2:

- added README and LICENSE for proton-j
- updated the proton-c README
- fixed cmake build to not use the OPTIONAL thing for older versions
- fixed detection of LIB_SUFFIX (i.e. we won't install into lib64 on 32 bit systems anymore)

--Rafael
Re: RC3
Thanks. It was ambiguous. Looked like it was optional and had a default (which it did).

Now hopefully people can just deduce more info about the examples from the examples/README.txt and PROTON-100 can be ignored ;-)

Sent from my iPhone

On Oct 25, 2012, at 4:14 AM, Rafael Schloming r...@alum.mit.edu wrote:

Done. I stopped short of putting Hey William! Set the install prefix. ;-)

--Rafael

On Wed, Oct 24, 2012 at 11:22 PM, William Henry whe...@redhat.com wrote:

Change:

# depending on your system you may want to adjust the install prefix
cmake -DCMAKE_INSTALL_PREFIX=/usr ..

To:

# Set the install prefix. You may need to adjust depending on your system
cmake -DCMAKE_INSTALL_PREFIX=/usr ..

- Original Message -
It looks like you installed everything into /usr/local. I'm guessing the system python (installed in /usr) does not look under /usr/local as part of its module search path. Try installing into /usr instead.

--Rafael

On Wed, Oct 24, 2012 at 10:10 PM, William Henry whe...@redhat.com wrote:

$ more build/install_manifest.txt
/usr/local/bin/proton
/usr/local/bin/proton-dump
/usr/local/lib64/libqpid-proton.so
/usr/local/include/proton/parser.h
/usr/local/include/proton/util.h
/usr/local/include/proton/ssl.h
/usr/local/include/proton/scanner.h
/usr/local/include/proton/cproton.i
/usr/local/include/proton/messenger.h
/usr/local/include/proton/message.h
/usr/local/include/proton/sasl.h
/usr/local/include/proton/driver.h
/usr/local/include/proton/types.h
/usr/local/include/proton/buffer.h
/usr/local/include/proton/framing.h
/usr/local/include/proton/codec.h
/usr/local/include/proton/engine.h
/usr/local/include/proton/error.h
/usr/local/share/proton/LICENSE
/usr/local/share/proton/README
/usr/local/share/proton/TODO
/usr/local/lib64/pkgconfig/libqpid-proton.pc
/usr/local/lib64/python2.7/site-packages/cproton.py
/usr/local/lib64/python2.7/site-packages/cproton.pyc
/usr/local/lib64/python2.7/site-packages/cproton.pyo
/usr/local/lib64/python2.7/site-packages/proton.py
/usr/local/lib64/python2.7/site-packages/proton.pyc
/usr/local/lib64/python2.7/site-packages/proton.pyo
/usr/local/lib64/python2.7/site-packages/_cproton.so
/usr/local/lib64/ruby/cproton.so
/usr/local/lib64/php/modules/cproton.so
/usr/local/share/php/cproton.php
/usr/local/share/php/proton.php
/etc/php.d/cproton.ini

- Original Message -
Can you post the contents of your install_manifest.txt?

On Wed, Oct 24, 2012 at 9:50 PM, William Henry whe...@redhat.com wrote:

Ok install was successful. Still have an ImportError for proton. Not sure what I'm missing

William

Sent from my iPhone

On Oct 24, 2012, at 7:29 PM, Rafael Schloming r...@alum.mit.edu wrote:

The examples should work without the config.sh, it just sets up stuff for the dev environment. If you do the make install, all the proton stuff should be available without any special environmental config.

--Rafael

On Wed, Oct 24, 2012 at 8:11 PM, William Henry whe...@redhat.com wrote:

Are the examples supposed to work for this release? Because the instructions don't tell people how to get them running. I don't see the config.sh file. (I mentioned this in a previous email. I'll log a Jira.)

William

- Original Message -
I've put up an RC3 here:

http://people.apache.org/~rhs/qpid-proton-0.1rc3/

The following are the changes from RC2:

- added README and LICENSE for proton-j
- updated the proton-c README
- fixed cmake build to not use the OPTIONAL thing for older versions
- fixed detection of LIB_SUFFIX (i.e. we won't install into lib64 on 32 bit systems anymore)

--Rafael
Re: RC4
Ok, I'm -1ing this one because ken's ssl fix didn't make it in. Sorry for the churn. RC5 will be up shortly with ken's ssl fix in it.

--Rafael

On Thu, Oct 25, 2012 at 1:42 PM, Rafael Schloming r...@alum.mit.edu wrote:

I've posted an RC4 here:

http://people.apache.org/~rhs/qpid-proton-0.1rc4/

I believe both the koji issue and the decimal64 issue should be fixed now. The full changelog from the previous RC is here:

r1402224 | rhs | 2012-10-25 13:29:14 -0400 (Thu, 25 Oct 2012) | 1 line
gracefully skip ssl tests when ssl is not built

r1402223 | mcpierce | 2012-10-25 13:16:49 -0400 (Thu, 25 Oct 2012) | 1 line
NO-JIRA: Removes the path from the usage filename displayed for proton.

r1402221 | rhs | 2012-10-25 13:09:48 -0400 (Thu, 25 Oct 2012) | 1 line
fixed swig interface typedefs

r1402217 | rgodfrey | 2012-10-25 13:00:37 -0400 (Thu, 25 Oct 2012) | 1 line
PROTON-103 : Implement SASL in proton-j

r1402184 | kgiusti | 2012-10-25 11:01:06 -0400 (Thu, 25 Oct 2012) | 1 line
NO-JIRA: fix warnings for swig code on older linux

r1402141 | kgiusti | 2012-10-25 09:11:29 -0400 (Thu, 25 Oct 2012) | 1 line
NO-JIRA: fix macro name collision

r1402100 | rhs | 2012-10-25 06:57:27 -0400 (Thu, 25 Oct 2012) | 1 line
don't ignore the return value of write

r1402079 | rhs | 2012-10-25 06:12:46 -0400 (Thu, 25 Oct 2012) | 1 line
tweaked the README language

r1401959 | rajith | 2012-10-24 22:55:17 -0400 (Wed, 24 Oct 2012) | 2 lines
PROTON-66 We now register for WRITE_OP if we are unable to write to the channel.
As soon we are successful in writing we deregister the WRITE_OP.
RC5
Please have a look. This one includes ken's ssl fix in addition to everything that was in RC4: http://people.apache.org/~rhs/qpid-proton-0.1rc5/
[jira] [Created] (PROTON-106) OS X: MSG_NOSIGNAL does not exist
Hiram Chirino created PROTON-106:

Summary: OS X: MSG_NOSIGNAL does not exist
Key: PROTON-106
URL: https://issues.apache.org/jira/browse/PROTON-106
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Reporter: Hiram Chirino

MSG_NOSIGNAL is used in proton-c/src/driver.c but it does not exist on OS X.

--
This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Created] (PROTON-107) OS X: _POSIX_C_SOURCE is redefined in proton-c/src/ssl/ssl-internal.h
Hiram Chirino created PROTON-107:

Summary: OS X: _POSIX_C_SOURCE is redefined in proton-c/src/ssl/ssl-internal.h
Key: PROTON-107
URL: https://issues.apache.org/jira/browse/PROTON-107
Project: Qpid Proton
Issue Type: Bug
Reporter: Hiram Chirino

This causes a build failure.. I got around the problem by changing the define in ssl-internal.h to:

#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 1
#endif
[jira] [Created] (PROTON-108) OS X: PHP libs not linked
Hiram Chirino created PROTON-108:

Summary: OS X: PHP libs not linked
Key: PROTON-108
URL: https://issues.apache.org/jira/browse/PROTON-108
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Reporter: Hiram Chirino

gcc command run was:

/usr/bin/gcc-bundle -Wl,-headerpad_max_install_names -o cproton.so CMakeFiles/cproton.dir/phpPHP_wrap.c.o ../../libqpid-proton.dylib /usr/lib/libssl.dylib /usr/lib/libcrypto.dylib

results in the following failures:

https://gist.github.com/b14d9243bd3d5715f60e
[jira] [Updated] (PROTON-107) OS X: _POSIX_C_SOURCE is redefined in proton-c/src/ssl/ssl-internal.h
[ https://issues.apache.org/jira/browse/PROTON-107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino updated PROTON-107:

Component/s: proton-c

OS X: _POSIX_C_SOURCE is redefined in proton-c/src/ssl/ssl-internal.h

Key: PROTON-107
URL: https://issues.apache.org/jira/browse/PROTON-107
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Reporter: Hiram Chirino

This causes a build failure.. I got around the problem by changing the define in ssl-internal.h to:

#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 1
#endif
[jira] [Updated] (PROTON-104) OS X: Don't link uuid
[ https://issues.apache.org/jira/browse/PROTON-104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino updated PROTON-104:

Component/s: proton-c

OS X: Don't link uuid

Key: PROTON-104
URL: https://issues.apache.org/jira/browse/PROTON-104
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Reporter: Hiram Chirino

Don't link uuid lib on OS X, it does not exist / is part of the clib.
Re: RC5
mea culpa - apologies.

However, RC5 looks pretty good on these platforms:

Fedora 17 (64bit)
Debian 6 (32bit, vm)
Ubuntu 12.04 (32bit, vm)
Centos 6 (64bit, vm)

I simply did a make install, then ran the proton test suite. A few warnings during build, but all tests pass.

The only problem platform was my Centos5 VM (32bit). The make all/make install failed due to the php.swg file not being present. It appears that the version of swig on Centos5 (1.3.29) does not include that php.swg file:

[ 95%] Swig source
/home/kgiusti/work/proton/RC1/qpid-proton-c-0.1/bindings/php/php.i:4: Error: Unable to find 'php.swg'
make[2]: *** [bindings/php/phpPHP_wrap.c] Error 1
make[1]: *** [bindings/php/CMakeFiles/cproton.dir/all] Error 2
make: *** [all] Error 2

IMHO: +1 RC5, fix the Centos 5 issue in the next release.

-K

- Original Message -
Please have a look. This one includes ken's ssl fix in addition to everything that was in RC4:

http://people.apache.org/~rhs/qpid-proton-0.1rc5/
Re: RC5
OK - proton-c built OK for me on Ubuntu 12.04 (32-bit) and Centos 6.3 (32 bit)...

Tests all worked fine on the Ubuntu machine. On CentOS I got the following error:

proton_tests.messenger.MessengerTest.testSendBogus ... start
server timed out
proton_tests.messenger.MessengerTest.testSendBogus ... fail
Error during teardown:
  Traceback (most recent call last):
    File ./proton-test, line 331, in run
      phase()
    File /home/rob/qpid-proton-c-0.1/tests/proton_tests/messenger.py, line 45, in teardown
      self.client.send()
    File /home/rob/qpid-proton-c-0.1/bindings/python/proton.py, line 288, in send
      self._check(pn_messenger_send(self._mng))
    File /home/rob/qpid-proton-c-0.1/bindings/python/proton.py, line 149, in _check
      raise exc([%s]: %s % (err, pn_messenger_error(self._mng)))
  Timeout: [-7]: unable to send to address: totally-bogus-address (getaddrinfo: Name or service not known)

all other tests passed

-- Rob

On 25 October 2012 22:07, Rafael Schloming r...@alum.mit.edu wrote:

Please have a look. This one includes ken's ssl fix in addition to everything that was in RC4:

http://people.apache.org/~rhs/qpid-proton-0.1rc5/
Re: RC5
That particular test does a DNS lookup on an invalid address, and if that happens to take a while it can fail the way you're seeing. It will also fail if you happen to be on one of those networks that are configured to resolve all invalid hostnames to some kind of search engine.

--Rafael

On Thu, Oct 25, 2012 at 6:56 PM, Rob Godfrey rob.j.godf...@gmail.com wrote:

OK - proton-c built OK for me on Ubuntu 12.04 (32-bit) and Centos 6.3 (32 bit)...

Tests all worked fine on the Ubuntu machine. On CentOS I got the following error:

proton_tests.messenger.MessengerTest.testSendBogus ... start
server timed out
proton_tests.messenger.MessengerTest.testSendBogus ... fail
Error during teardown:
  Traceback (most recent call last):
    File ./proton-test, line 331, in run
      phase()
    File /home/rob/qpid-proton-c-0.1/tests/proton_tests/messenger.py, line 45, in teardown
      self.client.send()
    File /home/rob/qpid-proton-c-0.1/bindings/python/proton.py, line 288, in send
      self._check(pn_messenger_send(self._mng))
    File /home/rob/qpid-proton-c-0.1/bindings/python/proton.py, line 149, in _check
      raise exc([%s]: %s % (err, pn_messenger_error(self._mng)))
  Timeout: [-7]: unable to send to address: totally-bogus-address (getaddrinfo: Name or service not known)

all other tests passed

-- Rob

On 25 October 2012 22:07, Rafael Schloming r...@alum.mit.edu wrote:

Please have a look. This one includes ken's ssl fix in addition to everything that was in RC4:

http://people.apache.org/~rhs/qpid-proton-0.1rc5/
Re: RC5
This was my bad, I'll post an RC6 with the shim fixed.

--Rafael

On Thu, Oct 25, 2012 at 5:35 PM, Rajith Attapattu rajit...@gmail.com wrote:

We have a build failure on the java side. It appears the SSL tests added in Ken's fix is failing.

proton_tests.ssl.SslTest.test_client_authentication . fail

We should exclude this test before we spin the final release.

Rajith

On Thu, Oct 25, 2012 at 5:25 PM, Ken Giusti kgiu...@redhat.com wrote:

mea culpa - apologies.

However, RC5 looks pretty good on these platforms:

Fedora 17 (64bit)
Debian 6 (32bit, vm)
Ubuntu 12.04 (32bit, vm)
Centos 6 (64bit, vm)

I simply did a make install, then ran the proton test suite. A few warnings during build, but all tests pass.

The only problem platform was my Centos5 VM (32bit). The make all/make install failed due to the php.swg file not being present. It appears that the version of swig on Centos5 (1.3.29) does not include that php.swg file:

[ 95%] Swig source
/home/kgiusti/work/proton/RC1/qpid-proton-c-0.1/bindings/php/php.i:4: Error: Unable to find 'php.swg'
make[2]: *** [bindings/php/phpPHP_wrap.c] Error 1
make[1]: *** [bindings/php/CMakeFiles/cproton.dir/all] Error 2
make: *** [all] Error 2

IMHO: +1 RC5, fix the Centos 5 issue in the next release.

-K

- Original Message -
Please have a look. This one includes ken's ssl fix in addition to everything that was in RC4:

http://people.apache.org/~rhs/qpid-proton-0.1rc5/
[jira] [Resolved] (PROTON-107) OS X: _POSIX_C_SOURCE is redefined in proton-c/src/ssl/ssl-internal.h
[ https://issues.apache.org/jira/browse/PROTON-107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rafael H. Schloming resolved PROTON-107.

Resolution: Fixed

OS X: _POSIX_C_SOURCE is redefined in proton-c/src/ssl/ssl-internal.h

Key: PROTON-107
URL: https://issues.apache.org/jira/browse/PROTON-107
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Reporter: Hiram Chirino

This causes a build failure.. I got around the problem by changing the define in ssl-internal.h to:

#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 1
#endif
RC6
I put up an RC6 here[1] with the java shim fixed so the SSL tests skip properly. That's the only change from RC5.

[1] http://people.apache.org/~rhs/qpid-proton-0.1rc6/

--Rafael