Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused

2019-03-11 Thread Daniel Stender

Control: severity -1 serious

For this actually is a FTBFS bug I'm raising its severity.

Thanks,
DS

--
4096R/DF5182C8
https://danielstender.com



Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused

2019-03-07 Thread Matěj Cepl
Sebastian Andrzej Siewior wrote on Sat 02. 03. 2019 at 17:16 +0100:
> The thing is that m2crypto uses TLS1.3 cipher but uses the -cipher
> option instead of -ciphersuites which is for TLS1.3:
> > $ openssl s_server --help 2>&1 |grep -- -cipher
> > -cipher val        Specify TLSv1.2 and below cipher list to be used
> > -ciphersuites val  Specify TLSv1.3 ciphersuites to be used
> 
> The patch attached against m2crypto fixes the testsuite issue.

Thank you, merged in https://gitlab.com/m2crypto/m2crypto/merge_requests/224 

Matěj
-- 
https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
 
I would like to die sleeping, like my father — rather than
screaming and helpless, like his passengers.




Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused

2019-03-02 Thread Sebastian Andrzej Siewior
control: tags -1 patch

On 2019-03-01 23:27:47 [+0100], To Paul Gevers wrote:
> debugging on openssl side gives me the same result as in #923448 which
No. I've been testing the wrong package…

So m2crypto fails due to openssl commit 1c31fe7eb093:
|Author: Sam Roberts 
|Date:   Mon Nov 26 13:58:52 2018 -0800
|
|Ignore cipher suites when setting cipher list
|
|set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or
|failure should not depend on whether set_ciphersuites() has been used to
|setup TLSv1.3 ciphers.
|
|Reviewed-by: Paul Dale 
|Reviewed-by: Ben Kaduk 
|Reviewed-by: Matt Caswell 
|(Merged from https://github.com/openssl/openssl/pull/7759)
|
|(cherry picked from commit 3c83c5ba4f6502c708b7a5f55c98a10e312668da)

The thing is that m2crypto uses TLS1.3 cipher but uses the -cipher
option instead of -ciphersuites which is for TLS1.3:
|$ openssl s_server --help 2>&1 |grep -- -cipher
| -cipher val        Specify TLSv1.2 and below cipher list to be used
| -ciphersuites val  Specify TLSv1.3 ciphersuites to be used

The patch attached against m2crypto fixes the testsuite issue.

Sebastian
From 862167880780c1b1219b6be3864ba587f0bdddba Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior 
Date: Sat, 2 Mar 2019 17:08:39 +0100
Subject: [PATCH] tests/test_ssl: use -ciphercuites for TLS1.3 cipher in
 openssl1.1

The -cipher can not be used in OpenSSL 1.1.b+ for TLS1.3 cipher since
openssl upstream commit 1c31fe7eb093a ("Ignore cipher suites when
setting cipher list").

Use -ciphersuites for TLS1.3 cipher as documented.

Signed-off-by: Sebastian Andrzej Siewior 
---
 tests/test_ssl.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index a3e2a318c315..925d365a5810 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -460,9 +460,10 @@ sleepTime = float(os.getenv('M2CRYPTO_TEST_SSL_SLEEP', '1.5'))
 def test_cipher_ok(self):
 if OPENSSL111:
 TCIPHER = 'TLS_AES_256_GCM_SHA384'
+self.args = self.args + ['-ciphersuites', TCIPHER]
 else:
 TCIPHER = 'AES128-SHA'
-self.args = self.args + ['-cipher', TCIPHER]
+self.args = self.args + ['-cipher', TCIPHER]
 
 pid = self.start_server(self.args)
 try:
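Review bot: On the OPENSSL111 branch only the s_server side moves to -ciphersuites; the client half of test_cipher_ok, as shown in the failure trace in this thread, still calls s.set_cipher_list(TCIPHER) with 'TLS_AES_256_GCM_SHA384', while the quoted OpenSSL commit message says set_cipher_list() sets TLSv1.2 (and below) ciphers. Please check what that call does on this branch, and consider asserting the negotiated cipher after s.connect() so the test verifies that the suite in TCIPHER was actually used rather than only that a connection came up. Minor: the subject line spells the option "-ciphercuites", and "OpenSSL 1.1.b+" in the message reads like a truncated version string (the report names 1.1.1b-1).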
-- 
2.20.1
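
The split between -cipher and -ciphersuites described in this message, as an added example (not part of the thread or of m2crypto): a helper that takes a mixed colon-separated cipher string and builds the matching s_server options. The function names and the tls13_capable flag are assumptions made for the illustration.

```python
# Added illustration; the function names here are hypothetical, not M2Crypto API.
# The five TLS 1.3 suites defined by RFC 8446, by their OpenSSL names.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def split_cipher_spec(spec):
    """Split a colon-separated cipher string into (tls12_items, tls13_items).

    Anything that is not an exact TLS 1.3 suite name (cipher names, aliases
    such as HIGH, rule operators such as !aNULL) stays in the
    TLSv1.2-and-below list, where the order of the items matters.
    """
    tls12, tls13 = [], []
    for item in (part.strip() for part in spec.split(":")):
        if not item:
            continue  # tolerate "a::b" and trailing colons
        if item in TLS13_SUITES:
            if item not in tls13:  # drop duplicates, keep first position
                tls13.append(item)
        else:
            tls12.append(item)
    return tls12, tls13


def s_server_cipher_args(spec, tls13_capable=True):
    """Return the s_server cipher options for spec as an argv fragment."""
    tls12, tls13 = split_cipher_spec(spec)
    if tls13 and not tls13_capable:
        raise ValueError("TLS 1.3 suites need OpenSSL 1.1.1 or later: %s"
                         % ":".join(tls13))
    args = []
    if tls12:
        args += ["-cipher", ":".join(tls12)]
    if tls13:
        args += ["-ciphersuites", ":".join(tls13)]
    return args


if __name__ == "__main__":
    # Constructed inputs: the two values the test uses, then a mixed string.
    for spec in ("TLS_AES_256_GCM_SHA384", "AES128-SHA",
                 "ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:!aNULL"):
        print(spec, "->", s_server_cipher_args(spec))
```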



Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused

2019-03-01 Thread Sebastian Andrzej Siewior
On 2019-02-28 12:17:49 [+0100], Paul Gevers wrote:
> === FAILURES
> _ MiscSSLClientTestCase.test_cipher_ok
> 
> self = 
…
> tests/test_ssl.py:472:
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> /usr/lib/python2.7/dist-packages/M2Crypto/SSL/Connection.py:303: in connect
> self.socket.connect(addr)

debugging on openssl side gives me the same result as in #923448 which
means m2crypto sets somewhere a DH with <2048 bits and now it fails. So
now the DH needs to be located :)

Sebastian



Bug#923446: m2crypto: autopkgtest with new version of openssl: Connection refused

2019-02-28 Thread Paul Gevers
Source: m2crypto
Version: 0.31.0-2
Severity: important
X-Debbugs-CC: debian...@lists.debian.org, open...@packages.debian.org
User: debian...@lists.debian.org
Usertags: needs-update
Control: affects -1 src:openssl

Dear maintainers,

With a recent upload of openssl the autopkgtest of m2crypto fails in
testing when that autopkgtest is run with the binary packages of openssl
from unstable. It passes when run with only packages from testing. In
tabular form:
               pass            fail
openssl        from testing    1.1.1b-1
m2crypto       from testing    0.31.0-2
all others     from testing    from testing

I copied some of the output at the bottom of this report.

Currently this regression is blocking the migration of openssl to
testing [1]. Of course, openssl shouldn't just break your autopkgtest
(or even worse, your package), but it seems to me that the change in
openssl could very well be intended and your package needs to update to
the new situation. If needed, please change the bug's severity and in
doubt, please discuss with the maintainers of openssl (in X-Debbugs-CC).

If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from openssl should really add
a versioned Breaks on the unfixed version of (one of your) package(s).

Please note that the window to fix this to allow openssl to migrate
without intervention is closing extremely soon.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=openssl

https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/2021379/log.gz

=== FAILURES ===
_ MiscSSLClientTestCase.test_cipher_ok _

self = 

    def test_cipher_ok(self):
        if OPENSSL111:
            TCIPHER = 'TLS_AES_256_GCM_SHA384'
        else:
            TCIPHER = 'AES128-SHA'
        self.args = self.args + ['-cipher', TCIPHER]

        pid = self.start_server(self.args)
        try:
            ctx = SSL.Context()
            s = SSL.Connection(ctx)
            s.set_cipher_list(TCIPHER)
>           s.connect(self.srv_addr)

tests/test_ssl.py:472:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python2.7/dist-packages/M2Crypto/SSL/Connection.py:303: in connect
    self.socket.connect(addr)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

name = 'connect', self = 
args = (('localhost', 43581),)

    def meth(name,self,*args):
>       return getattr(self._sock,name)(*args)
E       error: [Errno 111] Connection refused

/usr/lib/python2.7/socket.py:228: error


