OpenSSL 3.2.1 breaks TLS related pytests #1202

Closed
andypost opened this issue Mar 27, 2024 · 4 comments · Fixed by #1215
Started to package the new release and see a lot of test failures; probably it's caused by the upgrade to OpenSSL 3.2.1.

These are the logs:

test/test_tls_sni.py::test_tls_sni FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:18 [error] 6224#6227 *39315 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_no_hostname FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:19 [error] 6224#6227 *39444 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_upper_case FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:21 [error] 6224#6227 *39573 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_only_bundle FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:23 [error] 6224#6227 *39702 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_wildcard FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:26 [error] 6224#6227 *39831 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_duplicated_bundle FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "alt2.localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [error] 6224#6227 *39960 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_same_alt FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "s" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "a" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "m" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "e" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "." in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "l" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "t" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "n" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "c" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "o" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [error] 6224#6227 *40089 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_empty_cn FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:32 [error] 6224#6227 *40218 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_invalid PASSED
test/test_tls_tickets.py::test_tls_ticket SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_string SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_array SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_invalid PASSED
@ac000 ac000 self-assigned this Mar 27, 2024
ac000 commented Mar 27, 2024

This looks like something specific to our tests as OpenSSL 3.2.1 itself
seems to work fine with current Unit.

This error

2024/03/27 21:17:49 [error] 4401#4404 *26 SSL_do_handshake(33) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)

would indicate that it doesn't know about our CA, which will just be some dummy thing for the tests.

I get the above error from Unit when I use curl without the -k option
with a self-signed certificate.

Looks like our tests need to do the same thing as -k in curl...

@ac000 ac000 assigned andrey-zelenkov and unassigned ac000 Mar 27, 2024
@ac000 ac000 changed the title from "1.32.1 test fails on Alpinelinux" to "OpenSSL 3.2.1 breaks TLS related pytests" Mar 29, 2024
@ac000 ac000 linked a pull request Apr 9, 2024 that will close this issue
andrey-zelenkov added a commit to andrey-zelenkov/unit that referenced this issue Apr 10, 2024
OpenSSL 3.2.0 generates X.509v3 certificates by default. These
certificates, even self-signed, cannot sign other certificates unless
"CA:TRUE" is explicitly set in the basicConstraints extension.
As a result, tests attempting this are currently failing.

Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root
certificates used in "openssl ca" commands.

Closes: nginx#1202
Tested-by: Andrew Clayton <a.clayton@nginx.com>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
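To see the failure mode the commit describes and the effect of the fix, an added example that is not part of the Unit repository or this issue: a shell script that uses the openssl CLI to build two self-signed roots, one whose basicConstraints lacks CA:TRUE and one that carries it, signs a server leaf with each, and runs openssl verify the way a TLS client's chain validation would. The broken root is given an explicit CA:FALSE so the outcome does not depend on the OpenSSL version; a v3 root with no basicConstraints at all, the case the tests hit, is rejected as an issuer in the same way. All file names and config sections are constructed for the example.

```shell
#!/bin/sh
# Added example, not Unit's test code: self-signed roots with and without
# "CA:TRUE" in basicConstraints, each signing a leaf, checked with
# "openssl verify" the way a TLS client's chain validation would.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config; every section and name below is constructed for this example.
cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_not_ca ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
# make_chain <label> <root extension section>: root, leaf CSR, signed leaf.
make_chain() {
    d="$WORK/$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 root" \
        -config "$WORK/openssl.cnf" -extensions "$2" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -config "$WORK/openssl.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
}
# root_is_ca <label>: the check to run on any root you hand to "openssl ca".
root_is_ca() { openssl x509 -in "$WORK/$1/root.pem" -noout -text | grep -q 'CA:TRUE'; }
# verify_leaf <label>: exit 0 when the leaf chains to its root, non-zero otherwise.
verify_leaf() { openssl verify -CAfile "$WORK/$1/root.pem" "$WORK/$1/leaf.pem" >/dev/null 2>&1; }
make_chain broken v3_not_ca
make_chain fixed v3_ca
verify_leaf broken && echo "broken: accepted?!" || echo "broken: rejected, root lacks CA:TRUE"
verify_leaf fixed && echo "fixed: leaf verifies" || echo "fixed: rejected?!"
```

The rejected chain is what the client in the pytests sees before it sends the "unknown ca" alert that Unit logs as SSL alert number 48.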
andrey-zelenkov added a commit that referenced this issue Apr 10, 2024
@andypost (Author)

Thank you! Works as a patch on Alpine.

ac000 commented Apr 10, 2024

Great, thanks for testing!

pkillarjun pushed a commit to pkillarjun/unit that referenced this issue May 29, 2024