SSL tests may fail on modern systems using openSSL with SECLEVEL2 #2147

Closed
dleidert opened this issue Mar 5, 2020 · 4 comments · Fixed by #2333

Comments

@dleidert

dleidert commented Mar 5, 2020

The tests in test/test_puma_server_ssl.rb fail on a current Debian Linux system with errors like

Error:
TestPumaServerSSL#test_very_large_return:
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello

After some debugging, the keys and certificates turned out to have issues:

$ openssl s_server -key examples/puma/puma_keypair.pem -cert examples/puma/cert_puma.pem 
Using default temp DH parameters
error setting certificate
140711881110720:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: DH PARAMETERS
140711881110720:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
$ openssl s_server -key examples/puma/client-certs/client_unknown.key -cert examples/puma/client-certs/client_unknown.crt 
Using default temp DH parameters
error setting certificate
140568795444416:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: DH PARAMETERS
140568795444416:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:

Because of these issues the tests now fail. Would you mind updating the files for both the 3.12 and the 4.3 series?

To Reproduce

Configure openssl (openssl.cnf) to use

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=2

and run the tests.

@nateberkopec
Member

Is this failing a distro's packaging system somewhere? If so, can I get a link?

@MSP-Greg
Member

MSP-Greg commented Mar 5, 2020

@nateberkopec

JFYI, there have been similar issues with ruby/openssl. It's not a failure in Puma, it's an issue that test fixtures (files) were created with either insecure ciphers or key 'lengths' that were too short.

@dleidert
Author

dleidert commented Mar 5, 2020

@nateberkopec I've disabled the tests for the moment. The tests are successful if I manually edit the openssl configuration and use SECLEVEL=1 or override the configuration using OPENSSL_CONF='' (seems SECLEVEL=1 is the default, but Debian decided to increase the level). And yes, it is just that the keys/ciphers are weak or too short for security level 2. Can the tests override the system configuration?
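The two OpenSSL errors quoted above ("ee key too small" and "ca md too weak") are the SECLEVEL=2 certificate checks: 112-bit security, so RSA/DSA/DH keys of at least 2048 bits, EC keys of at least 224 bits, and no SHA-1 or MD5 certificate signatures (the OpenSSL 1.1.1 rules). The following fixture checker is an added example, not code from Puma or from this thread; it builds its own in-memory self-signed certificates as constructed samples instead of reading Puma's fixture files, and reports which of those two conditions a certificate would trip.

```ruby
require 'openssl'

# SECLEVEL=2 certificate constraints as documented for OpenSSL 1.1.1
# (the version Debian shipped when this issue was filed).
MIN_RSA_BITS = 2048
MIN_EC_BITS  = 224
WEAK_SIG_DIGESTS = %w[md5 sha1].freeze

# Returns a list of problems mirroring the errors in the issue
# ("ee key too small", "ca md too weak"); empty means the
# certificate passes both checks.
def seclevel2_issues(cert_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  issues = []
  key = cert.public_key
  case key
  when OpenSSL::PKey::RSA
    bits = key.n.num_bits
    issues << "ee key too small (RSA #{bits} bits)" if bits < MIN_RSA_BITS
  when OpenSSL::PKey::EC
    bits = key.group.degree
    issues << "ee key too small (EC #{bits} bits)" if bits < MIN_EC_BITS
  end
  # signature_algorithm looks like "sha1WithRSAEncryption" or
  # "ecdsa-with-SHA256"; pull out the digest name.
  digest = cert.signature_algorithm.downcase[/(md5|sha1|sha\d+)/]
  if WEAK_SIG_DIGESTS.include?(digest)
    issues << "ca md too weak (#{cert.signature_algorithm})"
  end
  issues
end

# Constructed sample fixture: a self-signed RSA certificate with the
# requested key size and signature digest (hypothetical CN).
def self_signed_cert(bits, digest)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=fixture.example')
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, digest)
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  p seclevel2_issues(self_signed_cert(1024, OpenSSL::Digest::SHA1.new))
  p seclevel2_issues(self_signed_cert(2048, OpenSSL::Digest::SHA256.new))
end
```

Run against a real fixture with `seclevel2_issues(File.read(path))`; regenerating any certificate that reports an issue is what makes the fixture load under a SECLEVEL=2 system configuration.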

@MSP-Greg
Member

MSP-Greg commented Aug 7, 2020

@dleidert

Apologies for the delay. If you have time, could you see if PR #2333 fixes this issue?
