Re: Issues with test framework against OpenSSL 3.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello everyone,

After fighting the tests, I can confirm that the issue is certificates are not being verified correctly.

For example, for t/protocol/echo.t, I was able to make it pass by updating vhost_socket in TestRequest.pm by bypassing cert verification:

    Index: httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
    ===================================================================
    --- httpd-2.4.58.orig/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
    +++ httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
    @@ -34,6 +34,8 @@ use constant UA_TIMEOUT => 60 * 10; #lon

    my $have_lwp = 0;

    +use IO::Socket::SSL;
    +
    # APACHE_TEST_PRETEND_NO_LWP=1 pretends that LWP is not available so
    # one can test whether the test suite survives if the user doesn't
    # have lwp installed
    @@ -296,7 +298,15 @@ sub vhost_socket {
            require IO::Socket::SSL;
            # Add all conn_opts to args
            map {$args{$_} = $conn_opts->{$_}} keys %{$conn_opts};
    -        return IO::Socket::SSL->new(%args, Timeout => UA_TIMEOUT);
    +
    +        my $sock = IO::Socket::SSL->new(
    +            %args,
    +            Timeout => UA_TIMEOUT,
    +            SSL_verify_mode => SSL_VERIFY_NONE,
    +        ) or die "failed connect or ssl handshake: $!, $SSL_ERROR";
    +
    +        return $sock
    +
        }
        else {
            require IO::Socket;


Of course, this is not the way to move forward, as I understand all cert verification should work.

My guess is that in TestSSLCA.pm, when all certificates are generated, we are missing some option and/or tweaks. Unfortunately I'm not a security expert and I would like someone with more knowledge to look into this, if possible.

Basically, all tests fail with a similar trace as this one:

    ssl_engine_kernel.c(2213): [client 127.0.0.1:33114] OpenSSL: Loop: SSLv3/TLS write finished
    ssl_engine_kernel.c(2213): [client 127.0.0.1:33114] OpenSSL: Loop: TLSv1.3 early data
    ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 5/5 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c523] (BIO dump follows)
    ssl_engine_io.c(2331): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 15 03 03 00 02                                   .....            |
    ssl_engine_io.c(2373): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 2/2 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c528] (BIO dump follows)
    ssl_engine_io.c(2331): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 02 30                                            .0               |
    ssl_engine_io.c(2373): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_kernel.c(2218): [client 127.0.0.1:33114] OpenSSL: Read: TLSv1.3 early data
    ssl_engine_kernel.c(2242): [client 127.0.0.1:33114] OpenSSL: Exit: error in error
    [client 127.0.0.1:33114] AH02008: SSL library error 1 in handshake (server laptop:8532)
    SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
    [client 127.0.0.1:33114] AH01998: Connection closed to child 9 with abortive shutdown (server laptop:8532)


The key here is the "unknown ca", failing the handshake, either because the trust chain is broken somehow or the certs need to be generated now in a different way with OpenSSL 3.2.


Any idea to move forward?

Cheers,
David.




On 25/01/2024 13:54, David Anes wrote:
Hello all,

I've successfully compiled apache 2.4.58 against OpenSSL 3.2, but I see lot's of issues when running the test suite.

My first guess are the changes in 3.2 regarding the way certificates are generated (from the changelog at https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md):

   * The x509, ca, and req apps now always produce X.509v3 certificates.

Also, other potential incompatible issues metioned there are:

   * The default SSL/TLS security level has been changed from 1 to 2.
  * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default.

I've tried compiling normally, as prefork and event but all of them fail the same way:

     Test Summary Report
     -------------------
    t/protocol/echo.t                 (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)
       Failed test:  1
       Non-zero exit status: 255
       Parse errors: Bad plan.  You planned 8 tests but ran 1.
     t/security/CVE-2005-2700.t        (Wstat: 0 Tests: 2 Failed: 1)
       Failed test:  1
    t/security/CVE-2009-3555.t        (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)
       Failed test:  1
       Non-zero exit status: 255
       Parse errors: Bad plan.  You planned 4 tests but ran 1.
     t/ssl/basicauth.t                 (Wstat: 0 Tests: 4 Failed: 2)
       Failed tests:  2-3
     t/ssl/env.t                       (Wstat: 0 Tests: 30 Failed: 23)
       Failed tests:  1-8, 16-30
     t/ssl/extlookup.t                 (Wstat: 0 Tests: 4 Failed: 4)
       Failed tests:  1-4
     t/ssl/fakeauth.t                  (Wstat: 0 Tests: 3 Failed: 2)
       Failed tests:  2-3
     t/ssl/headers.t                   (Wstat: 0 Tests: 3 Failed: 3)
       Failed tests:  1-3
     t/ssl/ocsp.t                      (Wstat: 0 Tests: 3 Failed: 3)
       Failed tests:  1-3
     t/ssl/pr12355.t                   (Wstat: 0 Tests: 10 Failed: 10)
       Failed tests:  1-10
     t/ssl/pr43738.t                   (Wstat: 0 Tests: 4 Failed: 4)
       Failed tests:  1-4
     t/ssl/proxy.t                     (Wstat: 0 Tests: 290 Failed: 290)
       Failed tests:  1-290
     t/ssl/require.t                   (Wstat: 0 Tests: 10 Failed: 5)
       Failed tests:  2, 5-7, 9
     t/ssl/varlookup.t                 (Wstat: 0 Tests: 81 Failed: 81)
       Failed tests:  1-81
     t/ssl/verify.t                    (Wstat: 0 Tests: 3 Failed: 1)
       Failed test:  2
    Files=142, Tests=7248, 132 wallclock secs ( 3.04 usr  0.50 sys + 50.18 cusr 28.03 csys = 81.75 CPU)
     Result: FAIL
     Failed 15/142 test programs. 431/7248 subtests failed.

Any clue? Does anyone had success running the tests against OpenSSL 3.2?

Thanks,
David.


--
David Anes <david.anes@xxxxxxxx>

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux