Hello everyone,
After fighting the tests, I can confirm that the issue is certificates are not being verified correctly.
For example, for t/protocol/echo.t, I was able to make it pass by updating vhost_socket in TestRequest.pm by bypassing cert verification:
Index: httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
===================================================================
--- httpd-2.4.58.orig/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
+++ httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
@@ -34,6 +34,8 @@ use constant UA_TIMEOUT => 60 * 10; #lon
my $have_lwp = 0;
+use IO::Socket::SSL;
+
# APACHE_TEST_PRETEND_NO_LWP=1 pretends that LWP is not available so
# one can test whether the test suite survives if the user doesn't
# have lwp installed
@@ -296,7 +298,15 @@ sub vhost_socket {
require IO::Socket::SSL;
# Add all conn_opts to args
map {$args{$_} = $conn_opts->{$_}} keys %{$conn_opts};
- return IO::Socket::SSL->new(%args, Timeout => UA_TIMEOUT);
+
+ my $sock = IO::Socket::SSL->new(
+ %args,
+ Timeout => UA_TIMEOUT,
+ SSL_verify_mode => SSL_VERIFY_NONE,
+ ) or die "failed connect or ssl handshake: $!, $SSL_ERROR";
+
+ return $sock
+
}
else {
require IO::Socket;
Of course, this is not the way to move forward, as I understand all cert verification should work.
My guess is that in TestSSLCA.pm, when all certificates are generated, we are missing some option and/or tweaks. Unfortunately I'm not a security expert and I would like someone with more knowledge to look into this, if possible.
Basically, all tests fail with a similar trace as this one:
ssl_engine_kernel.c(2213): [client 127.0.0.1:33114] OpenSSL: Loop: SSLv3/TLS write finished
ssl_engine_kernel.c(2213): [client 127.0.0.1:33114] OpenSSL: Loop: TLSv1.3 early data
ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 5/5 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c523] (BIO dump follows)
ssl_engine_io.c(2331): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 15 03 03 00 02 ..... |
ssl_engine_io.c(2373): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 2/2 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c528] (BIO dump follows)
ssl_engine_io.c(2331): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 02 30 .0 |
ssl_engine_io.c(2373): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
ssl_engine_kernel.c(2218): [client 127.0.0.1:33114] OpenSSL: Read: TLSv1.3 early data
ssl_engine_kernel.c(2242): [client 127.0.0.1:33114] OpenSSL: Exit: error in error
[client 127.0.0.1:33114] AH02008: SSL library error 1 in handshake (server laptop:8532)
SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
[client 127.0.0.1:33114] AH01998: Connection closed to child 9 with abortive shutdown (server laptop:8532)
The key here is the "unknown ca", failing the handshake, either because the trust chain is broken somehow or the certs need to be generated now in a different way with OpenSSL 3.2.
Any idea to move forward?
Cheers,
David.
On 25/01/2024 13:54, David Anes wrote:
Hello all,I've successfully compiled apache 2.4.58 against OpenSSL 3.2, but I see lot's of issues when running the test suite.My first guess are the changes in 3.2 regarding the way certificates are generated (from the changelog at https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md):* The x509, ca, and req apps now always produce X.509v3 certificates. Also, other potential incompatible issues metioned there are: * The default SSL/TLS security level has been changed from 1 to 2.* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default.I've tried compiling normally, as prefork and event but all of them fail the same way:Test Summary Report -------------------t/protocol/echo.t (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)Failed test: 1 Non-zero exit status: 255 Parse errors: Bad plan. You planned 8 tests but ran 1. t/security/CVE-2005-2700.t (Wstat: 0 Tests: 2 Failed: 1) Failed test: 1t/security/CVE-2009-3555.t (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)Failed test: 1 Non-zero exit status: 255 Parse errors: Bad plan. You planned 4 tests but ran 1. t/ssl/basicauth.t (Wstat: 0 Tests: 4 Failed: 2) Failed tests: 2-3 t/ssl/env.t (Wstat: 0 Tests: 30 Failed: 23) Failed tests: 1-8, 16-30 t/ssl/extlookup.t (Wstat: 0 Tests: 4 Failed: 4) Failed tests: 1-4 t/ssl/fakeauth.t (Wstat: 0 Tests: 3 Failed: 2) Failed tests: 2-3 t/ssl/headers.t (Wstat: 0 Tests: 3 Failed: 3) Failed tests: 1-3 t/ssl/ocsp.t (Wstat: 0 Tests: 3 Failed: 3) Failed tests: 1-3 t/ssl/pr12355.t (Wstat: 0 Tests: 10 Failed: 10) Failed tests: 1-10 t/ssl/pr43738.t (Wstat: 0 Tests: 4 Failed: 4) Failed tests: 1-4 t/ssl/proxy.t (Wstat: 0 Tests: 290 Failed: 290) Failed tests: 1-290 t/ssl/require.t (Wstat: 0 Tests: 10 Failed: 5) Failed tests: 2, 5-7, 9 t/ssl/varlookup.t (Wstat: 0 Tests: 81 Failed: 81) Failed tests: 1-81 t/ssl/verify.t (Wstat: 0 Tests: 3 Failed: 1) Failed test: 2Files=142, Tests=7248, 132 wallclock secs ( 3.04 usr 0.50 sys + 50.18 cusr 28.03 csys = 81.75 CPU)Result: FAIL Failed 15/142 test programs. 431/7248 subtests failed. Any clue? Does anyone had success running the tests against OpenSSL 3.2? Thanks, David.
-- David Anes <david.anes@xxxxxxxx>
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
|