Re: Issues with test framework against OpenSSL 3.2

Hi all,

I finally found a solution that passes all tests, but this should really be revised by someone else.

Apache::Test module expects x509v1 certificates to be created by default. As of OpenSSL 3.2, the parameter/app "-x509" generates v3 certificates and this makes the test suite fail. The solution is to use the new parameter "-x509v1", but unfortunately this doesn't work with previous versions of OpenSSL, therefore we need to use it conditionally.

I was able to patch the perl module Apache::Test (note: I have zero idea about Perl) to circumvent this issue and everything seems to work, but I guess some expert should look into this to find a proper fix. For now, the following patch can be used against TestSSLCA.pm:


Index: httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestSSLCA.pm
===================================================================
--- httpd-2.4.58.orig/httpd-framework/Apache-Test/lib/Apache/TestSSLCA.pm
+++ httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestSSLCA.pm
@@ -326,8 +326,20 @@ sub new_ca {
               join ':', dn_oneline('client_snakeoil'),
               $basic_auth_password);

-    openssl req => "-new -x509 -keyout $cakey -out $cacert $days",
-                   config('ca');
+    if (Apache::Test::normalize_vstring($version) >=
+        Apache::Test::normalize_vstring("3.2.0"))
+    {
+        # since OpenSSL 3.2 "-x509" flag generates v3 certificates
+        # by default. A new specific flag "-x509v1" was introduced
+        # (and previous versions don't have that flag available)
+        openssl req => "-new -x509v1 -keyout $cakey -out $cacert $days",
+            config('ca');
+    }
+    else
+    {
+        openssl req => "-new -x509 -keyout $cakey -out $cacert $days",
+            config('ca');
+    }

     export_cert('ca'); #useful for importing into IE
 }
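Review bot: `$version` is used in the new condition (`+    if (Apache::Test::normalize_vstring($version) >=`) but nothing in the hunk shows where it is set; confirm it holds the OpenSSL version string before `new_ca` runs, otherwise the comparison cannot select the `-x509v1` branch as intended. The two branches differ only in one flag, so computing it once avoids the duplicated command, e.g. `my $x509 = ... ? '-x509v1' : '-x509';` followed by a single `openssl req => "-new $x509 -keyout $cakey -out $cacert $days", config('ca');`. The comment should also state why v1 is wanted here (the test suite expects v1 CA certificates), not only what OpenSSL changed.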


If some expert can look into this it would be greatly appreciated. I'm not sure this is the 100% correct solution.

Cheers,
David.


On 26/01/2024 11:17, David Anes wrote:
Hello everyone,

After fighting the tests, I can confirm that the issue is that certificates are not being verified correctly.

For example, for t/protocol/echo.t, I was able to make it pass by updating vhost_socket in TestRequest.pm by bypassing cert verification:

    Index: httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
     ===================================================================
    --- httpd-2.4.58.orig/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
     +++ httpd-2.4.58/httpd-framework/Apache-Test/lib/Apache/TestRequest.pm
     @@ -34,6 +34,8 @@ use constant UA_TIMEOUT => 60 * 10; #lon

     my $have_lwp = 0;

     +use IO::Socket::SSL;
     +
     # APACHE_TEST_PRETEND_NO_LWP=1 pretends that LWP is not available so
     # one can test whether the test suite survives if the user doesn't
     # have lwp installed
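Review bot: the new top-level `+use IO::Socket::SSL;` makes IO::Socket::SSL a compile-time requirement for every user of TestRequest.pm, whereas the existing code loads it lazily with `require IO::Socket::SSL;` only inside the SSL branch, so the module would now fail to load wherever IO::Socket::SSL is not installed. It is only needed to import `SSL_VERIFY_NONE` and `$SSL_ERROR`; referring to them fully qualified inside the branch (`IO::Socket::SSL::SSL_VERIFY_NONE()`, `$IO::Socket::SSL::SSL_ERROR`) keeps the lazy load.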
     @@ -296,7 +298,15 @@ sub vhost_socket {
             require IO::Socket::SSL;
             # Add all conn_opts to args
             map {$args{$_} = $conn_opts->{$_}} keys %{$conn_opts};
     -        return IO::Socket::SSL->new(%args, Timeout => UA_TIMEOUT);
     +
     +        my $sock = IO::Socket::SSL->new(
     +            %args,
     +            Timeout => UA_TIMEOUT,
     +            SSL_verify_mode => SSL_VERIFY_NONE,
     +        ) or die "failed connect or ssl handshake: $!, $SSL_ERROR";
     +
     +        return $sock
     +
         }
         else {
             require IO::Socket;
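Review bot: `SSL_verify_mode => SSL_VERIFY_NONE` disables chain verification for every SSL test client, so tests whose purpose is to exercise certificate verification (t/ssl/verify.t in the earlier summary is one candidate) could pass or fail for the wrong reason; as the author says, this only masks the `unknown ca` failure. The hunk also changes the failure mode: the removed line returned whatever `IO::Socket::SSL->new` returned (undef on failure) to the caller, while the new `or die` aborts the whole test script. If this is kept as a local debugging aid, gating it on an environment variable and otherwise keeping `return IO::Socket::SSL->new(%args, Timeout => UA_TIMEOUT);` would be safer. Minor: `return $sock` has no terminating semicolon; Perl accepts it as the last statement of the block, but it is inconsistent with the surrounding code.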


Of course, this is not the way to move forward, as I understand all cert verification should work.

My guess is that in TestSSLCA.pm, when all certificates are generated, we are missing some option and/or tweaks. Unfortunately I'm not a security expert and I would like someone with more knowledge to look into this, if possible.

Basically, all tests fail with a similar trace as this one:

    ssl_engine_kernel.c(2213): [client 127.0.0.1:33114] OpenSSL: Loop: SSLv3/TLS write finished
    ssl_engine_kernel.c(2213): [client 127.0.0.1:33114] OpenSSL: Loop: TLSv1.3 early data
    ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 5/5 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c523] (BIO dump follows)
    ssl_engine_io.c(2331): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 15 03 03 00 02                                   .....            |
    ssl_engine_io.c(2373): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 2/2 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c528] (BIO dump follows)
    ssl_engine_io.c(2331): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 02 30                                            .0               |
    ssl_engine_io.c(2373): [client 127.0.0.1:33114] +-------------------------------------------------------------------------+
    ssl_engine_kernel.c(2218): [client 127.0.0.1:33114] OpenSSL: Read: TLSv1.3 early data
    ssl_engine_kernel.c(2242): [client 127.0.0.1:33114] OpenSSL: Exit: error in error
    [client 127.0.0.1:33114] AH02008: SSL library error 1 in handshake (server laptop:8532)
    SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
    [client 127.0.0.1:33114] AH01998: Connection closed to child 9 with abortive shutdown (server laptop:8532)


The key here is the "unknown ca", failing the handshake, either because the trust chain is broken somehow or the certs need to be generated now in a different way with OpenSSL 3.2.


Any idea to move forward?

Cheers,
David.
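The bytes in the mod_ssl BIO dump of that trace are a TLS alert record, and decoding them offline confirms what the text says (fatal alert 48, unknown_ca). The following Python is an added example, not code from the thread or from Apache::Test; the sample log lines are copied from the trace above, and the dump-row format is assumed from those lines.

```python
import re

# TLS alert descriptions (RFC 8446, section 6) that commonly show up in handshake failures
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 116: "certificate_required",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# "OpenSSL: read 5/5 bytes from BIO#..." announces how many bytes the next dump holds
READ_LINE = re.compile(r"OpenSSL: read (\d+)/\d+ bytes from")
# Dump rows look like "| 0000: 15 03 03 00 02      .....    |" (assumed format, from the trace)
DUMP_ROW = re.compile(r"\|\s*[0-9a-f]{4}:\s*((?:[0-9a-f]{2}\s+)+)")

def dump_bytes(log_lines):
    """Reassemble the raw bytes from the BIO dump rows of a mod_ssl trace.

    The byte count from the preceding "read N/N bytes" line caps each dump, so
    hex-looking characters in the ASCII column can never be mistaken for data."""
    data = bytearray()
    pending = 0  # bytes still expected from the current dump
    for line in log_lines:
        m = READ_LINE.search(line)
        if m:
            pending = int(m.group(1))
            continue
        m = DUMP_ROW.search(line)
        if m and pending > 0:
            row = [int(h, 16) for h in m.group(1).split()][:pending]
            data.extend(row)
            pending -= len(row)
    return bytes(data)

def decode_alert_record(data):
    """Decode a TLS alert record: 5-byte header (type, version, length) + level + description."""
    if len(data) < 7 or data[0] != 0x15:          # 0x15 is the alert content type
        return None
    if int.from_bytes(data[3:5], "big") != 2:     # an alert body is always 2 bytes
        return None
    level, desc = data[5], data[6]
    return {"record_version": f"{data[1]}.{data[2]}",
            "level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "code": desc,
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}

# Constructed sample: the read/dump lines copied from the trace quoted above
SAMPLE_TRACE = [
    "ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 5/5 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c523] (BIO dump follows)",
    "ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 15 03 03 00 02                                   .....            |",
    "ssl_engine_io.c(2401): [client 127.0.0.1:33114] OpenSSL: read 2/2 bytes from BIO#7fb2a40045c0 [mem: 7fb2a401c528] (BIO dump follows)",
    "ssl_engine_io.c(2368): [client 127.0.0.1:33114] | 0000: 02 30                                            .0               |",
]

if __name__ == "__main__":
    print(decode_alert_record(dump_bytes(SAMPLE_TRACE)))
```

The client sends this alert after receiving the server's Certificate message, so a fatal unknown_ca here points at the client-side trust store (the CA produced by TestSSLCA.pm) rather than at the server configuration.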




On 25/01/2024 13:54, David Anes wrote:
Hello all,

I've successfully compiled apache 2.4.58 against OpenSSL 3.2, but I see lots of issues when running the test suite.

My first guess is the changes in 3.2 regarding the way certificates are generated (from the changelog at https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md):

   * The x509, ca, and req apps now always produce X.509v3 certificates.

Also, other potential incompatibility issues mentioned there are:

   * The default SSL/TLS security level has been changed from 1 to 2.
   * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default.

I've tried compiling normally, as prefork and event but all of them fail the same way:

     Test Summary Report
     -------------------
     t/protocol/echo.t                 (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)
       Failed test:  1
       Non-zero exit status: 255
       Parse errors: Bad plan.  You planned 8 tests but ran 1.
     t/security/CVE-2005-2700.t        (Wstat: 0 Tests: 2 Failed: 1)
       Failed test:  1
     t/security/CVE-2009-3555.t        (Wstat: 65280 (exited 255) Tests: 1 Failed: 1)
       Failed test:  1
       Non-zero exit status: 255
       Parse errors: Bad plan.  You planned 4 tests but ran 1.
     t/ssl/basicauth.t                 (Wstat: 0 Tests: 4 Failed: 2)
       Failed tests:  2-3
     t/ssl/env.t                       (Wstat: 0 Tests: 30 Failed: 23)
       Failed tests:  1-8, 16-30
     t/ssl/extlookup.t                 (Wstat: 0 Tests: 4 Failed: 4)
       Failed tests:  1-4
     t/ssl/fakeauth.t                  (Wstat: 0 Tests: 3 Failed: 2)
       Failed tests:  2-3
     t/ssl/headers.t                   (Wstat: 0 Tests: 3 Failed: 3)
       Failed tests:  1-3
     t/ssl/ocsp.t                      (Wstat: 0 Tests: 3 Failed: 3)
       Failed tests:  1-3
     t/ssl/pr12355.t                   (Wstat: 0 Tests: 10 Failed: 10)
       Failed tests:  1-10
     t/ssl/pr43738.t                   (Wstat: 0 Tests: 4 Failed: 4)
       Failed tests:  1-4
     t/ssl/proxy.t                     (Wstat: 0 Tests: 290 Failed: 290)
       Failed tests:  1-290
     t/ssl/require.t                   (Wstat: 0 Tests: 10 Failed: 5)
       Failed tests:  2, 5-7, 9
     t/ssl/varlookup.t                 (Wstat: 0 Tests: 81 Failed: 81)
       Failed tests:  1-81
     t/ssl/verify.t                    (Wstat: 0 Tests: 3 Failed: 1)
       Failed test:  2
     Files=142, Tests=7248, 132 wallclock secs ( 3.04 usr  0.50 sys + 50.18 cusr 28.03 csys = 81.75 CPU)
     Result: FAIL
     Failed 15/142 test programs. 431/7248 subtests failed.

Any clue? Has anyone had success running the tests against OpenSSL 3.2?

Thanks,
David.



--
David Anes <david.anes@xxxxxxxx>
