Dear Yaakov,
On Fri, Feb 9, 2024 at 4:51 AM Yaakov Selkowitz <yselkowi@xxxxxxxxxx> wrote:
On Thu, 2024-02-08 at 20:37 +0100, Sahana Prasad wrote:
> Hello everyone,
> OpenSSL 3.2.1 is now available in rawhide [1].
> There are no API/ABI changes in comparison with the last version in rawhide (3.1.4).
> This version (3.2.0 onwards) supports PQ algorithms that can be loaded through the OQS provider.
> A few tests that needed some downstream tweaks have been disabled and are being worked on.
> Other than this issue [2] upstream, we did not see any new failures/breakages.
>
> If you observe any new issues with this new version, kindly report a bug.
Would this be related to openssl 3.2.1?
https://koji.fedoraproject.org/koji/taskinfo?taskID=113198856
The tests pass locally in mock with openssl 3.1.4.
I can imagine the situation where upgrading to 3.2 could cause this failure but the logs are too vague.
Could you please provide more details (e.g. openssl low-level diagnostics) or even better a minimal reproducer for diagnostics?
Hi,
I am not that well versed in openssl but I think I got it quite minimal, as I can reproduce the error message using the `openssl` command itself.
And I confirmed, at least locally, that the error started happening once I introduced OpenSSL 3.2.1 into the buildroot; whether that's all there is to that story, I do not know.
As a result I have ruled out the mariadb version update as the cause.
rubygem-mysql2 has a few tests that test SSL connection. Keys and certs are in upstream: https://github.com/brianmario/mysql2/tree/master/spec/ssl
However, we regenerate all certificates using `gen_certs.sh`:
https://github.com/brianmario/mysql2/blob/master/spec/ssl/gen_certs.sh
In our repo:
https://src.fedoraproject.org/rpms/rubygem-mysql2/blob/rawhide/f/rubygem-mysql2.spec#_94
Above the line I linked in the Fedora file, we set CN to localhost, as we expect to connect through that host.
Now, with the certs regenerated in mock, I execute the following:
```
$ openssl verify -CAfile ca-cert.pem client-cert.pem
CN=ca_mysql2gem
error 79 at 1 depth lookup: invalid CA certificate
error client-cert.pem: verification failed
```
Since the error from the scratch build says "invalid CA certificate", I thought to use some openssl "verification" command; with this one it seems like I'm on the right path.
I have tried more permutations of the command with certificates available in the `spec/ssl/` directory, including using `-untrusted` with various certs; all seem to fail the same way.
Any idea what's up or how to fix it?
Regards,
Jarek Prokop
As for now we don't see any significant regressions in our downstream tests.
--
Dmitry Belyavskiy
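
Added example, not part of the thread or of any participant's message: one way to collect the low-level details requested above for the `openssl verify` reproducer. It prints the OpenSSL version, each certificate's X.509 version and basicConstraints CA flag, and the error code and depth pairs from verification. The function names are hypothetical, the file names in the usage line are the ones from the thread, and choosing basicConstraints as the field to inspect is an assumption based on the "invalid CA certificate" message, not a diagnosis confirmed in the thread.

```shell
#!/bin/sh
# Added example: summarise the certificate fields relevant to a CA check.
# Function names are hypothetical; file names in the usage come from the thread.

# Print "v<version> <CA flag>" for the first certificate in a PEM file.
cert_ca_summary() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    version=$(printf '%s\n' "$text" |
        sed -n 's/^ *Version: *\([0-9][0-9]*\).*/\1/p')
    # The CA flag is on the line after the "X509v3 Basic Constraints" header.
    ca=$(printf '%s\n' "$text" |
        sed -n '/X509v3 Basic Constraints/{n;s/^ *\(CA:[A-Z]*\).*/\1/p;}')
    echo "v${version:-?} ${ca:-no-basicConstraints}"
}

# Extract "<error number> <depth>" pairs from `openssl verify` output;
# prints nothing when verification succeeds.
verify_error_codes() {
    openssl verify -CAfile "$1" "$2" 2>&1 |
        sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/\1 \2/p'
}

# Report for the CA file and leaf certificate used in a reproducer.
diagnose() {
    cafile=$1
    leaf=$2
    openssl version
    echo "CA   $cafile: $(cert_ca_summary "$cafile")"
    echo "leaf $leaf: $(cert_ca_summary "$leaf")"
    codes=$(verify_error_codes "$cafile" "$leaf")
    echo "verify errors (code depth): ${codes:-none}"
}

# Usage: sh diagnose.sh ca-cert.pem client-cert.pem
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

Running it in both buildroots (with 3.1.4 and with 3.2.1) on the regenerated certificates gives two reports that can be compared line by line.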