GNU bug report logs - #56137
OpenSSL 1.1.1n test failures due to expired certificates (time bomb)

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 22 Jun 2022 09:59:02 UTC

Severity: important

Merged with 58650, 60821

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#56137: closed (OpenSSL 3.0.3/1.1.1n includes a time-dependent
 test)
Date: Wed, 22 Jun 2022 10:40:03 +0000

[Message part 1 (text/plain, inline)]
Your message dated Wed, 22 Jun 2022 12:39:12 +0200
with message-id <87ilot3ru7.fsf <at> gnu.org>
and subject line Re: bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
has caused the debbugs.gnu.org bug report #56137,
regarding OpenSSL 3.0.3/1.1.1n includes a time-dependent test
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
56137: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56137
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
Date: Wed, 22 Jun 2022 11:58:04 +0200

Hello,

As reported by phodina in <https://issues.guix.gnu.org/53581>, OpenSSL
1.1.1n and 3.0.3 include a time-dependent test that now fails due to an
expired certificate:

  https://github.com/openssl/openssl/issues/18441

The log looks like this:

--8<---------------cut here---------------start------------->8---
80-test_ocsp.t ..................... ok
80-test_pkcs12.t ................... ok

            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 2 - iteration 2
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 4 - iteration 4
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 5 - iteration 5
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844368
            not ok 6 - iteration 6
# ------------------------------------------------------------------------------
        # OPENSSL_TEST_RAND_ORDER=1655844368
        not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.none none => 1
    not ok 3 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 2 - iteration 2
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [2] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got ClientFail.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 4 - iteration 4
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 5 - iteration 5
# ------------------------------------------------------------------------------
            # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:36
            # [4] compared to [0]
            # INFO:  @ test/ssl_test.c:37
            # ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
            # 40B78AF7FF7F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1584:SSL alert number 45
            # OPENSSL_TEST_RAND_ORDER=1655844369
            not ok 6 - iteration 6
# ------------------------------------------------------------------------------
        # OPENSSL_TEST_RAND_ORDER=1655844369
        not ok 1 - test_handshake
# ------------------------------------------------------------------------------
../../util/wrap.pl ../../test/ssl_test 12-ct.cnf.default default => 1
    not ok 6 - running ssl_test 12-ct.cnf
# ------------------------------------------------------------------------------
    #   Failed test 'running ssl_test 12-ct.cnf'
    #   at test/recipes/80-test_ssl_new.t line 171.
    # Looks like you failed 2 tests of 6.
not ok 12 - Test configuration 12-ct.cnf
# ------------------------------------------------------------------------------
# Looks like you failed 1 test of 30.80-test_ssl_new.t .................. 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/30 subtests 
80-test_ssl_old.t .................. ok
80-test_ssl_test_ctx.t ............. ok
--8<---------------cut here---------------end--------------->8---

That means that ‘openssl’ on current master (ca.
73761d8049f483e6685c2c736872d0366e03238a) now fails to build.

Ludo’.



[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 56137-done <at> debbugs.gnu.org
Cc: phodina <phodina <at> protonmail.com>
Subject: Re: bug#56137: OpenSSL 3.0.3/1.1.1n includes a time-dependent test
Date: Wed, 22 Jun 2022 12:39:12 +0200

Ludovic Courtès <ludo <at> gnu.org> skribis:

> As reported by phodina in <https://issues.guix.gnu.org/53581>, OpenSSL
> 1.1.1n and 3.0.3 include a time-dependent test that now fails due to an
> expired certificate:
>
>   https://github.com/openssl/openssl/issues/18441

Fixed on ‘core-updates’ with 6cd438c4c2beb016a821143cdfdd12892aa9fd5f.

That commit skips the test.  I tried another approach with ‘datefudge’,
which has the advantage of being more explicit and future-proof (should
there be similar issues lying around):

               (invoke "datefudge" "2022-01-01"
                       "make" test-target
                       #$@(if (or (target-arm?) (target-riscv64?))
                              #~("TESTS=-test_afalg")
                              #~()))

For some reason it didn’t work.

Note that we cannot use libfaketime because:

--8<---------------cut here---------------start------------->8---
$ guix graph -t derivation --path libfaketime openssl <at> 1
/gnu/store/a4jcd4h7nvn97a2mw4n1yydgbh0i2wmz-libfaketime-0.9.9.drv
/gnu/store/hf5arq562aiisycnjcnhgfwzrl8lwrbc-libfaketime-0.9.9-checkout.drv
/gnu/store/xpnrk8hjfh7rvgqfsjwkjrb9cz1ws626-git-minimal-2.36.1.drv
/gnu/store/gavjhl823bhd95rijqf3iw3vl32ix494-openssl-1.1.1l.drv
--8<---------------cut here---------------end--------------->8---

Ludo’.
This bug report was last modified 2 years and 64 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.