GNU bug report logs - #58650
OpenSSL 1.1.1n test failures due to expired certificates (time bomb)
To reply to this bug, email your comments to 58650 AT debbugs.gnu.org.
Report forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 20 Oct 2022 02:41:02 GMT)
Acknowledgement sent to Sjors Provoost <sjors <at> sprovoost.nl>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 20 Oct 2022 02:41:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Sorry if this is a duplicate or has already been fixed in a more recent commit.
/builder for `/gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv' failed with exit code 1
build of /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed
View build log at '/var/log/guix/drvs/mw/6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv.gz'.
cannot build derivation `/gnu/store/236k6ncjl0nf7bqv4j0hni8i4yib3la4-git-minimal-2.36.0.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/gd577lh9007s0687m56fn65n8hrsjiqf-mallard-ducktype-1.0.2-checkout.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/rvj5bx06w2kjlxm3fg5p88dkxb6n8v9p-openjpeg-data-2020.11.30-checkout.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/00p96drllzndfp7zr63y26n1d64bdjwl-mallard-ducktype-1.0.2.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/kz4g88f4jv0w75qibq74q5lmpkgpl894-openjpeg-data-2020.11.30.drv': 1 dependencies couldn't be built
cannot build derivation `/gnu/store/izf75k3gvz0x6399qiks1drps445ykpg-openjpeg-2.4.0.drv': 1 dependencies couldn't be built
Backtrace:
14 (primitive-load "/gnu/store/wkw084zcvkyj53acs1gkchnvp0m7bvbl-compute-guix-derivation")
In ice-9/eval.scm:
155:9 13 (_ _)
159:9 12 (_ #(#(#(#(#(#(#(#(#(#(#(#(#(#(#(#(#<directory (guile-u?> ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?))
In ice-9/boot-9.scm:
152:2 11 (with-fluid* _ _ _)
152:2 10 (with-fluid* _ _ _)
In ./guix/store.scm:
2129:24 9 (run-with-store #<store-connection 256.99 7fbb6af39140> #<procedure 7fbb55577a50 at ./guix/self.scm:12?> ?)
1966:8 8 (_ #<store-connection 256.99 7fbb6af39140>)
In ./guix/gexp.scm:
300:22 7 (_ #<store-connection 256.99 7fbb6af39140>)
1181:2 6 (_ #<store-connection 256.99 7fbb6a984690>)
1047:2 5 (_ #<store-connection 256.99 7fbb6a984690>)
893:4 4 (_ #<store-connection 256.99 7fbb6a984690>)
In ./guix/store.scm:
2014:12 3 (_ #<store-connection 256.99 7fbb6a984690>)
1406:5 2 (map/accumulate-builds #<store-connection 256.99 7fbb6a984690> #<procedure 7fbb5d369580 at ./guix/stor?> ?)
1421:15 1 (_ #<store-connection 256.99 7fbb6a984690> ("/gnu/store/gcvv1i5shqmkd6x1pjwjdrvr7z4lb5ss-guile-ssh-?" ?) ?)
1421:15 0 (loop #f)
./guix/store.scm:1421:15: In procedure loop:
ERROR:
1. &store-protocol-error:
message: "build of `/gnu/store/gwqx9mq7ll5ic97zvz22j9irlx2922wx-graphviz-2.49.0.drv' failed"
status: 100
guix pull: error: You found a bug: the program '/gnu/store/wkw084zcvkyj53acs1gkchnvp0m7bvbl-compute-guix-derivation'
failed to compute the derivation for Guix (version: "998eda3067c7d21e0d9bb3310d2f5a14b8f1c681"; system: "x86_64-linux";
host version: "1.3.0.18313-998eda"; pull-version: 1).
- Sjors
[6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv.gz (application/x-gzip, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 03 Nov 2022 10:05:03 GMT)
Message #8 received at 58650 <at> debbugs.gnu.org:
Hi,
Thanks for the report.
On Wed, 19 Oct 2022 at 21:46, Sjors Provoost <sjors <at> sprovoost.nl> wrote:
> Sorry if this is a duplicate or has already been fixed in a more recent commit.
>
> /builder for `/gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv' failed with exit code 1
> build of /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed
> View build log at '/var/log/guix/drvs/mw/6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv.gz'.
> cannot build derivation `/gnu/store/236k6ncjl0nf7bqv4j0hni8i4yib3la4-git-minimal-2.36.0.drv': 1 dependencies couldn't be built
> cannot build derivation `/gnu/store/gd577lh9007s0687m56fn65n8hrsjiqf-mallard-ducktype-1.0.2-checkout.drv': 1 dependencies couldn't be built
> cannot build derivation `/gnu/store/rvj5bx06w2kjlxm3fg5p88dkxb6n8v9p-openjpeg-data-2020.11.30-checkout.drv': 1 dependencies couldn't be built
> cannot build derivation `/gnu/store/00p96drllzndfp7zr63y26n1d64bdjwl-mallard-ducktype-1.0.2.drv': 1 dependencies couldn't be built
> cannot build derivation `/gnu/store/kz4g88f4jv0w75qibq74q5lmpkgpl894-openjpeg-data-2020.11.30.drv': 1 dependencies couldn't be built
> cannot build derivation `/gnu/store/izf75k3gvz0x6399qiks1drps445ykpg-openjpeg-2.4.0.drv': 1 dependencies couldn't be built
> Backtrace:
> 14 (primitive-load "/gnu/store/wkw084zcvkyj53acs1gkchnvp0m7bvbl-compute-guix-derivation")
> In ice-9/eval.scm:
> 155:9 13 (_ _)
> 159:9 12 (_ #(#(#(#(#(#(#(#(#(#(#(#(#(#(#(#(#<directory (guile-u?> ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?) ?))
> In ice-9/boot-9.scm:
> 152:2 11 (with-fluid* _ _ _)
> 152:2 10 (with-fluid* _ _ _)
> In ./guix/store.scm:
> 2129:24 9 (run-with-store #<store-connection 256.99 7fbb6af39140> #<procedure 7fbb55577a50 at ./guix/self.scm:12?> ?)
> 1966:8 8 (_ #<store-connection 256.99 7fbb6af39140>)
> In ./guix/gexp.scm:
> 300:22 7 (_ #<store-connection 256.99 7fbb6af39140>)
> 1181:2 6 (_ #<store-connection 256.99 7fbb6a984690>)
> 1047:2 5 (_ #<store-connection 256.99 7fbb6a984690>)
> 893:4 4 (_ #<store-connection 256.99 7fbb6a984690>)
> In ./guix/store.scm:
> 2014:12 3 (_ #<store-connection 256.99 7fbb6a984690>)
> 1406:5 2 (map/accumulate-builds #<store-connection 256.99 7fbb6a984690> #<procedure 7fbb5d369580 at ./guix/stor?> ?)
> 1421:15 1 (_ #<store-connection 256.99 7fbb6a984690> ("/gnu/store/gcvv1i5shqmkd6x1pjwjdrvr7z4lb5ss-guile-ssh-?" ?) ?)
> 1421:15 0 (loop #f)
>
> ./guix/store.scm:1421:15: In procedure loop:
> ERROR:
> 1. &store-protocol-error:
> message: "build of `/gnu/store/gwqx9mq7ll5ic97zvz22j9irlx2922wx-graphviz-2.49.0.drv' failed"
> status: 100
> guix pull: error: You found a bug: the program '/gnu/store/wkw084zcvkyj53acs1gkchnvp0m7bvbl-compute-guix-derivation'
> failed to compute the derivation for Guix (version: "998eda3067c7d21e0d9bb3310d2f5a14b8f1c681"; system: "x86_64-linux";
> host version: "1.3.0.18313-998eda"; pull-version: 1).
It seems an error with the store. Do you use the offload mechanism?
And have you allowed the substitutes?
Cheers,
simon
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 03 Nov 2022 10:34:02 GMT)
Message #11 received at 58650 <at> debbugs.gnu.org:
On 03-11-2022 11:03, zimoun wrote:
> Hi,
>
> Thanks for the report.
>
> On Wed, 19 Oct 2022 at 21:46, Sjors Provoost <sjors <at> sprovoost.nl> wrote:
>> Sorry if this is a duplicate or has already been fixed in a more recent commit.
>>
>> /builder for `/gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv' failed with exit code 1
>> build of /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed
>> View build log at '/var/log/guix/drvs/mw/6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv.gz'.
>> [...]
>>
>> ./guix/store.scm:1421:15: In procedure loop: [...]1).
>
> It seems an error with the store. Do you use the offload mechanism?
> And have you allowed the substitutes?
Looking at the attached build log, it is a build failure, not some store
error:
Test Summary Report
-------------------
../test/recipes/80-test_ssl_new.t (Wstat: 256 Tests: 29
Failed: 1)
Failed test: 12
Non-zero exit status: 1
Files=158, Tests=2640, 66 wallclock secs ( 0.87 usr 0.07 sys + 56.47
cusr 7.90 csys = 65.31 CPU)
Result: FAIL
make[1]: *** [Makefile:208: _tests] Error 1
make[1]: Leaving directory
'/tmp/guix-build-openssl-1.1.1n.drv-0/openssl-1.1.1n'
make: *** [Makefile:205: tests] Error 2
Except for the different version number IIRC, I've noticed that one
before (on core-updates). That was without offloading and with
substitutes, though the substitute servers didn't have a substitute
available.
As the backtrace is a distraction, I propose merging something like
<https://issues.guix.gnu.org/50238>.
Greetings,
Maxime
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 03 Nov 2022 11:09:02 GMT)
Message #14 received at 58650 <at> debbugs.gnu.org:
I built using --no-substitutes and no offloading.
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 03 Nov 2022 11:23:03 GMT)
Message #17 received at 58650 <at> debbugs.gnu.org:
Hi,
On Thu, 03 Nov 2022 at 11:32, Maxime Devos <maximedevos <at> telenet.be> wrote:
> Looking at the attached build log, it is a build failure, not some store
> error:
>
> Test Summary Report
> -------------------
> ../test/recipes/80-test_ssl_new.t (Wstat: 256 Tests: 29
> Failed: 1)
> Failed test: 12
> Non-zero exit status: 1
> Files=158, Tests=2640, 66 wallclock secs ( 0.87 usr 0.07 sys + 56.47
> cusr 7.90 csys = 65.31 CPU)
> Result: FAIL
> make[1]: *** [Makefile:208: _tests] Error 1
> make[1]: Leaving directory
> '/tmp/guix-build-openssl-1.1.1n.drv-0/openssl-1.1.1n'
> make: *** [Makefile:205: tests] Error 2
Indeed. My bad, I have missed the attachment.
Well, looking closer, I am confused by:
--8<---------------cut here---------------start------------->8---
failed to compute the derivation for Guix (version: "998eda3067c7d21e0d9bb3310d2f5a14b8f1c681"; system:
"x86_64-linux"; host version: "1.3.0.18313-998eda"; pull-version: 1).
--8<---------------cut here---------------end--------------->8---
What is this host version?
> As the backtrace is a distraction, I propose merging something like
> <https://issues.guix.gnu.org/50238>.
Well, I do not know if it is related, although patch#50238 would help
for sure.
Cheers,
simon
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 03 Nov 2022 11:26:02 GMT)
Message #20 received at 58650 <at> debbugs.gnu.org:
I tried building again using:
guix build --cores=1 /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv
This made it more clear that the error was an expired certificate:
../test/recipes/80-test_ssl_new.t ..................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/29 subtests
I was able to work around that by adjusting the machine time:
sudo timedatectl set-ntp no
sudo date --set "28 may 2022 15:00:00"
guix build ....
sudo timedatectl set-ntp yes
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Thu, 03 Nov 2022 11:33:01 GMT)
Message #23 received at 58650 <at> debbugs.gnu.org:
reopen 56137
merge 56137 58650
thanks
On 03-11-2022 12:25, Sjors Provoost wrote:
> I tried building again using:
> guix build --cores=1 /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv
>
> This made it more clear that the error was an expired certificate:
>
> ../test/recipes/80-test_ssl_new.t ..................
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/29 subtests
>
> I was able to work around that by adjusting the machine time:
>
> sudo timedatectl set-ntp no
> sudo date --set "28 may 2022 15:00:00"
> guix build ....
> sudo timedatectl set-ntp yes
In that case, this appears to be an instance of
<https://issues.guix.gnu.org/56137> (‘OpenSSL 3.0.3/1.1.1n includes a
time-dependent test’), this time for a different test case.
I propose to implement <https://issues.guix.gnu.org/56137#3> to solve
this more permanently.
Greetings,
Maxime.
Severity set to 'important' from 'normal'. Request was from Maxime Devos <maximedevos <at> telenet.be> to control <at> debbugs.gnu.org. (Tue, 08 Nov 2022 02:00:02 GMT)
Merged 56137 58650. Request was from Maxime Devos <maximedevos <at> telenet.be> to control <at> debbugs.gnu.org. (Tue, 08 Nov 2022 02:00:02 GMT)
Changed bug title to 'OpenSSL 1.1.1n test failures due to expired certificates (time bomb)' from 'build of /gnu/store/mw6ax0gk33gh082anrdrxp2flrbskxv6-openssl-1.1.1n.drv failed'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 15 Nov 2022 16:16:01 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#58650; Package guix. (Mon, 27 Feb 2023 04:05:02 GMT)
Message #32 received at 58650 <at> debbugs.gnu.org:
Hi,
I also tried with libfaketime, which seemed more complete and easy to
set up globally via environment variables:
--8<---------------cut here---------------start------------->8---
modified gnu/packages/tls.scm
@@ -491,11 +491,47 @@ (define (target->openssl-target target)
(error "unsupported openssl target architecture")))))
(string-append kernel "-" arch))))
+;;; A minimal version of libfaketime that should remain private. Its only
+;;; purpose is to avoid introducing a cycle with openssl due to libfaketime's
+;;; git-fetch origin, which pulls git (which requires openssl).
+(define libfaketime-minimal
+ (package
+ (name "libfaketime")
+ (version "0.9.10")
+ (home-page "https://github.com/wolfcw/libfaketime")
+ (source (origin
+ (method url-fetch)
+ ;; XXX: We cheat and use a dynamically generated archive GitHub
+ ;; link here, since we can't fetch from git.
+ (uri (string-append "https://github.com/wolfcw/" name
+ "/archive/refs/tags/v" version ".tar.gz"))
+ (sha256
+ (base32
+ "0zwlwxpya3scayf8b3ans6pp82k8k42bk5wfqvcm02kmkhxx76kj"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:make-flags #~(list "all")
+ #:tests? #f
+ #:phases
+ #~(modify-phases %standard-phases
+ (replace 'configure
+ (lambda* (#:key outputs #:allow-other-keys)
+ (setenv "CC" #$(cc-for-target))
+ (setenv "PREFIX" #$output))))))
+ (synopsis "Fake the system time for single applications")
+ (description
+ "The libfaketime library allows users to modify the system time that an
+application \"sees\". It is meant to be loaded using the dynamic linker's
+@code{LD_PRELOAD} environment variable. The @command{faketime} command
+provides a simple way to achieve this.")
+ (license license:gpl2)))
+
(define-public openssl-1.1
;; Note to maintainers: when updating this package, make sure to update the
;; RELEASE-DATE variable below. It is used by datefudge to avoid time bombs
;; in the test suite.
- (let ((release-date "2021-08-24 00:00"))
+ (let ((release-date "@2021-08-24 00:00:00"))
(package
(name "openssl")
(version "1.1.1l")
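Review bot: The maintainer note above `release-date` in `openssl-1.1` still says the variable "is used by datefudge", while this patch replaces datefudge with libfaketime and changes the value to "@2021-08-24 00:00:00"; the comment should name libfaketime and explain the leading `@` (a start time from which the clock keeps running), so that whoever updates the package keeps the format. In `libfaketime-minimal`, `#:tests? #f` has no comment giving the reason, and the replaced `configure` phase binds `outputs` without using it (it uses `#$output`). The XXX comment already flags that the sha256 is pinned to a dynamically generated GitHub archive; that is worth resolving before this package sits underneath openssl.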
@@ -517,7 +553,7 @@ (define-public openssl-1.1
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
"static")) ;6.4 MiB of .a files
- (native-inputs (list datefudge perl))
+ (native-inputs (list libfaketime-minimal perl))
(arguments
(list
#:modules '((guix build gnu-build-system)
@@ -537,6 +573,15 @@ (define-public openssl-1.1
#:disallowed-references (list (canonical-package perl))
#:phases
#~(modify-phases %standard-phases
+ (add-before 'unpack 'setup-libfaketime
+ (lambda* (#:key native-inputs inputs #:allow-other-keys)
+ (let ((libfaketime.so.1 (search-input-file
+ (or native-inputs inputs)
+ "lib/faketime/libfaketime.so.1")))
+ (setenv "LD_PRELOAD" libfaketime.so.1)
+ (setenv "NO_FAKE_STAT" "1")
+ (setenv "FAKETIME_DONT_RESET" "1")
+ (setenv "FAKETIME" #$release-date))))
#$@(if (%current-target-system)
#~((add-before 'configure 'set-cross-compile
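Review bot: `setup-libfaketime` is added before `'unpack`, so `LD_PRELOAD` and `FAKETIME` stay set for every later phase (configure, build, install), although only the test suite needs a fixed date; consider adding the phase before `'check` so that compilation and installation do not run under a fake clock. `NO_FAKE_STAT` and `FAKETIME_DONT_RESET` are set without a comment saying why each is needed; a one-line comment per variable would help the next reader.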
--8<---------------cut here---------------end--------------->8---
But I still get the same error:
--8<---------------cut here---------------start------------->8---
../../util/shlib_wrap.sh /gnu/store/hy6abswwv4d89zp464fw52z65fkzr7h5-perl-5.34.0/bin/perl -I ../../util/perl ../generate_ssl_tests.pl ../ssl-tests/12-ct.conf.in > 12-ct.conf.30543.tmp => 0
ok 1 - Getting output from generate_ssl_tests.pl.
ok 2 - Comparing generated sources.
# Subtest: ../ssl_test
1..1
# Subtest: test_handshake
1..6
ok 1 - iteration 1
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2
ok 3 - iteration 3
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 4 - iteration 4
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 5 - iteration 5
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 6 - iteration 6
not ok 1 - test_handshake
../../util/shlib_wrap.sh ../ssl_test 12-ct.conf.30543.tmp => 1
not ok 3 - running ssl_test 12-ct.conf
# Failed test 'running ssl_test 12-ct.conf'
# at ../test/recipes/80-test_ssl_new.t line 148.
# Looks like you failed 1 test of 3.
not ok 12 - Test configuration 12-ct.conf
# Failed test 'Test configuration 12-ct.conf'
# at
# /tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l/test/../util/perl/OpenSSL/Test.pm
# line 1212.
--8<---------------cut here---------------end--------------->8---
When attempting to build with
--8<---------------cut here---------------start------------->8---
./pre-inst-env guix build --no-grafts -e '(@@ (gnu packages tls) openssl-1.1)'
--8<---------------cut here---------------end--------------->8---
Upstream seems to have moved to give very large expiry dates on their
test certs (100 years), so perhaps we can simply remove this test and
hope the problem doesn't come back to haunt us...
--
Thanks,
Maxim
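Added example, not part of the thread or of Guix or OpenSSL: a small Python triage of the OpenSSL test output quoted in message #32. It tells a certificate-expiry time bomb apart from other failures by looking for the `certificate expired` alert (TLS alert 45) in the `# ERROR:` block that precedes each failing iteration. The function names and verdict strings are made up for this example; the sample log is an excerpt of the output quoted above.

```python
import re

# Excerpt of the test output quoted in message #32 (iterations 3, 4, 6 omitted).
SAMPLE_LOG = """\
ok 1 - iteration 1
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [2] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got ClientFail.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 2 - iteration 2
# ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
# [4] compared to [0]
# INFO: @ test/ssl_test.c:34
# ExpectedResult mismatch: expected Success, got FirstHandshakeFailed.
# 140450700142400:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
not ok 5 - iteration 5
not ok 1 - test_handshake
not ok 3 - running ssl_test 12-ct.conf
# Failed test 'running ssl_test 12-ct.conf'
not ok 12 - Test configuration 12-ct.conf
"""

RESULT = re.compile(r"^(not ok|ok) (\d+) - (.*)$")
MISMATCH = re.compile(r"ExpectedResult mismatch: expected (\w+), got (\w+)")
# TLS alert 45 is certificate_expired; OpenSSL prints both the name and the number.
EXPIRED = re.compile(r"alert certificate expired|SSL alert number 45\b")


def leaf_failures(log_text):
    """Return a dict per 'not ok' line that is preceded by a '# ERROR:' block."""
    found, block = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        result = RESULT.match(line)
        if result:
            if result.group(1) == "not ok" and block is not None:
                text = "\n".join(block)
                got = MISMATCH.search(text)
                found.append({"test": result.group(3), "got": got and got.group(2),
                              "expired_cert": bool(EXPIRED.search(text))})
            block = None  # diagnostics never carry over to the next result line
        elif line.startswith("# ERROR:"):
            block = [line]
        elif block is not None and line.startswith("#"):
            block.append(line)
    return found


def verdict(log_text):
    """'time-bomb' only if every leaf failure shows the expired-certificate alert."""
    leaves = leaf_failures(log_text)
    if not leaves:
        return "no-leaf-failure"
    expired = sum(f["expired_cert"] for f in leaves)
    if expired == len(leaves):
        return "time-bomb"
    return "mixed" if expired else "other"
```

Parent lines such as `not ok 12 - Test configuration 12-ct.conf` carry no `# ERROR:` block of their own and are skipped, so the verdict rests only on the iterations that report a cause.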
This bug report was last modified 2 years and 63 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.