Posted to dev@serf.apache.org by "James McCoy (Jira)" <ji...@apache.org> on 2022/02/06 01:55:00 UTC

[jira] [Commented] (SERF-202) SSL tests are not passing with openssl 3

    [ https://issues.apache.org/jira/browse/SERF-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487609#comment-17487609 ] 

James McCoy commented on SERF-202:
----------------------------------

OpenSSL released on 2021/09/07.

The {{ERR_GET_FUNC()}} macro was removed, as the function is always 0 now, so something like this is needed to build:

{noformat}
Index: buckets/ssl_buckets.c
===================================================================
--- buckets/ssl_buckets.c	(revision 1897794)
+++ buckets/ssl_buckets.c	(working copy)
@@ -1655,7 +1655,11 @@
             else {
                 serf__log(LOGLVL_ERROR, LOGCOMP_SSL, __FILE__, ctx->config,
                           "OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err),
+#ifdef ERR_GET_FUNC
                           ERR_GET_FUNC(err),
+#else
+                          0,
+#endif
                           ERR_GET_REASON(err));
                 PKCS12_free(p12);
                 bio_meth_free(biom);
{noformat}
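
Review bot: the {{#ifdef}}/{{#else}}/{{#endif}} placed between the arguments of the {{serf__log(...)}} call is fragile. If {{serf__log}} is, or later becomes, a macro, preprocessor directives inside its argument list are undefined behaviour in C, and the call is harder to read either way. Define the fallback once near the OpenSSL includes ({{#ifndef ERR_GET_FUNC}} / {{#define ERR_GET_FUNC(e) 0}} / {{#endif}}) so this call site stays unchanged, and add a short comment that the function field is always 0 on OpenSSL 3 so the middle {{%d}} in "OpenSSL cert error: %d %d %d" is not read as real data.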

As far as the tests, that sounds like it might be related to this bit from the [migration guide|https://www.openssl.org/docs/man3.0/man7/migration_guide.html]:

{quote}The security strength of SHA1 and MD5 based signatures in TLS has been reduced.

This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security level 0. The security level can be changed either using the cipher string with @SECLEVEL, or calling SSL_CTX_set_security_level(3). This also means that where the signature algorithms extension is missing from a ClientHello then the handshake will fail in TLS 1.2 at security level 1. This is because, although this extension is optional, failing to provide one means that OpenSSL will fallback to a default set of signature algorithms. This default set requires the availability of SHA1.
{quote}

> SSL tests are not passing with openssl 3
> ----------------------------------------
>
>                 Key: SERF-202
>                 URL: https://issues.apache.org/jira/browse/SERF-202
>             Project: serf
>          Issue Type: Bug
>    Affects Versions: serf-1.3.9
>            Reporter: Tomáš Korbař
>            Priority: Major
>
> Hi,
> It appears that libserf 1.3.9 is not able to work with the openssl 3 library.
> When I run the tests of libserf compiled with openssl 3, I get the following errors:
> Start 1: chunked-empty.response
>  Start 2: chunked-trailers.response
>  Start 3: chunked.response
>  Start 4: deflate.response
>  Start 5: simple.response
>  Start 6: test_all
> 1/6 Test #1: chunked-empty.response ........... Passed 0.00 sec
> 2/6 Test #2: chunked-trailers.response ........ Passed 0.00 sec
> 3/6 Test #3: chunked.response ................. Passed 0.00 sec
> 4/6 Test #4: deflate.response ................. Passed 0.00 sec
> 5/6 Test #5: simple.response .................. Passed 0.00 sec
> 6/6 Test #6: test_all .........................***Failed 44.78 sec
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> C02984F7:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
> ...........FF.FFFFFFFFFF.FFFFF....................................
> There were 17 failures:
> 1) test_ssl_handshake: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 2) test_ssl_trust_rootca: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 3) test_ssl_certificate_chain_with_anchor: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 4) test_ssl_certificate_chain_all_from_server: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 5) test_ssl_no_servercert_callback_allok: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 6) test_ssl_no_servercert_callback_fail: /builddir/build/BUILD/serf-1.3.9/test/test_context.c:1560: expected <120170> but was <120199>
> 7) test_ssl_large_response: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 8) test_ssl_large_request: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 9) test_ssl_client_certificate: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 10) test_ssl_expired_server_cert: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 11) test_ssl_future_server_cert: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 12) test_setup_ssltunnel: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> 13) test_ssltunnel_basic_auth: /builddir/build/BUILD/serf-1.3.9/test/test_context.c:2138: expected <0> but was <120199>
> 14) test_ssltunnel_basic_auth_server_has_keepalive_off: /builddir/build/BUILD/serf-1.3.9/test/test_context.c:2138: expected <0> but was <120199>
> 15) test_ssltunnel_basic_auth_proxy_has_keepalive_off: /builddir/build/BUILD/serf-1.3.9/test/test_context.c:2138: expected <0> but was <120199>
> 16) test_ssltunnel_basic_auth_proxy_close_conn_on_200resp: /builddir/build/BUILD/serf-1.3.9/test/test_context.c:2138: expected <0> but was <120199>
> 17) test_ssltunnel_digest_auth: /builddir/build/BUILD/serf-1.3.9/test/test_util.c:456: expected <0> but was <120199>
> !!!FAILURES!!!
> Runs: 66 Passes: 49 Fails: 17
> 83% tests passed, 1 tests failed out of 6
> Total Test time (real) = 44.79 sec
> The following tests FAILED:
>  6 - test_all (Failed)
>  
> I tried to find the cause of this issue, but unfortunately with no success. The tests are not able to perform an SSL handshake, as if the communication was not using TLS at all. The certificates are not expired; I regenerated them and tested that the tests work with openssl 1.1.1.
> Thanks for any help you can provide.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
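
The comment above notes that {{ERR_GET_FUNC()}} is gone because the function is always 0 in OpenSSL 3. The following is an added example, not part of the original message and not serf or OpenSSL code, showing how the packed error code from the quoted log ({{0A00010B}}) splits into fields under the 3.0 layout and under the older 1.1.1 layout. The helper names are hypothetical and the bit layouts are restated from the {{err.h}} definitions of the two OpenSSL release lines.

```c
#include <stdio.h>

/* Hypothetical helper type for this example; not an OpenSSL or serf type. */
typedef struct { int lib; int func; int reason; } err_fields;

/* OpenSSL 1.1.1 packing: 8-bit library, 12-bit function, 12-bit reason. */
static err_fields decode_111(unsigned long e)
{
    err_fields f;
    f.lib    = (int)((e >> 24) & 0xFFUL);
    f.func   = (int)((e >> 12) & 0xFFFUL);
    f.reason = (int)(e & 0xFFFUL);
    return f;
}

/* OpenSSL 3.0 packing: bit 31 marks a system (errno) error, the library
 * number sits in bits 23..30, the low 23 bits carry the reason.
 * There is no function field, so func is reported as 0. */
static err_fields decode_30(unsigned long e)
{
    err_fields f;
    f.func = 0;
    if (e & 0x80000000UL) {
        f.lib    = 2;                        /* ERR_LIB_SYS */
        f.reason = (int)(e & 0x7FFFFFFFUL);  /* errno value */
    } else {
        f.lib    = (int)((e >> 23) & 0xFFUL);
        f.reason = (int)(e & 0x7FFFFFUL);
    }
    return f;
}

int main(void)
{
    unsigned long seen = 0x0A00010BUL;  /* code from the quoted test log */
    unsigned long old  = 0x1408F10BUL;  /* constructed: same lib and reason
                                           packed the 1.1.1 way, func 0x08F */
    err_fields a = decode_30(seen);
    err_fields b = decode_111(seen);    /* wrong layout: library is misread */
    err_fields c = decode_111(old);

    /* lib 20 is ERR_LIB_SSL, reason 267 is SSL_R_WRONG_VERSION_NUMBER */
    printf("3.0 layout on 0A00010B:   lib=%d func=%d reason=%d\n", a.lib, a.func, a.reason);
    printf("1.1.1 layout on 0A00010B: lib=%d func=%d reason=%d\n", b.lib, b.func, b.reason);
    printf("1.1.1 layout on 1408F10B: lib=%d func=%d reason=%d\n", c.lib, c.func, c.reason);
    return 0;
}
```

Code that extracts fields by hand with the 1.1.1 shifts, rather than through {{ERR_GET_LIB()}} and {{ERR_GET_REASON()}}, attributes an OpenSSL 3 error to the wrong library, which matters when logs are parsed or alerts keyed on the library number.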