Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2009/12/10 21:28:32 UTC

Failures in SSL tests in test suite

Apparently because of the fix in openssl for the TLS renegotiation issue the following
failed tests now pop up in our test suite (trunk and 2.2.x the same):


Failed Test       Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
t/ssl/basicauth.t                3    2  2-3
t/ssl/env.t                     30   15  16-30
t/ssl/extlookup.t                2    2  1-2
t/ssl/fakeauth.t                 3    2  2-3
t/ssl/pr12355.t                 10   10  1-10
t/ssl/pr43738.t                  4    4  1-4
t/ssl/proxy.t                  172   10  3-7 116-120
t/ssl/require.t                  5    2  2 5
t/ssl/varlookup.t               72   72  1-72
t/ssl/verify.t                   3    1  2
4 tests and 2 subtests skipped.
Failed 10/83 test scripts. 120/3119 subtests failed.
Files=83, Tests=3119, 95 wallclock secs (28.57 cusr +  3.32 csys = 31.89 CPU)
Failed 10/83 test programs. 120/3119 subtests failed.

Can someone confirm that this is really related to the openssl TLS renegotiation fix?

Regards

Rüdiger

Re: Failures in SSL tests in test suite

Posted by Ruediger Pluem <rp...@apache.org>.
On 12.12.2009 18:26, Jeff Trawick wrote:
> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem <rp...@apache.org> wrote:
>> Apparently because of the fix in openssl for the TLS renegotiation issue the following
>> failed tests now pop up in our test suite (trunk and 2.2.x the same):
>>
>>
>> Failed Test       Stat Wstat Total Fail  List of Failed
>> -------------------------------------------------------------------------------
>> t/ssl/basicauth.t                3    2  2-3
>> t/ssl/env.t                     30   15  16-30
>> t/ssl/extlookup.t                2    2  1-2
>> t/ssl/fakeauth.t                 3    2  2-3
>> t/ssl/pr12355.t                 10   10  1-10
>> t/ssl/pr43738.t                  4    4  1-4
>> t/ssl/proxy.t                  172   10  3-7 116-120
>> t/ssl/require.t                  5    2  2 5
>> t/ssl/varlookup.t               72   72  1-72
>> t/ssl/verify.t                   3    1  2
>> 4 tests and 2 subtests skipped.
> 
> I picked up almost identical failures on 2.2.14 on OpenSolaris when
> moving to a dev build with 0.9.8l from a dev build with 0.9.8k.  At
> least a few of those testcases mention renegotiation.  As I also
> picked up another failure that didn't seem to be related, I'll try to
> find time to perform before/after testing with just the OpenSSL k->l
> change.
> 
> It would be helpful to end up with some skip-renegotiation option to
> skip such tests.
> 
> Also, when the permanent enable-legacy-renegotiation API is in a
> released OpenSSL version do we expect to provide access to it from the
> config as a means for the admin to confirm that whatever
> server-initiated renegotiation is configured should be allowed?

IMHO yes, because otherwise we block server driven renegotiation completely
and would force some people to stick with old OpenSSL versions.
Better have them open this problem in a controlled manner than have them
sitting with old OpenSSL versions. Additionally, once we have Hartmut Keil's
patch in we are also safe against splitting attacks and thus have one
important attack vector less.

Regards

Rüdiger



Re: Failures in SSL tests in test suite

Posted by Dr Stephen Henson <sh...@oss-institute.org>.
Jeff Trawick wrote:
> On Sat, Dec 12, 2009 at 12:26 PM, Jeff Trawick <tr...@gmail.com> wrote:
>> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem <rp...@apache.org> wrote:
>>> Apparently because of the fix in openssl for the TLS renegotiation issue the following
>>> failed tests now pop up in our test suite (trunk and 2.2.x the same):
>>>
>>>
>>> Failed Test       Stat Wstat Total Fail  List of Failed
>>> -------------------------------------------------------------------------------
>>> t/ssl/basicauth.t                3    2  2-3
>>> t/ssl/env.t                     30   15  16-30
>>> t/ssl/extlookup.t                2    2  1-2
>>> t/ssl/fakeauth.t                 3    2  2-3
>>> t/ssl/pr12355.t                 10   10  1-10
>>> t/ssl/pr43738.t                  4    4  1-4
>>> t/ssl/proxy.t                  172   10  3-7 116-120
>>> t/ssl/require.t                  5    2  2 5
>>> t/ssl/varlookup.t               72   72  1-72
>>> t/ssl/verify.t                   3    1  2
>>> 4 tests and 2 subtests skipped.
>> I picked up almost identical failures on 2.2.14 on OpenSolaris when
>> moving to a dev build with 0.9.8l from a dev build with 0.9.8k.  At
>> least a few of those testcases mention renegotiation.  As I also
>> picked up another failure that didn't seem to be related, I'll try to
>> find time to perform before/after testing with just the OpenSSL k->l
>> change.
> 
> A straight k->l comparison shows exactly the same failures as you with
> httpd trunk/apr[-util] 1.4 HEAD on a recent OpenSolaris dev build.
> 

I'd suggest you try OpenSSL 0.9.8-dev (i.e. a recent snapshot). Renegotiation is
now possible but only with itself (which presumably that tests). The only thing
that is not allowed is renegotiation with the deprecated SSLv2.

If there are still any problems I'll check them.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org

Re: Failures in SSL tests in test suite

Posted by Jeff Trawick <tr...@gmail.com>.
On Sat, Dec 12, 2009 at 12:26 PM, Jeff Trawick <tr...@gmail.com> wrote:
> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem <rp...@apache.org> wrote:
>> Apparently because of the fix in openssl for the TLS renegotiation issue the following
>> failed tests now pop up in our test suite (trunk and 2.2.x the same):
>>
>>
>> Failed Test       Stat Wstat Total Fail  List of Failed
>> -------------------------------------------------------------------------------
>> t/ssl/basicauth.t                3    2  2-3
>> t/ssl/env.t                     30   15  16-30
>> t/ssl/extlookup.t                2    2  1-2
>> t/ssl/fakeauth.t                 3    2  2-3
>> t/ssl/pr12355.t                 10   10  1-10
>> t/ssl/pr43738.t                  4    4  1-4
>> t/ssl/proxy.t                  172   10  3-7 116-120
>> t/ssl/require.t                  5    2  2 5
>> t/ssl/varlookup.t               72   72  1-72
>> t/ssl/verify.t                   3    1  2
>> 4 tests and 2 subtests skipped.
>
> I picked up almost identical failures on 2.2.14 on OpenSolaris when
> moving to a dev build with 0.9.8l from a dev build with 0.9.8k.  At
> least a few of those testcases mention renegotiation.  As I also
> picked up another failure that didn't seem to be related, I'll try to
> find time to perform before/after testing with just the OpenSSL k->l
> change.

A straight k->l comparison shows exactly the same failures as you with
httpd trunk/apr[-util] 1.4 HEAD on a recent OpenSolaris dev build.

Re: Failures in SSL tests in test suite

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem <rp...@apache.org> wrote:
> Apparently because of the fix in openssl for the TLS renegotiation issue the following
> failed tests now pop up in our test suite (trunk and 2.2.x the same):
>
>
> Failed Test       Stat Wstat Total Fail  List of Failed
> -------------------------------------------------------------------------------
> t/ssl/basicauth.t                3    2  2-3
> t/ssl/env.t                     30   15  16-30
> t/ssl/extlookup.t                2    2  1-2
> t/ssl/fakeauth.t                 3    2  2-3
> t/ssl/pr12355.t                 10   10  1-10
> t/ssl/pr43738.t                  4    4  1-4
> t/ssl/proxy.t                  172   10  3-7 116-120
> t/ssl/require.t                  5    2  2 5
> t/ssl/varlookup.t               72   72  1-72
> t/ssl/verify.t                   3    1  2
> 4 tests and 2 subtests skipped.

I picked up almost identical failures on 2.2.14 on OpenSolaris when
moving to a dev build with 0.9.8l from a dev build with 0.9.8k.  At
least a few of those testcases mention renegotiation.  As I also
picked up another failure that didn't seem to be related, I'll try to
find time to perform before/after testing with just the OpenSSL k->l
change.

It would be helpful to end up with some skip-renegotiation option to
skip such tests.

Also, when the permanent enable-legacy-renegotiation API is in a
released OpenSSL version do we expect to provide access to it from the
config as a means for the admin to confirm that whatever
server-initiated renegotiation is configured should be allowed?