Closed yuhaoth closed 1 year ago
The SSL test scripts assume that openssl and gnutls have certain features and don't work with versions that are too recent, too old, or built with certain features disabled. Our CI script (all.sh) is set up to use three different versions of each of openssl and gnutls depending on what is being tested. See https://developer.trustedfirmware.org/w/mbed-tls/testing/ci/#tooling-for-all-sh
Thanks for your report! As Gilles said, currently this script is not meant to work out of the box with arbitrary versions of OpenSSL, so the behaviour you're reporting is not entirely unexpected.
However, of course it's desirable to be able to use it with the latest version. If you want to investigate the reason for this failure and raise a PR improving the script so that it can be used with OpenSSL 1.1.1, that would be welcome!
I regenerated tests/data_files/dhparams.pem with openssl dhparam -out dhparams.pem 2048. It can pass the test with both versions (openssl 1.1.1 and openssl 1.1.1f).
Can I fix it with the above command? I am not sure if it is the right way.
With a recent development branch with https://github.com/ARMmbed/mbedtls/pull/4429 merged, dhparams.pem shouldn't be a problem: it isn't used with recent openssl versions anymore. However it looks like we need to update some certificates.
$ tests/ssl-opt.sh -f 'keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK'
keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK ................ SERVER START TIMEOUT
./tests/ssl-opt.sh: 828: kill: No such process
FAIL
! server or client failed to reach handshake stage
! outputs saved to o-XXX-1.log
$ cat tests/o-srv-1.log
# keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK
openssl s_server -www -cert data_files/server5.crt -key data_files/server5.key -accept 17469 -key data_files/server2.key -cert data_files/server2.ku-ds_ke.crt
Using default temp DH parameters
error setting certificate
140304611403072:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: DH PARAMETERS
140304611403072:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
SERVER START TIMEOUT
Some of our test certificates are still using SHA-1, for example server2.ku-ds_ke.crt. I think that's the problem.
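The "ca md too weak" line in the server log is OpenSSL 1.1.1 rejecting a certificate chain whose signature digest falls below its default security level, and the maintainer's diagnosis above is that some test certificates are still SHA-1 signed. The following script, an added example that is not part of Mbed TLS or of this issue, shows how to find such certificates without relying on a particular openssl version: it decodes each PEM certificate with a minimal standard-library DER walk, reads the outer signatureAlgorithm OID, and flags MD5 and SHA-1 digests. The sample input it checks is a constructed certificate skeleton with the correct outer ASN.1 shape, not a real certificate; the OID table, function names and the file-name handling are the example's own assumptions.

```python
"""Flag PEM certificates signed with MD5 or SHA-1 (added example, stdlib only)."""
import base64
import re
import sys

# Signature-algorithm OIDs -> (name, weak digest?). Assumed table, covers the
# RSA and ECDSA algorithms commonly seen in TLS test certificates.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(data, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, cert, _ = _tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _tlv(cert, 0)            # skip tbsCertificate
    tag, sigalg, _ = _tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _tlv(sigalg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)


def scan_pem(text):
    """Return [(algorithm name, weak flag)] for every certificate in PEM text."""
    results = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_oid(der)
        results.append(SIG_OIDS.get(oid, (oid, None)))  # None: unknown algorithm
    return results


# --- constructed sample input (a DER skeleton, NOT a valid certificate) -----

def _der(tag, content):
    """Encode a DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert_pem(sig_oid):
    """Build a PEM 'certificate' whose only realistic part is the outer shape."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # placeholder tbsCertificate
    sigalg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _der(0x03, b"\x00" * 129)                             # placeholder BIT STRING
    b64 = base64.b64encode(_der(0x30, tbs + sigalg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_sig_digest.py tests/data_files/*.crt
    for path in sys.argv[1:]:
        with open(path) as fh:
            for name, weak in scan_pem(fh.read()):
                print(f"{path}: {name}{' (WEAK)' if weak else ''}")
```

Run it over a directory of test certificates to get one line per certificate with the signature algorithm and a WEAK marker for MD5 or SHA-1; a 1.1.1 server will refuse to load any chain member so marked. The helper encoders at the bottom exist only to build the labelled sample input, so the checker can be exercised offline.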
Should we add a generate command into tests/data_files/Makefile? dhparams.pem is not in the file.
Yes, eventually. We register all the new files in tests/data_files/Makefile, but dhparams.pem is an old file from before that makefile existed. It's a pretty low-priority backlog item right now, we don't even have an issue for it.
Summary
Build and test in Ubuntu 20.04, ssl-opt.sh reports fail with development branch.
System information
Mbed TLS version (number or commit id): cee21d
Operating system and version: Ubuntu 20.04
Expected behavior
ssl-opt.sh PASSED.
Actual behavior
ssl-opt.sh reports the failure below.
o-srv-3*.log reports the error below.
Steps to reproduce
Additional information