PeterMosmans / openssl

'Extra featured' OpenSSL with ChaCha20 and Poly1305 support
https://onwebsecurity.com/pages/openssl.html

Make test fails on latest git revision #22

Closed DomT4 closed 9 years ago

DomT4 commented 9 years ago

I suspect this is technically an upstream failure rather than yours, but:

    perl ./Configure --prefix=/usr/local/Cellar/mosmans-openssl/1.0.2_chacha_m11 --openssldir=/usr/local/etc/mosmans_openssl no-ssl2 no-ssl3 no-ssl3-method enable-tlsext zlib-dynamic shared enable-cms darwin64-x86_64-cc enable-ec_nistp_64_gcc_128

    testing connection with weak DH, expecting failure
    Testing was requested for a disabled protocol. Skipping tests.
    FAIL: connection with weak DH succeeded
    make[1]: *** [test_ssl] Error 1
    make: *** [tests] Error 2

Full log can be seen here, for however long Travis retains it.

PeterMosmans commented 9 years ago

Hi @DomT4, thanks for opening an issue. Have you tried the 'same' version from the stock 1.0.2 branch OpenSSL_1_0_2-stable? This is commit 57e477b9ec66542afc8c9c13ae7c4271209fb88f. It would be great if you could check that build as well - hopefully (?) the same error will occur.

Thanks in advance,

Peter

DomT4 commented 9 years ago

Aye, the failure is there as well:

    cd openssl
    git checkout 57e477b9ec66542afc8c9c13ae7c4271209fb88f

    perl ./Configure --prefix=/Users/Dominyk/Downloads/openssl/TESTRUN --openssldir=/Users/Dominyk/Downloads/openssl/TESTRUN/etc no-ssl2 no-ssl3 no-ssl3-method enable-tlsext zlib-dynamic shared enable-cms darwin64-x86_64-cc enable-ec_nistp_64_gcc_128

    make ...

    make test ...

    Testing EDH-RSA-DES-CBC-SHA
    Testing was requested for a disabled protocol. Skipping tests.
    testing connection with weak DH, expecting failure
    Testing was requested for a disabled protocol. Skipping tests.
    FAIL: connection with weak DH succeeded
    make[1]: *** [test_ssl] Error 1
    make: *** [tests] Error 2

PeterMosmans commented 9 years ago

I looked in the code, curious as I was, and I suspect that commit b6f33dce3b1ee563c0866654a9b5c44adc7b79b8 is the issue:

    if [ $protocol = "SSLv3" ] ; then
      $ssltest -cipher EDH -dhe512 -ssl3
    else
      $ssltest -cipher EDH -dhe512
    fi
    if [ $? -eq 0 ]; then
      echo "FAIL: connection with weak DH succeeded"
      exit 1
    fi

As far as I can tell there is no check whether $ssltest is being skipped (and returns 0) due to dhe512 not being allowed.
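
The false failure described above, reproduced as an added example that is not part of the original thread or of OpenSSL's test suite. `ssltest_stub` is a hypothetical stand-in for `$ssltest` (its `connect` and `reject` outputs are constructed); the example contrasts the exit-status-only check with one that recognises the skip message from the log.

```shell
#!/bin/sh
# Hypothetical stand-in for $ssltest (constructed for this example).
# "skip" mimics the log above: it prints the skip notice and exits 0.
ssltest_stub() {
  case "$1" in
    skip)    echo "Testing was requested for a disabled protocol. Skipping tests."; return 0 ;;
    connect) echo "weak DH handshake completed"; return 0 ;;  # constructed output
    reject)  echo "handshake failure"; return 1 ;;            # constructed output
  esac
}

# Same logic as the quoted check: exit status 0 is read as
# "the weak-DH connection succeeded", so a skipped run is reported as FAIL.
naive_check() {
  if ssltest_stub "$1" >/dev/null; then
    echo "FAIL"
  else
    echo "PASS"
  fi
}

# Variant that looks at the output before trusting the exit status,
# so a skipped run is reported as SKIP instead of a completed handshake.
skip_aware_check() {
  status=0
  out=$(ssltest_stub "$1") || status=$?
  case "$out" in
    *"Skipping tests."*) echo "SKIP"; return 0 ;;
  esac
  if [ "$status" -eq 0 ]; then
    echo "FAIL"   # the handshake with 512-bit DHE really went through
  else
    echo "PASS"   # the weak parameters were rejected, as the test expects
  fi
}

for mode in skip connect reject; do
  printf '%-8s naive=%s skip-aware=%s\n' "$mode" \
    "$(naive_check "$mode")" "$(skip_aware_check "$mode")"
done
```

Matching on the message text only relies on the line shown in the log above; a distinct exit status for skipped runs would be a more robust signal than output parsing.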

PeterMosmans commented 9 years ago

You could try to run the tests with lines 175-185 in test/testssl commented out. If everything succeeds, will you take this 'upstream'? I'd be much obliged :)

commit b6f33dce3b1ee563c0866654a9b5c44adc7b79b8
Author: Emilia Kasper <emilia@openssl.org>
Date:   Fri May 22 18:35:50 2015 +0200

    Fix ssltest to use 1024-bit DHE parameters

    Also add more ciphersuite test coverage, and a negative test for
    512-bit DHE.

    Reviewed-by: Rich Salz <rsalz@openssl.org>
    (cherry picked from commit 1ee85aab75d7c9f20058f781bfe9222323df08eb)

 test/testssl | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

PeterMosmans commented 9 years ago

Closed, as this is fixed now (test is commented out in this fork).

DomT4 commented 9 years ago

Argh, sorry Peter. Apparently Thunderbird filtered this email notification somewhere other than my GitHub or Inbox folder. Happy to do any testing still required.