droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

tests fail without network connection #310

Open lindi2 opened 1 year ago

lindi2 commented 1 year ago

The testsuite is currently failing on Debian build machines. I debugged this issue and noticed that it seems that the issue is that Debian packages are built in an environment where they cannot access the Internet. This is done using the "unshare" command so that the tests get run in an environment where "lo" is up and has a valid address but no other interfaces are available:

$ ./sslsplit.test 
defaults: 2 tests omitted because not building as root
Running suite(s): 
 main
 opts
 dynbuf
 logbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
 pxythrmgr
 defaults
100%: Checks: 142, Failures: 0, Errors: 0
$ sudo /usr/bin/sudo unshare -n -- /usr/lib/pbuilder/pbuilder-unshare-wrapper ./sslsplit.test 
Running suite(s): 
 main
 opts
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
Cannot resolve address '127.0.0.1' port '10025': Name or service not known
Cannot resolve address '127.0.0.1' port '10025': Name or service not known
Cannot resolve address '127.0.0.1' port '10443': Name or service not known
 dynbuf
 logbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
 pxythrmgr
 defaults
90%: Checks: 144, Failures: 1, Errors: 12
opts.t.c:99:E:proxyspec_parse:proxyspec_parse_01:0: (after this point) Early exit with return value 1
opts.t.c:124:E:proxyspec_parse:proxyspec_parse_02:0: (after this point) Early exit with return value 1
opts.t.c:179:E:proxyspec_parse:proxyspec_parse_05:0: (after this point) Early exit with return value 1
opts.t.c:203:E:proxyspec_parse:proxyspec_parse_06:0: (after this point) Early exit with return value 1
opts.t.c:227:E:proxyspec_parse:proxyspec_parse_07:0: (after this point) Early exit with return value 1
opts.t.c:251:E:proxyspec_parse:proxyspec_parse_08:0: (after this point) Early exit with return value 1
opts.t.c:302:E:proxyspec_parse:proxyspec_parse_11:0: (after this point) Early exit with return value 1
opts.t.c:342:E:proxyspec_parse:proxyspec_parse_13:0: (after this point) Early exit with return value 1
opts.t.c:377:E:proxyspec_parse:proxyspec_parse_14:0: (after this point) Early exit with return value 1
opts.t.c:414:E:proxyspec_parse:proxyspec_parse_15:0: (after this point) Early exit with return value 1
opts.t.c:437:E:proxyspec_parse:proxyspec_parse_16:0: (after this point) Early exit with return value 1
opts.t.c:487:E:proxyspec_parse:proxyspec_parse_18:0: (after this point) Early exit with return value 1
defaults.t.c:57:F:dropuser:defaults_dropuser_02:0: connect failed for user running tests
$ sudo /usr/bin/sudo unshare -n -- /usr/lib/pbuilder/pbuilder-unshare-wrapper ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

I tried to troubleshoot this further and noticed that sys_sockaddr_parse in sys.c passes EVUTIL_AI_ADDRCONFIG to evutil_getaddrinfo, which then further passes it to the libc getaddrinfo. According to the documentation, this flag requires the system to have a working IPv4 or IPv6 address other than just localhost:

       If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4
       addresses are returned in the list pointed to by res only if the
       local system has at least one IPv4 address configured, and IPv6
       addresses are returned only if the local system has at least one
       IPv6 address configured.  The loopback address is not considered
       for this case as valid as a configured address.

What do you think? Should we

  1. Disable some or all tests during the build?
  2. Modify sys_sockaddr_parse so that sslsplit would be usable without a network connection?

lindi2 commented 1 year ago

Here's also a pointer back to the Debian bug on this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007962
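
One possible lookup order for option 2 in the first comment, as an added example that is not part of the issue thread and not sslsplit's code: it calls plain libc getaddrinfo instead of evutil_getaddrinfo, and `lookup`, `parse_addr` and `port_of` are hypothetical names. Numeric literals are parsed without AI_ADDRCONFIG, so `127.0.0.1` and `::1` still parse in a loopback-only namespace, and the flag is applied only to real hostname lookups.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: one getaddrinfo call, first result copied out. */
static int lookup(const char *host, const char *port, int flags,
                  struct sockaddr_storage *ss, socklen_t *len)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    int rv = getaddrinfo(host, port, &hints, &res);
    if (rv != 0)
        return rv;
    memcpy(ss, res->ai_addr, res->ai_addrlen);
    *len = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}

/* Returns 0 or an EAI_* code. allow_dns=0 accepts literals only. */
int parse_addr(const char *host, const char *port, int allow_dns,
               struct sockaddr_storage *ss, socklen_t *len)
{
    /* Pass 1: literals only, no AI_ADDRCONFIG, no resolver traffic. */
    int rv = lookup(host, port, AI_NUMERICHOST | AI_NUMERICSERV, ss, len);
    if (rv != EAI_NONAME || !allow_dns)
        return rv;
    /* Pass 2: a real name; AI_ADDRCONFIG still filters address families. */
    return lookup(host, port, AI_ADDRCONFIG, ss, len);
}

/* Port in host byte order, or 0 for an unexpected family. */
unsigned port_of(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    return ss->ss_family == AF_INET
        ? ntohs(((const struct sockaddr_in *)ss)->sin_port) : 0;
}

int main(void)
{
    struct sockaddr_storage ss; socklen_t len;
    return parse_addr("127.0.0.1", "10443", 0, &ss, &len); /* 0 on success */
}
```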