nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

OpenSSL 3.2.1 breaks TLS related pytests #1202

Closed andypost closed 2 months ago

andypost commented 3 months ago

Started to package the new release and see a lot of test failures; probably it's caused by the upgrade to OpenSSL 3.2.1.

The logs are as follows:

test/test_tls_sni.py::test_tls_sni FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:18 [error] 6224#6227 *39315 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_no_hostname FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:19 [error] 6224#6227 *39444 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_upper_case FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:21 [error] 6224#6227 *39573 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_only_bundle FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:23 [error] 6224#6227 *39702 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_wildcard FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:26 [error] 6224#6227 *39831 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_duplicated_bundle FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "alt2.localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [error] 6224#6227 *39960 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_same_alt FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "s" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "a" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "m" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "e" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "." in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "l" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "t" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "n" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "c" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "o" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [error] 6224#6227 *40089 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_empty_cn FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:32 [error] 6224#6227 *40218 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_invalid PASSED
test/test_tls_tickets.py::test_tls_ticket SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_string SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_array SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_invalid PASSED
andypost commented 3 months ago

All CI jobs: https://gitlab.alpinelinux.org/alpine/aports/-/pipelines/222161

ac000 commented 3 months ago

This looks like something specific to our tests as OpenSSL 3.2.1 itself seems to work fine with current Unit.

This error

2024/03/27 21:17:49 [error] 4401#4404 *26 SSL_do_handshake(33) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)

would indicate that it doesn't know about our CA, which will just be some dummy thing for the tests.

I get the above error from Unit when I use curl without the -k option with a self-signed certificate.

Looks like our tests need to do the same thing as -k in curl...
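To make the diagnosis above concrete, here is an added Python example (not part of the issue, nor Unit's own test code) that parses the unit.log lines quoted in this thread, maps the `SSL alert number` OpenSSL appends to its RFC 5246/8446 alert name, and notes that an alert reported as `tlsv1 alert unknown ca` was *received* from the peer, i.e. the test client rejected the server's chain rather than Unit rejecting anything. It also shows the two ways a test client context can be built: trusting the dummy CA explicitly, or the `curl -k` equivalent (`verify_mode = CERT_NONE`) that the comment above proposes. The `SAMPLE_LOG` mixes lines taken from the issue with one constructed line carrying a different alert code (46) so the mapping is visibly general; the `ca_file` path is a hypothetical argument, nothing here contacts a server.

```python
import re
import ssl
from collections import Counter

# TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
# A subset is enough here; 48 is the one in the unit.log lines above.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    112: "unrecognized_name",
}

# Unit log record layout: "<date> <time> [<level>] <pid>#<tid> [*<conn>] <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+) "
    r"(?:\*(?P<conn>\d+) )?(?P<msg>.*)$"
)
# OpenSSL appends the numeric alert code: "... :SSL alert number 48)"
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")


def parse_unit_log_line(line):
    """Parse one unit.log line; returns None for lines that are not log
    records (pytest status lines, file paths)."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = {"ts": m.group("ts"), "level": m.group("level"), "msg": m.group("msg")}
    a = ALERT_RE.search(entry["msg"])
    if a:
        num = int(a.group("num"))
        entry["alert"] = num
        entry["alert_name"] = TLS_ALERTS.get(num, "unknown")
        # OpenSSL reports an alert it *received* as "tlsv1 alert <name>", so the
        # peer (the test client) rejected Unit's certificate chain; the fix
        # belongs on the client side, not in the server's certificate.
        entry["sent_by"] = "peer"
    return entry


def summarize_alerts(log_text):
    """Count TLS alerts by name across a unit.log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_unit_log_line(line)
        if entry and "alert_name" in entry:
            counts[entry["alert_name"]] += 1
    return counts


def make_test_client_context(ca_file=None, insecure=False):
    """Build the client-side SSLContext a test harness would use.

    ca_file:  path (hypothetical here) to the test CA's PEM bundle. Trusting it
              explicitly is the preferred fix: the handshake then performs real
              chain verification against the dummy CA.
    insecure: the equivalent of `curl -k`; skips chain and hostname checks,
              which is acceptable only inside a test harness.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    elif insecure:
        # check_hostname must be cleared before verify_mode may become CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed excerpt: three lines taken from the issue plus one made-up line
# with a different alert code (46) to show the mapping is not special-cased.
SAMPLE_LOG = """\
test/test_tls_sni.py::test_tls_sni FAILED
2024/03/27 03:05:18 [error] 6224#6227 *39315 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:19 [error] 6224#6227 *39444 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
2024/03/27 03:05:40 [error] 6224#6227 *40300 SSL_do_handshake(12) failed (1046: tlsv1 alert certificate unknown) (OpenSSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46)
"""

if __name__ == "__main__":
    print(dict(summarize_alerts(SAMPLE_LOG)))
    print(make_test_client_context(insecure=True).verify_mode)
```

Of the two context builders, `ca_file` is the one worth using in a test suite: it keeps verification on, so a later regression that makes Unit serve the wrong chain still fails the test, whereas the `insecure` mode would hide it.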

andypost commented 2 months ago

Thank you! Works as a patch on Alpine.

ac000 commented 2 months ago

Great, thanks for testing!