noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

OpenSSL-3.0.0 support #111

Closed zarniwhoop73 closed 2 years ago

zarniwhoop73 commented 3 years ago

Now that openssl-3.0.0 is out I've been trying it on an experimental system. There are a lot of test failures in IO-Socket-SSL-2.072:

Test Summary Report
-------------------
t/connectSSL-timeout.t          (Wstat: 256 Tests: 10 Failed: 2)
  Failed tests:  9-10
  Non-zero exit status: 1
  Parse errors: Bad plan.  You planned 16 tests but ran 10.
t/core.t                        (Wstat: 0 Tests: 48 Failed: 13)
  Failed tests:  22-34
t/readline.t                    (Wstat: 0 Tests: 19 Failed: 5)
  Failed tests:  4, 7, 10, 13, 16
Files=42, Tests=782, 40 wallclock secs ( 0.15 usr  0.03 sys +  6.70 cusr  0.54 csys =  7.42 CPU)
Result: FAIL
Failed 3/42 test programs. 20/782 subtests failed.

In use, when things go well it seems to work. But when a connection fails that is not being noticed. In one of my tests I use (home-built, all from source with system perl modules) biber to access a couple of external bib files via https://. One of those sometimes fails (maybe I run the test at a bad time). With openssl-3.0.0 I assume it failed but the process continued, and then biber reported that the temp file was corrupted. I guess that really means it did not download - unfortunately, the temp file was deleted.

noxxi commented 3 years ago

Thanks for the report. Please make sure first that all tests in Net::SSLeay succeed, since IO::Socket::SSL depends on this for the OpenSSL functionality. Please also provide the relevant versions - just running perl -Mblib t/01_loadmodule.t after make in the build directory should give you the necessary data.
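The report above describes a download that failed without anything noticing, and the reply asks for the OpenSSL, Net::SSLeay and IO::Socket::IP versions. The following script is an added example, not code from this issue or from the IO::Socket::SSL project: it prints the same compiled/linked OpenSSL information that t/01loadmodule.t reports, then fetches one URL over TLS while treating every failure (handshake, verification, write, undefined read, short body) as fatal instead of silently continuing. The target host, path and the reliance on the default CA store are assumptions; change them for your system.

```perl
#!/usr/bin/perl
# Added example, not part of the issue or of IO::Socket::SSL itself.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);
use Net::SSLeay;

# Same facts t/01loadmodule.t prints and the maintainer asked for.
printf "openssl version compiled=0x%x linked=0x%x -- %s\n",
    Net::SSLeay::OPENSSL_VERSION_NUMBER(),   # version the XS code was built against
    Net::SSLeay::SSLeay(),                   # version actually loaded at runtime
    Net::SSLeay::SSLeay_version(0);
printf "Net::SSLeay version=%s\n",     $Net::SSLeay::VERSION;
printf "IO::Socket::SSL version=%s\n", $IO::Socket::SSL::VERSION;
warn "note: compiled and linked OpenSSL versions differ; mention this in bug reports\n"
    if Net::SSLeay::OPENSSL_VERSION_NUMBER() != Net::SSLeay::SSLeay();

# Assumed target; any HTTPS host with a certificate in the default CA store works.
my ($host, $port, $path) = ('example.org', 443, '/');

# Fail closed on connect, handshake or certificate verification problems.
# SSL_verify_mode is the default in current releases; it is spelled out here
# so that an older IO::Socket::SSL cannot silently fall back to no verification.
my $cl = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => $port,
    SSL_verify_mode => SSL_VERIFY_PEER,
    Timeout         => 10,
) or die "TLS connection to $host:$port failed: $SSL_ERROR ($!)\n";

my $version = $cl->get_sslversion;
my $cipher  = $cl->get_cipher;

print $cl "GET $path HTTP/1.0\r\nHost: $host\r\nConnection: close\r\n\r\n"
    or die "write failed: $SSL_ERROR ($!)\n";

# Read until orderly EOF. sysread returning undef is an error, not end of
# data, so whatever was buffered so far must not be treated as a complete
# download (the failure mode described in the report).
my ($buf, $total) = ('', 0);
while (1) {
    my $n = $cl->sysread(my $chunk, 16384);
    die "read failed after $total bytes: $SSL_ERROR ($!)\n" if !defined $n;
    last if $n == 0;                  # close_notify or TCP FIN: done
    $buf   .= $chunk;
    $total += $n;
}
$cl->close;

# Minimal HTTP/1.0 sanity checks: a status line must exist, be 200, and the
# body must match Content-Length when the server sent one.
my ($head, $body) = split /\r?\n\r?\n/, $buf, 2;
die "no HTTP response received ($total bytes)\n"
    unless defined $head && $head =~ m{^HTTP/1\.[01] (\d{3})};
my $status = $1;
die "unexpected HTTP status $status\n" unless $status == 200;
$body = '' unless defined $body;
if ($head =~ /^Content-Length:\s*(\d+)\s*$/mi) {
    my $want = $1;
    die sprintf("truncated body: got %d of %d bytes\n", length $body, $want)
        unless length($body) == $want;
}
printf "ok: %d body bytes from %s over %s (%s)\n",
    length $body, $host, $version, $cipher;
```

Run it as a plain Perl script with the module under test on the library path (for a build directory, perl -Mblib). With a working stack it prints the version lines followed by a single "ok:" line; any non-zero exit means the fetch must be considered failed, which is the behaviour the corrupted-temp-file scenario above was missing.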

zarniwhoop73 commented 3 years ago

Ouch. I'm using BLFS (beyond linuxfromscratch) and I've been allowing Net::SSLeay tests to fail because somebody reported that one test in t/external/15_altnames.t may fail (although they all passed for me a couple of months ago). Now I look, I can see 5 tests and 37 subtests failed in that. Guess I'll be raising an issue there.

1..3
ok 1 - loaded
# openssl version compiled=0x30000000 linked=0x30000000 -- OpenSSL 3.0.0 7 sep 2021
# Net::SSLeay version=1.90
# parent IO::Socket::IP version=0.41
ok 2 - IO::Socket::SSL::DEBUG 1
ok 3 - Net::SSLeay::trace 1

[...]
Forgot to hit the 'Comment' button.
In the meantime, I've been pointed to some commits for Net-SSLeay which reduce its failures to

Test Summary Report
-------------------
t/local/33_x509_create_cert.t        (Wstat: 256 Tests: 139 Failed: 1)
  Failed test:  37
  Non-zero exit status: 1
Files=43, Tests=2817,  8 wallclock secs ( 0.27 usr  0.03 sys +  5.05 cusr  0.39 csys =  5.74 CPU)
Result: FAIL
Failed 1/43 test programs. 1/2817 subtests failed.

But the failures in this package are unchanged.

I suppose you would need to use Net-SSLeay from git to get to this point; the commits were:

https://github.com/radiator-software/p5-net-ssleay/commit/7d7d74a409493e59850541c2a78519de768d2848.patch
https://github.com/radiator-software/p5-net-ssleay/commit/0dd5d3d92d9e35e56ccb9d88108adb7a59fbcbca.patch
https://github.com/radiator-software/p5-net-ssleay/commit/327550f61f5e1e932ea911e59ccc496ebb307030.patch
https://github.com/radiator-software/p5-net-ssleay/pull/273.patch

The 'Changes' part of the last doesn't apply to the release.

pghmcfc commented 3 years ago

Rather than using Net-SSLeay from git, there is a 1.91_01 development release that works for me with OpenSSL 3.0.0 in Fedora Rawhide. Using that build, I get the following results from IO-Socket-SSL's test suite:

$ make test
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
# openssl version compiled=0x30000000 linked=0x30000000 -- OpenSSL 3.0.0 7 sep 2021
# Net::SSLeay version=1.91_01
# parent IO::Socket::IP version=0.41
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 8/16 subtests 

#   Failed test 'Server Getlines Check 1'
#   at t/core.t line 251.
#          got: '0'
#     expected: '6'

#   Failed test 'Server Getlines Check 2'
#   at t/core.t line 253.
#          got: undef
#     expected: '1.04
# '

#   Failed test 'Server Getlines Check 3'
#   at t/core.t line 255.
#          got: undef
#     expected: '4
# '

#   Failed test 'Server Getlines Check 4'
#   at t/core.t line 257.
#          got: undef
#     expected: 'y
# '
Use of uninitialized value in join or string at t/core.t line 259.
Use of uninitialized value in join or string at t/core.t line 259.
Use of uninitialized value in join or string at t/core.t line 259.

#   Failed test 'Server Getlines Check 5'
#   at t/core.t line 259.
#          got: ''
#     expected: 'Test
# Beaver
# Beaver
# '

#   Failed test 'Client Sysread Check'
#   at t/core.t line 137.
#          got: 'aaaaaaaaaaaaaaaaaaaa'
#     expected: 'waaaanf'

#   Failed test 'Client Getline Check'
#   at t/core.t line 147.
#          got: undef
#     expected: 'Test
# '

#   Failed test 'Client Getc Check'
#   at t/core.t line 149.
#          got: '0'
#     expected: '$'

#   Failed test 'Client Getlines Check 1'
#   at t/core.t line 152.
#          got: '0'
#     expected: '6'

#   Failed test 'Client Getlines Check 2'
#   at t/core.t line 154.
#          got: undef
#     expected: '1.04
# '

#   Failed test 'Client Getlines Check 3'
#   at t/core.t line 156.
#          got: undef
#     expected: '4
# '

#   Failed test 'Client Getlines Check 4'
#   at t/core.t line 158.
#          got: undef
#     expected: 'y
# '
Use of uninitialized value in join or string at t/core.t line 160.
Use of uninitialized value in join or string at t/core.t line 160.
Use of uninitialized value in join or string at t/core.t line 160.

#   Failed test 'Client Getlines Check 5'
#   at t/core.t line 160.
#          got: ''
#     expected: 'Test
# Beaver
# Beaver
# '
t/core.t .......................... 
Failed 13/48 subtests 
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
# tcp connect to www.chksum.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# got stapled response as expected
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
# tcp connect to www.bild.de:443 ok
# tcp connect to revoked.grc.com:443 ok
t/external/ocsp.t ................. ok
# found 128 CA certs
# have root CA for www.yahoo.com in store
# 5 connections to www.yahoo.com ok
# have root CA for www.comdirect.de in store
# 5 connections to www.comdirect.de ok
# have root CA for www.twitter.com in store
# 5 connections to www.twitter.com ok
# have root CA for www.facebook.com in store
# 5 connections to www.facebook.com ok
# have root CA for www.live.com in store
# 5 connections to www.live.com ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... skipped: - do we measure the right thing?
t/mitm.t .......................... ok
t/multiple-cert-rsa-ecc.t ......... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
# -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
# looks like OpenSSL was compiled without SSLv3 support
# failed to accept TLSv1
# looks like OpenSSL was compiled without TLSv1 support
# failed to accept TLSv1_1
# looks like OpenSSL was compiled without TLSv1_1 support
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
Use of uninitialized value $c[0] in string eq at t/readline.t line 34.
Use of uninitialized value $b in string eq at t/readline.t line 48.
Use of uninitialized value $b in concatenation (.) or string at t/readline.t line 48.
Use of uninitialized value $c[0] in string eq at t/readline.t line 58.
Use of uninitialized value $c[0] in string eq at t/readline.t line 71.
Use of uninitialized value $c[0] in string eq at t/readline.t line 84.
t/readline.t ...................... 
Failed 5/19 subtests 
t/session_cache.t ................. ok
# listen at 127.0.0.1:43473
# listen at 127.0.0.1:58645
# connect to 0: success reuse=0 version=TLSv1_3
# connect to 0: success reuse=1 version=TLSv1_3
# connect to 1: success reuse=1 version=TLSv1_3
# connect to 1: success reuse=0 version=TLSv1_3
# connect to 0: success reuse=0 version=TLSv1_3
# connect to 0: success reuse=1 version=TLSv1_3
t/session_ticket.t ................ ok
t/sessions.t ...................... ok
t/set_curves.t .................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok
t/verify_partial_chain.t .......... ok

Test Summary Report
-------------------
t/connectSSL-timeout.t          (Wstat: 256 Tests: 10 Failed: 2)
  Failed tests:  9-10
  Non-zero exit status: 1
  Parse errors: Bad plan.  You planned 16 tests but ran 10.
t/core.t                        (Wstat: 0 Tests: 48 Failed: 13)
  Failed tests:  22-34
t/readline.t                    (Wstat: 0 Tests: 19 Failed: 5)
  Failed tests:  4, 7, 10, 13, 16
Files=42, Tests=805, 46 wallclock secs ( 0.12 usr  0.02 sys +  8.33 cusr  0.50 csys =  8.97 CPU)
Result: FAIL
Failed 3/42 test programs. 20/805 subtests failed.
make: *** [Makefile:788: test_dynamic] Error 255

noxxi commented 2 years ago

After small changes to IO::Socket::SSL and t/core.t it now should work with openssl 3.0.0 - released as 2.073