processone / fast_tls

TLS / SSL OpenSSL-based native driver for Erlang / Elixir
https://www.ejabberd.im

FTBFS with openssl 3 #59

Closed benharri closed 2 years ago

benharri commented 2 years ago

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013644

Building with openssl 3.0.4-2 in Debian sid

module 'fast_tls'
  fast_tls: transmission_with_client_certificate_test...*failed*
in function fast_tls:transmission_test_with_opts/2 (fast_tls.erl, line 564)
in call from eunit_test:'-mf_wrapper/2-fun-0-'/2 (eunit_test.erl, line 273)
in call from eunit_test:run_testfun/1 (eunit_test.erl, line 71)
in call from eunit_proc:run_test/1 (eunit_proc.erl, line 531)
in call from eunit_proc:with_timeout/3 (eunit_proc.erl, line 356)
in call from eunit_proc:handle_test/2 (eunit_proc.erl, line 514)
in call from eunit_proc:tests_inorder/3 (eunit_proc.erl, line 456)
in call from eunit_proc:with_timeout/3 (eunit_proc.erl, line 346)
**error:{assertEqual,[{module,fast_tls},
              {line,564},
              {expression,"Msg"},
              {expected,<<"abcdefghi">>},
              {value,{error,<<"SSL_do_handshake failed: error:1"...>>,<<>>}}]}
  output:<<"">>

badlop commented 2 years ago

Are you able to reproduce the problem? I have a debian:sid docker image from April, and trying there, it works correctly:

root@874166f1fd30:~/fast_tls# uname -a
Linux 874166f1fd30 5.16.0-5-amd64 #1 SMP PREEMPT Debian 5.16.14-1 (2022-03-15) x86_64 GNU/Linux

root@874166f1fd30:~/fast_tls# git describe
1.1.13-15-g35a03e7

root@874166f1fd30:~/fast_tls# openssl version
OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)

root@874166f1fd30:~/fast_tls# rebar eunit -v
INFO:  Looking for p1_utils-.* ; found p1_utils-1.0.23 at /root/fast_tls/deps/p1_utils
INFO:  Looking for p1_utils-.* ; found p1_utils-1.0.23 at /root/fast_tls/deps/p1_utils
==> fast_tls (eunit)
INFO:  sh info:
        cwd: "/root/fast_tls"
        cmd: cp -R src/fast_tls.erl src/p1_sha.erl ".eunit"
INFO:  Cover compiling /root/fast_tls
======================== EUnit ========================
module 'fast_tls'
  fast_tls: transmission_with_client_certificate_test...[0.472 s] ok
  fast_tls: transmission_without_client_certificate_test...[0.408 s] ok
  fast_tls: transmission_without_server_cert_fails_test...ok
  fast_tls: not_compatible_protocol_options_test...[0.406 s] ok
  [done in 1.298 s]
module 'p1_sha'
  p1_sha: sha1_test...ok
  p1_sha: sha224_test...ok
  p1_sha: sha256_test...ok
  p1_sha: sha384_test...ok
  p1_sha: sha512_test...ok
  p1_sha: to_hexlist_test...ok
  [done in 0.018 s]
=======================================================
  All 10 tests passed.
Cover analysis: /root/fast_tls/.eunit/index.html
Coverdata export: /root/fast_tls/.eunit/cover.coverdata

benharri commented 2 years ago

I will try a build outside the Debian package (https://salsa.debian.org/ejabberd-packaging-team/erlang-p1-tls)

Neustradamus commented 2 years ago

@benharri: Have you looked?

benharri commented 2 years ago

Apologies, just trying now. In a fresh sid container setup:

apt update && apt dist-upgrade -y && apt install -y git erlang-dev libssl-dev rebar make build-essential
make all test

Seems to be working??

root@1035a4d75234:/fast_tls# make all test
rebar get-deps compile
==> p1_utils (get-deps)
==> fast_tls (get-deps)
==> p1_utils (compile)
==> fast_tls (compile)
Compiling c_src/fast_tls.c
c_src/fast_tls.c: In function 'set_fips_mode_nif':
c_src/fast_tls.c:1409:2: warning: #warning OpenSSL 3 FIPS support not implemented [-Wcpp]
 1409 | #warning OpenSSL 3 FIPS support not implemented
      |  ^~~~~~~
c_src/fast_tls.c:1390:7: warning: unused variable 'ret' [-Wunused-variable]
 1390 |   int ret = 1;
      |       ^~~
c_src/fast_tls.c: In function 'get_fips_mode_nif':
c_src/fast_tls.c:1422:2: warning: #warning OpenSSL 3 FIPS support not implemented [-Wcpp]
 1422 | #warning OpenSSL 3 FIPS support not implemented
      |  ^~~~~~~
Compiling c_src/ioqueue.c
Compiling c_src/p1_sha.c
rebar skip_deps=true eunit
==> fast_tls (eunit)
Compiled src/p1_sha.erl
Compiled src/fast_tls.erl
  All 10 tests passed.
Cover analysis: /fast_tls/.eunit/index.html
Coverdata export: /fast_tls/.eunit/cover.coverdata

Still getting the same error with git-buildpackage and the Debian package as in my initial report. I'm not able to see anything different. They're both building and running unit tests in a sid chroot/container.

benharri commented 2 years ago

Full build log from gbp buildpackage: https://bhh.sh/pub/fast_tls-error.txt

weiss commented 2 years ago

Didn't look into it, but for what it's worth, the full error message is:

fast_tls:transmission_with_client_certificate_test/0
     Failure/Error: ?assertEqual(<<97,98,99,100,101,102,103,104,105>>, Msg)
       expected: <<"abcdefghi">>
            got: {error,<<"SSL_do_handshake failed: error:16000069:STORE routines::unregistered scheme">>,
                        <<>>}
     %% eunit_proc.erl:346:in `eunit_proc:with_timeout/3`

nosnilmot commented 2 years ago

> Didn't look into it, but for what it's worth, the full error message is:
>
> fast_tls:transmission_with_client_certificate_test/0
>      Failure/Error: ?assertEqual(<<97,98,99,100,101,102,103,104,105>>, Msg)
>        expected: <<"abcdefghi">>
>             got: {error,<<"SSL_do_handshake failed: error:16000069:STORE routines::unregistered scheme">>,
>                         <<>>}
>      %% eunit_proc.erl:346:in `eunit_proc:with_timeout/3`

Oh! I've seen that before! It's a nightmare to diagnose. I even have a file nightmare.txt in my fast_tls directory from when I was trying to diagnose it. It happens if the 'certs' directory does not exist in your OpenSSL configuration directory - identified by openssl version -d

fast_tls $ openssl version -d
OPENSSLDIR: "/usr/local/etc/openssl@3"

No certs dir there:

fast_tls $ ls /usr/local/etc/openssl@3/certs
ls: /usr/local/etc/openssl@3/certs: No such file or directory

Reproduce the error:

fast_tls $ rebar3 eunit
===> Verifying dependencies...
===> Analyzing applications...
===> Compiling fast_tls
===> Performing EUnit tests...
F.........
Failures:

  1) fast_tls:transmission_with_client_certificate_test/0
     Failure/Error: ?assertEqual(<<97,98,99,100,101,102,103,104,105>>, Msg)
       expected: <<"abcdefghi">>
            got: {error,<<"SSL_do_handshake failed: error:16000069:STORE routines::unregistered scheme">>,
                        <<>>}
     %% eunit_proc.erl:346:in `eunit_proc:with_timeout/3`
     Output: 
     Output: 

Finished in 1.710 seconds
10 tests, 1 failures
===> Error running tests

Create the directory:

fast_tls $ mkdir /usr/local/etc/openssl@3/certs

Error is gone:

fast_tls $ rebar3 eunit
===> Verifying dependencies...
===> Analyzing applications...
===> Compiling fast_tls
===> Performing EUnit tests...
..........
Finished in 1.814 seconds
10 tests, 0 failures
fast_tls $ 

It's not a fast_tls issue. I'd argue it's an OpenSSL bug but it drained enough from me diagnosing it that I had nothing left to report it.
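
The diagnosis in the comment above can be turned into a pre-flight check to run before the test suite in a build chroot or container. This is an added example, not part of the thread or of fast_tls; the function names `parse_openssldir` and `check_certs_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: check for the missing OPENSSLDIR/certs condition described
# in the thread. Function names are hypothetical, not part of fast_tls.

# Extract the directory from a line of `openssl version -d` output,
# e.g.  OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    printf '%s\n' "$1" |
        sed -n 's/^OPENSSLDIR:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Returns 0 if <OPENSSLDIR>/certs exists, 1 if it is missing,
# 2 if the input line could not be parsed.
check_certs_dir() {
    dir=$(parse_openssldir "$1")
    if [ -z "$dir" ]; then
        echo "could not parse OPENSSLDIR from: $1" >&2
        return 2
    fi
    if [ -d "$dir/certs" ]; then
        echo "ok: $dir/certs exists"
        return 0
    fi
    echo "missing: $dir/certs (handshake may fail with 'unregistered scheme')" >&2
    return 1
}

# When openssl is on PATH, check the live configuration.
if command -v openssl >/dev/null 2>&1; then
    check_certs_dir "$(openssl version -d)" || true
fi
```

A non-zero result from `check_certs_dir` in a minimal build environment points at the environment rather than at fast_tls, matching the conclusion reached in the thread.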

benharri commented 2 years ago

I was able to fix the build with gbp by creating that certs dir. Thanks for the info @nosnilmot !!

benharri commented 2 years ago

I think we'll be able to solve this by adding openssl as a build-dep. I'll close it out.