reactphp / socket

Async, streaming plaintext TCP/IP and secure TLS socket server and client connections for ReactPHP.
https://reactphp.org/socket/
MIT License

Failed tests with OpenSSL 3 #275

Closed remicollet closed 2 years ago

remicollet commented 2 years ago

Found in Fedora CI since Fedora 36 was updated to OpenSSL 3.0 https://koschei.fedoraproject.org/package/php-react-socket

Also found on RHEL 9-Beta

```
There was 1 error:

1) React\Tests\Socket\FunctionalSecureServerTest::testClientUsesTls10WhenCryptoMethodIsExplicitlyConfiguredByClient
RuntimeException: Connection to tls://127.0.0.1:46863 failed during TLS handshake: Connection lost during TLS handshake (ECONNRESET)

/builddir/build/BUILDROOT/php-react-socket-1.10.0-1.el9.remi.x86_64/usr/share/php/React/Socket/SecureConnector.php:67
/usr/share/php/React/Promise/RejectedPromise.php:28
/usr/share/php/React/Promise/Promise.php:134
/usr/share/php/React/Promise/Promise.php:168
/usr/share/php/React/Promise/Promise.php:148
/usr/share/php/React/Promise/Promise.php:237
/usr/share/php/React/Promise/RejectedPromise.php:42
/usr/share/php/React/Promise/Promise.php:135
/usr/share/php/React/Promise/Promise.php:168
/usr/share/php/React/Promise/Promise.php:148
/usr/share/php/React/Promise/Promise.php:237
/usr/share/php/React/Promise/Deferred.php:43
/builddir/build/BUILDROOT/php-react-socket-1.10.0-1.el9.remi.x86_64/usr/share/php/React/Socket/StreamEncryption.php:129
/builddir/build/BUILDROOT/php-react-socket-1.10.0-1.el9.remi.x86_64/usr/share/php/React/Socket/StreamEncryption.php:76
/usr/share/php/React/EventLoop/StreamSelectLoop.php:245
/usr/share/php/React/EventLoop/StreamSelectLoop.php:212
/usr/share/php/Clue/React/Block/functions.php:147
/builddir/build/BUILD/socket-d132fde589ea97f4165f2d94b5296499eac125ec/tests/FunctionalSecureServerTest.php:175
```

WyriHaximus commented 2 years ago

Thanks for reporting @remicollet, is this also with the latest 1.10 release from a few hours ago?

WyriHaximus commented 2 years ago

If I'm interpreting https://koji.fedoraproject.org/koji/taskinfo?taskID=79402997 and https://koji.fedoraproject.org/koji/taskinfo?taskID=79257205 correctly this was resolved in 1.10? (Seems that results on that just came in.)

remicollet commented 2 years ago

This report is about 1.9.0 and 1.10.0, build passes because this test is temporarily disabled for 1.10

remicollet commented 2 years ago

FYI `/usr/bin/phpunit9 --bootstrap bootstrap.php --filter '^((?!(testConnectorUsesGivenResolverInstance|testConnectorUsesResolvedHostnameIfDnsIsUsed|testClientUsesTls10WhenCryptoMethodIsExplicitlyConfiguredByClient)).)*$' --exclude-group internet --verbose`

I need to check testConnectorUsesGivenResolverInstance and testConnectorUsesResolvedHostnameIfDnsIsUsed, perhaps they need to be added in the "internet" group => PR #276

clue commented 2 years ago

@remicollet Thank you for reporting!

I can confirm this may indeed cause a test failure on some systems, but this should not affect normal usage of this library in any way.

The test in question explicitly creates a legacy TLS 1.0 connection, which by today's standards would be considered insecure. In fact, this would be prohibited on modern deployments (see MinProtocol = TLSv1.2 in openssl.conf).

The test already has a number of skip sections that check for specific error codes, but it looks like a dropped connection with no error is not among these checks at the moment.

It probably makes sense to refactor these tests to be more robust. I'll look into this when I can find some time, but happy to accept PRs if anybody wants to look into this before I get a chance! :+1:
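
The skip decision discussed in the comment above, extended to a handshake that is dropped without an OpenSSL error, as an added example (not code from reactphp/socket or from any commenter). The function name, the signature list and the second sample message are assumptions; only the ECONNRESET message is taken from the report.

```php
<?php
// Added example: decide whether a failed legacy-TLS test is a skip or a real failure.
// Not code from reactphp/socket; names and the signature list are assumptions.

// Substrings indicating that the local TLS stack refused the legacy protocol.
// The ECONNRESET text is from the report above; the other three are OpenSSL
// reason strings chosen for this example.
const LEGACY_TLS_REFUSAL_SIGNATURES = [
    'Connection lost during TLS handshake (ECONNRESET)',
    'no protocols available',
    'unsupported protocol',
    'tlsv1 alert protocol version',
];

/** @return string 'pass', 'skip' or 'fail' */
function legacyTlsTestOutcome(int $cryptoMethod, ?Throwable $error): string
{
    if ($error === null) {
        return 'pass';
    }
    // Only tests that explicitly request TLS 1.0/1.1 may be skipped; a refused
    // TLS 1.2+ handshake is a genuine failure and must stay visible.
    $legacy = [STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT, STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT];
    if (!in_array($cryptoMethod, $legacy, true)) {
        return 'fail';
    }
    foreach (LEGACY_TLS_REFUSAL_SIGNATURES as $signature) {
        if (stripos($error->getMessage(), $signature) !== false) {
            return 'skip'; // in PHPUnit: $this->markTestSkipped($error->getMessage())
        }
    }
    return 'fail'; // unknown error: do not hide it behind a skip
}

// Constructed inputs: $reset carries the message from the report, $other is made up.
$reset = new RuntimeException('Connection to tls://127.0.0.1:46863 failed during TLS handshake: Connection lost during TLS handshake (ECONNRESET)');
$other = new RuntimeException('Connection to tls://127.0.0.1:46863 failed: certificate verify failed');

foreach ([
    [STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT, $reset],
    [STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, $reset],
    [STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT, $other],
    [STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT, null],
] as [$method, $error]) {
    echo legacyTlsTestOutcome($method, $error), PHP_EOL;
}
```

Restricting the skip to tests that request a legacy protocol keeps a reset on a TLS 1.2 handshake reported as a failure instead of being silently skipped.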