OpenSSL 1.1.1 test failures in Ruby

[voxik]

OpenSSL 1.1.1 have landed in Fedora Rawhide:

$ rpm -q openssl-devel
openssl-devel-1.1.1-0.pre8.fc29.x86_64

Trying to build Ruby 2.5.1, I observe the following errors:

  1) Failure:
OpenSSL::TestSSL#test_add_certificate [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de18a9038@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  2) Failure:
OpenSSL::TestSSL#test_alpn_protocol_selection_ary [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de1d98148@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  3) Failure:
OpenSSL::TestSSL#test_client_ca [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de2ce8d50@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  4) Failure:
OpenSSL::TestSSL#test_close_after_socket_close [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de2e1a2a0@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  5) Failure:
OpenSSL::TestSSL#test_ecdh_curves [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de3f33578@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  6) Failure:
OpenSSL::TestSSL#test_get_ephemeral_key [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de428afa0@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  7) Failure:
OpenSSL::TestSSL#test_minmax_version [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de437b360@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  8) Failure:
OpenSSL::TestSSL#test_options_disable_versions [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de4680010@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
  9) Failure:
OpenSSL::TestSSL#test_post_connection_check [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de4b36208@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 10) Failure:
OpenSSL::TestSSL#test_renegotiation_cb [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de5bbe698@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 11) Failure:
OpenSSL::TestSSL#test_set_params_min_version [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de5f42698@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 12) Failure:
OpenSSL::TestSSL#test_ssl_with_server_cert [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de60b0e80@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 13) Failure:
OpenSSL::TestSSL#test_sync_close [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de619b250@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 14) Failure:
OpenSSL::TestSSL#test_tlsext_hostname [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de6122e90@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 15) Failure:
OpenSSL::TestSSL#test_verify_hostname_on_connect [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de6285288@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 16) Failure:
OpenSSL::TestSSL#test_verify_result [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de62d71a0@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 17) Failure:
OpenSSL::TestSSLSession#test_ctx_server_session_cb [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de63440e8@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/test/lib/minitest/unit.rb:201:in `assert': Expected "\x96YM\x10\xD0\xDEt\x95\x91\xAB\xF3\xCDn#\xDE\xF5\xA0\x11\xC4\x8C\x04\xDFY\vq\v\f\x13zF\xD6\x1C" to be nil. (MiniTest::Assertion)
    from /builddir/build/BUILD/ruby-2.5.1/test/lib/test/unit/assertions.rb:37:in `assert'
    from /builddir/build/BUILD/ruby-2.5.1/test/lib/minitest/unit.rb:301:in `assert_nil'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:300:in `block in test_ctx_server_session_cb'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:258:in `block (2 levels) in start_server'
 18) Failure:
OpenSSL::TestSSLSession#test_resumption [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000563de63cd870@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'
 19) Failure:
OpenSSL::TestSSLSession#test_server_session_cache [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 2 threads:
#<Thread:0x0000563de6403b00@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/test/lib/minitest/unit.rb:201:in `assert': <"abc\n"> expected but was
<nil>. (MiniTest::Assertion)
    from /builddir/build/BUILD/ruby-2.5.1/test/lib/test/unit/assertions.rb:37:in `assert'
    from /builddir/build/BUILD/ruby-2.5.1/test/lib/test/unit/assertions.rb:300:in `assert_equal'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:202:in `block (3 levels) in test_server_session_cache'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:388:in `server_connect_with_session'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:201:in `block (2 levels) in test_server_session_cache'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:199:in `times'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:199:in `block in test_server_session_cache'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:258:in `block (2 levels) in start_server'
---
#<Thread:0x0000563de64036c8@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:233 dead>:
/builddir/build/BUILD/ruby-2.5.1/test/lib/minitest/unit.rb:201:in `assert': <0> expected but was
<1>. (MiniTest::Assertion)
    from /builddir/build/BUILD/ruby-2.5.1/test/lib/test/unit/assertions.rb:37:in `assert'
    from /builddir/build/BUILD/ruby-2.5.1/test/lib/test/unit/assertions.rb:300:in `assert_equal'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl_session.rb:162:in `block in test_server_session_cache'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:239:in `block (4 levels) in start_server'
 20) Failure:
TestGemRemoteFetcher#test_do_not_allow_invalid_client_cert_auth_connection [/builddir/build/BUILD/ruby-2.5.1/test/rubygems/test_gem_remote_fetcher.rb:845]:
[Gem::RemoteFetcher::FetchError] exception expected, not
Class: <OpenSSL::SSL::SSLError>
Message: <"SSL_read: tlsv1 alert decrypt error">
---Backtrace---
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/buffering.rb:182:in `sysread_nonblock'
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/buffering.rb:182:in `read_nonblock'
/builddir/build/BUILD/ruby-2.5.1/lib/net/protocol.rb:175:in `rbuf_fill'
/builddir/build/BUILD/ruby-2.5.1/lib/net/protocol.rb:157:in `readuntil'
/builddir/build/BUILD/ruby-2.5.1/lib/net/protocol.rb:167:in `readline'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http/response.rb:40:in `read_status_line'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http/response.rb:29:in `read_new'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1494:in `block in transport_request'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1491:in `catch'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1491:in `transport_request'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1464:in `request'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/request.rb:221:in `perform_request'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/request.rb:156:in `fetch'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/remote_fetcher.rb:368:in `request'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/remote_fetcher.rb:251:in `fetch_http'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/remote_fetcher.rb:292:in `fetch_path'
/builddir/build/BUILD/ruby-2.5.1/test/rubygems/test_gem_remote_fetcher.rb:846:in `block (2 levels) in test_do_not_allow_invalid_client_cert_auth_connection'
---------------
 21) Failure:
TestNetHTTPS#test_identity_verify_failure [/builddir/build/BUILD/ruby-2.5.1/test/net/http/utils.rb:48]:
<[]> expected but was
<["[2018-07-26 11:59:54] ERROR Errno::EPIPE: Broken pipe - SSL_accept\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/server.rb:299:in `accept'\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/server.rb:299:in `block (2 levels) in start_thread'\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/utils.rb:263:in `timeout'\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/server.rb:297:in `block in start_thread'\n"]>.
 22) Failure:
TestNetHTTPS#test_min_version [/builddir/build/BUILD/ruby-2.5.1/test/net/http/utils.rb:48]:
<[]> expected but was
<["[2018-07-26 11:59:54] ERROR Errno::EPIPE: Broken pipe - SSL_accept\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/server.rb:299:in `accept'\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/server.rb:299:in `block (2 levels) in start_thread'\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/utils.rb:263:in `timeout'\n" +
 "\t/builddir/build/BUILD/ruby-2.5.1/lib/webrick/server.rb:297:in `block in start_thread'\n"]>.
 23) Failure:
TestNetHTTPS#test_session_reuse [/builddir/build/BUILD/ruby-2.5.1/test/net/http/test_https.rb:85]:
Failed assertion, no message given.
 24) Failure:
TestNetHTTPS#test_session_reuse_but_expire [/builddir/build/BUILD/ruby-2.5.1/test/net/http/test_https.rb:112]:
<""> expected to be != to
<"">.
 25) Error:
OpenSSL::TestPKeyRSA#test_dup:
OpenSSL::PKey::RSAError: key size too small
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_pkey_rsa.rb:292:in `generate'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_pkey_rsa.rb:292:in `test_dup'

With PR #202 applied, there are fewer issues, but it does not solve everything.

I played a bit more with OpenSSL::TestSSL#test_client_ca and it seems that this test sometimes passes and other times fails. However, when I added ctx.ssl_version = :TLSv1_2 (similarly to PR #202), it passed every time. However, I think this is just a workaround, not a solution.

Discussing this a bit with Fedora OpenSSL maintainer, he confirms that this might be TLSv13 related. Is that a chance to fix this somehow?

[MSP-Greg]

Using WIndows MinGW, I had similar failures using trunk. All had the same, see below:

ruby/test/openssl/utils.rb:280
exceptions on 1 threads:
#<Thread:0x0000000003d3d850@ruby/test/openssl/utils.rb:252 dead>:
ruby-loco/pkg/ruby26_64/ruby26_64/lib/ruby/2.6.0/openssl/ssl.rb:487:in `accept':
An established connection was aborted by the software in your host machine. - SSL_accept (Errno::ECONNABORTED)
        from ruby-loco/pkg/ruby26_64/ruby26_64/lib/ruby/2.6.0/openssl/ssl.rb:487:in `accept'
        from ruby/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
        from ruby/test/openssl/utils.rb:222:in `loop'
        from ruby/test/openssl/utils.rb:222:in `block (2 levels) in start_server'

 1) OpenSSL::TestSSL#test_add_certificate
 2) OpenSSL::TestSSL#test_client_ca
 3) OpenSSL::TestSSL#test_close_after_socket_close
 4) OpenSSL::TestSSL#test_get_ephemeral_key
 5) OpenSSL::TestSSL#test_post_connection_check
 6) OpenSSL::TestSSL#test_ssl_with_server_cert
 7) OpenSSL::TestSSL#test_sync_close
 8) OpenSSL::TestSSL#test_tlsext_hostname
 9) OpenSSL::TestSSL#test_verify_result
10) OpenSSL::TestSSLSession#test_resumption

[MSP-Greg]

@voxik

This morning I had a quick look at the OpenSSL wiki & determined that, at least for me, finding the cause of these failures isn't a 10 minute task. IOW, do the tests need changes, does Ruby OpenSSL need changes, or is there an issue with 1.1.1...

Anyway, I forced the tests using OpenSSL::SSLTestCase#start_server to use a max version of TLSv1.2, along with one other change, and the tests pass on both 1.1.1-pre8 & 1.1.0h. See attached patch.

openssl_1.1.1.patch.txt

Unless noted, I always use trunk. Also, building Puma with 1.1.1 causes four test errors that do not occur with 1.1.0.

[rhenium]

Yes, the failures are related to TLS 1.3. The client closes the TCP socket before the server sends NewSessionTicket. #209 will fix them.

[MSP-Greg]

@rhenium

Thanks for the work. Using ruby 2.6.0dev (2018-08-06 trunk 64200) [x64-mingw32] and the OpenSSL snapshot from 03-Aug, I applied the patch into ruby trunk's tests, and all hunks succeeded.

OpenSSL tests in trunk had one failure:

  2) Failure:
OpenSSL::TestSSL#test_add_certificate [ruby/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000000003291938@test/openssl/utils.rb:252 dead>:
C:/Ruby99-x64rl/lib/ruby/2.6.0/openssl/ssl.rb:486:in `accept': An established connection was aborted by the software in your host machine. - SSL_accept (Errno::ECONNABORTED)
        from C:/Ruby99-x64rl/lib/ruby/2.6.0/openssl/ssl.rb:486:in `accept'
        from ruby/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
        from ruby/test/openssl/utils.rb:222:in `loop'
        from ruby/test/openssl/utils.rb:222:in `block (2 levels) in start_server'

Running trunk test/net/http/test_https.rb, two failures:

  1) Failure:
TestNetHTTPS#test_session_reuse_but_expire [ruby/test/net/http/test_https.rb:112]:
<""> expected to be != to
<"">.

  2) Failure:
TestNetHTTPS#test_session_reuse [ruby/test/net/http/test_https.rb:85]:
Failed assertion, no message given.

I won't have a chance to look at these until later. Thanks again, Greg

[rhenium]

@MSP-Greg Thank you for testing.

OpenSSL::TestSSL#test_add_certificate [ruby/test/openssl/utils.rb:280]:

The test case wasn't in the target branch of #209. I'll fix that when I merge to newer branches.

TestNetHTTPS#test_session_reuse_but_expire [ruby/test/net/http/test_https.rb:112]: TestNetHTTPS#test_session_reuse [ruby/test/net/http/test_https.rb:85]:

They need to be forced to use TLS <= 1.2.

[MSP-Greg]

@rhenium

As you might guess, I tend to work from ruby test-all. I'll have to re-check, but it did seem like the tests here had a few tests I didn't see in test-all.

Anyway, I've attached the patch I used to get trunk to pass test-all. spec passed without changes. Most of the patch is based on your patch. I'm not sure if the fixes are proper, or just a means of passing while other issues get finalized in OpenSSL...

FYI, ruby-loco is built on Appveyor, and sometime soon I'll get the OpenSSL package building there. If you're interested, I could add it to Appveyor, along with 2.5...

Thanks, Greg

ruby_openssl_1.1.1.patch.txt

[rhenium]

209 and additional fixes are now in master, and also in Ruby's trunk (r64233). make test-all passes fine for me.

TestNetHTTPS#test_session_reuse_but_expire [ruby/test/net/http/test_https.rb:112]: TestNetHTTPS#test_session_reuse [ruby/test/net/http/test_https.rb:85]:

They need to be forced to use TLS <= 1.2.

Looking through the code, session resumption in net/http and net/ftp was actually broken with TLS 1.3 (though these test cases needed adjustment, too). r64234 should fix that.

[MSP-Greg]

@rhenium

Thank you.

No need to add TLSv1.3 to OpenSSL::SSL::SSLContext::METHODS_MAP? I'll defer to your opinion...

[rhenium]

@MSP-Greg It's intentional that :TLSv1_3 isn't included. SSLContext::METHODS{,_MAP} are there to copy the behavior of the corresponding "SSL methods", which are declared deprecated by the OpenSSL team. They then decided not to provide version-specific SSL methods for TLS 1.3. I don't think we should provide :TLSv1_3 when TLSv1_3_method() doesn't exist. Anyway, new apps should use SSLContext#{min,max}_version= instead.

[voxik]

I am trying to cherry pick what is needed for Ruby 2.5.1. But I am still not down to zero :(

There is still #208, there is one RubyGems test failure which might be out of the scope:

  6) Failure:
TestGemRemoteFetcher#test_do_not_allow_invalid_client_cert_auth_connection [/builddir/build/BUILD/ruby-2.5.1/test/rubygems/test_gem_remote_fetcher.rb:845]:
[Gem::RemoteFetcher::FetchError] exception expected, not
Class: <OpenSSL::SSL::SSLError>
Message: <"SSL_read: tlsv1 alert decrypt error">
---Backtrace---
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/buffering.rb:182:in `sysread_nonblock'
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/buffering.rb:182:in `read_nonblock'
/builddir/build/BUILD/ruby-2.5.1/lib/net/protocol.rb:175:in `rbuf_fill'
/builddir/build/BUILD/ruby-2.5.1/lib/net/protocol.rb:157:in `readuntil'
/builddir/build/BUILD/ruby-2.5.1/lib/net/protocol.rb:167:in `readline'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http/response.rb:40:in `read_status_line'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http/response.rb:29:in `read_new'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1497:in `block in transport_request'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1494:in `catch'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1494:in `transport_request'
/builddir/build/BUILD/ruby-2.5.1/lib/net/http.rb:1467:in `request'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/request.rb:221:in `perform_request'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/request.rb:156:in `fetch'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/remote_fetcher.rb:368:in `request'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/remote_fetcher.rb:251:in `fetch_http'
/builddir/build/BUILD/ruby-2.5.1/lib/rubygems/remote_fetcher.rb:292:in `fetch_path'
/builddir/build/BUILD/ruby-2.5.1/test/rubygems/test_gem_remote_fetcher.rb:846:in `block (2 levels) in test_do_not_allow_invalid_client_cert_auth_connection'
---------------

But I am not sure about these errors:

 2) Failure:
OpenSSL::TestSSL#test_add_certificate [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000561c1247b3a8@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'

  3) Failure:
OpenSSL::TestSSL#test_minmax_version [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000561c1624e220@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'

  4) Failure:
OpenSSL::TestSSL#test_options_disable_versions [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000561c1651daa0@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'

  5) Failure:
OpenSSL::TestSSL#test_set_params_min_version [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:
exceptions on 1 threads:
#<Thread:0x0000561c17cfa2b8@/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:252 dead>:
/builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept': Broken pipe - SSL_accept (Errno::EPIPE)
    from /builddir/build/BUILD/ruby-2.5.1/.ext/common/openssl/ssl.rb:485:in `accept'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:226:in `block (3 levels) in start_server'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `loop'
    from /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:222:in `block (2 levels) in start_server'

Could you pleas help me which patch of specific hunk should fix these errors?

[MSP-Greg]

@voxik

If I've got what you're doing correct, you're not using the code here (as a base), and you're building 2.5.1 with OpenSSL 1.1.1.

2.5.1 uses Ruby OpenSSL 2.1.0, which was released approx 2017-Dec-14. OpenSSL openssl-1.1.1-pre1 was released 2018-Feb-13.

Maybe build trunk using 1.1.1, and if all's ok, figure out how to move it's OpenSSL (2.1.1?) back into 2.5.1?

[voxik]

you're building 2.5.1 with OpenSSL 1.1.1.

Yes. This [1] is Fedora .spec file with references to patches/PRs I applied. The patches can be found here [2] and this is this is the section with tests I have to disable [3].

[rhenium]

TestGemRemoteFetcher#test_do_not_allow_invalid_client_cert_auth_connection [/builddir/build/BUILD/ruby-2.5.1/test/rubygems/test_gem_remote_fetcher.rb:845]:

Ah, I overlooked this one. But this needs fixed by RubyGems side. SSLSocket#connect (Net::HTTP#start) won't wait for the server's response for the client certificate, and subsequent SSLSocket#{read,write} raises the exception instead.

OpenSSL::TestSSL#test_add_certificate [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]: OpenSSL::TestSSL#test_minmax_version [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]: OpenSSL::TestSSL#test_options_disable_versions [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]: OpenSSL::TestSSL#test_set_params_min_version [/builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:280]:

They aren't part of #209 because they did not exist in v2.0.x. Please see the 'maint' branch of this Git repository. It is tracking v2.1.x which Ruby 2.5 bundles.

[MSP-Greg]

@rhenium

Thanks for the help. After looking thru a lot of the code, both Ruby OpenSSL & OpenSSL, I think I now see what I was mixing up.

I added a repo for creating MSYS2/MinGW OpenSSL packages (they're staying with 1.0.2 for the time being), and I'm building a package based on OpenSSL master on Appveyor.

As of today, I'm using it when building ruby-loco (MinGW trunk), and it's passing test-all. I'll switch to a release once there is one for 1.1.1...