zeroc-ice / ice

All-in-one solution for creating networked applications with RPC, pub/sub, server deployment, and more.
https://zeroc.com
GNU General Public License v2.0

IceSSL/configuration certificate verification failure on bionic64 #427

Closed bentoi closed 5 years ago

bentoi commented 5 years ago

Occurred on both bionic64 and bionic64arm with distribution testing.

*** [61/91] Running cpp/IceSSL/configuration tests ***
[ running client/server test - 07/03/19 14:32:32 ]
- Config: amd64
(/home/vagrant/workspace/ice-dist/3.7/dist-utils/build/ice/builds/ice-g++-default/cpp/test/IceSSL/configuration/build/x86_64-linux-gnu/shared/server --Ice.Warn.Connections=1 --Ice.PrintAdapterReady=1 --Ice.NullHandleAbort=1 --Ice.Default.Protocol=tcp --Ice.ThreadPool.Server.Size=1 --Ice.Default.Host=127.0.0.1 --Ice.IPv6=0 --Ice.ThreadPool.Server.SizeMax=3 --Test.BasePort=14100 --Ice.PrintStackTraces=1 --Ice.ThreadPool.Server.SizeWarn=0 "/home/vagrant/workspace/ice-dist/3.7/dist-utils/build/ice/builds/ice-g++-default/cpp/test/IceSSL/configuration" env={'LD_LIBRARY_PATH': '/usr/lib/x86_64-linux-gnu'})
(/home/vagrant/workspace/ice-dist/3.7/dist-utils/build/ice/builds/ice-g++-default/cpp/test/IceSSL/configuration/build/x86_64-linux-gnu/shared/client --Ice.Default.Host=127.0.0.1 --Ice.Warn.Connections=1 --Ice.IPv6=0 --Ice.PrintStackTraces=1 --Test.BasePort=14100 --Ice.NullHandleAbort=1 --Ice.Default.Protocol=tcp "/home/vagrant/workspace/ice-dist/3.7/dist-utils/build/ice/builds/ice-g++-default/cpp/test/IceSSL/configuration" env={'LD_LIBRARY_PATH': '/usr/lib/x86_64-linux-gnu'})
testing with PKCS12 certificates...
testing manual initialization... ok
testing certificate verification... ok
testing certificate info... ok
testing certificate chains... ok
testing certificate extensions... ok
testing custom certificate verifier... ok
testing protocols... ok
testing expired certificates... ok
testing CA certificate directory... ok
testing multiple CA certificates... ok
testing password prompt... ok
testing ciphers... src/IceSSL/OpenSSLTransceiverI.cpp:314: ::Ice::SecurityException:
security exception:
IceSSL: certificate verification failed:
self signed certificate in certificate chain
failed!
test/IceSSL/configuration/AllTests.cpp:2678: assertion `false' failed

pepone commented 5 years ago

For some reason OPENSSL_VERSION_NUMBER is not correctly defined with bdist builds

Actually OPENSSL_VERSION_NUMBER is correctly defined with the build.

pepone commented 5 years ago

In the build VM opensslv.h has

# define OPENSSL_VERSION_NUMBER  0x1010007fL
# ifdef OPENSSL_FIPS
#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0g-fips  2 Nov 2017"
# else
#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0g  2 Nov 2017"
# endif

In the test VM opensslv.h has:

# define OPENSSL_VERSION_NUMBER  0x1010100fL
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1  11 Sep 2018"

The latter has TLS 1.3 support

/usr/include/openssl$ grep SSL_OP_NO_TLSv1_3 *
ssl.h:# define SSL_OP_NO_TLSv1_3                               0x20000000U
ssl.h:        SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)

SSL_OP_NO_TLSv1_3 is not defined in the build VM so code to disable tls1_3 is not working, https://github.com/zeroc-ice/ice/blob/71426c11713f89be000a4cc60c48b946dc89d373/cpp/src/IceSSL/OpenSSLEngine.cpp#L1093

The test that fails is expecting TLS 1.3 to be disabled, and the peers to negotiate an anon cipher ...
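
The build-time versus run-time mismatch described above, as an added example that is not part of the Ice code base: it decodes OpenSSL 1.x's 0xMNNFFPPS version-number encoding and flags the case where the headers used at build time predate SSL_OP_NO_TLSv1_3 while the library loaded at run time already speaks TLS 1.3. The two numbers are the constructed inputs quoted from opensslv.h in this thread; in a real check the run-time value would come from OpenSSL_version_num(), which is not called here so the example builds without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.x encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
 * S = status (0xf = release). */
#define OPENSSL_1_1_1 0x10101000UL /* first release whose headers define SSL_OP_NO_TLSv1_3 */

/* Render a version number in the familiar "1.1.0g" form. */
void openssl_version_string(unsigned long v, char *out, size_t outlen)
{
    unsigned major = (v >> 28) & 0xf;
    unsigned minor = (v >> 20) & 0xff;
    unsigned fix   = (v >> 12) & 0xff;
    unsigned patch = (v >> 4) & 0xff;
    if (patch)
        snprintf(out, outlen, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(out, outlen, "%u.%u.%u", major, minor, fix);
}

/* Headers of this version provide SSL_OP_NO_TLSv1_3 (and TLS 1.3 itself). */
int headers_can_disable_tls13(unsigned long build_version)
{
    return build_version >= OPENSSL_1_1_1;
}

/* The failure mode in this issue: the library loaded at run time negotiates
 * TLS 1.3, but the headers seen at build time lacked SSL_OP_NO_TLSv1_3, so
 * any #ifdef-guarded code that disables TLS 1.3 was compiled out. */
int tls13_disable_compiled_out(unsigned long build_version, unsigned long runtime_version)
{
    return runtime_version >= OPENSSL_1_1_1 && !headers_can_disable_tls13(build_version);
}

int main(void)
{
    /* Constructed inputs: the build VM (1.1.0g) and test VM (1.1.1) values above. */
    unsigned long build_version = 0x1010007fUL;
    unsigned long runtime_version = 0x1010100fUL;
    char b[32], r[32];
    openssl_version_string(build_version, b, sizeof b);
    openssl_version_string(runtime_version, r, sizeof r);
    printf("built against OpenSSL %s, running with OpenSSL %s\n", b, r);
    if (tls13_disable_compiled_out(build_version, runtime_version))
        printf("SSL_OP_NO_TLSv1_3 absent at build time: TLS 1.3 cannot be disabled\n");
    return 0;
}
```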

bentoi commented 5 years ago

I've fixed our Debian & Ubuntu VMs to run apt-get upgrade to upgrade the packages on provisioning... this should help with keeping the packages up-to-date.