Closed bentoi closed 5 years ago
For some reason OPENSSL_VERSION_NUMBER is not correctly defined with bdist builds
Actually OPENSSL_VERSION_NUMBER is correctly defined with the build.
In the build VM opensslv.h has:
# define OPENSSL_VERSION_NUMBER 0x1010007fL
# ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0g-fips 2 Nov 2017"
# else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0g 2 Nov 2017"
# endif
In the test VM opensslv.h has:
# define OPENSSL_VERSION_NUMBER 0x1010100fL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 11 Sep 2018"
The latter has TLS 1.3 support:
/usr/include/openssl$ grep SSL_OP_NO_TLSv1_3 *
ssl.h:# define SSL_OP_NO_TLSv1_3 0x20000000U
ssl.h: SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
SSL_OP_NO_TLSv1_3 is not defined in the build VM, so the code to disable TLS 1.3 is not working: https://github.com/zeroc-ice/ice/blob/71426c11713f89be000a4cc60c48b946dc89d373/cpp/src/IceSSL/OpenSSLEngine.cpp#L1093
The test that fails is expecting TLS 1.3 to be disabled, and the peers to negotiate an anon cipher ...
I've fixed our Debian & Ubuntu VMs to run apt-get upgrade to upgrade the packages on provisioning... this should help with keeping the packages up-to-date.
Occurred on both bionic64 and bionic64arm with distribution testing.
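
The mismatch described in this thread, as an added example that is not part of the original issue or the Ice code base: a startup check in C that decodes the two version numbers quoted above and flags the case where the headers predate TLS 1.3 but the loaded library supports it. The function names and the 1.1.1 threshold constant are assumptions made for this example; a real program would pass `OPENSSL_VERSION_NUMBER` (build time) and `OpenSSL_version_num()` (run time).

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption for this example: 1.1.1 is taken as the first version whose
 * headers define SSL_OP_NO_TLSv1_3 (the page shows 1.1.0g without it). */
#define TLS13_FIRST_VERSION 0x10101000UL

/* Decoded 0xMNNFFPPS version number as used by OpenSSL 1.x headers. */
struct ossl_version {
    unsigned major, minor, fix;
    char patch[2];   /* "a".."z", or "" when there is no patch letter */
    unsigned status; /* 0 = dev, 1..0xe = beta, 0xf = release */
};

struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version d;
    unsigned patch = (v >> 4) & 0xff; /* letters past 'z' are not handled */
    d.major = (v >> 28) & 0xf;
    d.minor = (v >> 20) & 0xff;
    d.fix = (v >> 12) & 0xff;
    d.patch[0] = patch ? (char)('a' + patch - 1) : '\0';
    d.patch[1] = '\0';
    d.status = v & 0xf;
    return d;
}

/* True when code behind "#ifdef SSL_OP_NO_TLSv1_3" was compiled out,
 * yet the library loaded at run time can still negotiate TLS 1.3. */
bool tls13_guard_compiled_out(unsigned long build, unsigned long runtime)
{
    return build < TLS13_FIRST_VERSION && runtime >= TLS13_FIRST_VERSION;
}

int main(void)
{
    /* Values quoted on the page: build VM headers and test VM headers. */
    unsigned long build = 0x1010007fUL, runtime = 0x1010100fUL;
    struct ossl_version b = decode_version(build), r = decode_version(runtime);

    printf("built against %u.%u.%u%s, running on %u.%u.%u%s\n",
           b.major, b.minor, b.fix, b.patch, r.major, r.minor, r.fix, r.patch);
    if (tls13_guard_compiled_out(build, runtime)) {
        fprintf(stderr, "TLS 1.3 cannot be disabled by this binary\n");
        return 1;
    }
    return 0;
}
```

Run at startup, a check like this turns the silent protocol change into an explicit failure instead of a test that negotiates an unexpected cipher.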