
Fails ssl tests with ruby2.5, ubuntu bionic, openssl1.1

Open xnox opened this issue 7 years ago • 6 comments

Hello,

In Ubuntu, we are in the process of moving to ruby2.5 by default, with openssl 1.1.

http appears to fail all the ssl based tests, similar to this:

Failures:

  1) HTTP::Client working with SSL fails with OpenSSL::SSL::SSLError if host mismatch
     Failure/Error:
       expect { client.get(dummy_ssl.endpoint.gsub("127.0.0.1", "localhost")) }.
         to raise_error(OpenSSL::SSL::SSLError, /does not match/)

       expected OpenSSL::SSL::SSLError with message matching /does not match/, got #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3/TLS write finished: sslv3 alert unsupported certificate> with backtrace:

Is there something wrong with http, the http ssl test harness, the certificate authority, or ruby? Note sslv3 should not be used at all anymore.... as that is not even compiled in.

Not sure where the "alert unsupported certificate" is coming from either.

xnox avatar Mar 16 '18 16:03 xnox

Those messages are generated by OpenSSL. Note anything OpenSSL says about "sslv3" is a red herring: it continues to say this about all TLS versions despite the fact it's no longer using SSLv3 (why? Because it's OpenSSL).

That said I'm not sure offhand what "unsupported certificate" is supposed to imply, and a cursory Googling doesn't really clear that up.

tarcieri avatar Mar 16 '18 16:03 tarcieri

Right, thanks. So somehow, I am suspecting that whatever ruby-certificate-authority has generated is not good enough. I guess I should be able to somehow invoke the certificate authority helpers and inspect whether what it has generated is at all valid still?

xnox avatar Mar 16 '18 16:03 xnox

It's possible OpenSSL 1.1 added additional certificate constraints which are not being upheld in those issued certs.

I don't have time to investigate right now but perhaps you could try to compare a certificate known to be working with the ones produced by the gem (using e.g. openssl x509 and openssl asn1parse) and see if you can spot the problem.

tarcieri avatar Mar 16 '18 20:03 tarcieri
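The two comments above ask how to inspect what the test CA produced and suggest comparing it against a known-good certificate. The script below is an added example, not code from http.rb, the certificate-authority gem or either commenter: it builds a throwaway CA and leaf certificate in memory with Ruby's own OpenSSL bindings (constructed sample data standing in for the harness' certs), then reports the properties worth comparing (signature algorithm, key size, SAN, CA flag), checks that the leaf chains to the CA, and runs the same hostname-identity check the "host mismatch" spec relies on. The names `build_ca`, `issue_leaf`, `inspect_cert`, `chain_ok?` and `hostname_matches?` are this example's own. Point `inspect_cert` at `OpenSSL::X509::Certificate.new(File.read(path))` to examine a real certificate instead.

```ruby
require "openssl"

# Constructed sample CA: self-signed, CA:TRUE, SHA-256 over a 2048-bit RSA key.
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=Example Test CA")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Constructed sample leaf: issued by the CA above, server-auth only, with the
# given subjectAltName string (e.g. "IP:127.0.0.1,DNS:example.test").
def issue_leaf(ca_cert, ca_key, san:, key_bits: 2048, digest: OpenSSL::Digest::SHA256.new)
  key = OpenSSL::PKey::RSA.new(key_bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=test server")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(ca_key, digest)
  [cert, key]
end

# The fields to line up side by side with a certificate that is known to work:
# a weak digest, a small key, or a missing SAN each show up here immediately.
def inspect_cert(cert)
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  bc = cert.extensions.find { |e| e.oid == "basicConstraints" }
  {
    subject: cert.subject.to_s,
    signature_algorithm: cert.signature_algorithm, # e.g. "sha256WithRSAEncryption"
    key_bits: cert.public_key.n.num_bits,          # RSA modulus size
    san: san && san.value,
    ca: !!(bc && bc.value.include?("CA:TRUE")),
    not_after: cert.not_after
  }
end

# Path validation only: does the leaf chain to the CA under OpenSSL's rules?
def chain_ok?(ca_cert, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(leaf)
end

# Identity check as used for the "host mismatch" spec: SAN entries first
# (DNS and IP), falling back to the subject CN only when no SAN is present.
def hostname_matches?(leaf, host)
  OpenSSL::SSL.verify_certificate_identity(leaf, host)
end

if __FILE__ == $0
  ca_cert, ca_key = build_ca
  leaf, _leaf_key = issue_leaf(ca_cert, ca_key, san: "IP:127.0.0.1,DNS:example.test")
  puts inspect_cert(ca_cert).inspect
  puts inspect_cert(leaf).inspect
  puts "chain ok: #{chain_ok?(ca_cert, leaf)}"
  %w[127.0.0.1 localhost example.test].each do |h|
    puts "#{h}: #{hostname_matches?(leaf, h)}"
  end
end
```

Running it shows the leaf chaining cleanly to the CA, matching `127.0.0.1` and `example.test` but not `localhost`, which is exactly the mismatch the spec provokes by rewriting the endpoint. If a harness-generated certificate fails `chain_ok?` or reports an unexpected signature algorithm or key size while this one passes, the difference is in the issued certificate rather than in http.rb's client code.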

We have seen this error in debian too https://ci.debian.net/data/packages/unstable/amd64/r/ruby-http/latest-autopkgtest/log.gz around 20 tests are failing.

pravi avatar May 13 '18 07:05 pravi

I'm not sure asserting on the error message is particularly useful so long as OpenSSL::SSL::SSLError is being raised. It's possible this might just be a different failure mode for the same error.

tarcieri avatar May 13 '18 14:05 tarcieri

Well, there's something wrong with this error in general :(( It's not related to message matching, this sslv3 alert unsupported certificate is causing other specs to fail too :((

ixti avatar Dec 20 '20 09:12 ixti