OpenSSL 3.2.1 breaks TLS related pytests
Started to package the new release and see a lot of test failures; it's probably caused by the upgrade to OpenSSL 3.2.1.
There are the following logs:
test/test_tls_sni.py::test_tls_sni FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:18 [error] 6224#6227 *39315 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_no_hostname FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:19 [error] 6224#6227 *39444 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_upper_case FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:21 [error] 6224#6227 *39573 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_only_bundle FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:23 [error] 6224#6227 *39702 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_wildcard FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:26 [error] 6224#6227 *39831 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_duplicated_bundle FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "alt2.localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [error] 6224#6227 *39960 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_same_alt FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "s" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "a" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "m" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "e" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "." in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "l" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "t" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "n" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "c" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "o" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [error] 6224#6227 *40089 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_empty_cn FAILED
Path to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:32 [error] 6224#6227 *40218 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_invalid PASSED
test/test_tls_tickets.py::test_tls_ticket SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_string SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_array SKIPPED (ticket check is not supported)
test/test_tls_tickets.py::test_tls_ticket_invalid PASSED
All CI jobs: https://gitlab.alpinelinux.org/alpine/aports/-/pipelines/222161
This looks like something specific to our tests as OpenSSL 3.2.1 itself seems to work fine with current Unit.
This error
2024/03/27 21:17:49 [error] 4401#4404 *26 SSL_do_handshake(33) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
would indicate that it doesn't know about our CA, which will just be some dummy thing for the tests.
I get the above error from Unit when I use curl without the -k option with a self-signed certificate.
Looks like our tests need to do the same thing as -k in curl...
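Added example, not part of the original thread or of Unit's test suite: a small triage script that decodes the OpenSSL error code in these unit.log lines to show that alert 48 was received from the peer, meaning the test client rejected Unit's certificate, not the other way round. The function names and the sample log are constructed for illustration; the bit layout and constants are those of OpenSSL 3.x.

```python
import re
from collections import Counter

# Constructed sample in the unit.log format quoted in this thread.
SAMPLE_LOG = """\
2024/03/27 03:05:18 [error] 6224#6227 *39315 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
"""

ERR_LIB_SSL = 20             # OpenSSL library number for libssl (0x0A000000 >> 23)
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for alerts read from the peer

# Certificate-related alert descriptions (RFC 8446, section 6.2).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(code):
    """Split an OpenSSL 3.x packed error code into (library, reason)."""
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def classify(line):
    """Return alert details for a log line, or None if it has no libssl error."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, reason = decode_openssl_error(int(m.group(1), 16))
    if lib != ERR_LIB_SSL:
        return None
    if SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
        # The peer (here: the test client) sent this alert to the server.
        return {"origin": "peer", "alert": alert, "name": ALERTS.get(alert, "other")}
    return {"origin": "local", "reason": reason}

def summarize(log_text):
    """Count peer-sent alerts by name across a whole log."""
    hits = (classify(line) for line in log_text.splitlines())
    return Counter(h["name"] for h in hits if h and h["origin"] == "peer")

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```
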
thank you! works as patch on Alpine
Great, thanks for testing!