Mailing List Archive: Apache: Dev

ssl related test failures

Index | Next | Previous | View Threaded

sf at sfritsch

Nov 9, 2009, 2:25 AM

Post #1 of 9 (765 views)
Permalink

ssl related test failures

Hi,

with openssl 0.9.8k, I currently get a large number of test failures:

Test Summary Report
-------------------
t/ssl/basicauth.t (Wstat: 0 Tests: 3 Failed: 2)
Failed tests: 2-3
t/ssl/env.t (Wstat: 0 Tests: 30 Failed: 15)
Failed tests: 16-30
t/ssl/extlookup.t (Wstat: 0 Tests: 2 Failed: 2)
Failed tests: 1-2
t/ssl/fakeauth.t (Wstat: 0 Tests: 3 Failed: 2)
Failed tests: 2-3
t/ssl/proxy.t (Wstat: 0 Tests: 172 Failed: 118)
Failed tests: 1-59, 114-172
t/ssl/require.t (Wstat: 0 Tests: 5 Failed: 2)
Failed tests: 2, 5
t/ssl/varlookup.t (Wstat: 0 Tests: 72 Failed: 72)
Failed tests: 1-72
t/ssl/verify.t (Wstat: 0 Tests: 3 Failed: 1)
Failed test: 2

Can somebody verify that this is a problem in trunk and not with my
perl-framework setup?

Thanks.

Stefan

rpluem at apache

Nov 9, 2009, 2:29 AM

Post #2 of 9 (724 views)
Permalink

Re: ssl related test failures [In reply to]

On 11/09/2009 11:25 AM, Stefan Fritsch wrote:
> Hi,
>
> with openssl 0.9.8k, I currently get a large number of test failures:
>
> Test Summary Report
> -------------------
> t/ssl/basicauth.t (Wstat: 0 Tests: 3 Failed: 2)
> Failed tests: 2-3
> t/ssl/env.t (Wstat: 0 Tests: 30 Failed: 15)
> Failed tests: 16-30
> t/ssl/extlookup.t (Wstat: 0 Tests: 2 Failed: 2)
> Failed tests: 1-2
> t/ssl/fakeauth.t (Wstat: 0 Tests: 3 Failed: 2)
> Failed tests: 2-3
> t/ssl/proxy.t (Wstat: 0 Tests: 172 Failed: 118)
> Failed tests: 1-59, 114-172
> t/ssl/require.t (Wstat: 0 Tests: 5 Failed: 2)
> Failed tests: 2, 5
> t/ssl/varlookup.t (Wstat: 0 Tests: 72 Failed: 72)
> Failed tests: 1-72
> t/ssl/verify.t (Wstat: 0 Tests: 3 Failed: 1)
> Failed test: 2
>
>
> Can somebody verify that this is a problem in trunk and not with my
> perl-framework setup?

Quick and maybe stupid question: Did you do a 'make clean' before
you complied httpd against 0.9.8k?

Regards

Rüdiger

sf at sfritsch

Nov 9, 2009, 2:40 AM

Post #3 of 9 (722 views)
Permalink

Re: ssl related test failures [In reply to]

On Monday 09 November 2009, Ruediger Pluem wrote:
> On 11/09/2009 11:25 AM, Stefan Fritsch wrote:
> > Hi,
> >
> > with openssl 0.9.8k, I currently get a large number of test
> > failures:
> > Test Summary Report
> > -------------------
> > t/ssl/basicauth.t (Wstat: 0 Tests: 3 Failed: 2)
> > Failed tests: 2-3
> > t/ssl/env.t (Wstat: 0 Tests: 30 Failed: 15)
> > Failed tests: 16-30
> > t/ssl/extlookup.t (Wstat: 0 Tests: 2 Failed: 2)
> > Failed tests: 1-2
> > t/ssl/fakeauth.t (Wstat: 0 Tests: 3 Failed: 2)
> > Failed tests: 2-3
> > t/ssl/proxy.t (Wstat: 0 Tests: 172 Failed: 118)
> > Failed tests: 1-59, 114-172
> > t/ssl/require.t (Wstat: 0 Tests: 5 Failed: 2)
> > Failed tests: 2, 5
> > t/ssl/varlookup.t (Wstat: 0 Tests: 72 Failed: 72)
> > Failed tests: 1-72
> > t/ssl/verify.t (Wstat: 0 Tests: 3 Failed: 1)
> > Failed test: 2
> >
> >
> > Can somebody verify that this is a problem in trunk and not with
> > my perl-framework setup?
>
> Quick and maybe stupid question: Did you do a 'make clean' before
> you complied httpd against 0.9.8k?
>
Yes, I did 'make distclean' and 'buildconf'

sctemme at apache

Nov 9, 2009, 7:13 AM

Post #4 of 9 (715 views)
Permalink

Re: ssl related test failures [In reply to]

Hi Stefan,

On Nov 9, 2009, at 2:25 AM, Stefan Fritsch wrote:

> Hi,
>
> with openssl 0.9.8k, I currently get a large number of test failures:

These tests do not fail for me. Can you run a subset in verbose and
see how they fail? Like:

t/TEST ... -verbose t/ssl/basicauth.t

should get you some more insight. Also, which platform?

S.

> Test Summary Report
> -------------------
> t/ssl/basicauth.t (Wstat: 0 Tests: 3 Failed: 2)
> Failed tests: 2-3
> t/ssl/env.t (Wstat: 0 Tests: 30 Failed: 15)
> Failed tests: 16-30
> t/ssl/extlookup.t (Wstat: 0 Tests: 2 Failed: 2)
> Failed tests: 1-2
> t/ssl/fakeauth.t (Wstat: 0 Tests: 3 Failed: 2)
> Failed tests: 2-3
> t/ssl/proxy.t (Wstat: 0 Tests: 172 Failed: 118)
> Failed tests: 1-59, 114-172
> t/ssl/require.t (Wstat: 0 Tests: 5 Failed: 2)
> Failed tests: 2, 5
> t/ssl/varlookup.t (Wstat: 0 Tests: 72 Failed: 72)
> Failed tests: 1-72
> t/ssl/verify.t (Wstat: 0 Tests: 3 Failed: 1)
> Failed test: 2
>
>
> Can somebody verify that this is a problem in trunk and not with my
> perl-framework setup?
>
> Thanks.
>
> Stefan
>
>

--
Sander Temme
sctemme [at] apache
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF

Attachments:

smime.p7s (2.16 KB)

sf at sfritsch

Nov 9, 2009, 7:55 AM

Post #5 of 9 (720 views)
Permalink

Re: ssl related test failures [In reply to]

On Monday 09 November 2009, Sander Temme wrote:
> Hi Stefan,
>
> On Nov 9, 2009, at 2:25 AM, Stefan Fritsch wrote:
> > Hi,
> >
> > with openssl 0.9.8k, I currently get a large number of test
> > failures:
>
> These tests do not fail for me. Can you run a subset in verbose
> and see how they fail? Like:
>
> t/TEST ... -verbose t/ssl/basicauth.t
>
> should get you some more insight. Also, which platform?

This is Debian unstable with the Debian openssl. It seems to complain
about an expired CRL. AFAICS with tcpdump, it doesn't try to connect
anywhere to get the CRL. Any ideas? If not I will dig deeper later,
no time ATM.

t/ssl/basicauth.t ..
1..3
# Running under perl version 5.010001 for linux
# Current time local: Mon Nov 9 16:36:42 2009
# Current time GMT: Mon Nov 9 15:36:42 2009
# Using Test.pm version 1.25_02
# Using Apache/Test.pm version 1.31
# testing : Getting /ssl-fakebasicauth/index.html with no cert
# expected: 500
# received: 500
ok 1
# testing : Getting /ssl-fakebasicauth/index.html with client_snakeoil cert
# expected: 200
# received: 500
not ok 2
# Failed test 2 in t/ssl/basicauth.t at line 25
# testing : Getting /ssl-fakebasicauth/index.html with client_ok cert
# expected: 401
# received: 500
not ok 3
# Failed test 3 in t/ssl/basicauth.t at line 30
Failed 2/3 subtests

From the error log:

[Mon Nov 09 16:38:53 2009] [info] Initial (No.1) HTTPS request received for child 1 (server localhost:8532)
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(552): [client 127.0.0.1] Changed client verification type will force renegotiation
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] Requesting connection re-negotiation
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(728): [client 127.0.0.1] Performing full renegotiation: complete handshake protocol
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1831): OpenSSL: Handshake: start
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSL renegotiate ciphers
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write hello request A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 flush data
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write hello request C
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] Awaiting re-negotiation handshake
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1831): OpenSSL: Handshake: start
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: before accept initialization
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 read client hello A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write server hello A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write certificate A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1231): [client 127.0.0.1] handing out temporary 1024 bit DH key
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write key exchange A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write certificate request A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 flush data
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1273): [client 127.0.0.1] Certificate Verification, depth 1 [subject: /C=US/ST=California/L=San
Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test-dev [at] httpd, issuer: /C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test-
dev [at] httpd, serial: D11C47D1766CFD0D]
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, ST=California, L=San Francisco, O=ASF, OU=httpd-test, CN=ca/emailAddress=test-
dev [at] httpd, lastUpdate: Oct 3 12:01:39 2009 GMT, nextUpdate: Nov 2 12:01:39 2009 GMT
[Mon Nov 09 16:38:53 2009] [warn] Found CRL is expired - revoking all certificates until you get updated CRL
[Mon Nov 09 16:38:53 2009] [error] [client 127.0.0.1] Certificate Verification: Error (12): CRL has expired
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1849): OpenSSL: Write: SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1868): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [error] [client 127.0.0.1] Re-negotiation handshake failed: Not accepted by client!?
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1273): [client 127.0.0.1] Certificate Verification, depth 1 [subject: /C=US/ST=California/L=San
Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test-dev [at] httpd, issuer: /C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test-
dev [at] httpd, serial: D11C47D1766CFD0D]
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, ST=California, L=San Francisco, O=ASF, OU=httpd-test, CN=ca/emailAddress=test-
dev [at] httpd, lastUpdate: Oct 3 12:01:39 2009 GMT, nextUpdate: Nov 2 12:01:39 2009 GMT
[Mon Nov 09 16:38:53 2009] [warn] Found CRL is expired - revoking all certificates until you get updated CRL
[Mon Nov 09 16:38:53 2009] [error] [client 127.0.0.1] Certificate Verification: Error (12): CRL has expired
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1849): OpenSSL: Write: SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1868): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] SSL library error 1 in handshake (server localhost:8532)
[Mon Nov 09 16:38:53 2009] [info] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] Connection closed to child 1 with abortive shutdown (server localhost:8532)

trawick at gmail

Nov 9, 2009, 8:02 AM

Post #6 of 9 (721 views)
Permalink

Re: ssl related test failures [In reply to]

On Mon, Nov 9, 2009 at 10:55 AM, Stefan Fritsch <sf [at] sfritsch> wrote:
> On Monday 09 November 2009, Sander Temme wrote:
>> Hi Stefan,
>>
>> On Nov 9, 2009, at 2:25 AM, Stefan Fritsch wrote:
>> > Hi,
>> >
>> > with openssl 0.9.8k, I currently get a large number of test
>> > failures:
>>
>> These tests do not fail for me. �Can you run a subset in verbose
>> �and see how they fail? �Like:
>>
>> t/TEST ... -verbose t/ssl/basicauth.t
>>
>> should get you some more insight. �Also, which platform?
>
> This is Debian unstable with the Debian openssl. It seems to complain
> about an expired CRL.

this is a test framework tree you've had for a while? the certs will
expire after a while (30 days perhaps?)

does "t/TEST -clean" force the certs to be generated next time you run
the tests? (you can see the openssl output scroll by)

sf at sfritsch

Nov 9, 2009, 11:34 AM

Post #7 of 9 (709 views)
Permalink

Re: ssl related test failures [In reply to]

On Monday 09 November 2009, Jeff Trawick wrote:
> >> and see how they fail? Like:
> >>
> >> t/TEST ... -verbose t/ssl/basicauth.t
> >>
> >> should get you some more insight. Also, which platform?
> >
> > This is Debian unstable with the Debian openssl. It seems to
> > complain about an expired CRL.
>
> this is a test framework tree you've had for a while? the certs
> will expire after a while (30 days perhaps?)
>
> does "t/TEST -clean" force the certs to be generated next time you
> run the tests? (you can see the openssl output scroll by)

Thanks, that was the right hint. With a new svn checkout of the
framework, all tests pass and "t/TEST -clean" or "make clean" cleans
the certs.

For some reason, the cleaning of the certs does not work with the old
tree. I don't think I am interested enough in the problem right now to
debug it, though.

rpluem at apache

Nov 9, 2009, 11:49 AM

Post #8 of 9 (708 views)
Permalink

Re: ssl related test failures [In reply to]

On 11/09/2009 08:34 PM, Stefan Fritsch wrote:
> On Monday 09 November 2009, Jeff Trawick wrote:
>>>> and see how they fail? Like:
>>>>
>>>> t/TEST ... -verbose t/ssl/basicauth.t
>>>>
>>>> should get you some more insight. Also, which platform?
>>> This is Debian unstable with the Debian openssl. It seems to
>>> complain about an expired CRL.
>> this is a test framework tree you've had for a while? the certs
>> will expire after a while (30 days perhaps?)
>>
>> does "t/TEST -clean" force the certs to be generated next time you
>> run the tests? (you can see the openssl output scroll by)
>
> Thanks, that was the right hint. With a new svn checkout of the
> framework, all tests pass and "t/TEST -clean" or "make clean" cleans
> the certs.
>
> For some reason, the cleaning of the certs does not work with the old
> tree. I don't think I am interested enough in the problem right now to
> debug it, though.
>

I noticed as well that from time to time for whatever reason t/TEST -clean
doesn't clean the certificates. But as a fresh checkout fixes this I haven't
had the energy so far to look deep into this.

Regards

R�diger

sctemme at apache

Nov 9, 2009, 12:24 PM

Post #9 of 9 (706 views)
Permalink

Re: ssl related test failures [In reply to]

On Nov 9, 2009, at 11:49 AM, Ruediger Pluem wrote:

>> Thanks, that was the right hint. With a new svn checkout of the
>> framework, all tests pass and "t/TEST -clean" or "make clean" cleans
>> the certs.
>>
>> For some reason, the cleaning of the certs does not work with the old
>> tree. I don't think I am interested enough in the problem right now
>> to
>> debug it, though.
>>
>
> I noticed as well that from time to time for whatever reason t/TEST -
> clean
> doesn't clean the certificates. But as a fresh checkout fixes this I
> haven't
> had the energy so far to look deep into this.

Same here. perl-framework insists on reconfiguring, recompiling and
re-keying every time I run it on my Mac. It reconfigures when I don't
want it to, and I can't make it reconfigure when I do want it to.

I don't have the perl-fu, time or energy to figure this out.

S.

--
Sander Temme
sctemme [at] apache
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF

Attachments:

smime.p7s (2.16 KB)

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads