SSLClientServerTest.* tests fail with OpenSSL 3.2.1
#1798
Comments
|
This is with OpenSSL 3.2.1, Brotli 1.1.0. |
mgorny
changed the title
SSLClientServerTest.* tests fail on Gentoo LinuxSSLClientServerTest.* tests fail with OpenSSL 3.2.1
|
This seems specific to OpenSSL 3.2.1. With 3.1.5, they work. |
|
@mgorny thanks for the report. It's interesting. Are you able to run the tests with 3.2.0 to see what will happen? |
|
Sure, just done that. I've getting the same failures as with 3.2.1. |
|
Thanks a lot. It seems like something has changed between 3.1.x and 3.2.0 about certificate handling... At this point, I have no idea why the problem came from. I'll do some research about 3.2 when I have time. Please let me know if you find any helpful information regarding this matter. |
|
The release notes are here: https://www.openssl.org/news/openssl-3.2-notes.html My first thought was "The default SSL/TLS security level has been changed from 1 to 2", but I've tried adding |
|
Hi, I can confirm this issue is impacting Debian too. It as been reported as Debian bug #1069357. I've been able to reproduce these failures on cpp-httplib versions as old as 0.10.8. It is unclear how severe this issue is. |
|
I tested with the openssl version 3.0.13 and confirmed that the unit test works, but it fails with the version 3.3.0 on my MacBook. They are both installed by Homebrew. I also generated So it sems like |
|
Nice find! I'll use that workaround in the Debian package in the meantime :) |
|
Maybe due to openssl/openssl#1418.. |
|
It seems like the following code to make certificates is no longer correct with the recent OpenSSL versions... Lines 65 to 77 in ae63b89 @davidgfnet, @PixlRainbow, @ottigeda, @sebblanchet, @jimmy-park, do you have any thoughts on this issue? |
Why though? That issue got fixed in OpenSSL 3.0, but this only manifests on OpenSSL 3.2 an newer. Edit: it might be helpful to run a git bisect on OpenSSL between 3.2 and 3.1 to see which commit effectively introduced the issue. |
|
Any progress here? We're hitting this in Fedora as well. |
|
Nothing so far. Any helpful information would be greatly appreciated. |
Since OpenSSL commit <openssl/openssl@342e365>, the default X.509 certificate format generated with the `openssl req` command has been changed to X.509 v3 from X.509 v1. For some reason, this change breaks cpp-httplib's SSLClientServerTest.* tests. To fix the test failures, this patch passes the '-x509v1' flag instead of '-x509' when OpenSSL 3.2.0 or newer is detected. To detect the version of a command line utility, Meson 0.62.0 or later is required. Fixes <yhirose#1798>, but only for the Meson build system.
|
I've run a git bisection and identified the OpenSSL commit which introduced the regression: openssl/openssl@342e365. I've used the following git bisect script: #!/bin/sh
set -efuxo pipefail
git clean -x -d -f 2>&1 >/dev/null || exit 125
git restore . || exit 125
./Configure --prefix=/tmp/tmp.ApsDLGFvVT/osslprefix --debug no-tests || exit 125
make -j 2 || exit 125
make install_sw || exit 125
cd ../cpp-httplib || exit 125
rm -rf build || exit 125
PATH="$(realpath ../osslprefix/bin):$PATH" meson setup --buildtype=debug -Db_lto=false -Dcpp-httplib_openssl=enabled -Dcpp-httplib_zlib=disabled -Dcpp-httplib_brotli=disabled -Dcpp-httplib_compile=true -Dcpp-httplib_test=true --pkg-config-path $(realpath ../osslprefix/lib64/pkgconfig/) build || exit 125
ninja -C build || exit 125
GTEST_COLOR=yes meson test -C build --verbose --test-args='--gtest_filter=SSLClientServerTest.*'The commit has changed the default X.509 certificate format from v1 to v3, which is what is breaking the tests. I don't know why tests are broken by this change, but the work around is pretty easy. I've submitted #1940 to fix this for the Meson build system. |
Since OpenSSL commit <openssl/openssl@342e365>, the default X.509 certificate format generated with the `openssl req` command has been changed to X.509 v3 from X.509 v1. For some reason, this change breaks cpp-httplib's SSLClientServerTest.* tests. To fix the test failures, this patch passes the '-x509v1' flag instead of '-x509' when OpenSSL 3.2.0 or newer is detected. To detect the version of a command line utility, Meson 0.62.0 or later is required. Fixes <yhirose#1798>, but only for the Meson build system.
) * build(meson): bump minimum version to 0.62.0 This allows making some minor cleanups * test(meson): fix SSLClientServerTest.* tests with OpenSSL 3.2.0 Since OpenSSL commit <openssl/openssl@342e365>, the default X.509 certificate format generated with the `openssl req` command has been changed to X.509 v3 from X.509 v1. For some reason, this change breaks cpp-httplib's SSLClientServerTest.* tests. To fix the test failures, this patch passes the '-x509v1' flag instead of '-x509' when OpenSSL 3.2.0 or newer is detected. To detect the version of a command line utility, Meson 0.62.0 or later is required. Fixes <#1798>, but only for the Meson build system.
|
@Tachi107 fantastic job! I'll make the same change to test/Makefile. |
|
I made the same fix in @sum01 you may want to make the same fix that we did in |
When attempting to run the test suite on Gentoo Linux amd64, I'm seeing most of the
SSLClientServerTest.*tests fail:This is on 548dfff (but I also reproduce the same result on 0.15.3).
Detailed results:
Please let me know how can I help you debug this.
Full output: test.txt
The text was updated successfully, but these errors were encountered: