Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test-tls-server-verify fails consistently on v0.12 #7194

Closed
rvagg opened this issue Jun 7, 2016 · 4 comments
Closed

test-tls-server-verify fails consistently on v0.12 #7194

rvagg opened this issue Jun 7, 2016 · 4 comments
Labels
test Issues and PRs related to the tests. tls Issues and PRs related to the tls subsystem.

Comments

@rvagg
Copy link
Member

rvagg commented Jun 7, 2016

Fails with output like this across all platforms on v0.12 based builds:

not ok 731 - test-tls-server-verify.js
#0 Running 'Do not request certs. Everyone is unauthorized.'
#1 Running 'Allow both authed and unauthed connections with CA1'
#0 - unauthed connection: null
#0 - unauthed connection: null
#0 - unauthed connection: null
#0 - unauthed connection: null
#1 - authed connection: agent1
#1 - unauthed connection: DEPTH_ZERO_SELF_SIGNED_CERT
#1 - unauthed connection: UNABLE_TO_GET_ISSUER_CERT
#1 - unauthed connection: UNABLE_TO_VERIFY_LEAF_SIGNATURE
#0 0   * unauthed
#0 1   * unauthed
#0 2   * unauthed
#0 3   * unauthed
#1 0   * authed
#1 1   * unauthed
#1 3   * unauthed
#1 2   * unauthed
#2 Running 'Do not request certs at connection. Do that later'
#3 Running 'Allow only authed connections with CA1'
#3 - authed connection: agent1
#3 0   * authed
#4 Running 'Allow only authed connections with CA1 and CA2'
#4 - authed connection: agent1
#4 0   * authed
#4 - authed connection: agent3
#4 2   * authed
#5 Running 'Allow only certs signed by CA2 but not in the CRL'
#
#assert.js:86
#  throw new assert.AssertionError({
#        ^
#AssertionError: 5 2 agent3 rejected, but should NOT have been
#    at ChildProcess.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux/nodes/centos7-64/test/simple/test-tls-server-verify.js:240:14)
#    at ChildProcess.emit (events.js:110:17)
#    at Process.ChildProcess._handle.onexit (child_process.js:1078:12)
#0 0   connecting with agent1
#0 1   connecting with agent2
#0 2   connecting with agent3
#0 3   connecting with nocert
#1 0   connecting with agent1
#1 1   connecting with agent2
#1 2   connecting with agent3
#1 3   connecting with nocert
#2 0   connecting with agent1
#3 0   connecting with agent1
#3 1   connecting with agent2
#3 2   connecting with agent3
#3 3   connecting with nocert
#4 0   connecting with agent1
#4 1   connecting with agent2
#4 2   connecting with agent3
#4 3   connecting with nocert
#5 0   connecting with agent1
#5 1   connecting with agent2
#5 2   connecting with agent3
#5 3   connecting with agent4
#5 4   connecting with nocert

Perhaps we failed to update something after the last OpenSSL upgrade.

Don't have links to public CI runs to show this but easily reproducible on local machines by all accounts.

@mscdex mscdex added tls Issues and PRs related to the tls subsystem. test Issues and PRs related to the tests. v0.12 labels Jun 7, 2016
@bnoordhuis
Copy link
Member

Perhaps we failed to update something after the last OpenSSL upgrade.

It's probably more prosaic than that. Looks like the CRL has simply expired:

$ openssl crl -noout -nextupdate -in test/fixtures/keys/ca2-crl.pem
nextUpdate=Apr 26 11:19:01 2016 GMT

@bnoordhuis
Copy link
Member

Cherry-picking 76f40f7 from master seems to fix it.

@bnoordhuis
Copy link
Member

#7195

bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue Jun 7, 2016
Back-port commit 76f40f7 ("test: stronger crypto in test fixtures") from
the master branch.

Pushes back the expiration date of test/fixtures/keys/ca2-crl.pem to
2018, fixing a CRL_HAS_EXPIRED error in simple/test-tls-server-verify.

Fixes: nodejs#7194
PR-URL: nodejs#7195
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
@rvagg rvagg closed this as completed Jun 23, 2016
@rvagg
Copy link
Member Author

rvagg commented Jun 23, 2016

thanks @bnoordhuis!

mmallick-ca pushed a commit to ibmruntimes/node that referenced this issue Oct 19, 2016
Back-port commit 76f40f7 ("test: stronger crypto in test fixtures") from
the master branch.

Pushes back the expiration date of test/fixtures/keys/ca2-crl.pem to
2018, fixing a CRL_HAS_EXPIRED error in simple/test-tls-server-verify.

Fixes: nodejs/node#7194
PR-URL: nodejs/node#7195
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
jBarz pushed a commit to ibmruntimes/node that referenced this issue Nov 4, 2016
Back-port commit 76f40f7 ("test: stronger crypto in test fixtures") from
the master branch.

Pushes back the expiration date of test/fixtures/keys/ca2-crl.pem to
2018, fixing a CRL_HAS_EXPIRED error in simple/test-tls-server-verify.

Fixes: nodejs/node#7194
PR-URL: nodejs/node#7195
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
test Issues and PRs related to the tests. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

No branches or pull requests

3 participants