
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 127095
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: bernhard+rtcpan [...] lsmod.de
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.059
Fixed in: 2.060



Subject: Tests fail in 2019-03-01
Also filed at https://bugzilla.opensuse.org/show_bug.cgi?id=1102852

probably an SSL cert expires

[ 47s] t/sni_verify.t (Wstat: 256 Tests: 5 Failed: 4)
[ 47s]   Failed tests: 2-5
[ 47s]   Non-zero exit status: 1
[ 47s]   Parse errors: Bad plan. You planned 17 tests but ran 5.
[ 47s] t/startssl.t (Wstat: 256 Tests: 10 Failed: 4)
[ 47s]   Failed tests: 5-8
[ 47s]   Non-zero exit status: 1
[ 47s]   Parse errors: Bad plan. You planned 21 tests but ran 10.
[ 47s] t/sysread_write.t (Wstat: 0 Tests: 2 Failed: 1)
[ 47s]   Failed test: 2
[ 47s]   Parse errors: Bad plan. You planned 9 tests but ran 2.
[ 47s] t/verify_hostname.t (Wstat: 0 Tests: 42 Failed: 2)
[ 47s]   Failed tests: 41-42
[ 47s] Files=38, Tests=636, 38 wallclock secs ( 0.20 usr 0.08 sys + 8.61 cu)
[ 47s] Result: FAIL
[ 47s] Failed 11/38 test programs. 33/636 subtests failed.

On Wed 12 Sep 2018, 01:09:33, http://bmwiedemann.zq1.de/ wrote:
> Also filed at
> https://bugzilla.opensuse.org/show_bug.cgi?id=1102852
>
> probably an SSL cert expires

I cannot reproduce this problem.
All test certificates shipped with the distribution are at least valid until 01/2019, i.e. unless you've set the system time several months into the future no certificates should be expired.

On Wed Sep 12 01:56:05 2018, SULLR wrote:
> I cannot reproduce this problem.
> All test certificates shipped with the distribution are at least valid
> until 01/2019, i.e. unless you've set the system time several months
> into the future no certificates should be expired.

All certificates expired now, see: https://bugzilla.suse.com/show_bug.cgi?id=1102852#c2

On Tue 22 Jan 2019, 05:30:58, pmgdeb@gmail.com wrote:
> On Wed Sep 12 01:56:05 2018, SULLR wrote:
> > I cannot reproduce this problem.
> > All test certificates shipped with the distribution are at least valid
> > until 01/2019, i.e. unless you've set the system time several months
> > into the future no certificates should be expired.
>
> All certificates expired now, see:
> https://bugzilla.suse.com/show_bug.cgi?id=1102852#c2

The certificates were renewed in 09/2018. Please use the latest version of IO::Socket::SSL (2.060) which comes with the renewed certificates.

On 2019-01-22 10:53:55, SULLR wrote:
> The certificates were renewed in 09/2018. Please use the latest
> version of IO::Socket::SSL (2.060) which comes with the renewed
> certificates.

I found that the new certs expire in 2028, so not very far in the future either.
What is the point of having tests that stop working later?

Background: as part of my work on reproducible builds for openSUSE, I check that software built in the future still gives the same build results as today. The default is building +15 years from now, because that is how long we expect today's software to be used (in some places)

On Tue 22 Jan 2019, 07:31:06, bmwiedemann wrote:
> On 2019-01-22 10:53:55, SULLR wrote:
> > The certificates were renewed in 09/2018. Please use the latest
> > version of IO::Socket::SSL (2.060) which comes with the renewed
> > certificates.
>
> I found that the new certs expire in 2028, so not very far in the
> future either.
> What is the point of having tests that stop working later?

One might ask the question this way, but one might also ask what's the point of installing in 2028 software from 2018 when the software deals with cryptographic stuff. 10 years is not a small time in cryptography. For example, 10 years ago we did not even have an OpenSSL version supporting TLS 1.2. Users should be encouraged to install current software at least in this area.

> Background: as part of my work on reproducible builds for openSUSE, I
> check that software built in the future still gives the same build
> results as today. The default is building +15 years from now, because
> that is how long we expect today's software to be used (in some
> places)

That's a use case I did not think of. But I hope that this version of IO::Socket::SSL is not used for 15 years - it is already big trouble today supporting users who happen to run older versions of IO::Socket::SSL or openssl since these versions come with the (often also outdated) distribution they use. There are often problems due to missing features in older versions which are considered essential today. And that's not even addressing the security problems: older versions had defaults which are considered weak or insecure today.

But you can use the script https://github.com/noxxi/p5-io-socket-ssl/blob/master/certs/create-certs.pl which is part of the source code but not part of the distribution to generate fresh certificates whenever you need, i.e. regenerate the certificates whenever you are doing a time shift.
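
For the time-shifted builds discussed in this ticket, a packager can check before the test run which PEM certificates would already be expired at the shifted date. This is an added example, not part of the ticket or of IO::Socket::SSL; the function names, the 365-day year and the constructed sample certificates are assumptions.

```sh
#!/bin/sh
# Added example (not from the ticket or the IO::Socket::SSL distribution).

# expired_at_offset DIR YEARS
# Print every *.pem certificate in DIR that is expired, or will be, YEARS
# from now (assumption: 365-day years). Returns 1 if any was printed.
expired_at_offset() {
    cert_dir=$1
    secs=$(( $2 * 365 * 24 * 3600 ))
    found=0
    for f in "$cert_dir"/*.pem; do
        [ -f "$f" ] || continue
        # Key-only PEM files carry no certificate; skip them.
        grep -q 'BEGIN CERTIFICATE' "$f" || continue
        # -checkend N exits non-zero when notAfter is within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1
        then
            echo "$f"
            found=1
        fi
    done
    return "$found"
}

# make_sample_certs DIR
# Constructed sample input: two self-signed certificates, one valid for
# 1 day and one for 7300 days, each with its key in a separate file.
make_sample_certs() {
    for spec in short:1 long:7300; do
        name=${spec%%:*}
        days=${spec##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
            -days "$days" -keyout "$1/$name-key.pem" \
            -out "$1/$name-cert.pem" >/dev/null 2>&1 || return 1
    done
}
```

Calling `expired_at_offset` on the directory holding the test certificates with the build's year offset lists the files that need regenerating before the tests can pass at that date.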