Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.4(EOL), 10.5
-
None
Description
The mentioned tests are now failing on the new Ubuntu Focal builders:
main.tls_version1 w1 [ fail ]
|
Test ended at 2020-03-17 13:43:25
|
|
|
CURRENT_TEST: main.tls_version1
|
ERROR 2026 (HY000): SSL connection error: tlsv1 alert internal error
|
mysqltest: At line 5: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/1/my.cnf --host=localhost --ssl -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
|
Output from before failure:
|
|
|
- saving '/dev/shm/var/1/log/main.tls_version1/' to '/dev/shm/var/log/main.tls_version1/'
|
|
|
Retrying test main.tls_version1, attempt(2/3)...
|
|
|
worker[1] > Restart - not started
|
main.tls_version1 w1 [ retry-fail ]
|
Test ended at 2020-03-17 13:43:25
|
|
|
CURRENT_TEST: main.tls_version1
|
ERROR 2026 (HY000): SSL connection error: tlsv1 alert internal error
|
mysqltest: At line 5: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/1/my.cnf --host=localhost --ssl -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
|
Output from before failure:
|
|
|
- skipping '/dev/shm/var/1/log/main.tls_version1/'
|
|
|
Test main.tls_version1 has failed 2 times, no more retries!
|
|
|
worker[1] > Restart - not started
|
main.tls_version w1 [ fail ]
|
Test ended at 2020-03-17 13:43:26
|
|
|
CURRENT_TEST: main.tls_version
|
ERROR 2026 (HY000): SSL connection error: no protocols available
|
mysqltest: At line 10: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/1/my.cnf --host=localhost --ssl --tls_version=TLSv1.1 -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
|
Output from before failure:
|
Variable_name Value
|
Ssl_version TLSv1.2
|
|
|
|
|
|
|
The result from queries just before the failure was:
|
Variable_name Value
|
Ssl_version TLSv1.2
|
Variable_name Value
|
Ssl_version TLSv1.2
|
|
|
- skipping '/dev/shm/var/1/log/main.tls_version/'
|
Example: http://buildbot.askmonty.org/buildbot/builders/kvm-deb-focal-amd64/builds/150/steps/mtr/logs/stdio
This is also reproducable on Launchpad builds, example: https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+build/18849686/+files/buildlog_ubuntu-focal-s390x.mariadb-10.5_1%3A10.5.2+maria~sid~ubuntu20.04.1~1584479139.d16ec42f3ea_BUILDING.txt.gz
It is however not failing on `kvm-deb-sid-amd64` even though they have the same libssl version. Maybe Ubuntu has some customization to drop TLS 1.0 and 1.1 as an extra override somewhere?
Notes to self:
- tests introduced in https://github.com/mariadb/server/commit/d13080133f6de9d89975b4c1f09615d47a10748d
- adjusted to be compatible with how RHEL introduced the policy to forbid TLS 1.0 and 1.1 in
MDEV-20170
Attachments
Activity
I disabled this temporarily in 3574b6f52e80861ed2bc010deec58d7ffed462d6, otherwise all other QA work would be stalled. Please re-enable it once this issue has been solved.
Here is something I tried to do myself in March but did not get it working in all situations: https://github.com/MariaDB/server/compare/10.5...ottok:wip-10.5-MDEV-21965
Temporarily disabled in https://github.com/MariaDB/server/commit/6f0b621caf76cf636771cab2e78b6e1846b31c78 - we can't have this keeping the CI red permanently, that halts all other quality assurance / testing work. Please fix and re-enable when you have a chance.
In the rightmost column all is green now on 10.5 head, and the 3 remaining MTR failures are this bug.
When do you plan to work on this?
< TLS-1.2 disabled for:
Affected:
Debian-10/buster - openssl-1.1.1[d] https://sources.debian.org/patches/openssl/1.1.1d-0+deb10u3/Set-systemwide-default-settings-for-libssl-users.patch/
but not Debian-9/stretch - openssl-1.1.0[l]
Affects:
Ubuntu Focal (20.04) 1.1.1f (http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog) - SECURITY_LEVEL=2 compile time minimium, can drop to SECURITY_LEVEL=1 with configuration.
Ubuntu Eoan 1.1.1c http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog (per focal)
Partial:
Ubuntu Disco 1.1.1b http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1b-1ubuntu2.4/changelog TLS_SECURITY_LEVEL=1 hence < TLSv1.1 disabled
Doesn't affect:
Ubuntu Bionic(18.04) 1.1.1 TLS_SECURITY_LEVEL=0 (per revert in changelog) http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1-1ubuntu2.1~18.04.5/changelog
Given its all about the security level, considering exposing https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html (added 1.1.0, not in wolfssl) as a read only system variable.
Windows has [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols](https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc) [enumeration](https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumkeyexa). So a list?
Once this is merged on 10.5, the tests need to be re-enabled:
diff --git a/mysql-test/unstable-tests b/mysql-test/unstable-tests
|
index bb8ae21a638..af5c7638e07 100644
|
--- a/mysql-test/unstable-tests
|
+++ b/mysql-test/unstable-tests
|
@@ -174,8 +174,6 @@ main.subselect : MDEV-20551 - Valgrind failure
|
main.subselect_innodb : MDEV-10614 - Wrong result
|
main.tc_heuristic_recover : MDEV-14189 - Wrong result
|
main.timezone2 : Modified in 10.4.12
|
-main.tls_version : MDEV-21965 - old TLS versions don't work on latest Debian and Ubuntu releases
|
-main.tls_version1 : MDEV-21965 - old TLS versions don't work on latest Debian and Ubuntu releases
|
main.type_blob : MDEV-15195 - Wrong result
|
main.type_datetime : Modified in 10.4.12
|
main.type_datetime_hires : MDEV-10687 - Timeout
|
Seems also AppVeyor builds by ratzpo of current 10.5 git head are also failing on this:
Completed: Failed 1/793 tests, 99.87% were successful.Failing test(s): main.tls_version1https://ci.appveyor.com/project/rasmushoj/server/builds/31952275
If nobody has time to fix this I will just disable the tests temporarily.