[MDEV-20170] main.tls_version and main.tls_version1 fail in buildbot on RHEL8 Created: 2019-07-24  Updated: 2020-03-04  Resolved: 2019-12-27

Status: Closed
Project: MariaDB Server
Component/s: Platform RedHat, SSL, Tests
Affects Version/s: 10.4
Fix Version/s: 10.4.12

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Attachments: File MDEV-20170.patch     File openssl_minprot.c    
Issue Links:
Blocks
Relates
relates to MDEV-19475 Add support for OpenSSL configuration... Closed

 Description   

http://buildbot.askmonty.org/buildbot/builders/kvm-rpm-rhel8-amd64/builds/814

10.4 11f3e2366282eb8cf1cb0062793d1020

main.tls_version1                        w4 [ fail ]
        Test ended at 2019-07-24 18:01:27
 
CURRENT_TEST: main.tls_version1
ERROR 2026 (HY000): Unknown SSL error
mysqltest: At line 5: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/4/my.cnf --host=localhost --ssl -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
Output from before failure:
 
 - saving '/dev/shm/var/4/log/main.tls_version1/' to '/dev/shm/var/log/main.tls_version1/'



 Comments   
Comment by Oleksandr Byelkin [ 2019-10-11 ]

georg, check if you can say something about it; if not, reassign it to me please

Comment by Georg Richter [ 2019-12-14 ]

TLSv1.0 and TLSv1.1 are deprecated in RHEL 8, unless the crypto policy is changed to LEGACY.

# update-crypto-policies --set LEGACY

It also looks like they were removed from the core crypto libraries; otherwise the error would be "tlsv1 alert protocol version".

See also: Security considerations in adopting RHEL8

Comment by Georg Richter [ 2019-12-17 ]

Patch attached

Comment by Sergei Golubchik [ 2019-12-25 ]

it's not LEGACY vs DEFAULT, it's

sh-4.4$ grep MinP /etc/crypto-policies/back-ends/opensslcnf.config 
MinProtocol = TLSv1.2

A proper detection of supported protocols could be done like this:

#!/bin/bash
# Start a throw-away TLS server on an explicit local port (4433 is also s_server's default).
openssl s_server -debug -accept 4433 -cert std_data/server-cert.pem -key std_data/server-key.pem </dev/zero >/dev/null 2>&1 &
SERVER_PID=$!

# Wait until the server actually accepts connections instead of racing it.
for i in $(seq 1 50); do
  openssl s_client -connect 127.0.0.1:4433 </dev/null >/dev/null 2>&1 && break
  sleep 0.1
done

# Probe each protocol version; the handshake fails (non-zero exit) when the version is disabled by policy.
for v in tls1 tls1_1 tls1_2 tls1_3; do
  if openssl s_client -connect 127.0.0.1:4433 -$v </dev/null >/dev/null 2>&1; then
    echo $v is supported
  else
    echo $v is disabled
  fi
done
kill $SERVER_PID
wait $SERVER_PID 2>/dev/null

But this exact script works unreliably; it needs more work.
Also it might be a tad too heavy to do it on every mtr run, regardless of whether it'll run SSL tests or not.

Comment by Sergei Golubchik [ 2019-12-25 ]

stracing openssl s_server on RHEL8 shows that it reads /etc/pki/tls/openssl.cnf and /etc/crypto-policies/back-ends/opensslcnf.config

Comment by Georg Richter [ 2019-12-26 ]

Serg, how about checking the minimum supported version with a small C program which scans the configuration file(s)?! I attached a small example demo for it.
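Georg's suggestion above, written out as an added example that is not part of the issue and is not the attached openssl_minprot.c: a small C program that scans an OpenSSL-style configuration for the MinProtocol directive, the same directive Sergei grepped out of /etc/crypto-policies/back-ends/opensslcnf.config. The SAMPLE_POLICY text is constructed for the example; the default file path is the one named in the issue; the numeric version values follow OpenSSL's TLS1_VERSION constants (0x0301 for TLSv1.0 through 0x0304 for TLSv1.3). A test driver such as mtr could use the returned minimum to skip tls_version tests whose version the system policy disables.

```c
/* Added example (not the project's code): find the MinProtocol directive in an
 * OpenSSL / crypto-policies configuration file and report it as a version number. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Version numbers as OpenSSL defines them (TLS1_VERSION ...); 0 means not set. */
enum { TLS_NONE = 0, TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303, TLS1_3 = 0x0304 };

/* Path quoted in the issue for RHEL 8; used when no argument is given. */
#define DEFAULT_POLICY_FILE "/etc/crypto-policies/back-ends/opensslcnf.config"

static const char *skip_ws(const char *s)
{
    while (*s && isspace((unsigned char)*s)) s++;
    return s;
}

/* Map a protocol name as written in the config ("TLSv1.2") to a version number. */
int tls_version_from_name(const char *name)
{
    if (strcmp(name, "TLSv1") == 0 || strcmp(name, "TLSv1.0") == 0) return TLS1_0;
    if (strcmp(name, "TLSv1.1") == 0) return TLS1_1;
    if (strcmp(name, "TLSv1.2") == 0) return TLS1_2;
    if (strcmp(name, "TLSv1.3") == 0) return TLS1_3;
    return TLS_NONE;
}

/* Scan config text line by line and return the value of the last MinProtocol
 * directive, ignoring comment lines, blank lines and surrounding whitespace.
 * Returns TLS_NONE when the directive is absent or its value is unknown. */
int min_protocol_from_text(const char *text)
{
    int result = TLS_NONE;
    const char *line = text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        const char *p = skip_ws(buf);
        /* '#' lines are comments; "MinProtocol" must be followed by '=' to count. */
        if (*p && *p != '#' && strncmp(p, "MinProtocol", 11) == 0) {
            p = skip_ws(p + 11);
            if (*p == '=') {
                char name[32];
                size_t n = 0;
                p = skip_ws(p + 1);
                while (p[n] && !isspace((unsigned char)p[n]) && n < sizeof name - 1) {
                    name[n] = p[n];
                    n++;
                }
                name[n] = '\0';
                result = tls_version_from_name(name);
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return result;
}

/* Read one configuration file and parse it; TLS_NONE if it cannot be read. */
int min_protocol_from_file(const char *path)
{
    static char text[65536];
    FILE *f = fopen(path, "r");
    if (!f) return TLS_NONE;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return min_protocol_from_text(text);
}

/* Constructed sample modelled on the DEFAULT-policy line quoted in the issue. */
const char SAMPLE_POLICY[] =
    "# constructed sample, not a real RHEL 8 policy file\n"
    "CipherString = @SECLEVEL=2:kEECDH:kRSA\n"
    "# MinProtocol = TLSv1\n"        /* commented out: must be ignored */
    "MinProtocol = TLSv1.2\n"
    "MaxProtocol = TLSv1.3\n";

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : DEFAULT_POLICY_FILE;
    int v = min_protocol_from_file(path);
    if (v == TLS_NONE) {
        printf("no MinProtocol found in %s, using constructed sample\n", path);
        v = min_protocol_from_text(SAMPLE_POLICY);   /* 0x0303 for SAMPLE_POLICY */
    }
    printf("minimum TLS protocol version: 0x%04x\n", v);
    return 0;
}
```

The issue's strace note says s_server reads both /etc/pki/tls/openssl.cnf and the policy file, so a real check should scan every file in that chain and keep the directive that applies to the section OpenSSL actually loads; this parser deliberately does not follow .include directives or section headers, it only reports the last MinProtocol line it sees in the file it is given.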

Generated at Thu Feb 08 08:57:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.