[MDEV-21965] main.tls_version and main.tls_version1 fail in buildbot on Ubuntu Focal Created: 2020-03-17  Updated: 2023-05-16  Resolved: 2020-05-11

Status: Closed
Project: MariaDB Server
Component/s: Platform Debian, SSL, Tests
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.5.4, 10.4.14

Type: Bug Priority: Major
Reporter: Otto Kekäläinen Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Attachments: PNG File screenshot-1.png    
Issue Links:
Duplicate

 Description   

The mentioned tests are now failing on the new Ubuntu Focal builders:

main.tls_version1                        w1 [ fail ]
        Test ended at 2020-03-17 13:43:25
 
CURRENT_TEST: main.tls_version1
ERROR 2026 (HY000): SSL connection error: tlsv1 alert internal error
mysqltest: At line 5: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/1/my.cnf --host=localhost --ssl -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
Output from before failure:
 
 - saving '/dev/shm/var/1/log/main.tls_version1/' to '/dev/shm/var/log/main.tls_version1/'
 
Retrying test main.tls_version1, attempt(2/3)...
 
worker[1] > Restart  - not started
main.tls_version1                        w1 [ retry-fail ]
        Test ended at 2020-03-17 13:43:25
 
CURRENT_TEST: main.tls_version1
ERROR 2026 (HY000): SSL connection error: tlsv1 alert internal error
mysqltest: At line 5: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/1/my.cnf --host=localhost --ssl -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
Output from before failure:
 
 - skipping '/dev/shm/var/1/log/main.tls_version1/'
 
Test main.tls_version1 has failed 2 times, no more retries!
 
worker[1] > Restart  - not started
main.tls_version                         w1 [ fail ]
        Test ended at 2020-03-17 13:43:26
 
CURRENT_TEST: main.tls_version
ERROR 2026 (HY000): SSL connection error: no protocols available
mysqltest: At line 10: exec of '/usr/bin/mysql --defaults-file=/dev/shm/var/1/my.cnf --host=localhost --ssl --tls_version=TLSv1.1 -e "show status like 'ssl_version';"' failed, error: 256, status: 1, errno: 11
Output from before failure:
Variable_name	Value
Ssl_version	TLSv1.2
 
 
 
The result from queries just before the failure was:
Variable_name	Value
Ssl_version	TLSv1.2
Variable_name	Value
Ssl_version	TLSv1.2
 
 - skipping '/dev/shm/var/1/log/main.tls_version/'

Example: http://buildbot.askmonty.org/buildbot/builders/kvm-deb-focal-amd64/builds/150/steps/mtr/logs/stdio

This is also reproducible on Launchpad builds, example: https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+build/18849686/+files/buildlog_ubuntu-focal-s390x.mariadb-10.5_1%3A10.5.2+maria~sid~ubuntu20.04.1~1584479139.d16ec42f3ea_BUILDING.txt.gz

It is however not failing on `kvm-deb-sid-amd64` even though they have the same libssl version. Maybe Ubuntu has some customization to drop TLS 1.0 and 1.1 as an extra override somewhere?

Notes to self:



 Comments   
Comment by Otto Kekäläinen [ 2020-04-04 ]

It seems AppVeyor builds by ratzpo of current 10.5 git head are also failing on this:

Completed: Failed 1/793 tests, 99.87% were successful.
Failing test(s): main.tls_version1

https://ci.appveyor.com/project/rasmushoj/server/builds/31952275

If nobody has time to fix this I will just disable the tests temporarily.

Comment by Otto Kekäläinen [ 2020-04-07 ]

I disabled this temporarily in 3574b6f52e80861ed2bc010deec58d7ffed462d6, otherwise all other QA work would be stalled. Please re-enable it once this issue has been solved.

Comment by Otto Kekäläinen [ 2020-04-09 ]

Here is something I tried to do myself in March but did not get it working in all situations: https://github.com/MariaDB/server/compare/10.5...ottok:wip-10.5-MDEV-21965

Comment by Otto Kekäläinen [ 2020-04-23 ]

Temporarily disabled in https://github.com/MariaDB/server/commit/6f0b621caf76cf636771cab2e78b6e1846b31c78 - we can't have this keeping the CI red permanently, that halts all other quality assurance / testing work. Please fix and re-enable when you have a chance.

Comment by Otto Kekäläinen [ 2020-04-26 ]

In the rightmost column all is green now on 10.5 head, and the 3 remaining MTR failures are this bug.

When do you plan to work on this?

Comment by Daniel Black [ 2020-05-03 ]

< TLS-1.2 disabled for:

Affected:

Debian-10/buster - openssl-1.1.1[d] https://sources.debian.org/patches/openssl/1.1.1d-0+deb10u3/Set-systemwide-default-settings-for-libssl-users.patch/

but not Debian-9/stretch - openssl-1.1.0[l]

Affects:

Ubuntu Focal (20.04) 1.1.1f (http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog) - SECURITY_LEVEL=2 compile time minimum, can drop to SECURITY_LEVEL=1 with configuration.

Ubuntu Eoan 1.1.1c http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog (per focal)

Partial:

Ubuntu Disco 1.1.1b http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1b-1ubuntu2.4/changelog TLS_SECURITY_LEVEL=1 hence < TLSv1.1 disabled

Doesn't affect:

Ubuntu Bionic(18.04) 1.1.1 TLS_SECURITY_LEVEL=0 (per revert in changelog) http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1-1ubuntu2.1~18.04.5/changelog

Given it's all about the security level, considering exposing https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html (added 1.1.0, not in wolfssl) as a read-only system variable.

Windows has [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols](https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc) [enumeration](https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumkeyexa). So a list?
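
The local policy discussed in the comment above can be probed without a server; the following is an added example, not part of the original issue or of MariaDB's code. It assumes the Python `ssl` module is linked against the same system OpenSSL as the client under test, and the function names `probe_version` and `local_tls_policy` are hypothetical.

```python
import ssl
import warnings

# Versions exercised by main.tls_version / main.tls_version1, plus TLS 1.3.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def probe_version(version):
    """Return (offered, reason) for a client pinned to exactly `version`.

    offered=True means the local library produced a ClientHello; it says
    nothing about whether a peer would accept it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no peer: only local policy is tested
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError as exc:           # version not supported by the library
        return False, str(exc)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:        # ClientHello written, waiting for a server
        return outgoing.pending > 0, None
    except ssl.SSLError as exc:         # e.g. NO_PROTOCOLS_AVAILABLE
        return False, exc.reason or str(exc)
    return False, "handshake finished without a peer (unexpected)"


def local_tls_policy():
    """Security level (None before Python 3.10) and per-version probe results."""
    level = getattr(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "security_level", None)
    return level, {v.name: probe_version(v) for v in VERSIONS}


if __name__ == "__main__":
    level, results = local_tls_policy()
    print(ssl.OPENSSL_VERSION, "security level:", level)
    for name, (offered, reason) in results.items():
        print(f"{name:8} {'offered' if offered else 'refused: ' + str(reason)}")
```

A version reported as refused corresponds to the client-side "no protocols available" failure in the main.tls_version log; a version reported as offered can still be rejected later in the handshake by the peer.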

Comment by Otto Kekäläinen [ 2020-05-14 ]

Once this is merged on 10.5, the tests need to be re-enabled:

diff --git a/mysql-test/unstable-tests b/mysql-test/unstable-tests
index bb8ae21a638..af5c7638e07 100644
--- a/mysql-test/unstable-tests
+++ b/mysql-test/unstable-tests
@@ -174,8 +174,6 @@ main.subselect                        : MDEV-20551 - Valgrind failure
 main.subselect_innodb                 : MDEV-10614 - Wrong result
 main.tc_heuristic_recover             : MDEV-14189 - Wrong result
 main.timezone2                        : Modified in 10.4.12
-main.tls_version                      : MDEV-21965 - old TLS versions don't work on latest Debian and Ubuntu releases
-main.tls_version1                     : MDEV-21965 - old TLS versions don't work on latest Debian and Ubuntu releases
 main.type_blob                        : MDEV-15195 - Wrong result
 main.type_datetime                    : Modified in 10.4.12
 main.type_datetime_hires              : MDEV-10687 - Timeout
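
Review bot: The two removed lines only take main.tls_version and main.tls_version1 off the mysql-test/unstable-tests list, while the thread cites two separate disabling commits (2020-04-07 and 2020-04-23) whose contents are not shown here, so confirm that this hunk reverts everything those commits changed before relying on it to re-enable the tests. The removed entries give the cause as old TLS versions not working on the latest Debian and Ubuntu releases, so this removal should land in the same merge as the fix on 10.5 rather than ahead of it.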
