[gnutls-devel] test hangs in 3.2.8.1

Thomas Klausner wiz at NetBSD.org
Sun Feb 9 12:52:36 CET 2014


On Sun, Jan 19, 2014 at 06:33:42PM +0100, Nikos Mavrogiannopoulos wrote:
> On 01/17/2014 11:31 AM, Thomas Klausner wrote:
> > On Fri, Jan 17, 2014 at 08:01:21AM +0100, Nikos Mavrogiannopoulos wrote:
> >>  The tests you disabled are simply scripts. Could you try running them
> >> and see where their failure is?
> > 
> > $ ./testdsa
> > Checking various DSA key sizes
> > Checking DSA-1024 with TLS 1.0
> > Error setting the x509 trust file
> > Checking server DSA-1024 with client DSA-1024 and TLS 1.0
> > Error setting the x509 trust file
> > Checking server DSA-1024 with client DSA-2048 and TLS 1.0
> > Checking server DSA-1024 with client DSA-3072 and TLS 1.0
> > (nothing happens for a long time)
> > (when I press CTRL-C it continues with)
> 
> Could there be some bashism in the script that makes it hang?

It seems so. Here's the output when run with bash:
# bash ./testdsa 
Checking various DSA key sizes
Checking DSA-1024 with TLS 1.0
Error setting the x509 trust file
Checking server DSA-1024 with client DSA-1024 and TLS 1.0
Error setting the x509 trust file
Checking server DSA-1024 with client DSA-2048 and TLS 1.0
Checking server DSA-1024 with client DSA-3072 and TLS 1.0
Checking DSA-1024 with TLS 1.2
Error setting the x509 trust file
Checking server DSA-1024 with client DSA-1024 and TLS 1.2
Error setting the x509 trust file
Checking server DSA-1024 with client DSA-2048 and TLS 1.2
Error setting the x509 trust file
*** Fatal error: The given DSA key is incompatible with the selected TLS protocol.
*** Handshake has failed
GnuTLS error: The given DSA key is incompatible with the selected TLS protocol.
Failure: Failed connection to a server with a client DSA 2048 key and TLS 1.2!

> You could also remove the redirections to /dev/null of stderr in that
> command to see the actual error. It's better first to check the script
> with /bin/bash to see if it succeeds.

And attached are the outputs when I set DEBUG="-d 9" in the script and
remove all >/dev/null redirects, both with /bin/sh and bash, then run it with
"... 2>&1 | tee output"

In case it matters, openssl is at 1.0.1f, the NetBSD base system version.

> 
> > Why are there left-over processes?
> > Are they perhaps emptying out the entropy pool and blocking for that
> > reason, or do you have another explanation?
> 
> I have no explanation yet, though it cannot be the entropy pool issue as
> /dev/urandom is used. However to identify the issue I'll need some debug
> data from you, e.g., by running the instance that fails without
> redirection of stderr and using -d 9, both on the client and server.

Let me know if you need further debugging information!

Thanks,
 Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: outputs.tar.gz
Type: application/x-tar-gz
Size: 15197 bytes
Desc: not available
URL: </pipermail/attachments/20140209/9b071ced/attachment.bin>