From alon.barlev at gmail.com Sat May 5 20:44:34 2018
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sat, 05 May 2018 18:44:34 +0000
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

Hi,
Any clue how to dig into this?
Reference[1]
Thanks!
Alon

[1] https://bugs.gentoo.org/show_bug.cgi?id=654918

From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 05 May 2018 19:21:19 +0000
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

Doesn't ring a bell. Could it be that a different gnutls library is used when running this test? Is there a way to run 'dtls-repro-20170915' manually with GNUTLS_DEBUG_LEVEL=6?

On Sat, May 5, 2018 at 9:02 PM Alon Bar-Lev wrote:
> Hi,
> Any clue how to dig into this?
>
> Reference[1]
> Thanks!
> Alon
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=654918
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sat, 05 May 2018 20:07:25 +0000
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

I will ask.
Thanks!

On Sat, May 5, 2018 at 10:21 PM Nikos Mavrogiannopoulos wrote:
> Doesn't ring a bell. Could it be that a different gnutls library is used when running
> this test? Is there a way to run 'dtls-repro-20170915' manually with GNUTLS_DEBUG_LEVEL=6?
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sat, 05 May 2018 20:30:11 +0000
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

Here[1]

[1] https://654918.bugs.gentoo.org/attachment.cgi?id=530054

On Sat, May 5, 2018 at 11:07 PM Alon Bar-Lev wrote:
> I will ask.
> Thanks!

From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Mon, 07 May 2018 06:15:27 +0000
Subject: [gnutls-devel] [tests] seccomp fails

Hi,

The seccomp tests are failing, I am almost sure these worked in the past.

FAIL: dtls-with-seccomp
FAIL: tls-with-seccomp
FAIL: dtls-client-with-seccomp
FAIL: tls-client-with-seccomp

Attached a log for example. Any clue? I cannot see anything I can decipher.

Kernel 4.9.95 has CONFIG_SECCOMP=y
sys-libs/libseccomp-2.3.2.

Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls-client-with-seccomp.log
Type: application/octet-stream
Size: 2486 bytes
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 7 May 2018 08:47:04 +0200
Subject: [gnutls-devel] [tests] seccomp fails

Could it be a switch of the system call used by glibc? Does strace provide more info on the blocked call?

On Mon, May 7, 2018 at 8:15 AM, Alon Bar-Lev wrote:
> Hi,
>
> The seccomp tests are failing, I am almost sure these worked in the past.
>
> FAIL: dtls-with-seccomp
> FAIL: tls-with-seccomp
> FAIL: dtls-client-with-seccomp
> FAIL: tls-client-with-seccomp
>
> Attached a log for example. Any clue? I cannot see anything I can decipher.
>
> Kernel 4.9.95 has CONFIG_SECCOMP=y
> sys-libs/libseccomp-2.3.2.
>
> Thanks!
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Mon, 07 May 2018 11:01:00 +0000
Subject: [gnutls-devel] [tests] seccomp fails

Interesting! I cannot reproduce. Strange, nothing was updated, only reboot.
But I have this bug[1]. I will ask for strace.

[1] https://bugs.gentoo.org/show_bug.cgi?id=649396

On Mon, May 7, 2018 at 9:47 AM Nikos Mavrogiannopoulos wrote:
> Could it be a switch of the system call used by glibc? Does strace provide
> more info on the blocked call?
From: ametzler at bebt.de (Andreas Metzler)
Date: Thu, 10 May 2018 16:21:17 +0200
Subject: [gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0
Message-ID: <20180510142117.GD1218@argenau.bebt.de>

Hello,

tests/pkcs11/tls-neg-pkcs11-key fails after upgrading softhsm from 2.2.0 to 2.4.0:

# 2.2.0
(sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$ tests/pkcs11/tls-neg-pkcs11-key
The token has been initialized.
checking: tls1.2: ecc key
checking: tls1.2: rsa-sign key
checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
checking: tls1.2: rsa-pss-sign key
softhsm2 doesn't support CKM_RSA_PKCS_PSS; skipping test
checking: tls1.2: rsa-pss cert, rsa-sign key
softhsm2 doesn't support CKM_RSA_PKCS_PSS; skipping test
checking: tls1.2: rsa-pss cert, rsa-sign key no PSS signatures
checking: tls1.2: ed25519 cert, ed25519 key

# 2.4.0
(sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$ tests/pkcs11/tls-neg-pkcs11-key
The token has been initialized and is reassigned to slot 1993469037
checking: tls1.2: ecc key
checking: tls1.2: rsa-sign key
checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
checking: tls1.2: rsa-pss-sign key
client[-28]: Resource temporarily unavailable, try again.
server[-87]: No supported cipher suites have been found.
try_with_key:189: Handshake failed

This is on Debian sid.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

-------------- next part --------------
A non-text attachment was scrubbed...
Name: verbose.log.gz
Type: application/gzip
Size: 6643 bytes
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 10 May 2018 20:19:58 +0200
Subject: [gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0
In-Reply-To: <20180510142117.GD1218@argenau.bebt.de>
References: <20180510142117.GD1218@argenau.bebt.de>

On Thu, May 10, 2018 at 4:21 PM, Andreas Metzler wrote:
> Hello,
>
> tests/pkcs11/tls-neg-pkcs11-key fails after upgrading softhsm from 2.2.0
> to 2.4.0:
> # 2.2.0
> (sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$ tests/pkcs11/tls-neg-pkcs11-key
> The token has been initialized.
> checking: tls1.2: ecc key
> checking: tls1.2: rsa-sign key
> checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
> checking: tls1.2: rsa-pss-sign key
> softhsm2 doesn't support CKM_RSA_PKCS_PSS; skipping test
> checking: tls1.2: rsa-pss cert, rsa-sign key
> softhsm2 doesn't support CKM_RSA_PKCS_PSS; skipping test
> checking: tls1.2: rsa-pss cert, rsa-sign key no PSS signatures
> checking: tls1.2: ed25519 cert, ed25519 key
> # 2.4.0
> (sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$ tests/pkcs11/tls-neg-pkcs11-key
> The token has been initialized and is reassigned to slot 1993469037
> checking: tls1.2: ecc key
> checking: tls1.2: rsa-sign key
> checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
> checking: tls1.2: rsa-pss-sign key
> client[-28]: Resource temporarily unavailable, try again.
> server[-87]: No supported cipher suites have been found.
> try_with_key:189: Handshake failed
> This is on Debian sid.
I have debian testing at home and it seems to work here (trying from gnutls master):

$ tests/pkcs11/tls-neg-pkcs11-key
The token has been initialized and is reassigned to slot 93147054
checking: tls1.2: ecc key
checking: tls1.2: rsa-sign key
checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
checking: tls1.2: rsa-pss-sign key
checking: tls1.2: rsa-pss cert, rsa-sign key
checking: tls1.2: rsa-pss cert, rsa-sign key no PSS signatures
checking: tls1.2: ed25519 cert, ed25519 key

Seeing the log, it is a bit modified since 3.6.2 (attached patch). If the patch doesn't fix it (not sure if the new sign algorithms were there), you could safely ignore that issue, as the RSA-PSS signatures in 3.6.2 are effectively disabled and the failure doesn't indicate a functional issue.

regards,
Nikos

-------------- next part --------------
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c index c85d8789df..c32dee27a6 100644 --- a/tests/pkcs11/tls-neg-pkcs11-key.c +++ b/tests/pkcs11/tls-neg-pkcs11-key.c @@ -286,7 +286,7 @@ static const test_st tests[] = { }, {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures", .pk = GNUTLS_PK_RSA, - .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512", + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-RSAE-SHA512", .cert = &server_ca3_rsa_pss_cert, .key = &server_ca3_rsa_pss_key, .exp_kx = GNUTLS_KX_ECDHE_RSA,
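Review bot: the `+ .prio` line now requires the library to recognise `SIGN-RSA-PSS-RSAE-SHA256/384/512`, and the cover text itself says you are not sure whether 3.6.2 knows those names; if it does not, the priority-string parser rejects the whole string and the "no PSS signatures" entry fails for an unrelated reason instead of exercising the softhsm case. Suggest either guarding the RSAE tokens on a library-version check so the entry is skipped on older trees, or at least adding a one-line comment at the `.prio` line stating that both the PSS and the PSS-RSAE signature families must be disabled for this entry to really mean "no PSS signatures".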
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 11 May 2018 08:28:29 +0200
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

Hi,
What I see there is a timeout of 168026ms. That means that it took quite more than the default value to finish. Could it be that the system is too slow?
If you add gnutls_dtls_set_timeouts() and play with the total value would it make it work? (the attached patch simply sets the default values, you'll need to modify the 60*1000 value)

regards,
Nikos

On Sat, May 5, 2018 at 10:30 PM Alon Bar-Lev wrote:
> Here[1]
>
> [1] https://654918.bugs.gentoo.org/attachment.cgi?id=530054

-------------- next part --------------
diff --git a/tests/common-cert-key-exchange.c b/tests/common-cert-key-exchange.c index 9d8fbb217..dab5a2ab0 100644 --- a/tests/common-cert-key-exchange.c +++ b/tests/common-cert-key-exchange.c
@@ -374,6 +374,7 @@ void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); + gnutls_dtls_set_timeouts(server, 500, 60*1000); gnutls_priority_set_direct(server, "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519", @@ -413,6 +414,7 @@ void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_ if (ret < 0) exit(1); + gnutls_dtls_set_timeouts(client, 500, 60*1000); gnutls_anon_allocate_client_credentials(&c_anoncred); gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer --- a/tests/suite/tls-fuzzer/tlsfuzzer +++ b/tests/suite/tls-fuzzer/tlsfuzzer @@ -1 +1 @@ -Subproject commit ff3ab5e356e413bba5845deecdfe105dd207a9a5 +Subproject commit ff3ab5e356e413bba5845deecdfe105dd207a9a5-dirty
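Review bot: the `+ gnutls_dtls_set_timeouts(server, 500, 60*1000);` line in the first hunk and its client twin in the second hard-code the same two magic numbers twice, while the cover mail asks the tester to edit the `60*1000` total-timeout value by hand; hoist both into a single `#define` (or read the total from an environment variable) so the server and client cannot drift apart, and comment which argument is the retransmission timeout and which the total. The cover mail also describes these as "the default values", but nothing in the hunk records what the effective values were before, so the commit message should say so; otherwise a reviewer cannot tell whether 500 ms changes behaviour.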
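Review bot: the final hunk rewrites the `tests/suite/tls-fuzzer/tlsfuzzer` submodule pointer to `ff3ab5e356e413bba5845deecdfe105dd207a9a5-dirty`, which is not a commit id but git's marker for a checked-out submodule with local uncommitted changes; it is unrelated to the DTLS timeout tweak and will not apply, so drop this hunk from the patch before anyone tests with it.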
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 11 May 2018 09:30:50 +0300
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

I asked the same question[1].

In the past when we had the nettle problem with big endian we also got timeout errors, I think that most handshake errors may be reported this way.

[1] https://bugs.gentoo.org/show_bug.cgi?id=654918#c3

On Fri, May 11, 2018 at 9:28 AM Nikos Mavrogiannopoulos wrote:
> Hi,
> What I see there is a timeout of 168026ms. That means that it took quite more than the default value to finish. Could it be that the system is too slow?
> If you add gnutls_dtls_set_timeouts() and play with the total value would it make it work? (the attached patch simply sets the default values, you'll need to modify the 60*1000 value)
> regards,
> Nikos
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 11 May 2018 09:04:50 +0200
Subject: [gnutls-devel] [sparc] test dtls-repro-20170915 fails dtls_try_with_key_mtu:160: dtls_try_with_key_mtu:160: Handshake failed

Could it be that some of the functions getting the time don't work reliably there? It would need quite some investigation from the person with access to the platform. It is not though a big-endian issue, we have a mips run on the CI (over qemu) which runs successfully:
https://gitlab.com/gnutls/gnutls/-/jobs/67460307

On Fri, May 11, 2018 at 8:31 AM Alon Bar-Lev wrote:
> I asked the same question[1].
>
> In the past when we had the nettle problem with big endian we also got
> timeout errors, I think that most handshake errors may be reported this
> way.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=654918#c3
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 12 May 2018 14:07:02 +0200
Subject: [gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0
References: <20180510142117.GD1218@argenau.bebt.de>
Message-ID: <20180512120702.GA1094@argenau.bebt.de>

On 2018-05-10 Nikos Mavrogiannopoulos wrote:
> On Thu, May 10, 2018 at 4:21 PM, Andreas Metzler wrote:
>> tests/pkcs11/tls-neg-pkcs11-key fails after upgrading softhsm from 2.2.0
[...]
> I have debian testing at home and it seems to work here (trying from
> gnutls master)

Hello,

Yes, gnutls master works. I have run git bisect to locate the "unbreakage" in between 3.6.2 and master and found 962ef882031062866f6782078af17cf9701266da which reverts

| ef44477127952c13e93d7ea88f7b549bf36602f5
| priority: disable the enabled by default RSA-PSS signature
| algorithms
|
| They have been modified in the latest (yet unsupported) TLS 1.3
| drafts, so prevent causes interoperability failures by keeping them
| on.

And indeed reverting ef44477127952c13e93d7ea88f7b549bf36602f5 on top of 3.6.2 also fixes the testsuite error in tls-neg-pkcs11-key.

cu Andreas
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Sat, 12 May 2018 12:20:15 +0000
Subject: [gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0
In-Reply-To: <20180512120702.GA1094@argenau.bebt.de>
References: <20180510142117.GD1218@argenau.bebt.de> <20180512120702.GA1094@argenau.bebt.de>
Message-ID: <4551A9CF-85A3-4BB3-8869-341F8C436EA7@gmail.com>

Note that if you use the revert you will make gnutls incompatible with other implementations with RSA PSS. If I remember well, these ciphersuites are from TLS1.3 draft21 and they changed semantics in later drafts. That's why they were disabled in 3.6.2. I think it is best to mark the test as xfail.

On May 12, 2018 12:07:02 PM UTC, Andreas Metzler wrote:
> Hello,
>
> Yes, gnutls master works.
> I have run git bisect to locate the "unbreakage" in between 3.6.2 and master and found
> 962ef882031062866f6782078af17cf9701266da which reverts
> | ef44477127952c13e93d7ea88f7b549bf36602f5
> | priority: disable the enabled by default RSA-PSS signature
> | algorithms
> |
> | They have been modified in the latest (yet unsupported) TLS 1.3
> | drafts, so prevent causes interoperability failures by keeping them
> | on.
>
> And indeed reverting ef44477127952c13e93d7ea88f7b549bf36602f5 on top of
> 3.6.2 also fixes the testsuite error in tls-neg-pkcs11-key.
>
> cu Andreas

-- 
Sent from my mobile. Please excuse my brevity.

From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 12 May 2018 15:14:12 +0200
Subject: [gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0
In-Reply-To: <4551A9CF-85A3-4BB3-8869-341F8C436EA7@gmail.com>
References: <20180510142117.GD1218@argenau.bebt.de> <20180512120702.GA1094@argenau.bebt.de> <4551A9CF-85A3-4BB3-8869-341F8C436EA7@gmail.com>
Message-ID: <20180512131412.GB1094@argenau.bebt.de>

On 2018-05-12 Nikos Mavrogiannopoulos wrote:
> Note that if you use the revert you will make incompatible gnutls with
> other implementations with RSA PSS. If I remember well, these
> ciphersuites are from TLS1.3 draft21 and they changed semantics in
> later drafts. that's why they were disabled in 3.6.2. I think it is
> best to mark the test as xfail.

Thanks for the warning, will do.

cu Andreas
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 13 May 2018 14:54:18 +0200
Subject: [gnutls-devel] 2 trivial fixes for tests/suite
Message-ID: <20180513125418.GA1242@argenau.bebt.de>

Hello,

find attached two fixes for tests/suite:

1: GnuTLS tests usually can be run against installed (instead of freshly built) gnutls-utilities. testcompat-main-openssl was lacking this feature.

2. testcompat-main-openssl needs params.dh but the file is not distributed.

cu Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-running-of-test-against-installed-gnutls-serv.patch
Type: text/x-diff
Size: 1210 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-tests-suite-add-missing-file-to-dist.patch
Type: text/x-diff
Size: 937 bytes

From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 15 May 2018 16:48:47 +0200
Subject: [gnutls-devel] 2 trivial fixes for tests/suite
In-Reply-To: <20180513125418.GA1242@argenau.bebt.de>
References: <20180513125418.GA1242@argenau.bebt.de>

On Sun, May 13, 2018 at 2:54 PM Andreas Metzler wrote:
> Hello,
>
> find attached two fixes for tests/suite:
>
> 1: GnuTLS tests usually can be run against installed (instead of
> freshly built) gnutls-utilities. testcompat-main-openssl was lacking this
> feature.
>
> 2. testcompat-main-openssl needs params.dh but the file is not
> distributed.

Applied, thank you.
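The "[tests] seccomp fails" thread of 7 May above turns on one question: which system call did the filter reject? A test that installs its allow-list with a kill action (the usual choice for a sandbox) answers that only with a dead process, which is why the log looked undecipherable and why strace was the next suggestion. The following is an added example, written for this page and not taken from the GnuTLS test suite or from the mails: a raw seccomp-bpf filter that traps one syscall instead of killing, plus a SIGSYS handler that reads the rejected syscall number from `si_syscall`. It assumes Linux on x86-64 or aarch64 and uses `__NR_getppid` merely as a stand-in for "a call the allow-list did not anticipate", the kind of silent switch a libc update can introduce; the names `install_trap_filter` and `blocked_syscall_number` are mine. It uses the raw kernel interface rather than libseccomp so it builds without extra libraries.

```c
/* Added example (not GnuTLS code): a seccomp-bpf filter that traps a
 * syscall instead of killing the process, so a SIGSYS handler can report
 * which call the filter rejected.  Linux x86-64 / aarch64 only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* x86-64 tags x32-ABI calls with this bit; such calls must never reach the
 * number comparison below.  Harmless on aarch64 (its numbers are small). */
#define DEMO_X32_SYSCALL_BIT 0x40000000U

/* Written by the SIGSYS handler: number of the last trapped syscall. */
static volatile sig_atomic_t trapped_syscall = -1;

static void sigsys_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)sig;
    (void)ctx;
    /* si_syscall names the rejected call.  With SECCOMP_RET_KILL there is
     * nothing to read: strace shows only "+++ killed by SIGSYS +++". */
    trapped_syscall = info->si_syscall;
}

/* Install: trap syscall `nr`, allow everything else.  Returns 0 on success,
 * -1 (errno set) if the handler or the filter could not be installed. */
static int install_trap_filter(int nr)
{
    struct sock_filter prog[] = {
        /* 1. Refuse any syscall made under a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 2. Load the syscall number; reject x32-tagged numbers outright. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, DEMO_X32_SYSCALL_BIT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3. The call under investigation: trap (SIGSYS) rather than kill. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof prog / sizeof prog[0]),
        .filter = prog,
    };
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSYS, &sa, NULL) < 0)
        return -1;
    /* An unprivileged process may only install a filter after this. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Installs the filter for getppid(2), issues that call and returns the
 * syscall number the handler recorded; -1 if the filter could not be set. */
long blocked_syscall_number(void)
{
    if (install_trap_filter(__NR_getppid) < 0)
        return -1;
    trapped_syscall = -1;
    /* Go through syscall(2) so libc cannot substitute a different call,
     * which is exactly the kind of silent switch that breaks a fixed
     * allow-list.  After a trap the return value is architecture-dependent,
     * so it is ignored here. */
    (void)syscall(__NR_getppid);
    return trapped_syscall;
}

int main(void)
{
    long nr = blocked_syscall_number();

    if (nr < 0) {
        perror("seccomp filter");
        return 1;
    }
    printf("filter trapped syscall %ld (__NR_getppid is %d)\n", nr, (int)__NR_getppid);
    return 0;
}
```

Run stand-alone it prints the trapped number, which equals `__NR_getppid`. The design choice is the action: a strict allow-list normally ends in `SECCOMP_RET_KILL`, and then the only external evidence is the SIGSYS death that `strace -f` reports (or a `type=SECCOMP` audit record when auditing is on); switching the default action to `SECCOMP_RET_TRAP` while diagnosing makes the rejected number explicit in `strace` output and in-process, after which the allow-list can be completed and the kill action restored.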