[gnutls-devel] GnuTLS | testcompat-main-openssl fails - 140270991812416:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310: (#572)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Sep 23 11:12:29 CEST 2018


Nikos Mavrogiannopoulos @nmav wrote:
> The launch_bare_server runs the server and puts it into background (with &). I'm not sure whether we can check the error code at all at this point. The error should have been caught at the wait_server call later. Wasn't it?

The test erred out, running into a timeout and error on killing:
```
(sid)ametzler at argenau:/tmp/GNUTLS/gnutls.git/tests/suite$ ./testcompat-openssl.sh
Compatibility checks using OpenSSL 1.1.1 11 Sep 2018
Running with FIPS140-2 enabled curves enabled
Disabling interop tests for RC4 ciphersuites
Disabling interop tests for 3DES ciphersuites
Disabling interop tests for NULL ciphersuites
Disabling interop tests for SSL 3.0
#################################################
# Client mode tests (gnutls cli-openssl server) #
#################################################
try 1
try 1
try 1
try 2
try 2
try 2
try 3
try 3
try 3
try 4
try 4
try 4
try 5
try 5
try 5
try 6
try 6
try 6
Server 44595 did not come up
./testcompat-main-openssl: 186: kill: No such process

Server 59694 did not come up
./testcompat-main-openssl: 186: kill: No such process

Server 27091 did not come up
./testcompat-main-openssl: 186: kill: No such process
```

> About the issue itself, I suspect it is the DSA key it is complaining for. Maybe we should separate the DSA tests from the RSA tests to address that issue.

Yes, DSA seems to be the cause; running without the RSA key/cert also throws the error:
```
(sid)ametzler at argenau:/tmp/GNUTLS/gnutls.git/tests/suite$ openssl s_server -cipher ALL -quiet -www -accept 35263 -keyform pem -certform pem -tls1 -key ./../cert-tests/data/dsa.1024.pem -cert ./../cert-tests/data/cert.dsa.1024.pem -Verify 1 -CAfile ./../../doc/credentials/x509/ca.pem
error setting certificate
140237331435968:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: DH PARAMETERS
140237331435968:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
```

> Is there some way we can have this version of openssl in the debian build image?

I do not think there is a good way, except waiting for 1.1.1 to propagate to testing/buster. It is currently blocked since upgrading from 1.1.0h breaks a couple of reverse dependencies.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/572#note_103670128
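The two OpenSSL error lines quoted above follow the 1.1.x error-queue format, where the hex code packs the library, function and reason numbers from `<openssl/err.h>` and the trailing fields give the source location and any extra data. The decoder below is an added example (not part of this thread or of GnuTLS); it splits such lines into fields, unpacks the code, and flags the "ee key too small" reason, which OpenSSL raises when the end-entity key does not meet the configured security level rather than when the PEM fails to parse. The sample stderr is constructed from the output quoted above.

```python
"""Decode OpenSSL 1.1.x error-queue lines and separate key-strength rejections from parse errors."""
from dataclasses import dataclass
from typing import List, Optional

# Library numbers from <openssl/err.h>; only the two that appear in the quoted output.
ERR_LIB_NAMES = {9: "PEM", 20: "SSL"}

# Reason strings that mean a key fails the security level, not that the file is malformed.
KEY_STRENGTH_REASONS = {"ee key too small", "ca key too small", "dh key too small"}

# Constructed sample: the s_server stderr quoted in the message above.
SAMPLE_STDERR = """error setting certificate
140237331435968:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: DH PARAMETERS
140237331435968:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
"""


@dataclass
class OpenSSLError:
    thread: int
    code: int
    lib: int          # ERR_PACK layout: (code >> 24) & 0xFF
    func: int         # (code >> 12) & 0xFFF
    reason: int       # code & 0xFFF
    lib_name: str     # e.g. "SSL routines"
    func_name: str
    reason_text: str
    file: str
    line: int
    extra: str        # trailing data such as "Expecting: DH PARAMETERS"

    def is_key_strength_failure(self) -> bool:
        return self.reason_text in KEY_STRENGTH_REASONS

    def lib_name_consistent(self) -> bool:
        """Cross-check the packed library number against the textual library name."""
        return ERR_LIB_NAMES.get(self.lib, "") in self.lib_name


def parse_openssl_error(line: str) -> Optional[OpenSSLError]:
    # thread:error:code:lib:func:reason:file:line[:extra]; extra may itself contain colons.
    parts = line.strip().split(":", 8)
    if len(parts) < 8 or parts[1] != "error":
        return None
    code = int(parts[2], 16)
    return OpenSSLError(thread=int(parts[0]), code=code, lib=(code >> 24) & 0xFF,
                        func=(code >> 12) & 0xFFF, reason=code & 0xFFF,
                        lib_name=parts[3], func_name=parts[4], reason_text=parts[5],
                        file=parts[6], line=int(parts[7]),
                        extra=parts[8] if len(parts) > 8 else "")


def triage(stderr: str) -> List[OpenSSLError]:
    """Return the structured error-queue entries found in a block of OpenSSL stderr output."""
    return [e for e in (parse_openssl_error(l) for l in stderr.splitlines()) if e is not None]
```

Running `triage(SAMPLE_STDERR)` yields two entries: a PEM "no start line" from the optional DH-parameter lookup, and the SSL key-strength rejection that actually stops the server.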