Do not set @SECLEVEL with boringssl by masaori335 · Pull Request #9989 · apache/trafficserver

masaori335 · 2023-07-11T06:31:43Z

An AuTest filed with boringssl. It looks like boringssl doesn't like the change for the openssl 3.0 (#9753).

file /tmp/_sandbox/tls_client_versions/ts/log/diags.log : Diags log file diags.log should not contain errors - Failed
             Reason: Contents of /tmp/_sandbox/tls_client_versions/ts/log/diags.log contains expression: "ERROR:"
                Details:
                  [Jul  6 02:15:55.834] traffic_server ERROR: SSL::140521672264768:error:1000009e:SSL routines:OPENSSL_internal:INVALID_COMMAND:/opt/boringssl/ssl/ssl_cipher.cc:1108 : 21
                  [Jul  6 02:15:55.834] traffic_server ERROR: invalid cipher suite in records.config : 22
                  [Jul  6 02:15:55.834] traffic_server ERROR: SSL::140521672264768:error:1000009e:SSL routines:OPENSSL_internal:INVALID_COMMAND:/opt/boringssl/ssl/ssl_cipher.cc:1108 : 23
                  [Jul  6 02:15:55.834] traffic_server ERROR: invalid cipher suite in records.config : 24
                  [Jul  6 02:15:55.865] [ET_NET 8] ERROR: SSL::140521545656064:error:100000b9:SSL routines:OPENSSL_internal:NULL_SSL_CTX:/opt/boringssl/ssl/ssl_lib.cc:633: peer address is 127.0.0.1 : 45
                  [Jul  6 02:15:55.865] [ET_NET 8] ERROR: failed to create SSL server session : 46
                  [Jul  6 02:15:55.978] [ET_NET 9] ERROR: SSL::140521544603392:error:100000b9:SSL routines:OPENSSL_internal:NULL_SSL_CTX:/opt/boringssl/ssl/ssl_lib.cc:633: peer address is 127.0.0.1 : 47
                  [Jul  6 02:15:55.978] [ET_NET 9] ERROR: failed to create SSL server session : 48

maskit · 2023-07-11T17:01:15Z

Too much duplication. I'd suggest:

cipher_suite = "The basic ones"
if openssl_version == 3
  cipher_suite += ":@SECLEVEL=0"
endif

and

'proxy.config.ssl.server.cipher_suite': '{0}'.format(cipher_suite),

bneradt · 2023-07-11T18:57:38Z

SECLEVEL=0 was OK for a stopgap, but I assume there's a better way to address this. Should the cipher suite value be updated for the more stringent openssl3? This would presumably make boringssl happy too.

bneradt

I assume tests/gold_tests/tls/tls_client_versions_minmax.test.py will need to be updated with a similar change?

bneradt · 2023-07-11T19:16:12Z

SECLEVEL=0 was OK for a stopgap, but I assume there's a better way to address this. Should the cipher suite value be updated for the more stringent openssl3? This would presumably make boringssl happy too.

Ah, nevermind. I suppose the issue with these tests is that they force the older TLS versions which OpenSSL 3.0 now requires an explicit SECLEVEL=0 configuration to use.

bneradt · 2023-07-11T19:19:03Z

Too much duplication. I'd suggest:

cipher_suite = "The basic ones"
if openssl_version == 3
  cipher_suite += ":@SECLEVEL=0"
endif

and

'proxy.config.ssl.server.cipher_suite': '{0}'.format(cipher_suite),

Looks good. But no need for the format string. This should work just fine:

'proxy.config.ssl.server.cipher_suite': cipher_suite,

Thank you @masaori335 for updating for boringssl.

masaori335 · 2023-07-13T00:57:14Z

Updated to reduce dups. Please take another look.

bneradt

Thanks for the update for OpenSSL 3.x

(cherry picked from commit b462f08)

zwoop · 2023-07-17T23:03:45Z

Cherry-picked to v9.2.x

(cherry picked from commit b462f08) (cherry picked from commit 64c648f)

masaori335 added TLS AuTest labels Jul 11, 2023

masaori335 added this to the 10.0.0 milestone Jul 11, 2023

masaori335 self-assigned this Jul 11, 2023

randall changed the title ~~Do not set @SECLEVEL with borginssl~~ Do not set @SECLEVEL with boringssl Jul 11, 2023

bneradt requested changes Jul 11, 2023

View reviewed changes

Do not set @SECLEVEL with borginssl

055d4ca

masaori335 force-pushed the autest-tls_client_versions-boringssl branch from 28470c8 to 055d4ca Compare July 11, 2023 23:21

bneradt approved these changes Jul 17, 2023

View reviewed changes

masaori335 merged commit b462f08 into apache:master Jul 17, 2023

zwoop pushed a commit that referenced this pull request Jul 17, 2023

Do not set @SECLEVEL with borginssl (#9989)

64c648f

(cherry picked from commit b462f08)

zwoop modified the milestones: 10.0.0, 9.2.2 Jul 17, 2023

brbzull0 mentioned this pull request Jul 25, 2023

Do not set @SECLEVEL with boringssl. (round 2) #10090

Merged

masaori335 added a commit to masaori335/trafficserver that referenced this pull request Sep 26, 2023

Do not set @SECLEVEL with borginssl (apache#9989)

5b57933

(cherry picked from commit b462f08) (cherry picked from commit 64c648f)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Do not set @SECLEVEL with boringssl#9989

Do not set @SECLEVEL with boringssl#9989
masaori335 merged 1 commit intoapache:masterfrom
masaori335:autest-tls_client_versions-boringssl

masaori335 commented Jul 11, 2023

Uh oh!

maskit commented Jul 11, 2023

Uh oh!

bneradt commented Jul 11, 2023

Uh oh!

bneradt left a comment

Uh oh!

bneradt commented Jul 11, 2023

Uh oh!

bneradt commented Jul 11, 2023

Uh oh!

masaori335 commented Jul 13, 2023

Uh oh!

bneradt left a comment

Uh oh!

zwoop commented Jul 17, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

masaori335 commented Jul 11, 2023

Uh oh!

maskit commented Jul 11, 2023

Uh oh!

bneradt commented Jul 11, 2023

Uh oh!

bneradt left a comment

Choose a reason for hiding this comment

Uh oh!

bneradt commented Jul 11, 2023

Uh oh!

bneradt commented Jul 11, 2023

Uh oh!

masaori335 commented Jul 13, 2023

Uh oh!

bneradt left a comment

Choose a reason for hiding this comment

Uh oh!

zwoop commented Jul 17, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants