Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 127095
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: bernhard+rtcpan [...] lsmod.de
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.059
Fixed in: 2.060



Subject: Tests fail in 2019-03-01
Download (untitled) / with headers
text/plain 945b
Also filed at https://bugzilla.opensuse.org/show_bug.cgi?id=1102852 probably an SSL cert expires [ 47s] t/sni_verify.t (Wstat: 256 Tests: 5 Failed: 4) [ 47s] Failed tests: 2-5 [ 47s] Non-zero exit status: 1 [ 47s] Parse errors: Bad plan. You planned 17 tests but ran 5. [ 47s] t/startssl.t (Wstat: 256 Tests: 10 Failed: 4) [ 47s] Failed tests: 5-8 [ 47s] Non-zero exit status: 1 [ 47s] Parse errors: Bad plan. You planned 21 tests but ran 10. [ 47s] t/sysread_write.t (Wstat: 0 Tests: 2 Failed: 1) [ 47s] Failed test: 2 [ 47s] Parse errors: Bad plan. You planned 9 tests but ran 2. [ 47s] t/verify_hostname.t (Wstat: 0 Tests: 42 Failed: 2) [ 47s] Failed tests: 41-42 [ 47s] Files=38, Tests=636, 38 wallclock secs ( 0.20 usr 0.08 sys + 8.61 cu) [ 47s] Result: FAIL [ 47s] Failed 11/38 test programs. 33/636 subtests failed.
Download (untitled) / with headers
text/plain 397b
Am Mi 12. Sep 2018, 01:09:33, http://bmwiedemann.zq1.de/ schrieb: Show quoted text
> Also filed at > https://bugzilla.opensuse.org/show_bug.cgi?id=1102852 > > probably an SSL cert expires
I cannot reproduce this problem. All test certificates shipped with the distribution are at least valid until 01/2019, i.e. unless you've set the system time several month into the future no certificates should be expired.
Download (untitled) / with headers
text/plain 361b
On Wed Sep 12 01:56:05 2018, SULLR wrote: Show quoted text
> I cannot reproduce this problem. > All test certificates shipped with the distribution are at least valid > until 01/2019, i.e. unless you've set the system time several month > into the future no certificates should be expired.
All certificates expired now, see: https://bugzilla.suse.com/show_bug.cgi?id=1102852#c2
Download (untitled) / with headers
text/plain 578b
Am Di 22. Jan 2019, 05:30:58, pmgdeb@gmail.com schrieb: Show quoted text
> On Wed Sep 12 01:56:05 2018, SULLR wrote:
> > I cannot reproduce this problem. > > All test certificates shipped with the distribution are at least valid > > until 01/2019, i.e. unless you've set the system time several month > > into the future no certificates should be expired.
> > All certificates expired now, see: > https://bugzilla.suse.com/show_bug.cgi?id=1102852#c2
The certificates where renewed in 09/2018. Please use the latest version of IO::Socket::SSL (2.060) which comes with the renewed certificates.
Download (untitled) / with headers
text/plain 606b
On 2019-01-22 10:53:55, SULLR wrote: Show quoted text
> The certificates where renewed in 09/2018. Please use the latest > version of IO::Socket::SSL (2.060) which comes with the renewed > certificates.
I found that the new certs expire in 2028, so not very far in the future either. What is the point of having tests that stop working later? Background: as part of my work on reproducible builds for openSUSE, I check that software built in the future still gives the same build results as today. The default is building +15 years from now, because that is how long we expect today's software to be used (in some places)
Download (untitled) / with headers
text/plain 1.8k
Am Di 22. Jan 2019, 07:31:06, bmwiedemann schrieb: Show quoted text
> On 2019-01-22 10:53:55, SULLR wrote:
> > The certificates where renewed in 09/2018. Please use the latest > > version of IO::Socket::SSL (2.060) which comes with the renewed > > certificates.
> > I found that the new certs expire in 2028, so not very far in the > future either. > What is the point of having tests that stop working later?
One might ask the question this way but one might also ask what's the point of installing in 2028 a software from 2018 when the software deals with cryptographic stuff. 10 years is not a small time in cryptography. For example 10 years ago we did not even have an OpenSSL version supporting TLS 1.2. Users should be encouraged to install current software at least in this area. Show quoted text
> Background: as part of my work on reproducible builds for openSUSE, I > check that software built in the future still gives the same build > results as today. The default is building +15 years from now, because > that is how long we expect today's software to be used (in some > places)
That's a use case I did not think of. But I hope that this version of IO::Socket::SSL is not used for 15 years - it is already today a big trouble supporting users which happen to run older versions of IO::Socket::SSL or openssl since these versions come with the (often also outdated) distribution they use. There are often problems due to missing features in older versions which are considered essential today. And that's not even addressing the security problems: older versions had defaults which are considered weak or insecure today. But you can use the script https://github.com/noxxi/p5-io-socket-ssl/blob/master/certs/create-certs.pl which is part of the source code but not part of the distribution to generate fresh certificates whenever you need, i.e. regenerate the certificates whenever you are doing a time shift.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.