Package: nodejs
Version: 18.13.0+dfsg1-1
Severity: important
Tags: patch

The nodejs version in unstable FTBFS against openssl 3.1 due to the
testsuite. I had something working and then looked in the upstream git
and backported their patch against the packaging master-18.x branch. Hopefully
this makes less work for everyone. One patch is for upstream, one I made
myself.
Now I'm about to test this… But it looks promising ;)

Sebastian
From 85aa9556000424fcde6748bed969a01e864be266 Mon Sep 17 00:00:00 2001
From: OttoHollmann <o...@hollmann.cz>
Date: Thu, 1 Jun 2023 16:52:53 +0200
Subject: [PATCH 1/2] test: adapt tests for OpenSSL 3.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-URL: https://github.com/nodejs/node/pull/47859
Reviewed-By: Tobias Nießen <tnies...@tnie.de>
Reviewed-By: Richard Lau <r...@redhat.com>
(cherry picked from commit 5f283722072e400234d3e15f1f2caa2ca2fd8d60)
Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 test/common/index.js                             |  6 +++++-
 .../test-https-agent-session-eviction.js         |  1 +
 test/parallel/test-tls-alert.js                  |  1 +
 test/parallel/test-tls-getprotocol.js            | 16 +++++++++++++---
 test/parallel/test-tls-min-max-version.js        |  3 +++
 test/parallel/test-tls-session-cache.js          |  1 +
 6 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/test/common/index.js b/test/common/index.js
index e0c6e7aa0c996..35c3eac6481b3 100644
--- a/test/common/index.js
+++ b/test/common/index.js
@@ -56,7 +56,10 @@ const hasCrypto = Boolean(process.versions.openssl) &&
                   !process.env.NODE_SKIP_CRYPTO;
 
 const hasOpenSSL3 = hasCrypto &&
-    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 805306368;
+    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000;
+
+const hasOpenSSL31 = hasCrypto &&
+    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000;
 
 const hasQuic = hasCrypto && !!process.config.variables.openssl_quic;
 
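Review bot: The two hex thresholds on the changed and added lines are unexplained magic numbers; a one-line comment giving the OPENSSL_VERSION_NUMBER layout would let the next reader verify them, e.g. `// OPENSSL_VERSION_NUMBER is 0xMNN00PP0 for 3.x: 3.0.0 = 0x30000000, 3.1.0 = 0x30100000.` The value is read from crypto.constants and so appears to describe the OpenSSL headers Node was built against rather than the library loaded at run time when the two differ (the second patch in this series relies on that distinction), which is worth stating next to hasOpenSSL31 since that is exactly the case in which the flag would be wrong.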
@@ -899,6 +902,7 @@ const common = {
   hasIntl,
   hasCrypto,
   hasOpenSSL3,
+  hasOpenSSL31,
   hasQuic,
   hasMultiLocalhost,
   invalidArgTypeHelper,
diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
index 940c43cc40bf1..36c360a96503d 100644
--- a/test/parallel/test-https-agent-session-eviction.js
+++ b/test/parallel/test-https-agent-session-eviction.js
@@ -54,6 +54,7 @@ function faultyServer(port) {
 function second(server, session) {
   const req = https.request({
     port: server.address().port,
+    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
     rejectUnauthorized: false
   }, function(res) {
     res.resume();
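Review bot: The ternary on the added `ciphers:` line is copied verbatim into four more places in this commit (test-tls-alert.js, twice in test-tls-getprotocol.js, test-tls-session-cache.js); a single export from test/common, e.g. `const defaultCiphers = hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT';` beside hasOpenSSL31 and used as `ciphers: common.defaultCiphers`, would keep the security-level decision in one place. Security level 0 deliberately re-enables parameters OpenSSL otherwise refuses, so the helper (or each site) should say why it is needed: `// TLS 1.1 and below are only permitted at security level 0 on OpenSSL 3.1.` `second` continues outside the hunk.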
diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js
index 31b07104c241a..04000771aa977 100644
--- a/test/parallel/test-tls-alert.js
+++ b/test/parallel/test-tls-alert.js
@@ -42,6 +42,7 @@ const server = tls.Server({
   cert: loadPEM('agent2-cert')
 }, null).listen(0, common.mustCall(() => {
   const args = ['s_client', '-quiet', '-tls1_1',
+                '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
                 '-connect', `127.0.0.1:${server.address().port}`];
 
   execFile(common.opensslCli, args, common.mustCall((err, _, stderr) => {
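Review bot: The added `-cipher` argument is chosen by `common.hasOpenSSL31`, which describes the OpenSSL that Node is linked against, but it is passed to the external `common.opensslCli` binary, which can be a different build (a distribution-packaged openssl next to a bundled or differently-versioned libssl), so the condition can be wrong in either direction for this s_client call and for the one in test-tls-session-cache.js at the end of this patch. Deriving the decision from the CLI's own reported version, or always passing `@SECLEVEL=0` to s_client since the protocol version is already pinned with `-tls1_1`, would decouple the two. The `listen` callback continues outside the hunk.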
diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js
index d45287d671d8a..7da2f60676d00 100644
--- a/test/parallel/test-tls-getprotocol.js
+++ b/test/parallel/test-tls-getprotocol.js
@@ -11,9 +11,18 @@ const tls = require('tls');
 const fixtures = require('../common/fixtures');
 
 const clientConfigs = [
-  { secureProtocol: 'TLSv1_method', version: 'TLSv1' },
-  { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' },
-  { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' },
+  {
+    secureProtocol: 'TLSv1_method',
+    version: 'TLSv1',
+    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+  }, {
+    secureProtocol: 'TLSv1_1_method',
+    version: 'TLSv1.1',
+    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+  }, {
+    secureProtocol: 'TLSv1_2_method',
+    version: 'TLSv1.2'
+  },
 ];
 
 const serverConfig = {
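Review bot: The TLSv1.2 entry has no `ciphers` key, so the `ciphers: v.ciphers` added in the next hunk passes `undefined` for that case and appears to rely on tls.connect substituting its default cipher list; that may work, but it is an implicit contract and a reader cannot tell whether the omission is deliberate. Either give the entry an explicit value or spread the option conditionally, `...(v.ciphers ? { ciphers: v.ciphers } : {})`, and say on the TLSv1.2 entry why it is exempt: `// TLS 1.2 is still accepted at the default security level, no override needed.`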
@@ -30,6 +39,7 @@ const server = tls.createServer(serverConfig, common.mustCall(clientConfigs.leng
     tls.connect({
       host: common.localhostIPv4,
       port: server.address().port,
+      ciphers: v.ciphers,
       rejectUnauthorized: false,
       secureProtocol: v.secureProtocol
     }, common.mustCall(function() {
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index 5cea41ca7e0bd..ab351558a4c8b 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -22,6 +22,9 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
     if (serr !== 'ERR_SSL_UNSUPPORTED_PROTOCOL')
       ciphers = 'ALL@SECLEVEL=0';
   }
+  if (common.hasOpenSSL31 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') {
+    ciphers = 'DEFAULT@SECLEVEL=0';
+  }
   // Report where test was called from. Strip leading garbage from
   //     at Object.<anonymous> (file:line)
   // from the stack location, we only want the file:line part.
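Review bot: The new cipher string `'DEFAULT@SECLEVEL=0'` differs from the `'DEFAULT:@SECLEVEL=0'` spelling used in every other file of this patch; both forms appear to be accepted (the pre-existing `'ALL@SECLEVEL=0'` two lines up uses the colon-less one), but one spelling throughout would let a grep find every SECLEVEL override. The added block also needs a why-comment, since lowering the security level is the kind of line that gets copied without its reason: `// OpenSSL 3.1 refuses TLS <= 1.1 above security level 0; the client must lower it to provoke the expected protocol-version alert.` `test` starts before the hunk.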
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
index c4bebff2e3208..e4ecb53282fba 100644
--- a/test/parallel/test-tls-session-cache.js
+++ b/test/parallel/test-tls-session-cache.js
@@ -100,6 +100,7 @@ function doTest(testOptions, callback) {
     const args = [
       's_client',
       '-tls1',
+      '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
       '-connect', `localhost:${this.address().port}`,
       '-servername', 'ohgod',
       '-key', fixtures.path('keys/rsa_private.pem'),
-- 
2.40.1

From caef2948f3f4881a25736bdfee472798ff12110e Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Thu, 21 Sep 2023 22:38:32 +0200
Subject: [PATCH 2/2] test: Use seclevel=0 unconditionally on OpenSSL 3

OpenSSL 3.1 forces TLS v1.1 and less to security level 0 so the security
level was lowered in the tests to pass them.
There is no need to conditionally lower the limit on OpenSSL 3.1 since the
same can be done on 3.0. Both OpenSSL releases share the same ABI, so nodejs
can be compiled against 3.0 and the tests run against 3.1.

Remove 3.1 special case and use it unconditionally on the 3 series.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 test/common/index.js                               | 4 ----
 test/parallel/test-https-agent-session-eviction.js | 2 +-
 test/parallel/test-tls-alert.js                    | 2 +-
 test/parallel/test-tls-getprotocol.js              | 4 ++--
 test/parallel/test-tls-min-max-version.js          | 4 ++--
 test/parallel/test-tls-session-cache.js            | 2 +-
 6 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/test/common/index.js b/test/common/index.js
index 35c3eac6481b3..73ae906a3f08d 100644
--- a/test/common/index.js
+++ b/test/common/index.js
@@ -58,9 +58,6 @@ const hasCrypto = Boolean(process.versions.openssl) &&
 const hasOpenSSL3 = hasCrypto &&
     require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000;
 
-const hasOpenSSL31 = hasCrypto &&
-    require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000;
-
 const hasQuic = hasCrypto && !!process.config.variables.openssl_quic;
 
 function parseTestFlags(filename = process.argv[1]) {
@@ -902,7 +899,6 @@ const common = {
   hasIntl,
   hasCrypto,
   hasOpenSSL3,
-  hasOpenSSL31,
   hasQuic,
   hasMultiLocalhost,
   invalidArgTypeHelper,
diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
index 36c360a96503d..b094403af8e07 100644
--- a/test/parallel/test-https-agent-session-eviction.js
+++ b/test/parallel/test-https-agent-session-eviction.js
@@ -54,7 +54,7 @@ function faultyServer(port) {
 function second(server, session) {
   const req = https.request({
     port: server.address().port,
-    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
+    ciphers: 'DEFAULT:@SECLEVEL=0',
     rejectUnauthorized: false
   }, function(res) {
     res.resume();
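Review bot: The commit message says the security level is lowered "unconditionally on the 3 series", but the changed `ciphers:` line here, and the same change in test-tls-alert.js, test-tls-getprotocol.js and test-tls-session-cache.js, drops the condition entirely, so `@SECLEVEL=0` is now also applied when Node is built against OpenSSL 1.1, where the first patch kept `'DEFAULT'`; only test-tls-min-max-version.js gates on `common.hasOpenSSL3`. If the 1.1 case still matters for the 18.x branch, `ciphers: common.hasOpenSSL3 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT',` keeps code and message in agreement; if it does not, the message should say so. `second` continues outside the hunk.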
diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js
index 04000771aa977..6a95a5db5ad7c 100644
--- a/test/parallel/test-tls-alert.js
+++ b/test/parallel/test-tls-alert.js
@@ -42,7 +42,7 @@ const server = tls.Server({
   cert: loadPEM('agent2-cert')
 }, null).listen(0, common.mustCall(() => {
   const args = ['s_client', '-quiet', '-tls1_1',
-                '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
+                '-cipher', 'DEFAULT:@SECLEVEL=0',
                 '-connect', `127.0.0.1:${server.address().port}`];
 
   execFile(common.opensslCli, args, common.mustCall((err, _, stderr) => {
diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js
index 7da2f60676d00..0873106477bd9 100644
--- a/test/parallel/test-tls-getprotocol.js
+++ b/test/parallel/test-tls-getprotocol.js
@@ -14,11 +14,11 @@ const clientConfigs = [
   {
     secureProtocol: 'TLSv1_method',
     version: 'TLSv1',
-    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+    ciphers: 'DEFAULT:@SECLEVEL=0'
   }, {
     secureProtocol: 'TLSv1_1_method',
     version: 'TLSv1.1',
-    ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT')
+    ciphers: 'DEFAULT:@SECLEVEL=0'
   }, {
     secureProtocol: 'TLSv1_2_method',
     version: 'TLSv1.2'
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index ab351558a4c8b..a196f1c320bd1 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -22,8 +22,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
     if (serr !== 'ERR_SSL_UNSUPPORTED_PROTOCOL')
       ciphers = 'ALL@SECLEVEL=0';
   }
-  if (common.hasOpenSSL31 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') {
-    ciphers = 'DEFAULT@SECLEVEL=0';
+  if (common.hasOpenSSL3 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') {
+    ciphers = 'DEFAULT:@SECLEVEL=0';
   }
   // Report where test was called from. Strip leading garbage from
   //     at Object.<anonymous> (file:line)
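Review bot: The `ciphers = 'DEFAULT:@SECLEVEL=0'` assignment on the changed line overrides a value the preceding `if` may already have set to `'ALL@SECLEVEL=0'` two lines earlier, so the result for a case that matches both conditions depends on statement order with nothing on the page saying which is intended. If the precedence is deliberate, pin it with a comment such as `// Runs after the ALL@SECLEVEL=0 case on purpose: the protocol-version-alert expectation takes precedence.`; if it is not, swap the two blocks. The surrounding `test` function starts before the hunk.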
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
index e4ecb53282fba..94e8fc567fabc 100644
--- a/test/parallel/test-tls-session-cache.js
+++ b/test/parallel/test-tls-session-cache.js
@@ -100,7 +100,7 @@ function doTest(testOptions, callback) {
     const args = [
       's_client',
       '-tls1',
-      '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'),
+      '-cipher', 'DEFAULT:@SECLEVEL=0',
       '-connect', `localhost:${this.address().port}`,
       '-servername', 'ohgod',
       '-key', fixtures.path('keys/rsa_private.pem'),
-- 
2.40.1
