Package: nodejs Version: 18.13.0+dfsg1-1 Severity: important Tags: patch The nodejs version in unstable FTBFS against openssl 3.1 due to the testsuite. I had something working and then looked in the upstream git and backported their against the packaging master-18.x branch. Hopefully this makes less work for everyone. One patch is for upstream, one I made myself. Now I'm about to test this… But it looks promising ;)
Sebastian
From 85aa9556000424fcde6748bed969a01e864be266 Mon Sep 17 00:00:00 2001 From: OttoHollmann <o...@hollmann.cz> Date: Thu, 1 Jun 2023 16:52:53 +0200 Subject: [PATCH 1/2] test: adapt tests for OpenSSL 3.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/nodejs/node/pull/47859 Reviewed-By: Tobias Nießen <tnies...@tnie.de> Reviewed-By: Richard Lau <r...@redhat.com> (cherry picked from commit 5f283722072e400234d3e15f1f2caa2ca2fd8d60) Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- test/common/index.js | 6 +++++- .../test-https-agent-session-eviction.js | 1 + test/parallel/test-tls-alert.js | 1 + test/parallel/test-tls-getprotocol.js | 16 +++++++++++++--- test/parallel/test-tls-min-max-version.js | 3 +++ test/parallel/test-tls-session-cache.js | 1 + 6 files changed, 24 insertions(+), 4 deletions(-) diff --git a/test/common/index.js b/test/common/index.js index e0c6e7aa0c996..35c3eac6481b3 100644 --- a/test/common/index.js +++ b/test/common/index.js @@ -56,7 +56,10 @@ const hasCrypto = Boolean(process.versions.openssl) && !process.env.NODE_SKIP_CRYPTO; const hasOpenSSL3 = hasCrypto && - require('crypto').constants.OPENSSL_VERSION_NUMBER >= 805306368; + require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000; + +const hasOpenSSL31 = hasCrypto && + require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000; const hasQuic = hasCrypto && !!process.config.variables.openssl_quic; @@ -899,6 +902,7 @@ const common = { hasIntl, hasCrypto, hasOpenSSL3, + hasOpenSSL31, hasQuic, hasMultiLocalhost, invalidArgTypeHelper, diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js index 940c43cc40bf1..36c360a96503d 100644 --- a/test/parallel/test-https-agent-session-eviction.js +++ b/test/parallel/test-https-agent-session-eviction.js @@ -54,6 +54,7 @@ function faultyServer(port) { function second(server, session) { const req = https.request({ port: server.address().port, + ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'), rejectUnauthorized: false }, function(res) { res.resume(); diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js index 31b07104c241a..04000771aa977 100644 --- a/test/parallel/test-tls-alert.js +++ b/test/parallel/test-tls-alert.js @@ -42,6 +42,7 @@ const server = tls.Server({ cert: loadPEM('agent2-cert') }, null).listen(0, common.mustCall(() => { const args = ['s_client', '-quiet', '-tls1_1', + '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'), '-connect', `127.0.0.1:${server.address().port}`]; execFile(common.opensslCli, args, common.mustCall((err, _, stderr) => { diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js index d45287d671d8a..7da2f60676d00 100644 --- a/test/parallel/test-tls-getprotocol.js +++ b/test/parallel/test-tls-getprotocol.js @@ -11,9 +11,18 @@ const tls = require('tls'); const fixtures = require('../common/fixtures'); const clientConfigs = [ - { secureProtocol: 'TLSv1_method', version: 'TLSv1' }, - { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' }, - { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' }, + { + secureProtocol: 'TLSv1_method', + version: 'TLSv1', + ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT') + }, { + secureProtocol: 'TLSv1_1_method', + version: 'TLSv1.1', + ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT') + }, { + secureProtocol: 'TLSv1_2_method', + version: 'TLSv1.2' + }, ]; const serverConfig = { @@ -30,6 +39,7 @@ const server = tls.createServer(serverConfig, common.mustCall(clientConfigs.leng tls.connect({ host: common.localhostIPv4, port: server.address().port, + ciphers: v.ciphers, rejectUnauthorized: false, secureProtocol: v.secureProtocol }, common.mustCall(function() { diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index 5cea41ca7e0bd..ab351558a4c8b 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -22,6 +22,9 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { if (serr !== 'ERR_SSL_UNSUPPORTED_PROTOCOL') ciphers = 'ALL@SECLEVEL=0'; } + if (common.hasOpenSSL31 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') { + ciphers = 'DEFAULT@SECLEVEL=0'; + } // Report where test was called from. Strip leading garbage from // at Object.<anonymous> (file:line) // from the stack location, we only want the file:line part. diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js index c4bebff2e3208..e4ecb53282fba 100644 --- a/test/parallel/test-tls-session-cache.js +++ b/test/parallel/test-tls-session-cache.js @@ -100,6 +100,7 @@ function doTest(testOptions, callback) { const args = [ 's_client', '-tls1', + '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'), '-connect', `localhost:${this.address().port}`, '-servername', 'ohgod', '-key', fixtures.path('keys/rsa_private.pem'), -- 2.40.1
>From caef2948f3f4881a25736bdfee472798ff12110e Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Date: Thu, 21 Sep 2023 22:38:32 +0200 Subject: [PATCH 2/2] test: Use seclevel=0 unconditionally on OpenSSL 3 OpenSSL 3.1 forces TLS v1.1 and less to security level 0 so the security level was lowered in the tests to pass them. There is no need to conditionally lower the limit on OpenSSL 3.1 since the same can be done on 3.0. Both OpenSSL share the same ABI so it nodejs can be compiled again 3.0 and run the tests against 3.1. Remove 3.1 special case and use it unconditionally on the 3 series. Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- test/common/index.js | 4 ---- test/parallel/test-https-agent-session-eviction.js | 2 +- test/parallel/test-tls-alert.js | 2 +- test/parallel/test-tls-getprotocol.js | 4 ++-- test/parallel/test-tls-min-max-version.js | 4 ++-- test/parallel/test-tls-session-cache.js | 2 +- 6 files changed, 7 insertions(+), 11 deletions(-) diff --git a/test/common/index.js b/test/common/index.js index 35c3eac6481b3..73ae906a3f08d 100644 --- a/test/common/index.js +++ b/test/common/index.js @@ -58,9 +58,6 @@ const hasCrypto = Boolean(process.versions.openssl) && const hasOpenSSL3 = hasCrypto && require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000; -const hasOpenSSL31 = hasCrypto && - require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000; - const hasQuic = hasCrypto && !!process.config.variables.openssl_quic; function parseTestFlags(filename = process.argv[1]) { @@ -902,7 +899,6 @@ const common = { hasIntl, hasCrypto, hasOpenSSL3, - hasOpenSSL31, hasQuic, hasMultiLocalhost, invalidArgTypeHelper, diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js index 36c360a96503d..b094403af8e07 100644 --- a/test/parallel/test-https-agent-session-eviction.js +++ b/test/parallel/test-https-agent-session-eviction.js @@ -54,7 +54,7 @@ function faultyServer(port) { function second(server, session) { const req = https.request({ port: server.address().port, - ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'), + ciphers: 'DEFAULT:@SECLEVEL=0', rejectUnauthorized: false }, function(res) { res.resume(); diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js index 04000771aa977..6a95a5db5ad7c 100644 --- a/test/parallel/test-tls-alert.js +++ b/test/parallel/test-tls-alert.js @@ -42,7 +42,7 @@ const server = tls.Server({ cert: loadPEM('agent2-cert') }, null).listen(0, common.mustCall(() => { const args = ['s_client', '-quiet', '-tls1_1', - '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'), + '-cipher', 'DEFAULT:@SECLEVEL=0', '-connect', `127.0.0.1:${server.address().port}`]; execFile(common.opensslCli, args, common.mustCall((err, _, stderr) => { diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js index 7da2f60676d00..0873106477bd9 100644 --- a/test/parallel/test-tls-getprotocol.js +++ b/test/parallel/test-tls-getprotocol.js @@ -14,11 +14,11 @@ const clientConfigs = [ { secureProtocol: 'TLSv1_method', version: 'TLSv1', - ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT') + ciphers: 'DEFAULT:@SECLEVEL=0' }, { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1', - ciphers: (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT') + ciphers: 'DEFAULT:@SECLEVEL=0' }, { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index ab351558a4c8b..a196f1c320bd1 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -22,8 +22,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { if (serr !== 'ERR_SSL_UNSUPPORTED_PROTOCOL') ciphers = 'ALL@SECLEVEL=0'; } - if (common.hasOpenSSL31 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') { - ciphers = 'DEFAULT@SECLEVEL=0'; + if (common.hasOpenSSL3 && cerr === 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION') { + ciphers = 'DEFAULT:@SECLEVEL=0'; } // Report where test was called from. Strip leading garbage from // at Object.<anonymous> (file:line) diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js index e4ecb53282fba..94e8fc567fabc 100644 --- a/test/parallel/test-tls-session-cache.js +++ b/test/parallel/test-tls-session-cache.js @@ -100,7 +100,7 @@ function doTest(testOptions, callback) { const args = [ 's_client', '-tls1', - '-cipher', (common.hasOpenSSL31 ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'), + '-cipher', 'DEFAULT:@SECLEVEL=0', '-connect', `localhost:${this.address().port}`, '-servername', 'ohgod', '-key', fixtures.path('keys/rsa_private.pem'), -- 2.40.1