i tried to modify the testsuite to use stronger keys (patch attatched), however after doing so the testsuite now hangs (relavent output pasted at end of message). Not sure what is going wrong here (I am neither a ruby expert or an openssl expert).
I have attached a patch with my changes so-far.
/ruby-openssl-2.0.5/test/envutil.rb:258:in `assert_join_threads' Failure: test_tlsext_hostname(OpenSSL::TestSSL): exceptions on 2 threads: #<Thread:0x0000557c8bd59848@/ruby-openssl-2.0.5/test/utils.rb:443 dead>: /ruby-openssl-2.0.5/test/test_ssl.rb:654:in `connect': SSL_connect returned=1 errno=0 state=error: sslv3 alert handshake failure (OpenSSL::SSL::SSLError) from /ruby-openssl-2.0.5/test/test_ssl.rb:654:in `block in test_tlsext_hostname' from /ruby-openssl-2.0.5/test/utils.rb:445:in `block (2 levels) in start_server' --- #<Thread:0x0000557c8bd59938@/ruby-openssl-2.0.5/test/utils.rb:432 dead>: /ruby-openssl-2.0.5/debian/ruby-openssl/usr/lib/ruby/vendor_ruby/openssl/ssl.rb:382:in `accept': SSL_accept returned=1 errno=0 state=error: no suitable signature algorithm (OpenSSL::SSL::SSLError) from /ruby-openssl-2.0.5/debian/ruby-openssl/usr/lib/ruby/vendor_ruby/openssl/ssl.rb:382:in `accept' from /ruby-openssl-2.0.5/test/utils.rb:383:in `block in server_loop' from /ruby-openssl-2.0.5/test/utils.rb:376:in `loop' from /ruby-openssl-2.0.5/test/utils.rb:376:in `server_loop' from /ruby-openssl-2.0.5/test/utils.rb:434:in `block (2 levels) in start_server' ===================================================================================================================================================================== : (0.010154) test_unset_OP_ALL: .: (0.059083) test_verify_certificate_identity: .: (0.008254) test_verify_hostname: .: (0.007457) test_verify_hostname_on_connect: .: (0.065102) test_verify_result: .: (0.026004) test_verify_wildcard: .: (0.005284) OpenSSL::TestSSLSession: test_client_session: #<Thread:0x0000557c8bd87ce8@/ruby-openssl-2.0.5/test/utils.rb:443 run> terminated with exception (report_on_exception is true): Traceback (most recent call last): 9: from /ruby-openssl-2.0.5/test/utils.rb:445:in `block (2 levels) in start_server' 8: from /ruby-openssl-2.0.5/test/test_ssl_session.rb:158:in `block in test_client_session' 7: from /ruby-openssl-2.0.5/test/test_ssl_session.rb:158:in `times' 6: from /ruby-openssl-2.0.5/test/test_ssl_session.rb:168:in `block (2 levels) in test_client_session' 5: from /usr/lib/ruby/vendor_ruby/test/unit/assertions.rb:130:in `assert' 4: from /usr/lib/ruby/vendor_ruby/test/unit/assertions.rb:1636:in `_wrap_assertion' 3: from /usr/lib/ruby/vendor_ruby/test/unit/assertions.rb:163:in `block in assert' 2: from /usr/lib/ruby/vendor_ruby/test/unit/assertions.rb:53:in `assert_block' 1: from /usr/lib/ruby/vendor_ruby/test/unit/assertions.rb:1631:in `_wrap_assertion' /usr/lib/ruby/vendor_ruby/test/unit/assertions.rb:55:in `block in assert_block': <false> is not true. (Test::Unit::AssertionFailedError)
Description: Use stronger keys in tests to fix build with new openssl. Author: Peter Michael Green <plugw...@debian.org> --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: https://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: 2018-10-04 Index: ruby-openssl-2.0.5/test/utils.rb =================================================================== --- ruby-openssl-2.0.5.orig/test/utils.rb +++ ruby-openssl-2.0.5/test/utils.rb @@ -64,6 +64,102 @@ gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15Lc -----END RSA PRIVATE KEY----- _end_of_pem_ + TEST_KEY_RSA3072 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAuOfm5u9QvTVA3injjLlNQIdNEpkygrgeKF5yZDGndcsUTIap +tdYW8e78rOFmt/LUHXZpiY/e0vo5WH6Lyp5/EGOCJqatKa21uDef3+bmsWNb9MOE +XaIRjmcNjVim4aVJdGpjQzN/ysjR8KdqRwY3TDzVBsX7eNJpKS10NiMgSGvxxLwE +00Z/YgM9RLKjtjjWLloP/cuiZcLplaXF+Tyi49u8P7yrlNheGGtU5eEZmx+XESES +izsFyFC2zhDKpGlU+v9+oSbOPy6xNB9TjsxpG6QTtGdP9T8f990EcO/TC/JAr/uk +RwoSqMZyeUT0lk+QzfkoVYsuzGjWlLnW+yLgnv4xb003sZCPa7llxhwZYajpZgdm +/xhKBWg7x8u62aOR2pqNrV7aCRbI0AY2OphTuRIj1pwgX+t7RItrLHJ9Q0hVNQYL +iJwwH7QhRcWBx4S07M1uR7u9tESqu1rm5W+AbpV/gWVZE8RGn6KHYndn1l7qjnWH +z7bJYlLHm0AExp67AgMBAAECggGADacZ1n1fIclX08+V/KMGADi9SR1ErIA5wdNP +cPR1n+3xvsDGsSVwpkZ2I7G06uokHVTL8BtOYZeWOmGFot1XFneyeXYfHQ+1djet +N1QOPpTOimERWfSIhVI4nvInyEtzBASC9chMrEVtsu45m6rq1Fc9h3WA3ufyWdcA +WKr5TD+kJ1mWpZ7z8uG4WWUzT1YdAmkl+yBZClh89M67sm52vIpR+QbOSHw9XmI2 +b47SXDDV767Ydq1R/PtwtABrZf5c5sm2ivRQG2xXUug+ykmTWLISQXqA+aWY46XL +ymvwhna9wVNWlRrsVdWyl+O3u8rTS18Y817AraZpHnc049DXovVt3qRLKzuj+EfL ++2Ut00tfdHxrrVmqcncMeFCLphhjTLK8BA7Kxnd1F6mIkH2unYb0tB+yqElX/Zvp +oDRiwpncCi0bnLq8Q+57+m5xn1dp6ebM710G3u9U63oPQAgeHHxYp5ZhvI8rgdUx +nXkQ44SqqPeAKmIkV9cS0p+jp/1JAoHBAOYE+fyTZq4DwEWM3FxvbW+VPS/Fw1oF +1ON3dSZP4UQFcubkUwZedVCdgbkXSHN4u7G7MzZw3SHaiTyCM8eBI7tc3MHo0F5W +7bBAOLrwn9129D8D9ISZaEJejXfJG7aaEvwdSJ1LKgVNOxsPRH8SjdxqNGXUNmtM +SryIWQZz8P/XZfJAvmGEo56YS/7jH0R2xMw3AxYiz4Dwjhk+0xY0W+HT+AcEWRBw +swE/7BEzhkhzmN8xpCN0PFxoOmZF0skGRQKBwQDNynbaR81eCgxtuNYu57cl0dfC +OTMV7fu2I6v0JE/ScE9yzPCgnE1d+kHEjY2wib9bSEGzdbvSfkjatoi/rnayX6I6 +5oDZgRf5zlYxQHc3a/P++NucH8WpxtB4Dq+Ax7c07o0g24NMMywX94OjmN2NN7b9 +Ab+9SOOqPuRvACMKAhFhtiEXu0kR6zg1/FuKP1Ybydl9JUVjMgy4K+jz7TVXWiX6 +/EExdphhPpvPqyEqlwjNkgVTXabk1FmW0wgp4P8CgcAsxUMzGi2eKTS/VM9/XmDa +mx2xsrh3STNKovG2Z03dQ4I91qsiTjhfXIjnUdTUROejjGBHdGhWMocLs/wIFOaz +jTuason8Esdoytc/653yKTkZGtf5BzL32BeI/Sfbvtl7IOgFVZ/0MDgU6D/Yy++4 +uyM/vrJo6AyT7aYGT4LVCUPahyeHK539PH9uOR7Y4JUlen+rS1NAMZI277d+Vuqb +Zfqcwwfi30y4LYzxPCoi5/0VVEAydmlZQyA6z9RbNFECgcBLWv4WhABhlRBkBTD4 +0ASyppp5FnTsbM6lLX7D0aAhENsm0IC0b0etR/xZOvRNVsNpa5YTXuM9+tw2qmx8 +tCfmvTosk0dPXgQnhzTsqAx/kNox3XKdQs0glBq2O7psT7V4fnnTNE5p0rsss4fS +miFWmrY5AzDw4QXsy0belpA+E+/Fdem8ROpG03kr25KxluuzFUC8oK892Y/qyLlu +yMeliu8pbsF4mVLHGSP48VMdw1yH2hZ1Jm/8jv2XSwNMQoUCgcEA3rPR1/I3QPyx +op331aDXtKphMwTBxgynS+hqZczV7BgKW1ksrzffPZRcpEc5HjBGbkUpetCIH50y +XF4c2GK1irD4efWzutGDA2qPxZa83Y6lXehA/uG6YpQ8NnRXZU0iQznyTNrHXVPh +J+9O2PmVhgBsUhHgJaKPe1DAOxagAEDA5ggvnce3xAzovctKTXKsmUd/v+ee5ZJ0 +gTcWrxGHeGs5rX2eKdPR5pDM7bBPT9kF7tDe2+ULTv56dyjskRc2 +-----END RSA PRIVATE KEY----- + _end_of_pem_ + + TEST_KEY_RSA4096 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEArP2UZ7bP6HPBDUsTpnx7cxTvSCVXnG1DYolOyyKBOZRgWeAH +gJVa7sni8fvVFYYufKByXj9OKi9/P4KLhdaoFFJlHPyVeck4ZOF7ZTTfWW3C6xA0 +fiPU/VLYiCU/s9woSestHl82vKhkHK658Uwa5NHGo7BuGDYsUJMWIAHnqQJge1+T +0kyftmbJQkf9YHpyMOYk8dO0Y7Gs73blC7WnPmT3i1NAc3JeK1FNu/a14pniS/0P +36FdwFL60ndLH4XjH+sxLSyzgbLL3G/LCOqtExKGsiCLhFjNHgVSfZSDrc82wQM1 +33moyGPkmikhdzNrCK+LMOUSYV3+pqw8y1IxE0YVk3Hq8qitd6+Cckh4Yl/jPLoL +wG8ilZMAkvcSTC/HBjquSZK8s2eMyZl4/s10F8xDKw4Y/9kdkfkWU6DJqWs84RoC +KTGoa/5wHD9BjvaCzlPbn2gqKsa8qvlOW4lht4La+bXH22ER44Td6uh7pA7jAmRQ +MKlchT0jwQpOAYzSLJmQ5b4epTiqQWOyyvLMQIrEHR6UjWNJSiqlTP1N/WHUrwjL +QEKjLzVupGiktwPd6M3XvPfyghBrg9du/+h5gB0qfXd7HUY1Ip3KLjOi1VzKxfbV +UTddHTgQqD6lXwTQ2MzqjR6tk3b3BNofAz/9jLYBrx0ss9kL7UulTj07USUCAwEA +AQKCAgEAk5hXwpWrlf0NPbZMscOL4IiAD+Isef6Pe8cDPzXVY7dA7e3C+OZ1iz8d +LrFbAN5XU2Xhrp/8pOmZfCp5uFuJVK1oL+8h6aLRRuFLUvJljfukTsKoxubzlp/U +t3RwgZjZlxfciwlZvmU95Wr+ou34FDsXbBngFTBDZwvX2L9HVF/+ycSmbsuJiSrx +lGevu109iJMT+nBSfKzfjAC5M+BtLUMgIfOKDfYKepMH69N3JDt/ZK4pmPgo8Srb +bi7yHZcyTc1xS8XT8lkGrrGDXbw8pwUrf1ddMjJB79dCpnrMTsN5R/zhPiai5zaz +mQR21Sk9rU95RuJraD+2Qaa6yA78ZrnM3nPXXI7SXFToOr2VrCE6nC7UpuB/kirG +g7hDsMpW7BjffnonWB5R23J3eHEfcT/Whz4ESMhUHo2Sa1T+OfKek9hR3iSeqZCC +fYOkMlGiTz7I2NzeapnShST5FXtJmABHxkOJfzbgbP43RrfisShbODgeAW2+b5aq +omXV/XljJRwQ3XxRJWJIFBTjiVJ1NvmNnG+z3eya/QqxYQTmXBIkCcuESl3HgdYZ +PGarWlBc+WP1wt9clmfSQUsSbYYkTTw5XLjOmHOe9/DYcBhx7FnkDsXrR2k16AMk +Yiwd4S6ROg2m+aaqyS75YadjoHWIHMJVBcQmdFlkVsKE6pgcpoECggEBAN3zJiqx +CdozelFLu0f3Th8mZPPeW2HT08WPbPlovDxg26lZgt4gdV5ikJlQvRaq6qwReCXo +rfCJ4/1UlifZati1t8oJhy5arsWtY4UzD3v/K+OSpL+rKP64kuM5/2QBzpPtqFQC +Km9stkGqtvHyVw5LO9ud6G9vJqfcLT+1DwjVT8ibfr8yzmFbr0SILRlcVmGBinrK +FL4evwOY4qSFMM6E4JKn6My1HatZqAdmLIsE6HGmFDWnZBkfNfAZz+/dUrnYom6+ +/rscQlERLxmNMLJOedgbT0X3/bAUxrqMm/MSMheJeiSSOjJcocqu1fpvh+rrkhjQ +7BbhU+biiAX4RkkCggEBAMeHmyZFwZaI4di+owz0jeAyQrK+QzQ2QpagpDFO6D9m +bgjO6OgwsmiRTKrgsZrXKBx6QojoTLka32cov2Xit0CcVqR/PebSrtAjHOiQdSjt +E+ufuvUDDCU+R6EtIF68W6zV9PoMJdEkFngDlZzeV6o55kYUyBu/amPcRoairL7F +LdZeyaAMAfihVedQIVQyd6eLiq+VTPdQoKBOrIB9falg7fsCS8ki8MBd0wLEiLJt +dVcpZ8Kk00PAqUMVRYqc25SgER8PzgdIEj2YHrmHN8uAmRAfIHyyhwOh+blHKWIO +KgmYyTjmls9/MGJau5ixqfw/xoALdNZKGOB8dwGzA/0CggEBAJX/VKT3fsQTlC/K +8afiT86ngQR7GuETaoSSuMAZ81UO1IUv9EywPQHrtPOYaCIgonZlXACqrproZcd4 +Wf5WZmpM7QfCxrQiHwmDc8W6S1Wujve+zE6omw0CqmqccKgivHym2eLkj8879jSM +7hS3hfQoDi0PG93rjYFWQNJUR/PdTY0y4UbQTD/p2ZqEOY5xJAPDq1XuqnQOjWMd ++NXdGa4IiUkz5xYptQJvliph9+qAB6N+7RuRpAmCWU6J80iVF+p3qNcVh0vm/j6R +UXaAQA/RD3Foi3uq7K0KbX/3tRFiE65qf7ylgmU0yzcST5RvubifOd5Bm7yezbg1 +El6OetkCggEAe+/bi1Zg/SRhRMSFexKc3dnaXDSageACVJXL52TgFiGFz6rWOQOm +jhVSzgFr0IY8wBOhKHFC1ue+RNGmsZ61vUhe+SagSLQtKdPlrP+uBpHcgcth0bbm +4GtjCtaA+Nd/CkiMNpU9GD+WRU3UrO/e/Dmis31NHw8zAnxcwlxheM35vuJ50xQi +VVHBjkDTsvz2HfgrWQ0gFa7bVzgHJnjMiV1P9U5jzLgLWzHsVBfH4SzkahOqA9ll +8PvHJ4ga/hKYwiT6/ZRPoW4/BktrKkq3eYyThtQO1eX+v17pQxDUv7eUnQluVA3H +N3QFldJOHHae47Spk/eJx2GXOjmVolST8QKCAQEAyzEDBhkjFEiGnDLJx1fd1juZ +FPSKYkBIRp2ae1udXRLL+vUyOiGyi9t70+yh8H/VRb5AjOfer6DFLhoCtId7JQVM +qr6ftzNceqpYkpVMqbADrHRfTf6eoyY1h8Ag9ewWvx7v1Yc1HbgQ5YWVLl3fhkpb ++33hTVhImof4K9bsMwT+ndNQ66oUYTckoR76AordYS9KAFuB9WvhF/gYTniCBE7K +RJQR50tJDwgWuIGm2XwOIKQyAb63hNKKreqI9zfSDzSTx3EesvFtwNc2Kto4V29z +F8UqW/sL3KBM5HYRKsSIXgsanvnybzuH8DdALDkgwXvvoXltkn6Xm2yIFdMRXQ== +-----END RSA PRIVATE KEY----- + _end_of_pem_ + TEST_KEY_DSA256 = OpenSSL::PKey::DSA.new <<-_end_of_pem_ -----BEGIN DSA PRIVATE KEY----- MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE @@ -124,6 +220,23 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOP TEST_KEY_DH1024.set_key(OpenSSL::BN.new("556AF1598AE69899867CEBA9F29CE4862B884C2B43C9019EA0231908F6EFA785E3C462A6ECB16DF676866E997FFB72B487DC7967C58C3CA38CE974473BF19B2AA5DCBF102735572EBA6F353F6F0BBE7FF1DE1B07FE1381A355C275C33405004317F9491B5955F191F6615A63B30E55A027FB88A1A4B25608E09EEE68A7DF32D", 16), OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16)) + TEST_KEY_DH4096 = OpenSSL::PKey::DH.new <<-_end_of_pem_ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAozcMVx+HsVrSDeyheafTRf9ByUPMR1I0V7AQiJSl7yRvC3se9LuI +lmPMnxr3/NFkFkfOI4Jj/CLjJlKImNnpZ7i57rt96z9UAsByS4n5hpQ4z9cMmkTx +5OtA1xXDoYzf2elX0E1YfEMHYwZeoDMHu6Ek/c+5Wohz7I1z9gsGWVhOgNudzjHx +xh+rM8bV3dUEJuG3AeLcsDjCnYjtHn7XuwMOEqBE40rEPZdiy7uH1AkMayC7dQj4 +fHLc4gXmEtP5ppnNsnRwXWme1j/cor2KEvafDd67S4x+/xkauMqnvgEf4aZ/FBgO +Q6M9MugAg9ELRfaFFFTvtht1zACZzNUTKHf0Me79d2adMc2fNVGOBxd43YwAZ04J +XO9GN5IQdLaIFIW8GChrzHhZs/lINcMGFZRr/oWMMH7GQU6JOQkh258uiGMK8P2f +FKM5GGSdNlNanKlhN8XbwR5R4peDqs5Q+kjQe3V2u89hOkN9hBpTnSw7XBS+ffoQ +e6rhJ1LShI1OonE3EiYPhiCtCVnuDJgMIeHEsz8ctkdGddsyKHtJt5GATbylcsPo +PTJJ70lSU5UaprP3jzesaKsXAKxHQ6fnrls9IAkcCswhBvekvBgOTBd4Z4aDf2Ih +N5KUPsmbqmWIuKrhTHNMXRaxad/ZB4LuycfK3Sz6GbJU53GipNT4rqMCAQI= +-----END DH PARAMETERS----- + _end_of_pem_ + + DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000 ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::DSS1 @@ -223,8 +336,8 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOP def setup super @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA1024 + @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA3072 + @cli_key = OpenSSL::TestUtils::TEST_KEY_RSA4096 @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") Index: ruby-openssl-2.0.5/test/test_ssl.rb =================================================================== --- ruby-openssl-2.0.5.orig/test/test_ssl.rb +++ ruby-openssl-2.0.5/test/test_ssl.rb @@ -625,7 +625,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes def test_tlsext_hostname ctx3 = OpenSSL::SSL::SSLContext.new ctx3.ciphers = "ADH" - ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH4096 } ctx3.security_level = 0 assert_not_predicate ctx3, :frozen? @@ -675,7 +675,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes ctx2 = OpenSSL::SSL::SSLContext.new ctx2.ciphers = "aNULL" - ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH4096 } ctx2.security_level = 0 ctx2.servername_cb = lambda { |args| Object.new } @@ -1052,7 +1052,7 @@ end # test it doesn't cause a segmentation fault ctx = OpenSSL::SSL::SSLContext.new ctx.ciphers = "aNULL" - ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH4096 } ctx.security_level = 0 sock1, sock2 = socketpair @@ -1107,14 +1107,14 @@ end ctx.ciphers = "DH:!NULL" ctx.tmp_dh_callback = ->(*args) { called = true - OpenSSL::TestUtils::TEST_KEY_DH1024 + OpenSSL::TestUtils::TEST_KEY_DH4096 } } start_server(ctx_proc: ctx_proc) do |server, port| server_connect(port) { |ssl| assert called, "dh callback should be called" if ssl.respond_to?(:tmp_key) - assert_equal OpenSSL::TestUtils::TEST_KEY_DH1024.to_der, ssl.tmp_key.to_der + assert_equal OpenSSL::TestUtils::TEST_KEY_DH4096.to_der, ssl.tmp_key.to_der end } end