Bug#900160: ruby-eventmachine: FTBFS against openssl 1.1.1

2018-12-02 Thread Didier 'OdyX' Raboud
Control: user debian-rele...@lists.debian.org
Control: usertag -1 +bsp-2018-12-ch-bern
Control: clone -1 -2
Control: retitle -2 ruby-eventmachine: B-D against libssl1.0-dev
Control: severity -2 important
Control: tags -2 +help +upstream
Control: tags -1 +pending

On Thursday, 4 October 2018, 15:38:39 CET, peter green wrote:
> It seems that ruby-eventmachine has a hardcoded 1024 bit CA certificate and
> key, I tried replacing this with a 4096 bit one but the testsuite still
> failed, I then tried replacing the client cert in the test with one signed
> by the new CA but that didn't fix things either.

I've taken another look, and your patch gets rid of the first error; but then 
other errors trigger:

```
TestSslVerify: 
  test_accept_server: /build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb:64: warning: global variable `$cert_from_server' not initialized
F
```

This seems to indicate that the `ssl_verify_peer` methods from the test servers 
are just not called. If I comment these lines out, then the error becomes:

```
TestSslVerify: 
  test_accept_server:   F
===
Failure: test_accept_server(TestSslVerify):  is not true.
/build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb:66:in `test_accept_server'
 63: 
 64: #assert_equal($cert_from_file, $cert_from_server)
 65: assert($client_handshake_completed)
  => 66: assert($server_handshake_completed)
 67:   end
 68: 
 69:   def test_deny_server
===
: (0.029365)
```

So it's really not working, even with bigger keys; deactivating the test is 
only going to hide the fact that SSL verification is broken.

I have also tried to build the current status of the VCS repository from 
https://salsa.debian.org/ruby-team/ruby-eventmachine but many other tests fail 
with that version too.

Finally, I have tried backporting various patches from upstream without luck; 
I mostly felt like I was stabbing ghosts in the dark.

In Debian, the package seems very old (2015) and not maintained very actively; 
it should be updated or removed (but has too many reverse dependencies).

That said, the situation upstream doesn't look very bright either; upstream 
doesn't seem to test against OpenSSL 1.1 either:
https://travis-ci.org/eventmachine/eventmachine/jobs/414199579

But… One not too horrible way to fix this bug is to let ruby-eventmachine 
Build-Depend against libssl1.0-dev; thereby letting it build in unstable 
again, and documenting in its Build-Depends that it only builds against 
openssl << 1.1.

debdiff attached, package uploaded!

Cheers,
OdyX

diff -Nru ruby-eventmachine-1.0.7/debian/changelog ruby-eventmachine-1.0.7/debian/changelog
--- ruby-eventmachine-1.0.7/debian/changelog	2017-01-23 01:36:45.0 +0100
+++ ruby-eventmachine-1.0.7/debian/changelog	2018-12-02 13:44:21.0 +0100
@@ -1,3 +1,11 @@
+ruby-eventmachine (1.0.7-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Build-Depend against libssl1.0-dev; aka OpenSSL << 1.1
+(Closes: #900160)
+
+ -- Didier Raboud   Sun, 02 Dec 2018 13:44:21 +0100
+
 ruby-eventmachine (1.0.7-4) unstable; urgency=medium
 
   * Team upload.
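Review bot: The 1.0.7-4.1 entry marks the bug fixed with "(Closes: #900160)", but the listed change only pins the build to OpenSSL << 1.1; it does not make the package build against 1.1.1. Consider stating in the entry that this is a workaround and referencing the cloned bug for the libssl1.0-dev build dependency, so the remaining incompatibility stays visible once #900160 is closed.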
diff -Nru ruby-eventmachine-1.0.7/debian/control ruby-eventmachine-1.0.7/debian/control
--- ruby-eventmachine-1.0.7/debian/control	2017-01-23 01:36:45.0 +0100
+++ ruby-eventmachine-1.0.7/debian/control	2018-12-02 13:31:53.0 +0100
@@ -9,7 +9,7 @@
Per Andersson 
 Build-Depends: debhelper (>= 9~),
gem2deb,
-   libssl-dev,
+   libssl1.0-dev,
rake,
ruby-test-unit
 Standards-Version: 3.9.8
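Review bot: The new `libssl1.0-dev` entry in Build-Depends carries no explanation of why the 1.0 branch is required. A short comment in debian/control, or a pointer to the tracking bug, would tell the next uploader that the pin can be dropped once the SSL code and its test certificates work with OpenSSL 1.1; until then the extension is compiled against the older OpenSSL branch.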




Bug#900160: ruby-eventmachine: FTBFS against openssl 1.1.1

2018-05-26 Thread Sebastian Andrzej Siewior
Source: ruby-eventmachine
Version: 1.0.7-4
Severity: important
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: openssl-1.1.1

The new openssl 1.1.1 is currently in experimental [0]. This package
failed to build against this new package [1] while it built fine against
the openssl version currently in unstable [2].
Could you please have a look?

The Error
|TestSSLMethods: 
|  test_ssl_methods:
140136548670336:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
|ruby2.5: ssl.cpp:173: SslContext_t::SslContext_t(bool, const string&, const string&): Assertion `e > 0' failed.
|Aborted

is due to:
1.1.1~~pre6-1 changelog):
|   * Increase default security level from 1 to 2. This moves from the 80 bit
| security level to the 112 bit security level and will require 2048 bit RSA
| and DHE keys.

[0] https://lists.debian.org/msgid-search/20180501211400.ga21...@roeckx.be
[1] https://breakpoint.cc/openssl-rebuild/2018-05-03-rebuild-openssl1.1.1-pre6/attempted/ruby-eventmachine_1.0.7-4_amd64-2018-05-01T21%3A04%3A28Z
[2] https://breakpoint.cc/openssl-rebuild/2018-05-03-rebuild-openssl1.1.1-pre6/successful/ruby-eventmachine_1.0.7-4_amd64-2018-05-02T18%3A51%3A11Z

Sebastian
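
Added example (not part of the original report and not ruby-eventmachine code): a Ruby sketch that reproduces the "ee key too small" rejection quoted above by loading a 1024-bit RSA certificate into an SSL context at security level 2, next to a static key-size check. The helper names and the throwaway certificates are constructed for illustration; the per-level minimum sizes are those documented for SSL_CTX_set_security_level.

```ruby
require "openssl"

# Minimum RSA modulus size per OpenSSL security level, as documented in
# SSL_CTX_set_security_level(3); level 0 applies no restriction.
MIN_RSA_BITS = { 0 => 0, 1 => 1024, 2 => 2048, 3 => 3072, 4 => 7680, 5 => 15360 }.freeze

# Build a throwaway self-signed certificate (constructed sample input).
def self_signed(bits)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example.invalid")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Static check: does the certificate's RSA key meet the given level?
def rsa_key_meets_level?(cert, level)
  cert.public_key.n.num_bits >= MIN_RSA_BITS.fetch(level)
end

# Live check: ask libssl itself by loading the pair into an SSL context.
# Returns nil on success, or the library's error message on rejection.
def load_error_at_level(cert, key, level)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.security_level = level
  ctx.cert = cert
  ctx.key = key
  ctx.setup # this is where SSL_CTX_use_certificate is called
  nil
rescue OpenSSL::SSL::SSLError => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  [1024, 2048].each do |bits|
    cert, key = self_signed(bits)
    [1, 2].each do |lvl|
      verdict = load_error_at_level(cert, key, lvl) || "accepted"
      puts "#{bits}-bit RSA, level #{lvl}: static=#{rsa_key_meets_level?(cert, lvl)} libssl=#{verdict}"
    end
  end
end
```

Running the static check over certificates embedded in source or test fixtures finds keys that will start failing when a library's default level is raised, before the build does.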



Bug#900160: ruby-eventmachine: FTBFS against openssl 1.1.1

2018-10-04 Thread peter green

It seems that ruby-eventmachine has a hardcoded 1024 bit CA certificate and 
key, I tried replacing this with a 4096 bit one but the testsuite still failed, 
I then tried replacing the client cert in the test with one signed by the new 
CA but that didn't fix things either.

Description:  Replace hardcoded cert/key with a 4096 bit one to keep recent openssl happy.
Author: Peter Michael Green 

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: , 
Bug: 
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded: 
Reviewed-By: 
Last-Update: 2018-10-04

Index: ruby-eventmachine-1.0.7/ext/ssl.cpp
===
--- ruby-eventmachine-1.0.7.orig/ext/ssl.cpp
+++ ruby-eventmachine-1.0.7/ext/ssl.cpp
@@ -32,47 +32,96 @@ static EVP_PKEY *DefaultPrivateKey = NUL
 static X509 *DefaultCertificate = NULL;
 
 static char PrivateMaterials[] = {
-"-BEGIN RSA PRIVATE KEY-\n"
-"MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
-"Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
-"AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
-"AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
-"H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
-"I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
-"6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
-"w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
-"PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
-"xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
-"xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
-"dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
-"2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
-"-END RSA PRIVATE KEY-\n"
+"-BEGIN PRIVATE KEY-\n"
+"MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCemVhlidvoMwyR\n"
+"BRwAvYIFbfpZq9i/qbn+N14+imfNif9LzrLRRwyRQ08r2gNowMBieuN0RDap6fMP\n"
+"0f7Q3hgKpZ/5p3E2GqSw+xSiFJcFqCf0GtrH8UWKRsVwZFYfEPSyWzzuvgsCEh8d\n"
+"58vD8TKhdENSfoAI7wV9AifWFKPJwjt4cOi49JoW15aUODb87QvHdz84KoJ3vxN1\n"
+"X6u5ndp74vKhIhdL54heCHdaWG0B1EFong7QzWKn9k9LenopemyqHhCrfbil58ps\n"
+"a12wYgVpptY1up1PsgChfrRvGsp0eoe2fIxgXihsBUbszUeAdvo4evd54VIzcgP/\n"
+"8WBQknrFS0D/TJh3XWPKen36XGjSWxgPo4lc6gqYgf5EiUZM50M09nJ/zvEvBsGc\n"
+"wz1wNxRpQ8EJpUiz1gxGN6FMVvn7neS2LoDgKGmhplGanUhpYSswWr1NRJmY94aR\n"
+"0JRO5cvLriUAYhuj0vnUAfVMazlDg9bXI9KC57yNGg4UvtovdOBqxey5dVE//GG7\n"
+"/zAoHbPkPg7BdLMIolB7HXz/DOEGyzTIGYAFg3KUIl42PsbxtsPCKjKqb/T23mKc\n"
+"ZcbmdLhPOiGm4yVwM4LDUlW3nywtq7fcnJarTWz9B7tjszJYIMcAH95hnXIb6LQB\n"
+"wlY4F8ts+DzGfKGtZSifkTsKMzboxQIDAQABAoICAEla06/jG3tCYUWR/2m4PTMV\n"
+"sv1WpmG/tu8F3OlAStKeSR5e9AYnvoBRiYTWyUziGhlyjVFxW3crZeijUCB7GNOT\n"
+"13I5J/vGRvY0q05sB43uQMx+v0JLLcbPBPL+9XZY+VSlLoGeFKlYiFvkojJ2lNxo\n"
+"UdsN91oqc3dmT9aMpVTkKW2Di6BAQiTegh78ATLq0M/pL6xivQV1syJOpbasdClo\n"
+"xqAQjIXnCQO1Fr8KtyBpc/dXY7LfzAmzuulGNMqKfUgRr9Qhyg2yL8YFwseaDrbX\n"
+"G6yuK6R4yCHp4LqiwZEuOycEZEkOQ9PyfON57uBUJ1eISH5u4P46de8jTVD27yEn\n"
+"SezHd1TxzOl1pXMZfEOthRiDaXuEATxioJsxNVOp+boEXrtQ3k61goqs7JPWzi1g\n"
+"vLTK4YVlDHaCz8NTeqgnaMl1J04ourXJV/uTVcPjNiaof6f+tXS/PWEPef2mraDl\n"
+"PSdwpOThQvQbknl9sVKFpIyqUvHDZWm0lcn4eK2DAkux9nW4FBduqCRjtJej+nzw\n"
+"kTlyqaFhxvfwEwBq7by82a6wV86Qu1TyA3vRnGrB7u3/ZGvXbq25S2PvmB5BEctQ\n"
+"5qHL3bQxbGOqgHUo/E3y/zqwF5bSnwKNyy1DlPowQW9DkTcYqj/kdYTq9gxaCFpB\n"
+"6yr5tnsCBGil+sYdkhYBAoIBAQDMyi93tQT2sXV5+iK6ah5FsjIttNb10BMdqoI0\n"
+"UUJrjWIfbbx/BDAI4CWzQI4rVcdeNW4On/4wUFfeiNmwRYBQ7z26182gptNpEQFc\n"
+"dIn0hbv0Q7S/gkiqncpWRFCFu2/9QwD45SkcNOswTwis+YNFWUSTq2rJuFmDNHKj\n"
+"6W//OPK/b8Efq9pMqSdISXHmx2LCapgYiifqKy/PDeWnw+E07R7yLJE6AQceXLhd\n"
+"NHsWUR8O0ubTk8BwroocHw6VKM/9hVsEaXOemcMt4Ia7AbR3Qn13HbnJyQyDFd/9\n"
+"jUaAPpd8fspYk1KI9HVaA1JnZEWgyMvqCbd0XNEwScV83e1VAoIBAQDGQjZzFrDS\n"
+"G5G4bvVwAMEbvg1+diU5PScbhMLss5kMlunCm6LROsQLLiYOxynFMNkJvfa8X7z0\n"
+"1fsOYmDsCu7RTw2VO7nRiJP3AS6b9cvj4SpcjqvssC6L3GmXIvPlrYQAn/K6QMUe\n"
+"E3DnwT9Zn1op5C7H1Cid7AnAEYVWcSLzQd0QrBCaNVAK756ucop+7dls7YTgWz8T\n"
+"07rc1YWmZXFwhmXXv5DcpkU3sExQTro0ZhIg9iJe4A3j7lXCSmugL2JL7l0lNTIq\n"
+"1GsJvDQfRaSnizbiS2oY6FaRGPSelifyUn8pjSyR0HVV1pN/Z9kNzeHd3A24NuYg\n"
+"XbjOO2tJ1o2xAoIBAHvB77+iyFYg1gKZtCT9fj/WOVa/w2wXi4XRBhCBzubaMSMX\n"
+"GOOVb0Xd10qlR4VOuEXpehIig+VEmGVmRE+vIKVIfwCL67sbNgV3fmAWGUyJCRXL\n"
+"WM6m+C0LYDyT2imHJV1jAZJoQljGbh7qlC6cNsVQ9g1beRRgcM/GgUUnDESrcJ9Z\n"
+"9Naj7y+GxbN8lvXFJpyg+DtUOlzcLm8tUcz5pf5rEdl+L2FjP58Mn2nMDlplOaSm\n"
+"tVHFJ3WxNMtbxV9Eo7Tswx0+cN22xGnUFveqRxoPN20lrKIR+pq5PHyoxKM5sChP\n"
+"Iw82MJmNSeHUwhazVRSeZASSTKhocw6AdnVIVGUCggEAfm06y6lsmI98HWCkowfY\n"
+"HRjVAg/VLOsSRTokE010C9MwvikBautOmNKU8lePC3Ba9xtsfDORC5BoyINzyxIt\n"
+"uMvwnXm4xSWTNbBLSKk1m9u6Z8uTVxwCkq27p+ViItTDmKJm5t7m1IcROLjC7SPx\n"
+"G0Wnj0Z7oDkk/pYtsTH0V6tojXksHSpiIJ