Bug#900160: ruby-eventmachine: FTBFS against openssl 1.1.1
Control: user debian-rele...@lists.debian.org
Control: usertag -1 +bsp-2018-12-ch-bern
Control: clone -1 -2
Control: retitle -2 ruby-eventmachine: B-D against libssl1.0-dev
Control: severity -2 important
Control: tags -2 +help +upstream
Control: tags -1 +pending

On Thursday, 4 October 2018, 15.38:39 h CET peter green wrote:
> It seems that ruby-eventmachine has a hardcoded 1024 bit CA certificate and
> key, I tried replacing this with a 4096 bit one but the testsuite still
> failed, I then tried replacing the client cert in the test with one signed
> by the new CA but that didn't fix things either.

I've taken another look, and your patch gets rid of the first error; but then other errors trigger:

```
TestSslVerify:
  test_accept_server: /build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb: 64: warning: global variable `$cert_from_server' not initialized
F
```

This seems to indicate that the `ssl_verify_peer` method from the test Servers is just not called. If I comment these lines out, then the error becomes:

```
TestSslVerify:
  test_accept_server: F
===
Failure:
test_accept_server(TestSslVerify):
  is not true.
/build/ruby-eventmachine-1.0.7/tests/test_ssl_verify.rb:66:in `test_accept_server'
     63:
     64: #assert_equal($cert_from_file, $cert_from_server)
     65: assert($client_handshake_completed)
  => 66: assert($server_handshake_completed)
     67: end
     68:
     69: def test_deny_server
===
: (0.029365)
```

So it's really not working, even with bigger keys; deactivating the test is only going to hide the fact that SSL verification is broken.

I have also tried to build the current status of the VCS repository from https://salsa.debian.org/ruby-team/ruby-eventmachine but many other tests fail with that version too.

Finally, I have tried backporting various patches from upstream without luck; I felt mostly stabbing ghosts in the dark. In Debian, the package seems very old (2015) and not maintained very actively; it should be updated or removed (but has too many reverse dependencies).
That said, the situation upstream doesn't look very bright either; upstream doesn't seem to test against OpenSSL 1.1 either:
https://travis-ci.org/eventmachine/eventmachine/jobs/414199579

But… One not too horrible way to fix this bug is to let ruby-eventmachine Build-Depend against libssl1.0-dev; thereby letting it build in unstable again, and documenting in its Build-Depends that it only builds against openssl << 1.1.

debdiff attached, package uploaded!

Cheers,
OdyX

diff -Nru ruby-eventmachine-1.0.7/debian/changelog ruby-eventmachine-1.0.7/debian/changelog --- ruby-eventmachine-1.0.7/debian/changelog 2017-01-23 01:36:45.0 +0100 +++ ruby-eventmachine-1.0.7/debian/changelog 2018-12-02 13:44:21.0 +0100 @@ -1,3 +1,11 @@ +ruby-eventmachine (1.0.7-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Build-Depend against libssl1.0-dev; aka OpenSSL << 1.1 +(Closes: #900160) + + -- Didier Raboud Sun, 02 Dec 2018 13:44:21 +0100 + ruby-eventmachine (1.0.7-4) unstable; urgency=medium * Team upload. diff -Nru ruby-eventmachine-1.0.7/debian/control ruby-eventmachine-1.0.7/debian/control --- ruby-eventmachine-1.0.7/debian/control 2017-01-23 01:36:45.0 +0100 +++ ruby-eventmachine-1.0.7/debian/control 2018-12-02 13:31:53.0 +0100 @@ -9,7 +9,7 @@ Per Andersson Build-Depends: debhelper (>= 9~), gem2deb, - libssl-dev, + libssl1.0-dev, rake, ruby-test-unit Standards-Version: 3.9.8
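Review bot: The debian/changelog entry "Build-Depend against libssl1.0-dev; aka OpenSSL << 1.1 (Closes: #900160)" does not say that this is a workaround. The accompanying mail states that SSL verification still fails against OpenSSL 1.1 and that the bug was cloned to track it, but a reader of the changelog alone would take the build failure as fixed. Suggest adding a bullet stating that the package still does not build against OpenSSL 1.1 and that the cloned bug tracks the real fix.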
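Review bot: In the debian/control hunk, the Build-Depends entry changes from `libssl-dev,` to `libssl1.0-dev,` with nothing beside it explaining the pin. The mail says the intent is to document that the package only builds against openssl << 1.1, and the package name alone does not carry the reason. Suggest a `#` comment line above the entry pointing at #900160 and the failing `test_ssl_verify.rb` handshake, so a later upload does not switch back to `libssl-dev` without rerunning those tests.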
Bug#900160: ruby-eventmachine: FTBFS against openssl 1.1.1
It seems that ruby-eventmachine has a hardcoded 1024 bit CA certificate and key, I tried replacing this with a 4096 bit one but the testsuite still failed, I then tried replacing the client cert in the test with one signed by the new CA but that didn't fix things either.

Description: Replace hardcoded cert/key with a 4096 bit one to keep recent openssl happy.
Author: Peter Michael Green

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: ,
Bug:
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded:
Reviewed-By:
Last-Update: 2018-10-04

Index: ruby-eventmachine-1.0.7/ext/ssl.cpp === --- ruby-eventmachine-1.0.7.orig/ext/ssl.cpp +++ ruby-eventmachine-1.0.7/ext/ssl.cpp
@@ -32,47 +32,96 @@ static EVP_PKEY *DefaultPrivateKey = NUL static X509 *DefaultCertificate = NULL; static char PrivateMaterials[] = { -"-BEGIN RSA PRIVATE KEY-\n" -"MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n" -"Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n" -"AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n" -"AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n" -"H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n" -"I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n" -"6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n" -"w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n" -"PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n" -"xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n" -"xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n" -"dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n" -"2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n" -"-END RSA PRIVATE KEY-\n" +"-BEGIN PRIVATE KEY-\n" +"MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCemVhlidvoMwyR\n" +"BRwAvYIFbfpZq9i/qbn+N14+imfNif9LzrLRRwyRQ08r2gNowMBieuN0RDap6fMP\n" +"0f7Q3hgKpZ/5p3E2GqSw+xSiFJcFqCf0GtrH8UWKRsVwZFYfEPSyWzzuvgsCEh8d\n" +"58vD8TKhdENSfoAI7wV9AifWFKPJwjt4cOi49JoW15aUODb87QvHdz84KoJ3vxN1\n" +"X6u5ndp74vKhIhdL54heCHdaWG0B1EFong7QzWKn9k9LenopemyqHhCrfbil58ps\n" +"a12wYgVpptY1up1PsgChfrRvGsp0eoe2fIxgXihsBUbszUeAdvo4evd54VIzcgP/\n" +"8WBQknrFS0D/TJh3XWPKen36XGjSWxgPo4lc6gqYgf5EiUZM50M09nJ/zvEvBsGc\n" +"wz1wNxRpQ8EJpUiz1gxGN6FMVvn7neS2LoDgKGmhplGanUhpYSswWr1NRJmY94aR\n" +"0JRO5cvLriUAYhuj0vnUAfVMazlDg9bXI9KC57yNGg4UvtovdOBqxey5dVE//GG7\n" +"/zAoHbPkPg7BdLMIolB7HXz/DOEGyzTIGYAFg3KUIl42PsbxtsPCKjKqb/T23mKc\n" +"ZcbmdLhPOiGm4yVwM4LDUlW3nywtq7fcnJarTWz9B7tjszJYIMcAH95hnXIb6LQB\n" +"wlY4F8ts+DzGfKGtZSifkTsKMzboxQIDAQABAoICAEla06/jG3tCYUWR/2m4PTMV\n" 
+"sv1WpmG/tu8F3OlAStKeSR5e9AYnvoBRiYTWyUziGhlyjVFxW3crZeijUCB7GNOT\n" +"13I5J/vGRvY0q05sB43uQMx+v0JLLcbPBPL+9XZY+VSlLoGeFKlYiFvkojJ2lNxo\n" +"UdsN91oqc3dmT9aMpVTkKW2Di6BAQiTegh78ATLq0M/pL6xivQV1syJOpbasdClo\n" +"xqAQjIXnCQO1Fr8KtyBpc/dXY7LfzAmzuulGNMqKfUgRr9Qhyg2yL8YFwseaDrbX\n" +"G6yuK6R4yCHp4LqiwZEuOycEZEkOQ9PyfON57uBUJ1eISH5u4P46de8jTVD27yEn\n" +"SezHd1TxzOl1pXMZfEOthRiDaXuEATxioJsxNVOp+boEXrtQ3k61goqs7JPWzi1g\n" +"vLTK4YVlDHaCz8NTeqgnaMl1J04ourXJV/uTVcPjNiaof6f+tXS/PWEPef2mraDl\n" +"PSdwpOThQvQbknl9sVKFpIyqUvHDZWm0lcn4eK2DAkux9nW4FBduqCRjtJej+nzw\n" +"kTlyqaFhxvfwEwBq7by82a6wV86Qu1TyA3vRnGrB7u3/ZGvXbq25S2PvmB5BEctQ\n" +"5qHL3bQxbGOqgHUo/E3y/zqwF5bSnwKNyy1DlPowQW9DkTcYqj/kdYTq9gxaCFpB\n" +"6yr5tnsCBGil+sYdkhYBAoIBAQDMyi93tQT2sXV5+iK6ah5FsjIttNb10BMdqoI0\n" +"UUJrjWIfbbx/BDAI4CWzQI4rVcdeNW4On/4wUFfeiNmwRYBQ7z26182gptNpEQFc\n" +"dIn0hbv0Q7S/gkiqncpWRFCFu2/9QwD45SkcNOswTwis+YNFWUSTq2rJuFmDNHKj\n" +"6W//OPK/b8Efq9pMqSdISXHmx2LCapgYiifqKy/PDeWnw+E07R7yLJE6AQceXLhd\n" +"NHsWUR8O0ubTk8BwroocHw6VKM/9hVsEaXOemcMt4Ia7AbR3Qn13HbnJyQyDFd/9\n" +"jUaAPpd8fspYk1KI9HVaA1JnZEWgyMvqCbd0XNEwScV83e1VAoIBAQDGQjZzFrDS\n" +"G5G4bvVwAMEbvg1+diU5PScbhMLss5kMlunCm6LROsQLLiYOxynFMNkJvfa8X7z0\n" +"1fsOYmDsCu7RTw2VO7nRiJP3AS6b9cvj4SpcjqvssC6L3GmXIvPlrYQAn/K6QMUe\n" +"E3DnwT9Zn1op5C7H1Cid7AnAEYVWcSLzQd0QrBCaNVAK756ucop+7dls7YTgWz8T\n" +"07rc1YWmZXFwhmXXv5DcpkU3sExQTro0ZhIg9iJe4A3j7lXCSmugL2JL7l0lNTIq\n" +"1GsJvDQfRaSnizbiS2oY6FaRGPSelifyUn8pjSyR0HVV1pN/Z9kNzeHd3A24NuYg\n" +"XbjOO2tJ1o2xAoIBAHvB77+iyFYg1gKZtCT9fj/WOVa/w2wXi4XRBhCBzubaMSMX\n" +"GOOVb0Xd10qlR4VOuEXpehIig+VEmGVmRE+vIKVIfwCL67sbNgV3fmAWGUyJCRXL\n" +"WM6m+C0LYDyT2imHJV1jAZJoQljGbh7qlC6cNsVQ9g1beRRgcM/GgUUnDESrcJ9Z\n" +"9Naj7y+GxbN8lvXFJpyg+DtUOlzcLm8tUcz5pf5rEdl+L2FjP58Mn2nMDlplOaSm\n" +"tVHFJ3WxNMtbxV9Eo7Tswx0+cN22xGnUFveqRxoPN20lrKIR+pq5PHyoxKM5sChP\n" +"Iw82MJmNSeHUwhazVRSeZASSTKhocw6AdnVIVGUCggEAfm06y6lsmI98HWCkowfY\n" +"HRjVAg/VLOsSRTokE010C9MwvikBautOmNKU8lePC3Ba9xtsfDORC5BoyINzyxIt\n" 
+"uMvwnXm4xSWTNbBLSKk1m9u6Z8uTVxwCkq27p+ViItTDmKJm5t7m1IcROLjC7SPx\n" +"G0Wnj0Z7oDkk/pYtsTH0V6tojXksHSpiIJ
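Review bot: In the ext/ssl.cpp hunk, the new contents of `PrivateMaterials[]` are still a private key committed to public source. Raising the size to 4096 bits does what the Description calls keeping recent openssl happy, but anyone can read the key behind `DefaultPrivateKey` and `DefaultCertificate`, so it gives a peer no assurance about who holds it. Suggest a comment above the array stating that this is a built-in fallback key that must not be relied on for authentication. The PEM header also changes from "RSA PRIVATE KEY" to "PRIVATE KEY", so it is worth confirming that the code loading `PrivateMaterials` accepts that encoding, since the loader is not part of this hunk.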