Re: [naviserver-devel] aead::encrypt test failures
The problem with ns_crypto::aead::encrypt/decrypt test under OpenSSL 1.1.1 (OpenSSL 1.1.1-1ubuntu2.1~18.04.21) on Ubuntu 18.04.4 is now fixed in the repositotry. In short, the problem was that with this version of OpenSSL, setting empty additional authenticated data (AAD) behaved differently from other versions, namely it was clearing incorrectly the information that the initialization vector (IV) was already set. An upgrade of OpenSSL fixed the problem. However, with these changes, also the stock version of OpenSSL can be used. Fixing this was more tricky as already apprehend, but solving a riddle is also rewarding. all the best -g ___ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
Re: [naviserver-devel] aead::encrypt test failures
On 09.03.23 17:30, Andrew Piskorski wrote: In the meantime, how widely used within NaviServer is aead::encrypt? Is it necessary for basic serving of https pages, or just an extra API programmers can optionally use? Do even the latest versions of OpenACS depend on it? (In other words, I'm wondering if these two aead::encrypt test failures actually matter for me.) the aead::* functions are not used anywhere in OpenACS, these are not used for serving pages via TLS/... or other kind of "regular" or "internal" usage. The only public code that i am aware of is the nswebpush module (optional naviserver module). But of course, every tailored OpenACS application might use this... all the best -g ___ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
Re: [naviserver-devel] aead::encrypt test failures
On Thu, Mar 09, 2023 at 12:27:46PM +0100, Gustaf Neumann wrote: > My first suspicion is the version of OpenSSL in use. OpenSSL is a moving > target. > If i see correctly, there is a version "1.1.1-1ubuntu2.1~18.04.21" in > place for Ubuntu 18.04 will all updates. It this what you are using? Yes, I am. Hm, clearly the best overall approach is for me to upgrade this server, Ubuntu 18.04.4 is very old. In the meantime, how widely used within NaviServer is aead::encrypt? Is it necessary for basic serving of https pages, or just an extra API programmers can optionally use? Do even the latest versions of OpenACS depend on it? (In other words, I'm wondering if these two aead::encrypt test failures actually matter for me.) On that old server, I'm currently using an old version of NaviServer with code from 2020-06-15. It had zero failed tests, and still seems to be working fine. Btw, these are the package versions I see on Ubuntu: Ubuntu 18.04.4: libssl-dev version 1.1.1-1ubuntu2.1~18.04.21 Ubuntu 20.04.1: libssl-dev version 1.1.1f-1ubuntu2.17 Ubuntu 22.04.2: libssl-dev version 3.0.2-0ubuntu1.8 Ubuntu 22.04 stopped shipping OpenSSL 1.1.x entirely, and replaced it with 3.0.2. And it looks like the newer OpenSSL 3.x is NOT included at all in the older 18.04 and 20.04 distributions of Ubuntu. -- Andrew Piskorski ___ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
Re: [naviserver-devel] aead::encrypt test failures
Small update: with Ubuntu 18.04 + "OpenSSL 1.1.1-1ubuntu2.1~18.04.21", also older versions of naviserver do not work (went back until 4.99.20, jan 2021). so, in case this is really needed, it requires detailed debugging, including comparing the results of OpenSSL API calls. -gn On 09.03.23 12:27, Gustaf Neumann wrote: On 08.03.23 21:52, Andrew Piskorski wrote: Building the NaviServer head (latest code from 2023-03-02), I'm getting two "make test" failures, both from aead::encrypt (below). Any advice for me on what the problem might be, My first suspicion is the version of OpenSSL in use. OpenSSL is a moving target. If i see correctly, there is a version "1.1.1-1ubuntu2.1~18.04.21" in place for Ubuntu 18.04 will all updates. It this what you are using? Options: - Upgrade of OpenSSL (i have just tested an installation with 18.04 + OpenSSL 3) - Upgrade of Ubuntu (18.04 is not the youngest) - Downgrade of NaviServer: there were changes between NaviServer 4.99.23 and .24 concerning support of OpenSSL 3.0 - using newer API calls - so maybe these newer API calls are available in this version of OpenSSL, but not fully functioning yet. ... and of course, provide a fix to "make it work" also in your combination. -gn or how I should further track it down? (Thanks!) This is on an old Ubuntu 18.04.4 LTS machine, using gcc 8.4.0, and Tcl 8.6.13. My built-from-source Tcl includes nsf 2.4.0, Thread 2.8.9, tdom 0.9.3, and tcllib 1.20. ## Excerpts from "make test" output: [08/Mar/2023:15:23:16][11421.7f2097bfc700][-command-] Notice: SSL_shutdown(33) has failed: error:14094123:SSL routines:ssl3_read_bytes:application data after close notify ns_crypt.test ns_crypto.test aead-1.0 aead::encrypt FAILED Result was: bytes 0 tag 32 Result should have been (exact matching): bytes 22 tag 32 aead-1.0 FAILED aead-1.1 aead::encrypt and decrypt FAILED Test generated error; Return code was: 1 Return code should have been one of: 0 2 aead-1.1 FAILED Tests ended at Wed Mar 08 15:24:13 EST 2023 all.tcl: Total 1998 Passed 1971 Skipped 25 Failed 2 Sourced 71 Test Files. Files with failing tests: ns_driver.test Number of tests skipped for each constraint: 19 !usingExternalToUtf 2 binaryMismatch 1 copyAliasBug 2 knownBug 1 stress Makefile:236: recipe for target 'test' failed make: *** [test] Error 130 -- Univ.Prof. Dr. Gustaf Neumann Head of the Institute of Information Systems and New Media of Vienna University of Economics and Business Program Director of MSc "Information Systems" ___ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
Re: [naviserver-devel] aead::encrypt test failures
On 08.03.23 21:52, Andrew Piskorski wrote: Building the NaviServer head (latest code from 2023-03-02), I'm getting two "make test" failures, both from aead::encrypt (below). Any advice for me on what the problem might be, My first suspicion is the version of OpenSSL in use. OpenSSL is a moving target. If i see correctly, there is a version "1.1.1-1ubuntu2.1~18.04.21" in place for Ubuntu 18.04 will all updates. It this what you are using? Options: - Upgrade of OpenSSL (i have just tested an installation with 18.04 + OpenSSL 3) - Upgrade of Ubuntu (18.04 is not the youngest) - Downgrade of NaviServer: there were changes between NaviServer 4.99.23 and .24 concerning support of OpenSSL 3.0 - using newer API calls - so maybe these newer API calls are available in this version of OpenSSL, but not fully functioning yet. ... and of course, provide a fix to "make it work" also in your combination. -gn or how I should further track it down? (Thanks!) This is on an old Ubuntu 18.04.4 LTS machine, using gcc 8.4.0, and Tcl 8.6.13. My built-from-source Tcl includes nsf 2.4.0, Thread 2.8.9, tdom 0.9.3, and tcllib 1.20. ## Excerpts from "make test" output: [08/Mar/2023:15:23:16][11421.7f2097bfc700][-command-] Notice: SSL_shutdown(33) has failed: error:14094123:SSL routines:ssl3_read_bytes:application data after close notify ns_crypt.test ns_crypto.test aead-1.0 aead::encrypt FAILED Result was: bytes 0 tag 32 Result should have been (exact matching): bytes 22 tag 32 aead-1.0 FAILED aead-1.1 aead::encrypt and decrypt FAILED Test generated error; Return code was: 1 Return code should have been one of: 0 2 aead-1.1 FAILED Tests ended at Wed Mar 08 15:24:13 EST 2023 all.tcl:Total 1998Passed 1971Skipped 25 Failed 2 Sourced 71 Test Files. Files with failing tests: ns_driver.test Number of tests skipped for each constraint: 19 !usingExternalToUtf 2 binaryMismatch 1 copyAliasBug 2 knownBug 1 stress Makefile:236: recipe for target 'test' failed make: *** [test] Error 130 -- Univ.Prof. Dr. Gustaf Neumann Head of the Institute of Information Systems and New Media of Vienna University of Economics and Business Program Director of MSc "Information Systems" ___ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
[naviserver-devel] aead::encrypt test failures
Building the NaviServer head (latest code from 2023-03-02), I'm getting two "make test" failures, both from aead::encrypt (below). Any advice for me on what the problem might be, or how I should further track it down? (Thanks!) This is on an old Ubuntu 18.04.4 LTS machine, using gcc 8.4.0, and Tcl 8.6.13. My built-from-source Tcl includes nsf 2.4.0, Thread 2.8.9, tdom 0.9.3, and tcllib 1.20. ## Excerpts from "make test" output: [08/Mar/2023:15:23:16][11421.7f2097bfc700][-command-] Notice: SSL_shutdown(33) has failed: error:14094123:SSL routines:ssl3_read_bytes:application data after close notify ns_crypt.test ns_crypto.test aead-1.0 aead::encrypt FAILED Result was: bytes 0 tag 32 Result should have been (exact matching): bytes 22 tag 32 aead-1.0 FAILED aead-1.1 aead::encrypt and decrypt FAILED Test generated error; Return code was: 1 Return code should have been one of: 0 2 aead-1.1 FAILED Tests ended at Wed Mar 08 15:24:13 EST 2023 all.tcl:Total 1998Passed 1971Skipped 25 Failed 2 Sourced 71 Test Files. Files with failing tests: ns_driver.test Number of tests skipped for each constraint: 19 !usingExternalToUtf 2 binaryMismatch 1 copyAliasBug 2 knownBug 1 stress Makefile:236: recipe for target 'test' failed make: *** [test] Error 130 -- Andrew Piskorski ___ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel