On 26.03.2016 at 22:00, Rainer Jung wrote:
On 25.03.2016 at 04:53, Bill Barker wrote:
...

    [concat] Testsuites with failed tests:
    [concat] TEST-org.apache.tomcat.util.net.TestSsl.APR.txt
...

    [concat] TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.APR.txt
    [concat] TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.APR.txt

Currently SSL tests which initialize APR twice fail with OpenSSL 1.1,
because we call EVP_cleanup() during deinitialize, but OpenSSL 1.1 does
not reinitialize the second time. So looking up digests via EVP fails
after the second init and as a consequence TLS fails.

Example: in TestSsl the first test testSimpleSsl succeeds, then comes
deinit and another init, and the test testKeyPass fails with

error:140A90F2:SSL routines:SSL_CTX_new:unable to load ssl3 md5 routines

Despite the "ssl3" contained in the error text, this error doesn't have
to do with choosing SSLv3 as protocol. In this case the protocol string
doesn't contain SSLv3 and the error happens before the protocol is
configured during looking up a digest named ssl3-md5 via EVP which
normally always exists (had we not removed it by calling EVP_cleanup()).

In principle OpenSSL 1.1 does initialize automatically, so we could skip
it for 1.1, but some things in our init might still be necessary and
thus also their respective deinit parts. It is a bit hairy to decide
which parts are still needed and which parts are automatic.

If no one beats me to it I'll try to fix this next week.

The EVP_cleanup problem was probably fixed today in OpenSSL master by:

commit 22c84afa773559279af928652a2d9f3489cc7d73
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Apr 4 15:28:58 2016 +0100

    Deprecate EVP_cleanup() and make it a no-op

    EVP_cleanup() should not be called explicitly - we should leave
    auto-deinit to clean this up instead.

    Reviewed-by: Tim Hudson <t...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>

We'll see how tests behave after Gump picks up the new OpenSSL snapshot tomorrow.

Regards,

Rainer
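
The failure mode described in this thread, as an added example that is not part of the original mails and is not OpenSSL or Tomcat Native code: a constructed model of a run-once init guard combined with an explicit cleanup, run through init, use, deinit, init, use. All `model_*` names and `second_cycle_ok` are hypothetical; only the digest name `ssl3-md5` comes from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL source: a digest table filled by a run-once init. */
static const char *digest_table[4];
static int digest_count;
static int init_done;                 /* run-once guard, never reset by cleanup */

static void model_auto_init(void) {
    if (init_done) return;            /* a second init is skipped */
    digest_table[0] = "ssl3-md5";
    digest_table[1] = "ssl3-sha1";
    digest_count = 2;
    init_done = 1;
}

static void model_evp_cleanup(int is_noop) {
    if (is_noop) return;              /* behaviour after the quoted commit */
    digest_count = 0;                 /* explicit cleanup empties the table */
}

static int model_lookup(const char *name) {
    for (int i = 0; i < digest_count; i++)
        if (strcmp(digest_table[i], name) == 0) return 1;
    return 0;
}

/* Context creation needs ssl3-md5; returns 1 on success, 0 on failure. */
static int model_ctx_new(void) {
    model_auto_init();
    return model_lookup("ssl3-md5");
}

/* Run init -> use -> deinit -> init -> use; return the result of the second use. */
int second_cycle_ok(int cleanup_is_noop) {
    init_done = 0; digest_count = 0;      /* fresh process state */
    if (!model_ctx_new()) return -1;      /* first use must succeed */
    model_evp_cleanup(cleanup_is_noop);   /* deinitialize */
    return model_ctx_new();               /* second init and lookup */
}

int main(void) {
    printf("explicit cleanup: second ctx %s\n", second_cycle_ok(0) ? "ok" : "fails");
    printf("no-op cleanup:    second ctx %s\n", second_cycle_ok(1) ? "ok" : "fails");
    return 0;
}
```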
