CI failing on openssl cases #778

Closed
junaruga opened this issue Jul 24, 2024 · 9 comments

@junaruga
Member

I synchronized the latest master branch in the repository into the one in my forked repository. Then I see the following CI failures in openssl cases.

https://github.com/junaruga/ruby-openssl/actions/runs/10075912441

I see 2 types of failures in the CI.

Failing to download the OpenSSL source archive file

For most of the openssl cases, it is failing to get the source code of OpenSSL from the openssl.org website.

$ curl -OL https://openssl.org/source/openssl-1.0.2u.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   127  100   127    0     0   1182      0 --:--:-- --:--:-- --:--:--  1186

$ echo $?
0

$ cat openssl-1.0.2u.tar.gz
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>

Seeing the official page, the source archive is linked to GitHub's release pages.
https://openssl-library.org/source/index.html

For example, the openssl-3.3.1.tar.gz is linked to the https://github.com/openssl/openssl/releases/download/openssl-3.3.1/openssl-3.3.1.tar.gz .

A challenge is I couldn't find the link to the openssl-1.0.2u.tar.gz . This is not convenient for our CI flow.
https://github.com/openssl/openssl/releases

I am asking the folks at the OpenSSL project on the following discussion page, and getting a temporary workflow.
openssl/openssl#24984

openssl-head fips failing

The 2nd type of the failure is openssl-head fips case specific. The following error happened with OpenSSL master branch commit openssl/openssl@14e4660.

https://github.com/junaruga/ruby-openssl/actions/runs/10075912441/job/27855173380#step:13:35

ruby 3.0.7p220 (2024-04-23 revision 724a071175) [x86_64-linux]
/home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/pkey.rb:132:in `new'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/pkey.rb:132:in `new'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:36:in `<class:SSLContext>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:23:in `<module:SSL>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:22:in `<module:OpenSSL>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:21:in `<top (required)>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl.rb:22:in `require_relative'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl.rb:22:in `<top (required)>'
  from <internal:/opt/hostedtoolcache/Ruby/3.0.7/x64/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
  from <internal:/opt/hostedtoolcache/Ruby/3.0.7/x64/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
rake aborted!
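
The first failure in the post above, curl exiting 0 while writing a 127-byte XML error document to openssl-1.0.2u.tar.gz, is caught by checking the file itself rather than curl's exit status alone. This is an added example, not from the thread or the ruby/openssl CI; `fetch` and `verify_archive` are hypothetical helpers, and the sample files and digests are constructed.

```shell
#!/bin/sh
# Added example: reject a "successful" download that is not the expected archive.

# fetch URL OUT (hypothetical helper, not called in the offline demo below).
# --fail makes curl exit non-zero on an HTTP error status instead of
# saving the error document under the archive's name.
fetch() {
    curl --fail --location --silent --show-error -o "$2" "$1"
}

# verify_archive FILE EXPECTED_SHA256
# returns 0 = ok, 1 = not a valid gzip stream, 2 = digest mismatch
verify_archive() {
    gzip -t "$1" 2>/dev/null || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] || return 2
    return 0
}

# check FILE SHA256: print verify_archive's status without aborting the caller
check() {
    rc=0
    verify_archive "$1" "$2" || rc=$?
    echo "$rc"
}

# --- constructed sample inputs (no network needed) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# The error body quoted in the issue, saved under an archive name.
printf '%s' "<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>" \
    > "$demo_dir/error-body.tar.gz"

# A small valid gzip stream standing in for a real release tarball.
printf 'constructed payload\n' | gzip -c > "$demo_dir/good.tar.gz"

# Demo only: in CI the digest is pinned in the workflow, taken from the
# publisher's release page, never computed from the file just downloaded.
good_sha=$(sha256sum "$demo_dir/good.tar.gz" | cut -d' ' -f1)
wrong_sha=$(printf '%064d' 0)   # placeholder digest, all zeros

echo "error body as .tar.gz : $(check "$demo_dir/error-body.tar.gz" "$good_sha")"
echo "valid archive         : $(check "$demo_dir/good.tar.gz" "$good_sha")"
echo "valid gzip, wrong hash: $(check "$demo_dir/good.tar.gz" "$wrong_sha")"
```
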
@junaruga
Member Author

For the above 1st issue, I sent the PR #779 as a temporary workaround, and merged it.

@junaruga
Member Author

junaruga commented Jul 24, 2024

For the above 2nd issue on the openssl-head fips case, the OpenSSL commit at which we saw the CI pass on the case is openssl/openssl@2c7cae5. And the passing log is below.

https://github.com/ruby/openssl/actions/runs/9774837237/job/26983972069#step:3:42

@junaruga
Member Author

I sent the PR #780 to improve the CI related to this issue.

@rhenium
Member

rhenium commented Jul 24, 2024

Re master-fips failure: I have bisected it to openssl/openssl@6d47e81

However I don't understand why this can break DH.

@junaruga
Member Author

Thanks for bisecting it. I am going to ask folks about this issue at the OpenSSL project.

@junaruga
Member Author

Thanks for bisecting it. I am going to ask folks about this issue at the OpenSSL project.

Asking at openssl/openssl#24991.

@junaruga
Member Author

For the above 1st issue, I sent the PR #779 as a temporary workaround, and merged it.

I reverted the PR #779 by the PR #781 as I was told that the OpenSSL project resolved their website issue.

@junaruga
Member Author

Asking at openssl/openssl#24991.

I noticed that Ruby OpenSSL is loading both the base and fips providers again in the openssl-head fips case with the OpenSSL commit openssl/openssl@3c6e114.

https://github.com/junaruga/ruby-openssl/actions/runs/10093820863/job/27910380793#step:13:40

@junaruga
Member Author

I think OpenSSL's commit openssl/openssl@3c6e114 fixed the issue. I tested it locally, and reported it at openssl/openssl#24991 (comment). Let's close this issue ticket.
