Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport 2.16: Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman #4326

Merged
merged 1 commit into from
May 21, 2021
Merged

Backport 2.16: Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman #4326

merged 1 commit into from
May 21, 2021

Conversation

gilles-peskine-arm
Copy link
Contributor

Trivial backport of #4289.

@gilles-peskine-arm
Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman
63a2b91 
Our interoperability tests fail with a recent OpenSSL server. The
reason is that they force 1024-bit Diffie-Hellman parameters, which
recent OpenSSL (e.g. 1.1.1f on Ubuntu 20.04) reject:
```
140072814650688:error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:../ssl/s3_lib.c:3782:
```

We've been passing custom DH parameters since
6195767 because OpenSSL <=1.0.2a
requires it. This is only concerns the version we use as
OPENSSL_LEGACY. So only use custom DH parameters for that version. In
compat.sh, use it based on the observed version of $OPENSSL_CMD.

This way, ssl-opt.sh and compat.sh work (barring other issues) for all
our reference versions of OpenSSL as well as for a modern system OpenSSL.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
@gilles-peskine-arm gilles-peskine-arm added enhancement mbed TLS team needs-review Every commit must be reviewed by at least two team members, component-tls needs-reviewer This PR needs someone to pick it up for review labels Apr 9, 2021
This was referenced Apr 27, 2021
Merged
Merged
@daverodgman daverodgman self-assigned this May 5, 2021
@daverodgman daverodgman added single-reviewer This PR qualifies for having only one reviewer and removed needs-reviewer This PR needs someone to pick it up for review labels May 5, 2021
@daverodgman daverodgman removed their assignment May 5, 2021
@daverodgman daverodgman self-requested a review May 5, 2021 14:35
@mpg mpg removed the needs-review Every commit must be reviewed by at least two team members, label May 21, 2021
@mpg
Copy link
Contributor

mpg commented May 21, 2021

The Travis error is unrelated (failure to clone) and can be ignored since Jenkins passed. Still labelling "needs: ci" while we're waiting for the pr-merge job on Jenkins to complete.

@mpg mpg added needs-ci Needs to pass CI tests approved Design and code approved - may be waiting for CI or backports labels May 21, 2021
@mpg
Copy link
Contributor

mpg commented May 21, 2021

Actually the pr-merge job on Jenkins passed but just failed to report, so this is all good.

@mpg mpg removed the needs-ci Needs to pass CI tests label May 21, 2021
@mpg mpg merged commit 5ee166b into Mbed-TLS:mbedtls-2.16 May 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daverodgman daverodgman daverodgman approved these changes

Assignees
No one assigned
Labels
approved Design and code approved - may be waiting for CI or backports component-tls enhancement single-reviewer This PR qualifies for having only one reviewer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gilles-peskine-arm @mpg @daverodgman