OpenSSL 3.2.1 breaks TLS related pytests

[andypost]

Started to package new release and see a lot of test failures, probably it's caused by upgrade to OpenSSL 3.2.1

There's following logs

test/test_tls_sni.py::test_tls_sni FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:18 [error] 6224#6227 *39315 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_no_hostname FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:19 [error] 6224#6227 *39444 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_upper_case FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:21 [error] 6224#6227 *39573 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_only_bundle FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:23 [error] 6224#6227 *39702 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_wildcard FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:26 [error] 6224#6227 *39831 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_duplicated_bundle FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [warn] 6224#6224 ignored duplicate name "alt2.localhost.com" in certificate "localhost.com", identical name appears in "localhost.com"
2024/03/27 03:05:28 [error] 6224#6227 *39960 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_same_alt FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "s" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "a" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "m" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "e" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "." in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "l" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "t" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "n" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "c" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [warn] 6224#6224 ignored duplicate name "o" in certificate "example", identical name appears in "localhost"
2024/03/27 03:05:30 [error] 6224#6227 *40089 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_empty_cn FAILEDPath to unit.log:
/tmp/unit-test-i46362ls/unit.log
2024/03/27 03:05:32 [error] 6224#6227 *40218 SSL_do_handshake(12) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)
test/test_tls_sni.py::test_tls_sni_invalid PASSED
test/test_tls_tickets.py::test_tls_ticket SKIPPED (ticket check is not
supported)
test/test_tls_tickets.py::test_tls_ticket_string SKIPPED (ticket check
is not supported)
test/test_tls_tickets.py::test_tls_ticket_array SKIPPED (ticket check is
not supported)
test/test_tls_tickets.py::test_tls_ticket_invalid PASSED

[andypost]

all CI jobs https://gitlab.alpinelinux.org/alpine/aports/-/pipelines/222161

[ac000]

This looks like something specific to our tests as OpenSSL 3.2.1 itself
seems to work fine with current Unit.

This error

2024/03/27 21:17:49 [error] 4401#4404 *26 SSL_do_handshake(33) failed (1048: tlsv1 alert unknown ca) (OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48)

Would indicate that it doesn't know about our CA, which will just be
some dummy thing for the tests.

I get the above error from Unit when I use curl without the -k option
with a self-signed certificate.

Looks like our tests need to do the same thing as -k in curl...

[andypost]

thank you! works as patch on Alpine

[ac000]

Great, thanks for testing!