Skip to content

test_tls_certificate_change fails with OpenSSL 3.5 #1600

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jirutka opened this issue Apr 22, 2025 · 1 comment · May be fixed by #1601
Open

test_tls_certificate_change fails with OpenSSL 3.5 #1600

jirutka opened this issue Apr 22, 2025 · 1 comment · May be fixed by #1601

Comments

@jirutka
Copy link

jirutka commented Apr 22, 2025

Bug Overview

When building the unit package:

===================================================== ERRORS ======================================================
________________________________ ERROR at teardown of test_tls_certificate_change _________________________________

request = <SubRequest 'run' for <Function test_tls_certificate_change>>

    @pytest.fixture(autouse=True)
    def run(request):
        unit = unit_run()

        option.skip_alerts = [
            r'read signalfd\(4\) failed',
            r'sendmsg.+failed',
            r'recvmsg.+failed',
        ]
        option.skip_sanitizer = False

        _fds_info['main']['skip'] = False
        _fds_info['router']['skip'] = False
        _fds_info['controller']['skip'] = False

        yield

        # stop unit

        error_stop_unit = unit_stop()
        error_stop_processes = stop_processes()

        # prepare log

        with Log.open() as f:
            log = f.read()
            Log.set_pos(f.tell())

        if not option.save_log and option.restart:
            shutil.rmtree(unit['temp_dir'])
            Log.set_pos(0)

        # clean temp_dir before the next test

        if not option.restart:
            _clear_conf(log=log)
            _clear_temp_dir()

        # check descriptors

        _check_fds(log=log)

        # check processes id's and amount

        _check_processes()

        # print unit.log in case of error

        if hasattr(request.node, 'rep_call') and request.node.rep_call.failed:
            Log.print_log(log)

        if error_stop_unit or error_stop_processes:
            Log.print_log(log)

        # check unit.log for errors

        assert error_stop_unit is None, 'stop unit'
        assert error_stop_processes is None, 'stop processes'

>       Log.check_alerts(log=log)

test/conftest.py:261:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test/unit/log.py:17: in inner_function
    raise exception
test/unit/log.py:14: in inner_function
    func(*args, **kwargs)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

log = '2025/04/22 22:52:46 [alert] 25717#25722 *7628 SSL_shutdown(15) failed (32: Broken pipe) (32: [null]) (OpenSSL: error:80000020:system library::Broken pipe:tls_retry_write_records failure)\n2025/04/22 22:52:46 [alert] 25717#25722 *7651 SSL_shutdown(15) failed (32: Broken pipe) (32: [null]) (OpenSSL: error:80000020:system library::Broken pipe:tls_retry_write_records failure)\n'

    @staticmethod
    @print_log_on_assert
    def check_alerts(log=None):
        if log is None:
            log = Log.read()

        found = False
        alerts = re.findall(r'.+\[alert\].+', log)

        if alerts:
            found = True

            if option.detailed:
                print('\nAll alerts/sanitizer errors found in log:')
                _ = [print(alert) for alert in alerts]

        if option.skip_alerts:
            for skip in option.skip_alerts:
                alerts = [al for al in alerts if re.search(skip, al) is None]

>       assert not alerts, 'alert(s)'
E       AssertionError: alert(s)

test/unit/log.py:45: AssertionError
============================================= short test summary info =============================================
ERROR test/test_tls.py::test_tls_certificate_change - AssertionError: alert(s)
====================== 735 passed, 55 skipped, 195 deselected, 1 error in 275.93s (0:04:35) =======================

Expected Behavior

.

Steps to Reproduce the Bug

.

Environment Details

  • Target deployment platform: ~
  • Target OS: Alpine Linux Edge x86_64
  • Version of this project or specific commit: 1.34.2
  • Version of any relevant project languages: ~

Additional Context

  • OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)
@ac000
Copy link
Member

ac000 commented Apr 22, 2025

Seeing this on master.

Fedora 42 is OK. That has OpenSSL 3.2.4. Fedora Rawhide is showing the issue with OpenSSL 3.5.0, so yeah, looks like something changed between 3.2 and 3.5...

@jirutka jirutka changed the title test_tls_certificate_change fails on Alpine Linux Edge test_tls_certificate_change fails with OpenSSL 3.5 Apr 23, 2025
andypost added a commit to andypost/unit that referenced this issue Apr 24, 2025
@andypost
Treat a “broken pipe” on SSL_shutdown() as a normal close
31d410f 
Fixes nginx#1600
@andypost andypost linked a pull request Apr 24, 2025 that will close this issue
Open
5 tasks
andypost added a commit to andypost/unit that referenced this issue Apr 25, 2025
@andypost
Treat a “broken pipe” on SSL_shutdown() as a normal close
fbc791a 
Fixes nginx#1600
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Treat a “broken pipe” on SSL_shutdown() as a normal close andypost/unit
2 participants
@ac000 @jirutka