Not sure if it could be considered a bug; it concerns the test suite, let you see
From: arbogast.cedric at gmail.com (gmail)
Date: Sun Mar 27 19:13:50 CEST 2011
Hello,
I have built gnutls-2.12.0 in a chroot jail (gcc 4.5.2/libc
2.13/binutils 2.21/make 3.82) on an Athlon architecture as root and got
the following trouble with testdsa:
[root at pompomgalli] ../gnutls-2.12.0/configure && make
...
[root at pompomgalli] make check
...
make[3]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
make[2]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
Making check in dsa
make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make testdsa
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make[3]: Nothing to be done for
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make check-TESTS
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
Checking various DSA key sizes
Checking DSA-1024 with TLS 1.0
Checking server DSA-1024 with client DSA-1024 and TLS 1.0
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking server DSA-1024 with client DSA-2048 and TLS 1.0
Checking server DSA-1024 with client DSA-3072 and TLS 1.0
../../../gnutls-2.12.0/tests/dsa/testdsa: line 83: kill: `%1': not
a pid or valid job spec
<[CTRL][C]>
^CFAIL: testdsa
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
...
[root at pompomgalli]
I chose to ignore the kill notice and focus on the freeze of the test
(a bad idea, as I will see later...),
and relaunched the test suite a second time to check if it could be repeated:
[root at pompomgalli] make check
...
make[3]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
make[2]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
Making check in dsa
make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make testdsa
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make[3]: Nothing to be done for
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make check-TESTS
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
Checking various DSA key sizes
Checking DSA-1024 with TLS 1.0
Checking server DSA-1024 with client DSA-1024 and TLS 1.0
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking server DSA-1024 with client DSA-2048 and TLS 1.0
Checking server DSA-1024 with client DSA-3072 and TLS 1.0
../../../gnutls-2.12.0/tests/dsa/testdsa: line 67: kill: `%1': not
a pid or valid job spec
Checking DSA-1024 with TLS 1.2
Checking server DSA-1024 with client DSA-1024 and TLS 1.2
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking server DSA-1024 with client DSA-2048 and TLS 1.2
Processed 1 client certificates...
Processed 1 client X.509 certificates...
*** Fatal error: The given DSA key is incompatible with the
selected TLS protocol.
*** Handshake has failed
GnuTLS error: The given DSA key is incompatible with the selected
TLS protocol.
Failure: Failed connection to a server with a client DSA 2048 key
and TLS 1.2!
FAIL: testdsa
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
...
[root at pompomgalli]
Apparently, something was wrong with TLS 1.2, so I turned on debugging in
testdsa:
--- gnutls-2.12.0/tests/dsa/testdsa.orig 2011-03-23
19:46:59.000000000 +0100
+++ gnutls-2.12.0/tests/dsa/testdsa 2011-03-27 14:01:10.000000000 +0200
@@ -24,7 +24,7 @@
SERV="${SERV:-../../src/gnutls-serv} -q"
CLI="${CLI:-../../src/gnutls-cli}"
PORT="${PORT:-5559}"
-DEBUG=""
+DEBUG="-d 9"
unset RETCODE
fail() {
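Review bot: DEBUG="-d 9" is hardcoded here while SERV, CLI and PORT on the lines just above all take an environment override; for a tracing switch that should not land in the tree, `DEBUG="${DEBUG:-}"` keeps the default empty and lets `DEBUG="-d 9" make check` enable it without editing the script. Note also that $DEBUG is passed to $SERV as well as $CLI, and the script sends the server's output to /dev/null, so only the client side of the handshake is traced; that is worth keeping in mind when reading the log below, which shows the client's view only.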
and relaunched the test suite a third time:
[root at pompomgalli] make check
...
Checking server DSA-1024 with client DSA-2048 and TLS 1.2
Processed 1 client certificates...
|<2>| ASSERT: ../../gnutls-2.12.0/lib/x509_b64.c:453
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
Processed 1 client X.509 certificates...
|<4>| REC[0x8062b20]: Allocating epoch #0
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_constate.c:695
|<4>| REC[0x8062b20]: Allocating epoch #1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite:
DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite:
DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x8062b20]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<2>| EXT[0x8062b20]: Sending extension CERT TYPE (3 bytes)
|<2>| EXT[0x8062b20]: Sending extension SERVER NAME (14 bytes)
|<2>| EXT[0x8062b20]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x8062b20]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x8062b20]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x8062b20]: CLIENT HELLO was sent [139 bytes]
|<4>| REC[0x8062b20]: Sending Packet[0] Handshake(22) with length: 139
|<4>| REC[0x8062b20]: Sent Packet[1] Handshake(22) with length: 144
|<4>| REC[0x8062b20]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x8062b20]: Received Packet[0] Handshake(22) with length: 85
|<4>| REC[0x8062b20]: Decrypted Packet[0] Handshake(22) with length: 85
|<3>| HSK[0x8062b20]: SERVER HELLO was received [85 bytes]
|<3>| HSK[0x8062b20]: Server's version: 3.1
|<3>| HSK[0x8062b20]: SessionID length: 32
|<3>| HSK[0x8062b20]: SessionID:
42fdb8a2c661db286038ab89073cbb496eace1fa7f43a23b4e5b23a91e09924a
|<3>| HSK[0x8062b20]: Selected cipher suite: DHE_DSS_AES_128_CBC_SHA1
|<2>| EXT[0x8062b20]: Parsing extension 'SAFE RENEGOTIATION/65281'
(1 bytes)
|<2>| EXT[0x8062b20]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<3>| HSK[0x8062b20]: Safe renegotiation succeeded
|<4>| REC[0x8062b20]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x8062b20]: Received Packet[1] Handshake(22) with length: 863
|<4>| REC[0x8062b20]: Decrypted Packet[1] Handshake(22) with
length: 863
|<3>| HSK[0x8062b20]: CERTIFICATE was received [863 bytes]
|<2>| ASSERT: ../../gnutls-2.12.0/lib/ext_signature.c:386
|<4>| REC[0x8062b20]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x8062b20]: Received Packet[2] Handshake(22) with length: 315
|<4>| REC[0x8062b20]: Decrypted Packet[2] Handshake(22) with
length: 315
|<3>| HSK[0x8062b20]: SERVER KEY EXCHANGE was received [315 bytes]
|<4>| REC[0x8062b20]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0x8062b20]: Received Packet[3] Handshake(22) with length: 9
|<4>| REC[0x8062b20]: Decrypted Packet[3] Handshake(22) with length: 9
|<3>| HSK[0x8062b20]: CERTIFICATE REQUEST was received [9 bytes]
|<2>| ASSERT: ../../gnutls-2.12.0/lib/ext_signature.c:499
|<4>| REC[0x8062b20]: Expected Packet[4] Handshake(22) with length: 1
|<4>| REC[0x8062b20]: Received Packet[4] Handshake(22) with length: 4
|<4>| REC[0x8062b20]: Decrypted Packet[4] Handshake(22) with length: 4
|<3>| HSK[0x8062b20]: SERVER HELLO DONE was received [4 bytes]
|<3>| HSK[0x8062b20]: CERTIFICATE was sent [1293 bytes]
|<3>| HSK[0x8062b20]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_sig.c:716
|<2>| ASSERT: ../../gnutls-2.12.0/lib/auth_cert.c:1559
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_kx.c:336
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_handshake.c:2832
*** Fatal error: The given DSA key is incompatible with the
selected TLS protocol.
|<4>| REC: Sending Alert[2|40] - Handshake failed
|<4>| REC[0x8062b20]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x8062b20]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: The given DSA key is incompatible with the selected
TLS protocol.
|<4>| REC[0x8062b20]: Epoch #0 freed
|<4>| REC[0x8062b20]: Epoch #1 freed
Failure: Failed connection to a server with a client DSA 2048 key
and TLS 1.2!
FAIL: testdsa
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
...
[root at pompomgalli]
After having checked the assert at line 716 in
gnutls-2.12.0/lib/gnutls_sig.c and seen nothing wrong,
I modified it to get details on what the client gets from the server:
--- gnutls-2.12.0/lib/gnutls_sig.c.orig 2011-03-23 19:46:37.000000000 +0100
+++ gnutls-2.12.0/lib/gnutls_sig.c 2011-03-27 14:47:22.000000000 +0200
@@ -712,8 +712,10 @@
case GNUTLS_PK_DSA:
/* ensure 1024 bit DSA keys are used */
hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
- if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo !=
GNUTLS_DIG_SHA1)
+ if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo !=
GNUTLS_DIG_SHA1) {
+ _gnutls_debug_log ("DEBUGLOG: %d, %d, %s\n", ver, hash_algo,
gnutls_mac_get_name (hash_algo));
return
gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+ }
dconcat.data = &concat[16];
dconcat.size = 20;
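Review bot: the added _gnutls_debug_log prints `ver` as a raw enum integer, which is why the value 2 in the trace below had to be decoded by hand; gnutls_protocol_get_name(ver) next to the gnutls_mac_get_name(hash_algo) already used would print the protocol name directly. This is a local diagnostic rather than a change to propose upstream: the condition it wraps is unchanged and correct for what the comment says (a DSA q size that maps to a digest other than SHA-1 cannot be used with a protocol version that has no selectable signature hash), and the trace it produced confirmed the library was behaving as designed.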
And relaunched the test suite a fourth time:
[root at pompomgalli] make check
...
|<3>| HSK[0x8062b20]: CERTIFICATE REQUEST was received [9 bytes]
|<2>| ASSERT: ../../gnutls-2.12.0/lib/ext_signature.c:499
|<4>| REC[0x8062b20]: Expected Packet[4] Handshake(22) with length: 1
|<4>| REC[0x8062b20]: Received Packet[4] Handshake(22) with length: 4
|<4>| REC[0x8062b20]: Decrypted Packet[4] Handshake(22) with length: 4
|<3>| HSK[0x8062b20]: SERVER HELLO DONE was received [4 bytes]
|<3>| HSK[0x8062b20]: CERTIFICATE was sent [1293 bytes]
|<3>| HSK[0x8062b20]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<2>| DEBUGLOG: 2, 6, SHA256
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_sig.c:717
|<2>| ASSERT: ../../gnutls-2.12.0/lib/auth_cert.c:1559
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_kx.c:336
|<2>| ASSERT: ../../gnutls-2.12.0/lib/gnutls_handshake.c:2832
*** Fatal error: The given DSA key is incompatible with the
selected TLS protocol.
|<4>| REC: Sending Alert[2|40] - Handshake failed
|<4>| REC[0x8062b20]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x8062b20]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: The given DSA key is incompatible with the selected
TLS protocol.
|<4>| REC[0x8062b20]: Epoch #0 freed
|<4>| REC[0x8062b20]: Epoch #1 freed
Failure: Failed connection to a server with a client DSA 2048 key
and TLS 1.2!
FAIL: testdsa
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
...
[root at pompomgalli]
The value 2 in (|<2>| DEBUGLOG: 2, 6, SHA256) means TLS 1.0, but the test
was supposed to deal with a TLS 1.2 server at this step...
I then remembered, with a shiver down my back, the kill notice...:
[root at pompomgalli] ps -efa | grep tls
root 2329 26908 0 15:01 pts/10 00:00:00 vi
gnutls-2.12.0/tests/dsa/testd
root 2361 7462 0 15:07 pts/2 00:00:00 grep tls
root 5752 1 0 Mar26 pts/2 00:00:00
/usr/src/gnutls-2.12.0_build/src
[root at pompomgalli] cat /proc/5752/cmdline
/usr/src/gnutls-2.12.0_build/src/.libs/lt-gnutls-serv-q-p5559--priorityNORMAL:-VERS-TLS-ALL:+VERS-TLS1.0--x509certfile../../../gnutls-2.12.0/tests/dsa/cert.dsa.1024.pem--x509keyfile../../../gnutls-2.12.0/tests/dsa/dsa.1024.pem
[root at pompomgalli]
Well... The client was still talking to the TLS 1.0 server launched
at the first test suite run, which was never killed...
I then modified gnutls-2.12.0/tests/dsa/testdsa to signal the fact that there
was a problem with the server's launch (full patch at the end of the mail),
removed debug mode and launched the test suite:
[root at pompomgalli] make check
...
make[3]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
make[2]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
Making check in dsa
make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make testdsa
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make[3]: Nothing to be done for
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make check-TESTS
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
Checking various DSA key sizes
Checking DSA-1024 with TLS 1.0
Failure: Unable to launch server DSA-1024 with TLS 1.0 !
FAIL: testdsa
===================================
1 of 1 test failed
Please report to bug-gnutls at gnu.org
===================================
...
[root at pompomgalli]
OK, this time the testdsa script warns about trouble with the server
launch, right from the first server launch.
It's the expected behavior, considering there is still a running server
on TCP port 5559.
I finally focused on the kill notice and did some basic checks:
[root at pompomgalli] read &
[1] 12466
[root at pompomgalli] /bin/kill %1
kill: can't find process "%1"
[1]+ Stopped read
[root at pompomgalli] /bin/kill --version
kill from util-linux 2.19
[root at pompomgalli] kill %1
[1]+ Stopped read
[root at pompomgalli]
The testdsa shell does not use the shell builtin kill command, and the builtin
kill command is mandatory for job control monitoring.
I then modified testdsa in this way:
--- gnutls-2.12.0/tests/dsa/testdsa.orig 2011-03-23
19:46:59.000000000 +0100
+++ gnutls-2.12.0/tests/dsa/testdsa 2011-03-27 17:37:04.000000000 +0200
@@ -32,6 +32,26 @@
exit 1
}
+enable_bash_job_monitoring() {
+ set -m
+ enable jobs
+ enable kill
+}
+
+# Check for ps or /proc availability
+if test "$(ps 2>&1 > /dev/null; echo $?)" != "0" ; then
+ # Check for porc filesusyem
+ if test -d /proc -a -d /proc/$$ ; then
+ CHECKPS="test -d /proc/\${PROCESS}"
+ fi
+else
+ CHECKPS="test \"\$(ps -p \${PROCESS} 2>&1 > /dev/null; echo
\$?)\" = \"0\""
+fi
+
+# Required for bash allowing job montioring bultins
+enable_bash_job_monitoring 2>&1 > /dev/null
+
+
echo "Checking various DSA key sizes"
# DSA 1024 + TLS 1.0
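Review bot: when ps is unavailable and /proc is absent, CHECKPS is never set and `eval ${CHECKPS}` later evaluates an empty command, which succeeds, so the "did the server start" check silently passes in exactly the environments this fallback exists for. A probe that needs neither ps nor /proc is `kill -0 "$PROCESS"`; it is POSIX, removes the eval and the quoted `$(ps -p ...; echo $?)` construct, and makes the whole detection block unnecessary. Two smaller points in the same hunk: `2>&1 > /dev/null` (in the ps test and after enable_bash_job_monitoring) sends stderr to the old stdout and only then stdout to /dev/null, so error text still escapes, and in the `$(...)` case it is captured and compared against "0"; the intended order is `>/dev/null 2>&1`. And `enable jobs` / `enable kill` with `set -m` are bash-only, so under a non-bash /bin/sh this only "works" because the error is swallowed; once $! is recorded, job control is not needed at all. Comment typos: "porc filesusyem", "montioring bultins".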
@@ -39,127 +59,166 @@
echo "Checking DSA-1024 with TLS 1.0"
$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0"
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile
$srcdir/dsa.1024.pem >/dev/null 2>&1 &
+PROCESS=$!
# give the server a chance to initialize
sleep 2
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
- fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
+if eval ${CHECKPS} ; then
+
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+ fail "Failed connection to a server with DSA 1024 key and TLS
1.0!"
-echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0"
+ echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0"
-#try with client key of 1024 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null
>/dev/null || \
- fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
+ #try with client key of 1024 bits (should succeed)
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null
>/dev/null || \
+ fail "Failed connection to a server with DSA 1024 key and TLS
1.0!"
-echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0"
+ echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0"
-#try with client key of 2048 bits (should fail)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null
>/dev/null 2>&1 && \
- fail "Succeeded connection to a server with a client DSA 2048 key and
TLS 1.0!"
+ #try with client key of 2048 bits (should fail)
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null
>/dev/null 2>&1 && \
+ fail "Succeeded connection to a server with a client DSA 2048
key and TLS 1.0!"
-echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0"
+ echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0"
-#try with client key of 3072 bits (should fail)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null
>/dev/null 2>&1 && \
- fail "Succeeded connection to a server with a client DSA 3072 key and
TLS 1.0!"
+ #try with client key of 3072 bits (should fail)
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null
>/dev/null 2>&1 && \
+ fail "Succeeded connection to a server with a client DSA 3072
key and TLS 1.0!"
-kill %1
-wait
+ jobs >&2
+ kill %1
+ wait
+else
+ fail "Unable to launch server DSA-1024 with TLS 1.0 !"
+fi
# DSA 1024 + TLS 1.2
echo "Checking DSA-1024 with TLS 1.2"
$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile
$srcdir/dsa.1024.pem >/dev/null 2>&1 &
+PROCESS=$!
# give the server a chance to initialize
sleep 2
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
- fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
+if eval ${CHECKPS} ; then
+
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+ fail "Failed connection to a server with DSA 1024 key and TLS
1.2!"
-echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2"
+ echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2"
-#try with client key of 1024 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null
>/dev/null || \
- fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
+ #try with client key of 1024 bits (should succeed)
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null
>/dev/null || \
+ fail "Failed connection to a server with DSA 1024 key and TLS
1.2!"
-echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2"
+ echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2"
-#try with client key of 2048 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null
>/dev/null || \
- fail "Failed connection to a server with a client DSA 2048 key and
TLS 1.2!"
+ #try with client key of 2048 bits (should succeed)
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null
>/dev/null || \
+ fail "Failed connection to a server with a client DSA 2048 key
and TLS 1.2!"
-echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2"
+ echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2"
-#try with client key of 3072 bits (should succeed)
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null
>/dev/null || \
- fail "Failed connection to a server with a client DSA 3072 key and
TLS 1.2!"
+ #try with client key of 3072 bits (should succeed)
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null
>/dev/null || \
+ fail "Failed connection to a server with a client DSA 3072 key
and TLS 1.2!"
-kill %1
-wait
+ kill %1
+ wait
+else
+ fail "Unable to launch server DSA-1024 with TLS 1.2 !"
+fi
# DSA 2048 + TLS 1.0
echo "Checking DSA-2048 with TLS 1.0"
$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0"
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile
$srcdir/dsa.2048.pem >/dev/null 2>&1 &
+PROCESS=$!
# give the server a chance to initialize
sleep 2
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
- fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0.
Should have failed!"
+if eval ${CHECKPS} ; then
-kill %1
-wait
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null
2>&1 && \
+ fail "Succeeded connection to a server with DSA 2048 key and
TLS 1.0. Should have failed!"
+
+ kill %1
+ wait
+else
+ fail "Unable to launch server DSA-2048 with TLS 1.0 !"
+fi
# DSA 2048 + TLS 1.2
echo "Checking DSA-2048 with TLS 1.2"
$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile
$srcdir/dsa.2048.pem >/dev/null 2>&1 &
+PROCESS=$!
# give the server a chance to initialize
sleep 2
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
- fail "Failed connection to a server with DSA 2048 key and TLS 1.2!"
+if eval ${CHECKPS} ; then
+
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+ fail "Failed connection to a server with DSA 2048 key and TLS
1.2!"
-kill %1
-wait
+ kill %1
+ wait
+else
+ fail "Unable to launch server DSA-2048 with TLS 1.2 !"
+fi
# DSA 3072 + TLS 1.0
echo "Checking DSA-3072 with TLS 1.0"
$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0"
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile
$srcdir/dsa.3072.pem >/dev/null 2>&1 &
+PROCESS=$!
# give the server a chance to initialize
sleep 2
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
- fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0.
Should have failed!"
+if eval ${CHECKPS} ; then
+
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null
2>&1 && \
+ fail "Succeeded connection to a server with DSA 2048 key and
TLS 1.0. Should have failed!"
+
+ kill %1
+ wait
+else
+ fail "Unable to launch server DSA-3072 with TLS 1.0 !"
+fi
-kill %1
-wait
# DSA 3072 + TLS 1.2
echo "Checking DSA-3072 with TLS 1.2"
$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile
$srcdir/dsa.3072.pem >/dev/null 2>&1 &
+PROCESS=$!
# give the server a chance to initialize
sleep 2
-$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
- fail "Failed connection to a server with DSA 3072 key and TLS 1.2!"
+if eval ${CHECKPS} ; then
+
+ $CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+ fail "Failed connection to a server with DSA 3072 key and TLS
1.2!"
+
+ kill %1
+ wait
+else
+ fail "Unable to launch server DSA-3072 with TLS 1.2 !"
+fi
-kill %1
-wait
exit 0
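Review bot: every block still ends with `kill %1` even though `PROCESS=$!` is now recorded right after each server launch; `kill "$PROCESS"` works in any POSIX sh, with or without job control, and is the direct fix for the "`%1': not a pid or valid job spec" message, which would also let the enable_bash_job_monitoring block above be dropped. Related, and the root of the stale-server problem this mail describes: `fail` exits 1 without stopping the server, so any failing client check (including the new "Unable to launch server" branch) still leaves a listener on $PORT for the next run; a `trap 'kill $PROCESS 2>/dev/null' EXIT` near the top, or a kill inside fail, closes that. The `jobs >&2` added in the TLS 1.0 block is a debugging leftover that prints the job table into the test output (visible as the "[1]+ Running ..." line in the final run). Carried over from the original but worth fixing while touching these lines: the DSA-3072/TLS 1.0 failure message still says "DSA 2048 key".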
And then killed the still-running TLS server and relaunched the test suite:
[root at pompomgalli] kill 5752
[root at pompomgalli] make check
...
make[3]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
make[2]: Leaving directory
`/usr/src/gnutls-2.12.0_build/tests/safe-renegotiation'
Making check in dsa
make[2]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make testdsa
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make[3]: Nothing to be done for
`../../../gnutls-2.12.0/tests/dsa/testdsa'.
make[3]: Leaving directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
make check-TESTS
make[3]: Entering directory `/usr/src/gnutls-2.12.0_build/tests/dsa'
Checking various DSA key sizes
Checking DSA-1024 with TLS 1.0
Checking server DSA-1024 with client DSA-1024 and TLS 1.0
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking server DSA-1024 with client DSA-2048 and TLS 1.0
Checking server DSA-1024 with client DSA-3072 and TLS 1.0
[1]+ Running $SERV $DEBUG -p $PORT --priority
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null
2>&1 &
Checking DSA-1024 with TLS 1.2
Checking server DSA-1024 with client DSA-1024 and TLS 1.2
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking server DSA-1024 with client DSA-2048 and TLS 1.2
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking server DSA-1024 with client DSA-3072 and TLS 1.2
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Checking DSA-2048 with TLS 1.0
Checking DSA-2048 with TLS 1.2
Checking DSA-3072 with TLS 1.0
Checking DSA-3072 with TLS 1.2
PASS: testdsa
=============
1 test passed
=============
...
Finally it's successful...
And this time, I have checked the gnutls commits page before sending
this report :-)
Hope this will help, best regards, Cedric.
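The two things this report turns on, a `kill` that cannot resolve `%1` and the stale gnutls-serv it left listening on the port, are both avoided by a harness that never uses job specs. As an added example (not the GnuTLS testdsa script and not code from the mail above), here is a POSIX sh skeleton that records the server PID with `$!`, probes it with `kill -0` instead of ps or /proc, reaps it with `wait` so a zombie cannot pass the probe, and tears it down from an EXIT trap so an aborted run cannot leave a listener behind. The "server" is a constructed stand-in (`sleep`) so the script runs offline; the function names and the SERVER_PID variable are mine.

```shell
#!/bin/sh
# Added example, not the GnuTLS test script: background-server harness that
# never relies on job specs (%1). The server is a constructed stand-in (sleep)
# so this runs offline; in testdsa the line would be "$SERV ... &".

SERVER_PID=""

# Launch the stand-in server in the background and record its PID.
# $! is POSIX and works in any sh, interactive or not, with or without set -m.
start_server() {
    sleep 30 >/dev/null 2>&1 &
    SERVER_PID=$!
}

# Liveness probe: kill -0 delivers no signal, it only checks that the PID
# exists and may be signalled. Needs neither ps nor /proc.
server_alive() {
    kill -0 "$1" 2>/dev/null
}

# Stop by PID and reap it, so a later kill -0 cannot be fooled by a zombie.
# Returns 0 only once the process is really gone.
stop_server() {
    kill "$1" 2>/dev/null
    wait "$1" >/dev/null 2>&1 || :
    if server_alive "$1"; then
        return 1
    fi
    return 0
}

# One test step: start, verify the server came up, run the client, tear down.
# The EXIT trap guarantees teardown even if the step aborts the script with
# exit 1, which is how the report's stale server on port 5559 was left behind.
run_step() {
    start_server
    trap 'stop_server "$SERVER_PID"' EXIT INT TERM
    # give the server a chance to initialize (same idea as "sleep 2" in testdsa)
    sleep 1
    server_alive "$SERVER_PID" || { echo "server did not start" >&2; return 1; }
    # the client run would go here, e.g. "$CLI -p $PORT 127.0.0.1 --insecure"
    stop_server "$SERVER_PID" || { echo "server still running" >&2; return 1; }
    trap - EXIT INT TERM
    return 0
}
```

A stale listener from an earlier run is still only detected indirectly, when the new server fails to bind and exits before the probe; if the platform has `ss` or `netstat`, checking that the port is free before `start_server` reports that case by name.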