From fiona.klute at gmx.de Sat Jun 27 21:35:20 2020
From: fiona.klute at gmx.de (Fiona Klute)
Date: Sat, 27 Jun 2020 21:35:20 +0200
Subject: [mod_gnutls-devel] New release: mod_gnutls 0.11.0
Message-ID:

Hi everyone,

I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed
mod_gnutls/0.11.0 tag to the git repositories [1, 2].

Development of this release (specifically session caching for proxy
connections) led me to discover CVE-2020-13777 in GnuTLS [3]. Because of
limitations of the GnuTLS key rotation scheme I discovered while looking
into that, I've disabled session tickets by default, until a rotation
that cleanly deletes old primary keys can be implemented (either in
mod_gnutls or GnuTLS).

This release brings a mix of new features, bug fixes, and better tests:

- Change default for GnuTLSOCSPCheckNonce to "off", and send OCSP nonces
  only if it has been enabled. The reason for this change is that in
  practice most public CAs do not support OCSP nonces, which is permitted
  by both RFC 6960 and the CA/Browser Forum baseline requirements (as of
  version 1.6.9). In this situation enforcing correct nonces by default
  makes the automatic OCSP stapling support mostly useless.

- Add a test for correct nonce handling with "GnuTLSOCSPCheckNonce on",
  thanks to Krista Karppinen for that and a rewrite of the OCSP responder
  script in Python!

- Support session resumption using session tickets for proxy connections
  (TLS 1.3 connections only). Requires a suitable GnuTLSCache
  configuration.

- Disable session tickets by default. The GnuTLS built-in key rotation
  for session tickets never actually changes the primary key, just
  derives keys from it, so it does not provide forward secrecy in case an
  attacker learns the primary key (by gaining access to server RAM). A
  reload of the server is enough to generate a new key, so consider
  enabling session tickets and reloading the server every few hours, at
  least until a forward-secret rotation can be implemented.

- Fix a bug that mostly prevented searching ServerAliases when selecting
  the virtual host from SNI.

- Add ./configure option to disable building PDF documentation

- Deprecate SRP and disable it by default.

- Add support for building coverage reports using clang's source-based
  code coverage.

- Make ./configure check if both [::1] and 127.0.0.1 are available,
  disable either if not. This makes the build work out-of-the-box in
  Docker containers, which by default use IPv4 only.

Regards,
Fiona

[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git
[3] https://airtower.wordpress.com/2020/06/11/so-about-that-gnutls-session-ticket-bug-cve-2020-13777/

From pgajdos at suse.cz Mon Jun 29 09:56:56 2020
From: pgajdos at suse.cz (pgajdos)
Date: Mon, 29 Jun 2020 09:56:56 +0200
Subject: [mod_gnutls-devel] test-36_OCSP_server_nonce failing in 0.11.0 (Was: New release: mod_gnutls 0.11.0)
In-Reply-To:
References:
Message-ID: <20200629075656.GA31627@laura.suse.cz>

Hi,

On Sat, Jun 27, 2020 at 09:35:20PM +0200, Fiona Klute wrote:
> I have just uploaded a new source archive and matching signature to
> https://mod.gnutls.org/downloads/ as well as the signed
> mod_gnutls/0.11.0 tag to the git repositories [1, 2].

thanks for the new release.

> - Change default for GnuTLSOCSPCheckNonce to "off", and send OCSP nonces
> only if it has been enabled. The reason for this change is that in
> practice most public CAs do not support OCSP nonces, which is permitted
> by both RFC 6960 and the CA/Browser Forum baseline requirements (as of
> version 1.6.9).
> In this situation enforcing correct nonces by default
> makes the automatic OCSP stapling support mostly useless.

test-36_OCSP_server_nonce test is failing for me, the log is attached.

Petr

--
Have a lot of fun!
-------------- next part --------------
Connecting to OCSP server: localhost...
Could not connect to 127.0.0.1:9936: Connection refused
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
Connecting to OCSP server: localhost...
Assuming response's signer = issuer (use --load-signer to override).
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
OCSP Response Information:
    Response Status: Successful
    Response Type: Basic OCSP Response
    Version: 1
    Responder ID: CN=Testing Authority OCSP Responder
    Produced At: Mon Jun 29 06:43:00 UTC 2020
    Responses:
        Certificate ID:
            Hash Algorithm: SHA1
            Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
            Issuer Key Hash: 1bc5b230c6819ca393601fc32d10b8b2752e7bfa
            Serial Number: 22fff0d9
        Certificate Status: good
        This Update: Mon Jun 29 06:43:00 UTC 2020
        Next Update: Mon Jun 29 06:48:00 UTC 2020
    Extensions:
        Nonce: bda76c72d988a3372faa2e298a0eb6cb527723f7cba203
    Signature Algorithm: RSA-SHA256

Verifying OCSP Response: Success.

[Mon Jun 29 06:43:00.169518 2020] [gnutls:debug] [pid 7861:tid 139887182583808] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_36_OCSP_server_nonce(65536)' created.
Found test 36_OCSP_server_nonce, test dir is /home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/ocsp.conf', '-k', 'start', '-DFOREGROUND']
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/apache.conf', '-k', 'start', '-DFOREGROUND']
Running test connection 0: Check if the HTTPS server provides an OCSP status
Aquiring lock on test.lock...
Got lock on test.lock.
*** Fatal error: A TLS fatal alert has been received.
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
*** Received alert [40]: Handshake failed
[Mon Jun 29 06:43:00.703870 2020] [gnutls:debug] [pid 7925:tid 139782033618944] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_36_OCSP_server_nonce(65536)' created.
Unlocking test.lock...
Unlocked test.lock.
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/apache.conf', '-k', 'stop']
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/ocsp.conf', '-k', 'stop']
Traceback (most recent call last):
  File "./runtest.py", line 256, in <module>
    main(args)
  File "./runtest.py", line 204, in main
    run_test_conf(test_conf,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 569, in run_test_conf
    test_conn.run(timeout=timeout, conn_log=conn_log,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 182, in run
    act.run(conn, response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 242, in run
    raise err
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 233, in run
    resp = conn.getresponse()
  File "/usr/lib64/python3.8/http/client.py", line 1332, in getresponse
    response.begin()
  File "/usr/lib64/python3.8/http/client.py", line 303, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.8/http/client.py", line 264, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.8/socket.py", line 669, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-36_OCSP_server_nonce.bash (exit status: 1)

From pgajdos at suse.cz Mon Jun 29 11:03:11 2020
From: pgajdos at suse.cz (pgajdos)
Date: Mon, 29 Jun 2020 11:03:11 +0200
Subject: [mod_gnutls-devel] test-36_OCSP_server_nonce failing in 0.11.0 (Was: New release: mod_gnutls 0.11.0)
In-Reply-To: <20200629075656.GA31627@laura.suse.cz>
References: <20200629075656.GA31627@laura.suse.cz>
Message-ID: <20200629090311.GB31627@laura.suse.cz>

On Mon, Jun 29, 2020 at 09:56:57AM +0200, pgajdos wrote:
> test-36_OCSP_server_nonce test is failing for me, the log is
> attached.

I had test-27_OCSP_server and test-34_TLS_reverse_proxy_h2 excluded.
test-34_TLS_reverse_proxy_h2 now passes, test-27_OCSP_server does not.

Attaching test-suite.log.

Thanks!
Petr

--
Have a lot of fun!
-------------- next part --------------
============================================
   mod_gnutls 0.11.0: test/test-suite.log
============================================

# TOTAL: 38
# PASS: 36
# SKIP: 0
# XFAIL: 0
# FAIL: 2
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test-27_OCSP_server
=========================

Connecting to OCSP server: localhost...
Could not connect to 127.0.0.1:9936: Connection refused
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
Connecting to OCSP server: localhost...
Assuming response's signer = issuer (use --load-signer to override).
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
OCSP Response Information:
    Response Status: Successful
    Response Type: Basic OCSP Response
    Version: 1
    Responder ID: CN=Testing Authority OCSP Responder
    Produced At: Mon Jun 29 08:57:25 UTC 2020
    Responses:
        Certificate ID:
            Hash Algorithm: SHA1
            Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
            Issuer Key Hash: 82073b891fe61f7b24fd4d59400bac2b7968af5c
            Serial Number: 22fff0d9
        Certificate Status: good
        This Update: Mon Jun 29 08:57:25 UTC 2020
        Next Update: Mon Jun 29 09:02:25 UTC 2020
    Extensions:
        Nonce: 98e151184deb0fb8babbe4bc9d26e4d823be1753c440ee
    Signature Algorithm: RSA-SHA256

Verifying OCSP Response: Success.

[Mon Jun 29 08:57:25.528843 2020] [gnutls:debug] [pid 25131:tid 140166432016384] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_27_OCSP_server(65536)' created.
Found test 27_OCSP_server, test dir is /home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/27_OCSP_server
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/27_OCSP_server/ocsp.conf', '-k', 'start', '-DFOREGROUND']
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/27_OCSP_server/apache.conf', '-k', 'start', '-DFOREGROUND']
Running test connection 0: Check if the HTTPS server provides an OCSP status
Aquiring lock on test.lock...
Got lock on test.lock.
*** Fatal error: A TLS fatal alert has been received.
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
*** Received alert [40]: Handshake failed
[Mon Jun 29 08:57:26.057916 2020] [gnutls:debug] [pid 25195:tid 140098251180032] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_27_OCSP_server(65536)' created.
Unlocking test.lock...
Unlocked test.lock.
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/27_OCSP_server/apache.conf', '-k', 'stop']
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/27_OCSP_server/ocsp.conf', '-k', 'stop']
Traceback (most recent call last):
  File "./runtest.py", line 256, in <module>
    main(args)
  File "./runtest.py", line 204, in main
    run_test_conf(test_conf,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 569, in run_test_conf
    test_conn.run(timeout=timeout, conn_log=conn_log,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 182, in run
    act.run(conn, response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 242, in run
    raise err
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 233, in run
    resp = conn.getresponse()
  File "/usr/lib64/python3.8/http/client.py", line 1332, in getresponse
    response.begin()
  File "/usr/lib64/python3.8/http/client.py", line 303, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.8/http/client.py", line 264, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.8/socket.py", line 669, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-27_OCSP_server.bash (exit status: 1)

FAIL: test-36_OCSP_server_nonce
===============================

Connecting to OCSP server: localhost...
Could not connect to 127.0.0.1:9936: Connection refused
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
Connecting to OCSP server: localhost...
Assuming response's signer = issuer (use --load-signer to override).
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
OCSP Response Information:
    Response Status: Successful
    Response Type: Basic OCSP Response
    Version: 1
    Responder ID: CN=Testing Authority OCSP Responder
    Produced At: Mon Jun 29 08:57:43 UTC 2020
    Responses:
        Certificate ID:
            Hash Algorithm: SHA1
            Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
            Issuer Key Hash: 82073b891fe61f7b24fd4d59400bac2b7968af5c
            Serial Number: 22fff0d9
        Certificate Status: good
        This Update: Mon Jun 29 08:57:43 UTC 2020
        Next Update: Mon Jun 29 09:02:43 UTC 2020
    Extensions:
        Nonce: 358a8453ae23d8982ecade3e462d356565cb185075cf0e
    Signature Algorithm: RSA-SHA256

Verifying OCSP Response: Success.

[Mon Jun 29 08:57:43.121431 2020] [gnutls:debug] [pid 26051:tid 140023699736576] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_36_OCSP_server_nonce(65536)' created.
Found test 36_OCSP_server_nonce, test dir is /home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/ocsp.conf', '-k', 'start', '-DFOREGROUND']
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/apache.conf', '-k', 'start', '-DFOREGROUND']
Running test connection 0: Check if the HTTPS server provides an OCSP status
Aquiring lock on test.lock...
Got lock on test.lock.
*** Fatal error: A TLS fatal alert has been received.
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
*** Received alert [40]: Handshake failed
[Mon Jun 29 08:57:43.652741 2020] [gnutls:debug] [pid 26115:tid 140361737902080] gnutls_cache.c(367): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_36_OCSP_server_nonce(65536)' created.
Unlocking test.lock...
Unlocked test.lock.
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/apache.conf', '-k', 'stop']
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/tests/36_OCSP_server_nonce/ocsp.conf', '-k', 'stop']
Traceback (most recent call last):
  File "./runtest.py", line 256, in <module>
    main(args)
  File "./runtest.py", line 204, in main
    run_test_conf(test_conf,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 569, in run_test_conf
    test_conn.run(timeout=timeout, conn_log=conn_log,
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 182, in run
    act.run(conn, response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 242, in run
    raise err
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.11.0/test/mgstest/tests.py", line 233, in run
    resp = conn.getresponse()
  File "/usr/lib64/python3.8/http/client.py", line 1332, in getresponse
    response.begin()
  File "/usr/lib64/python3.8/http/client.py", line 303, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.8/http/client.py", line 264, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.8/socket.py", line 669, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-36_OCSP_server_nonce.bash (exit status: 1)
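
Added example (not part of the thread, and not mod_gnutls or GnuTLS code): a simplified Python model of the session ticket point in the 0.11.0 release announcement, comparing rotation that derives each period's key from a fixed primary key with a key regenerated on every server reload. The HMAC-based derivation, the toy ticket format and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_ticket_key(primary_key: bytes, period: int) -> bytes:
    """Per-period key as a pure function of the primary key (assumed KDF)."""
    return hmac.new(primary_key, period.to_bytes(8, "big"), hashlib.sha256).digest()


def protect(key: bytes, state: bytes) -> bytes:
    """Toy ticket: a MAC tag followed by the state (real tickets are encrypted too)."""
    return hmac.new(key, state, hashlib.sha256).digest() + state


def opens(key: bytes, ticket: bytes) -> bool:
    """True if `key` is the key the ticket was protected with."""
    tag, state = ticket[:32], ticket[32:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class DerivedRotation:
    """Primary key created once at startup; period keys are derived from it."""

    def __init__(self):
        self.primary = secrets.token_bytes(32)

    def key_for(self, period: int) -> bytes:
        return derive_ticket_key(self.primary, period)

    def keys_from_memory(self, period: int) -> list:
        # The primary key is still in RAM, so any period's key can be recomputed.
        return [derive_ticket_key(self.primary, period)]


class ReloadRotation:
    """Models a reload per period: a fresh random key replaces the old one."""

    def __init__(self):
        self.period = None
        self.key = None

    def key_for(self, period: int) -> bytes:
        if period != self.period:
            self.period, self.key = period, secrets.token_bytes(32)
        return self.key

    def keys_from_memory(self, period: int) -> list:
        # Only the current key exists; earlier keys were discarded on reload.
        return [self.key]


def exposed_periods(server, periods):
    """Issue one ticket per period, then list the periods whose tickets can be
    opened using only what is in server memory after the last period."""
    tickets = {p: protect(server.key_for(p), b"resumption-state-%d" % p)
               for p in periods}
    return [p for p, t in tickets.items()
            if any(opens(k, t) for k in server.keys_from_memory(p))]


if __name__ == "__main__":
    periods = [0, 1, 2, 3]
    print("derived from fixed primary key:", exposed_periods(DerivedRotation(), periods))
    print("fresh key per reload:          ", exposed_periods(ReloadRotation(), periods))
```

In this model the exposure window of the reload scheme equals the reload interval, which is why the announcement suggests reloading every few hours if session tickets are enabled.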