Debugging failing SSL test

This has been failing on and off for me for a very long time but I didn’t feel like looking into it until now.

This is what I see when I run ctest:

98% tests passed, 1 tests failed out of 62

Total Test time (real) =  19.99 sec

The following tests FAILED:
	 62 - ssl:ssl (Failed)
Errors while running CTest

I copied the invocation I found in swipl-devel/build/packages/ssl/CTestTestfile.cmake and tried to run it from inside of swipl-devel/build/packages/ssl (is that the right place??)

I get:

$ "/home/boris/install/swipl-devel/build/src/swipl" "-p" "foreign=:/home/boris/install/swipl-devel/build/packages/clib:/home/boris/install/swipl-devel/build/packages/sgml:/home/boris/install/swipl-devel/build/packages/http" "-f" "none" "--no-packs" "-s" "/home/boris/install/swipl-devel/packages/ssl/test_ssl.pl" "-g" "test_ssl" "-t" "halt"
% PL-Unit: ssl_options ....... done
% PL-Unit: ssl_server Client error:
ERROR: read_util:read_line_to_codes/2: I/O error in read on stream <stream>(0x562382843df0) (Success)
ERROR: Execution Aborted
ERROR: /home/boris/install/swipl-devel/packages/ssl/test_ssl.pl:229:
	test server: failed

 done
% PL-Unit: ssl_keys ..... done
% PL-Unit: https_open . done
% PL-Unit: ssl_certificates ................................ done
% PL-Unit: crypto_data_encrypt . done
% 1 test failed
% 46 tests passed
ERROR: -g test_ssl: false
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe
Warning: Socket error: Broken pipe

How do I proceed from here?

There are three (testing) issues with SSL. Apparently you updated to the latest git which solves one: the test hanging forever. If you build in the same location by simply pulling and running ninja the tests start failing after about a month due to limited validity of the created test certificates. To fix that, run

rm -r packages/ssl/tests
ninja

and than all should be fine again (for a month). Now your problem :slight_smile: My guess is you have upgraded to OpenSSL 1.1.1e, right? There is a problem with this version already reported by our Debian maintainer (Lev Lamberov) and now also reporting on my Mac after updating to the latest Macports. According to Lev, OpenSSL 1.1.1d works fine.

Anyone with an idea or expertise that can help solving this is welcome to help. Matt Lilley had a look at the low level error which relates to kerberos. As this is nowhere involved AFAIK something weird is going on.

1 Like

Yes, everything is exactly as you described it. The test would fail every now and then; deleting the whole build directory seemed to solve that problem for me. A few days back it was just hanging. Now I have upgraded to openssl 1.1.1.e (2020-03-18).

I’m as far as that it is most likely related to this changelog entry in OpenSSL:

Properly detect EOF while reading in libssl. Previously if we hit an EOF
while reading in libssl then we would report an error back to the
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.
[Matt Caswell]

The test verifies timeout handling for reading from an SSL stream: it reads, get a timeout because the other side is too slow and then re-reads. That used to work, but it seems the SSL stream is now in an error state and immediately returns an error when trying to restart the read.

edit Requested OpenSSL forum for help

2 Likes

Matt Lilley spent a good deal of yesterday on this issue and found a solution. Applause! The latest git version runs fine on systems using OpenSSL 1.1.1e (and older versions).

7 Likes