Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI
The system-wide minimum crypto policy on Fedora prevents us from enabling
3DES and RC4 ciphers via GnuTLS priority strings. We have unconditionally
disabled it in OpenConnect for now in commit 7e862f2 but the
obsolete-server-crypto test is *still* failing, with ocserv reporting
'GnuTLS error (at worker-vpn.c:861): No supported cipher suites have
been found.'

Just mark obsolete-server-crypto test as XFAIL for these builds.  It's
the most accurate description of the state of those tests: these
environments do not provide OpenConnect with the capabilities to
reliably enable obsolete/insecure crypto algorithms in a self-contained
way.

See https://bugzilla.redhat.com/show_bug.cgi?id=1960763 for ongoing
discussions about how to come up with a more reliable, testable, and
maintainable mechanism for OpenConnect to enable these algorithms without
compromising the system-wide minimum crypto policy.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dlenski authored and dwmw2 committed Jun 12, 2021
1 parent 7e862f2 commit f39ad18
Showing 1 changed file with 16 additions and 4 deletions.
20 changes: 16 additions & 4 deletions .gitlab-ci.yml
@@ -171,7 +171,10 @@ ubsan/GnuTLS/Fedora:
- export UBCFLAGS="-Wall -Wextra -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2"
- CFLAGS="$UBCFLAGS" ./configure --with-java --disable-dsa-tests --without-gnutls-version-check
- make -j4
- make VERBOSE=1 -j4 check
# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
- make VERBOSE=1 XFAIL_TESTS="obsolete-server-crypto" -j4 check
tags:
- shared
- linux
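Review bot: marking obsolete-server-crypto as XFAIL in this job also masks any sanitizer abort inside that test, because UBCFLAGS above sets -fno-sanitize-recover and automake treats any non-zero exit of an XFAIL test as the expected outcome. If the test is ever made to run again under the crypto policy, an undefined-behaviour finding in it would be silently accepted here; consider noting in the comment that the XFAIL is meant to cover only the ocserv "No supported cipher suites have been found" failure, and check the test log for that string rather than relying on exit status alone.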
@@ -268,7 +271,10 @@ Fedora/GnuTLS:
# we don't want pppd to invoke any actual connection scripts
- mv /etc/ppp /etc/ppp.DISABLED
# auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
- make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
- make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
tags:
- shared
except:
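Review bot: passing XFAIL_TESTS="obsolete-server-crypto" on the make command line overrides, rather than extends, any XFAIL_TESTS the generated Makefile already defines, since command-line variable assignments take precedence over makefile assignments. If tests/Makefile.am ever lists its own expected failures, they would be reinstated as hard failures only in these jobs. Consider defining the XFAIL list once (for example in a job-level `variables:` entry shared by the Fedora/GnuTLS jobs) so the three-line comment and the bugzilla reference live in one place instead of being copied into each job.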
@@ -294,7 +300,10 @@ Fedora/GnuTLS/ibmtss:
# we don't want pppd to invoke any actual connection scripts
- mv /etc/ppp /etc/ppp.DISABLED
# auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
- make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
- make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
tags:
- shared
except:
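Review bot: the make line now carries two unrelated workarounds with separate bug references (OPENSSL_ia32cap for auth-pkcs11, XFAIL_TESTS for obsolete-server-crypto), and the comment for each sits above the same command. A one-line note saying that both apply to the single `make check` invocation, or splitting the two variables onto an `export` line each with its own comment, would make it clearer which reference to follow when one of them can be removed.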
@@ -319,7 +328,10 @@ Fedora/GnuTLS/clang:
# we don't want pppd to invoke any actual connection scripts
- mv /etc/ppp /etc/ppp.DISABLED
# auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
- make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
- make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
tags:
- shared
except:
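Review bot: the comment attributes the failure to --allow-insecure-crypto on the client, but the error quoted in the commit message ("No supported cipher suites have been found", from worker-vpn.c) is raised by ocserv, the test server. A client-side fix for https://bugzilla.redhat.com/show_bug.cgi?id=1960763 alone would therefore not make this test pass on Fedora; suggest the comment also state that the server in the test harness cannot enable 3DES/RC4 under the system-wide policy, so whoever removes the XFAIL knows both sides need attention.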