Bugzilla – Bug 1185637
openssl-1_1 fails to build after 2022-06-01
Last modified: 2022-10-28 15:58:35 UTC
While working on reproducible builds for openSUSE, I found that our openssl-1_1/openssl-1.1.1k fails tests after 2022-06-01.

Likely reason is one or more of these expiring certs:

for cert in `find test -name \*pem` ; do openssl x509 -text < $cert | grep After |grep 2022 && echo $cert ; done 2>&1 |grep -A1 2022

            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/D1_Issuer_ICA.pem
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/ISIC_D1_Issuer_ICA.pem
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/WSNIC_D1_Issuer_ICA.pem
            Not After : Apr 13 10:00:00 2022 GMT
test/ocsp-tests/WKIC_D1_Issuer_ICA.pem
            Not After : Jun  1 00:00:00 2022 GMT
test/certs/embeddedSCTs1_issuer.pem
            Not After : Jun  1 00:00:00 2022 GMT
test/certs/embeddedSCTs1.pem

building further in the future might have more failing tests:

Test Summary Report
-------------------
../test/recipes/80-test_cms.t                    (Wstat: 1280 Tests: 6 Failed: 5)
  Failed tests:  1-5
  Non-zero exit status: 5
../test/recipes/80-test_ssl_new.t                (Wstat: 256 Tests: 29 Failed: 1)
  Failed test:  12
  Non-zero exit status: 1
Files=160, Tests=1893, 86 wallclock secs ( 1.22 usr  0.11 sys + 71.76 cusr  7.53 csys = 80.62 CPU)
Result: FAIL

Steps to Reproduce:

osc co openSUSE:Factory/openssl-1_1 && cd $_
osc build --vm-type=kvm --noservice --clean --build-opt=--vm-custom-opt="-rtc base=2022-06-02T00:00:00"

once that issue is fixed, try with 2028 and 2036

SUSE:SLE-15-SP2:GA/openssl-1_1 is also affected. Likely affects other enterprise codestreams as well.
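The certificate scan from the report above, generalized to an arbitrary future build date (for instance the 2028 and 2036 dates it mentions). This is an added example, not part of the original bug report or of the openssl test suite; it assumes the openssl CLI and GNU date, and `certs_expiring_before` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list X.509 certificates under a source tree whose notAfter
# falls before a planned build date, so test "time bombs" are found early.
# Assumptions: openssl CLI and GNU date are installed.
# certs_expiring_before is a hypothetical helper name.

# usage: certs_expiring_before DIR DATE
# prints "<notAfter><TAB><path>" for every certificate expiring before DATE
certs_expiring_before() {
    dir=$1
    # Convert the planned build date to epoch seconds (UTC).
    cutoff=$(date -u -d "$2" +%s) || return 2
    find "$dir" -type f -name '*.pem' | sort | while IFS= read -r f; do
        # Keys, CSRs and CRLs also use .pem; openssl fails on them, so skip.
        # Only the first certificate of a multi-certificate bundle is read.
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || continue
        end=${end#notAfter=}
        end_s=$(date -u -d "$end" +%s 2>/dev/null) || continue
        if [ "$end_s" -lt "$cutoff" ]; then
            printf '%s\t%s\n' "$end" "$f"
        fi
    done
}

# Stand-alone use: ./scan.sh test 2028-01-01
if [ "$#" -ge 2 ]; then
    certs_expiring_before "$1" "$2"
fi
```

Running it against the `test` directory with the same date passed to `-rtc base=` shows which fixtures will have expired by the time of that simulated build.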
Testing with verbose flags it shows expiring certificates:

    # ERROR: (int) 'result->result == test_ctx->expected_result' failed @ test/ssl_test.c:33
    # [2] compared to [0]
    # INFO:  @ test/ssl_test.c:34
    # ExpectedResult mismatch: expected Success, got ClientFail.
    # 139919277639040:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45
    not ok 2 - iteration 2

I'll report upstream.
Reported here: https://github.com/openssl/openssl/issues/15179
Only 2 months left...
Now the timebomb triggered and upstream is working on it.
bsc#1200153 for SLE
Raising prio: with openssl-1_1 being in ring0 and failing to build, this basically means all ring0 stagings are blocked until openssl-1_1 has a fix/workaround in place
https://build.opensuse.org/request/show/980584

Not sure this is the correct submission, though (openssl maintenance is reportedly different).
*** Bug 1200153 has been marked as a duplicate of this bug. ***
I think I am superfluous here, good luck!
Submissions made for the following streams so far:

> | Path                                 | Status                    |
> |--------------------------------------+---------------------------|
> | SUSE:SLE-15-SP4:Update/openssl-3     | created request id 273505 |
> | SUSE:SLE-15-SP4:Update/openssl-1_1   | created request id 273506 |
> | openssl-1_1.SUSE_SLE-15-SP2_Update   |                           |
> | openssl-1_1.SUSE_SLE-12-SP4_Update   |                           |
> | openssl-1_1.SUSE_SLE-15_Update       | created request id 273521 |
> | openssl-1_1.SUSE_SLE-15-SP1_Update   | created request id 273522 |

Only openssl-3 and openssl-1_1 are affected by this issue. Also, there are two code streams that are having issues. @pgajdos gave me some pointers to deal with them so this is still being worked on.
I fixed openssl-1_1 for 15-sp2 by deleting the broken state incident. any others?
(In reply to Marcus Meissner from comment #13)
> I fixed openssl-1_1 for 15-sp2 by deleting the broken state incident.
>
> any others?

I hope tumbleweed won't be forgotten
This is an autogenerated message for OBS integration: This bug (1185637) was mentioned in https://build.opensuse.org/request/show/981089 Factory / openssl-1_1
(In reply to Marcus Meissner from comment #13)
> I fixed openssl-1_1 for 15-sp2 by deleting the broken state incident.
>
> any others?

Does that mean that the openssl-1_1 package is being removed from SP2? SP2 has a different version than SP1 after all.
No, it was just an incident with a buggy state of openssl-1_1.

We still expect resubmission for 15-sp2 of openssl-1_1.
(In reply to Marcus Meissner from comment #17)
> No, it was just a incident with a buggy state of openssl-1_1.
>
> We still expect resubmission for 15-sp2 of openssl-1_1.

The patch to update the certificates applies fine for SP2, the other one to fix the CVE does not.
SUSE-SU-2022:2068-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166
CVE References: CVE-2022-1292
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): openssl-1_1-1.1.0i-150100.14.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): openssl-1_1-1.1.0i-150100.14.30.1
SUSE Enterprise Storage 6 (src): openssl-1_1-1.1.0i-150100.14.30.1
SUSE CaaS Platform 4.0 (src): openssl-1_1-1.1.0i-150100.14.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2075-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166
CVE References: CVE-2022-1292
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): openssl-1_1-1.1.0i-150000.4.69.1
SUSE Linux Enterprise Server 15-LTSS (src): openssl-1_1-1.1.0i-150000.4.69.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openssl-1_1-1.1.0i-150000.4.69.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openssl-1_1-1.1.0i-150000.4.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Complete.
SUSE-SU-2022:2182-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185637,1199166,1200550
CVE References: CVE-2022-1292,CVE-2022-2068
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.66.1
SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Server 12-SP5 (src): openssl-1_1-1.1.1d-2.66.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): openssl-1_1-1.1.1d-2.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2251-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185637,1199166,1200550
CVE References: CVE-2022-1292,CVE-2022-2068
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Manager Server 4.1 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Manager Retail Branch Server 4.1 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Manager Proxy 4.1 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openssl-1_1-1.1.1d-150200.11.48.1
SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
*** Bug 1200154 has been marked as a duplicate of this bug. ***
SUSE-SU-2022:2308-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-2068,CVE-2022-2097
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-3-3.0.1-150400.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2251-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1185637,1199166,1200550
CVE References: CVE-2022-1292,CVE-2022-2068
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.