Net::SSLeay-1.85 tests hanging.

[ken@…]

With 8.3 (and earlier) systems using kernels < 4.18.6, the tests pass fine.

Douglas reported that they hang with current svn.

On an 8.3 system running a 4.18.6, they hung. On an svn system (newer openssl, kernel 4.18.9) they hung.

Douglas suggested it might be related to openssl, but my 8.3 systems have not been updated. There was a CPAN ticket for *failures* with newer openssl.

Fixes for that are in a developer release, [ ​https://metacpan.org/release/RADIATOR/Net-SSLeay-1.86_06 ]

I have now tested that version with both IO-Socket-SSL-2.059 and 2.060 on an 8.2 system, to check that the wget testsuite works (using DESTDIR installs and passing PERL5LIB to use the new versions).

Needs more testing before we put a developer release into the book.

[ken@…]

Curiouser and curiouser. It might be some option in the kernel config which causes the hang.

On the old AMD machine where LFS-8.3 and 4.18.5 worked, updating the kernel to 4.18.12 continued to work.

But on the old intel where 8.3 and 4.18.6 hung, updating to 4.18.12 still hung.

Similarly, on the recent AMD with svn where the tests hung with 4.18.9, updating to 4.18.12 still hangs.

But the CPAN ticket said that there were a lot of test failures with openssl-1.1.1 so I think we need to update to 1.86_06 pending a final release of 1.86.

However, using this with IO-Socket-SSL-2.060 and current svn I get a test failure in IO-Socket-SSL-2.060 :

Test Summary Report
-------------------
t/compatibility.t               (Wstat: 13 Tests: 7 Failed: 0)
  Non-zero wait status: 13
  Parse errors: Bad plan.  You planned 9 tests but ran 7.
Files=38, Tests=778, 55 wallclock secs ( 0.11 usr  0.02 sys +  4.12 cusr  0.41 csys =  4.66 CPU)
Result: FAIL
Failed 1/38 test programs. 0/778 subtests failed.
make: *** [Makefile:879: test_dynamic] Error 255

So I no-longer feel confident about any of this.

with 1.86_06 and 2.059 I'm getting different failures:

Test Summary Report
-------------------
t/ecdhe.t                       (Wstat: 0 Tests: 4 Failed: 1)
  Failed test:  3
t/npn.t                         (Wstat: 0 Tests: 5 Failed: 2)
  Failed tests:  4-5
t/protocol_version.t            (Wstat: 65024 Tests: 2 Failed: 1)
  Failed test:  1
  Non-zero exit status: 254
  Parse errors: Tests out of sequence.  Found (1) but expected (2)
                No plan found in TAP output
t/session_ticket.t              (Wstat: 768 Tests: 6 Failed: 3)
  Failed tests:  2-3, 6
  Non-zero exit status: 3
t/sni_verify.t                  (Wstat: 13 Tests: 5 Failed: 2)
  Failed tests:  4-5
  Non-zero wait status: 13
  Parse errors: Bad plan.  You planned 17 tests but ran 5.
Files=38, Tests=757, 71 wallclock secs ( 0.12 usr  0.02 sys +  3.88 cusr  0.42 csys =  4.44 CPU)
Result: FAIL
Failed 5/38 test programs. 9/757 subtests failed.
make: *** [Makefile:879: test_dynamic] Error 255

Even if we upgrade IO-SSLeay for openssl-1.1.1, the test results for IO-Socket-SSL are broken whether we use the old or new versions.

Hopefully, there will be a real Net-SSLeay release soon.

Or, we could just revert openssl-1.1.1 in LFS. ;-)

[Bruce Dubbs]

I'm having a little trouble with this discussion. AFAICT the only place Net::SSLeay is used is in IO::Socket::SSL and that, in turn is strictly optional for wget to run some regression tests.

Is there too much time spent on this? Does IO::Socket::SSL build without Net::SSLeay? Can we use the older version of Net::SSLeay? Can we mark IO::Socket::SSL in wget as currently broken?

[Douglas R. Reno]

IMO OpenSSL needs to be reverted.

The new version of Apache DOES NOT support 1.1.1 due to API changes. I have no idea what else might not work with it, just read it on their website when checking the change notes for the new httpd.

[ken@…]

Replying to bdubbs:

I'm having a little trouble with this discussion. AFAICT the only place Net::SSLeay is used is in IO::Socket::SSL and that, in turn is strictly optional for wget to run some regression tests.

Is there too much time spent on this? Does IO::Socket::SSL build without Net::SSLeay? Can we use the older version of Net::SSLeay? Can we mark IO::Socket::SSL in wget as currently broken?

The older version of Net::SSLeay (1.85) hangs its tests on some machines, but not on others. This appears to be a kernel config issue and therefore ought to be documented.

It might be orthogonal to whether or not openssl-1.1.1 is usable, but at the moment the only machines of mine where the tests hang are using 1.1.1. I had thought that the minimal system where I'm seeing the hang was using 8.3, but I now realize it is using 1.1.1.

Will go back to the pre-8.3 system where I originally tested modules/versions to look at the config, but later.

Unless 1.86 or 1.87 is released in the meantime, of course.

[ken@…]

Replying to renodr:

IMO OpenSSL needs to be reverted.

The new version of Apache DOES NOT support 1.1.1 due to API changes. I have no idea what else might not work with it, just read it on their website when checking the change notes for the new httpd.

And that, of course, sounds like a much more urgent reason for reverting openssl-1.1.1. But I am always very slow to update systems where I use apache, so at the moment mine are using 1.1.0-something and 4.14 kernels.

[ken@…]

I've now booted a different 8.3 machine, and am running a 4.18.5 kernel.

The tests in Net-SSLeay-1.85 ran to completion. I then updated openssl to 1.1.1. The tests now hang. So openssl-1.1.1 is indeed the problem and things are not ready for it.

Leave it to fedora or debian unstable!

[ken@…]

Replying to bdubbs:

I'm having a little trouble with this discussion. AFAICT the only place Net::SSLeay is used is in IO::Socket::SSL and that, in turn is strictly optional for wget to run some regression tests.

Also used by LWP::Protocol-https (used by biber, currently suggested by libwww-perl)

Fedora have a Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch and they are using IO::Socket::SSL-2.060 which apparently works with patched Net-SSLeay.

Meanwhile, the Net::SSLeay developers have made any commits since 29th September AFAICS.

Will retest when I have time.

[ken@…]

With fedora's patch, I got Net-SSLeay-1.85 to pass its tests with openssl-1.1.1. But then IO-Socket-SSL-2.060 (which fedora are using) hangs in its tests, with one core at 100%.

[ken@…]

Tests for Net-SSLeay fixed in r20715. Raising new ticket for IO::Socket::SSL.