I'm running IPA tests in an environment which has only OpenSSL 1.1.0+:
[builder@localhost .in]$ find /lib64/ -name 'libcrypto*'
/lib64/libcrypto.so.1.1
[builder@localhost .in]$ make fasttest
PYTHONPATH=/usr/src/RPM/BUILD/freeipa-4.7.2 /usr/bin/python3 ipatests/ipa-run-tests \
    --skip-ipaapi \
    --ignore /usr/src/RPM/BUILD/freeipa-4.7.2/ipatests/test_integration \
    --ignore /usr/src/RPM/BUILD/freeipa-4.7.2/ipatests/test_xmlrpc
===================================== test session starts =====================================
platform linux -- Python 3.7.3, pytest-3.10.1, py-1.8.0, pluggy-0.9.0
rootdir: /usr/src/RPM/BUILD/freeipa-4.7.2, inifile:
plugins: sourceorder-0.5.1, multihost-3.0, pylama-6.1.1
collected 786 items / 84 skipped

ipatests/test_util.py ........ [ 1%]
ipatests/util.py .. [ 1%]
ipatests/test_cmdline/test_cli.py ssssssssssssssss.sssssssssssssssssssss [ 6%]
ipatests/test_cmdline/test_help.py sssssss [ 6%]
ipatests/test_install/test_changeconf.py . [ 7%]
ipatests/test_install/test_install_checks.py ........ [ 8%]
ipatests/test_install/test_updates.py sssssssssss [ 9%]
ipatests/test_ipaclient/test_csrgen.py ..............make: *** [Makefile:1210: fasttest] Segmentation fault
(Pdb) w
...
-> testfunction(**testargs)
  /usr/src/RPM/BUILD/freeipa-4.7.2/ipatests/test_ipaclient/test_csrgen.py(229)test_works_with_lowercase_attr_type_shortname()
-> config.encode('utf-8'), adaptor.get_subject_public_key_info()))
  /usr/src/RPM/BUILD/freeipa-4.7.2/ipaclient/csrgen_ffi.py(292)build_requestinfo()
-> subject = X509_REQ_get_subject_name(req)
> /usr/src/RPM/BUILD/freeipa-4.7.2/ipaclient/csrgen_ffi.py(163)X509_REQ_get_subject_name()
-> def X509_REQ_get_subject_name(req)
(Pdb) l
158     i2d_X509_REQ_INFO = _libcrypto.i2d_X509_REQ_INFO
159     X509_NAME_add_entry_by_OBJ = _libcrypto.X509_NAME_add_entry_by_OBJ
160     X509_NAME_entry_count = _libcrypto.X509_NAME_entry_count
161
162
163  -> def X509_REQ_get_subject_name(req):
164         return req.req_info.subject
165
166
167     # openssl/objects.h
168     OBJ_txt2obj = _libcrypto.OBJ_txt2obj
(Pdb) req
<cdata 'X509_REQ *' 0x1cb47c0>
(Pdb) req.req_info
<cdata 'X509_REQ_INFO *' NULL>
(Pdb)
As you can see, req.req_info hasn't been initialized properly. Since OpenSSL 1.1.0, the req_info field of the X509_REQ structure is no longer a pointer to X509_REQ_INFO.
master:
build_requestinfo
Metadata Update from @fcami: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @cheimes: - Custom field affects_doc adjusted to on - Issue status updated to: Open (was: Closed)
The fix is not compatible with platforms that use LibreSSL instead of OpenSSL. LibreSSL returns OpenSSL version number 2.0.0 but uses the old ABI with X509_REQ_INFO *req_info. We need extra checks to detect LibreSSL and force the old ABI.
The python-cryptography project contains a bunch of examples.
Thank you for pointing that out. Let me check and fix myself.
I'm totally OK with not supporting LibreSSL. ALT Linux, Debian, Fedora, RHEL, and Ubuntu all use OpenSSL. For example you could detect LibreSSL from the version string and raise an import error.
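The check discussed in the two comments above, as an added example (not FreeIPA's code and not the fix that was merged): it decides the X509_REQ layout from the version number and version string that the loaded libcrypto reports, and either rejects LibreSSL with an import error or forces the old ABI. The function names, the `allow_libressl` switch, the layout labels and the sample version values are assumptions made for illustration.

```python
# OpenSSL packs its version as 0xMNNFFPPS; 1.1.0 is 0x10100000.
OPENSSL_1_1_0 = 0x10100000


def is_libressl(version_text):
    """LibreSSL identifies itself in the version string, not the number."""
    return version_text.strip().startswith("LibreSSL")


def req_info_layout(version_number, version_text, allow_libressl=False):
    """Return 'pointer' (X509_REQ_INFO *req_info) or 'inline' (not a pointer).

    The version string is checked first: LibreSSL reports version number
    2.0.0, so a numeric comparison alone would wrongly select the
    OpenSSL 1.1.0+ layout and dereference the wrong offset.
    """
    if is_libressl(version_text):
        if not allow_libressl:
            # Option from the last comment: refuse to load at all.
            raise ImportError(
                "unsupported crypto library: %s" % version_text)
        # Option from the earlier comment: force the old ABI.
        return "pointer"
    if version_number >= OPENSSL_1_1_0:
        return "inline"
    return "pointer"


# Constructed sample inputs: (version number, version string).
SAMPLES = [
    (0x1000211F, "OpenSSL 1.0.2q  20 Nov 2018"),
    (0x1010102F, "OpenSSL 1.1.1b  26 Feb 2019"),
    (0x20000000, "LibreSSL 2.8.3"),
]

if __name__ == "__main__":
    for number, text in SAMPLES:
        layout = req_info_layout(number, text, allow_libressl=True)
        print("%#010x  %-30s -> %s" % (number, text, layout))
```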
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1691442
Issue linked to Bugzilla: Bug 1691442
Metadata Update from @cheimes: - Issue assigned to fcami - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.7.3
ipa-4-7:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)