Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI

The system-wide minimum crypto policy on Fedora prevents us from enabling
3DES and RC4 ciphers via GnuTLS priority strings. We have unconditionally
disabled it in OpenConnect for now in commit 7e862f2f03 but the
obsolete-server-crypto test is *still* failing, with ocserv reporting
'GnuTLS error (at worker-vpn.c:861): No supported cipher suites have
been found.'

Just mark obsolete-server-crypto test as XFAIL for these builds.  It's
the most accurate description of the state of those tests: these
environments do not provide OpenConnect with the capabilities to
reliably enable obsolete/insecure crypto algorithms in a self-contained
way.

See https://bugzilla.redhat.com/show_bug.cgi?id=1960763 for ongoing
discussions about how to come up with a more reliable, testable, and
maintainable mechanism for OpenConnect to enable these algorithms without
compromising the system-wide minimum crypto policy.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f69f190de3e5aae49baf8137a175ece0d12f283..3224ddfb4b0db91660039a88b220caf5a1b93303 100644 (file)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -171,7 +171,10 @@ ubsan/GnuTLS/Fedora:
   - export UBCFLAGS="-Wall -Wextra -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2"
   - CFLAGS="$UBCFLAGS" ./configure --with-java --disable-dsa-tests --without-gnutls-version-check
   - make -j4
-  - make VERBOSE=1 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+#   library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+#   XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+  - make VERBOSE=1 XFAIL_TESTS="obsolete-server-crypto" -j4 check
   tags:
   - shared
   - linux
@@ -268,7 +271,10 @@ Fedora/GnuTLS:
 # we don't want pppd to invoke any actual connection scripts
   - mv /etc/ppp /etc/ppp.DISABLED
 # auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
-  - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+#   library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+#   XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+  - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
   tags:
   - shared
   except:
@@ -294,7 +300,10 @@ Fedora/GnuTLS/ibmtss:
 # we don't want pppd to invoke any actual connection scripts
   - mv /etc/ppp /etc/ppp.DISABLED
 # auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
-  - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+#   library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+#   XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+  - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
   tags:
   - shared
   except:
@@ -319,7 +328,10 @@ Fedora/GnuTLS/clang:
 # we don't want pppd to invoke any actual connection scripts
   - mv /etc/ppp /etc/ppp.DISABLED
 # auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
-  - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+#   library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+#   XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+  - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
   tags:
   - shared
   except: