From f39ad183b1dd0508a8fae68f809922228ae33ec1 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Sat, 29 May 2021 10:39:57 -0700 Subject: [PATCH] Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI The system-wide minimum crypto policy on Fedora prevents us from enabling 3DES and RC4 ciphers via GnuTLS priority strings. We have unconditionally disabled it in OpenConnect for now in commit 7e862f2f03 but the obsolete-server-crypto test is *still* failing, with ocserv reporting 'GnuTLS error (at worker-vpn.c:861): No supported cipher suites have been found.' Just mark obsolete-server-crypto test as XFAIL for these builds. It's the most accurate description of the state of those tests: these environments do not provide OpenConnect with the capabilities to reliably enable obsolete/insecure crypto algorithms in a self-contained way. See https://bugzilla.redhat.com/show_bug.cgi?id=1960763 for ongoing discussions about how to come up with a more reliable, testable, and maintainable mechanism for OpenConnect to enable these algorithms without compromising the system-wide minimum crypto policy. Signed-off-by: Daniel Lenski Signed-off-by: David Woodhouse
---
 .gitlab-ci.yml | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6f69f190..3224ddfb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -171,7 +171,10 @@ ubsan/GnuTLS/Fedora:
 - export UBCFLAGS="-Wall -Wextra -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2"
 - CFLAGS="$UBCFLAGS" ./configure --with-java --disable-dsa-tests --without-gnutls-version-check
 - make -j4
- - make VERBOSE=1 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+ - make VERBOSE=1 XFAIL_TESTS="obsolete-server-crypto" -j4 check
 tags:
 - shared
 - linux
@@ -268,7 +271,10 @@ Fedora/GnuTLS:
 # we don't want pppd to invoke any actual connection scripts
 - mv /etc/ppp /etc/ppp.DISABLED
 # auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
- - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+ - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
 tags:
 - shared
 except:
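Review bot: Marking the whole `obsolete-server-crypto` script as XFAIL in the `ubsan/GnuTLS/Fedora` job lets any failure of that test pass CI, not only the "No supported cipher suites" failure described in the commit message. The same line is added in `Fedora/GnuTLS`, `Fedora/GnuTLS/ibmtss` and `Fedora/GnuTLS/clang`. If the script also asserts that the client refuses 3DES/RC4 servers when `--allow-insecure-crypto` is absent (its body is not part of this patch), a regression in that secure default would go unnoticed on every Fedora/GnuTLS job. A narrower option is to have the test detect the policy restriction and exit 77 (automake SKIP) only for the part that needs the obsolete ciphers enabled, so the refusal checks keep running. At minimum the comment should state the cost, for example `# NOTE: XFAIL also masks this test's "refuse insecure crypto by default" checks on these jobs`.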
@@ -294,7 +300,10 @@ Fedora/GnuTLS/ibmtss:
 # we don't want pppd to invoke any actual connection scripts
 - mv /etc/ppp /etc/ppp.DISABLED
 # auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
- - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+ - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
 tags:
 - shared
 except:
@@ -319,7 +328,10 @@ Fedora/GnuTLS/clang:
 # we don't want pppd to invoke any actual connection scripts
 - mv /etc/ppp /etc/ppp.DISABLED
 # auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086
- - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check
+# obsolete-server-crypto: system-wide crypto policy prevents --allow-insecure-crypto from working, and the
+# library-reinitialization hack does not reliably work (https://gitlab.com/openconnect/openconnect/-/issues/243#note_576194663)
+# XFAIL until we get a solution for https://bugzilla.redhat.com/show_bug.cgi?id=1960763
+ - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 XFAIL_TESTS="obsolete-server-crypto" -j4 check
 tags:
 - shared
 except:
-- 
2.49.0
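Review bot: Passing `XFAIL_TESTS="obsolete-server-crypto"` on the make command line in `Fedora/GnuTLS/ibmtss` replaces any `XFAIL_TESTS` list assigned in the automake test Makefile rather than extending it, because command-line variables override makefile assignments. The same applies to the other three changed `make … check` lines. Whether the test Makefile defines such a list is not visible in this patch; if it does, those tests would stop being treated as expected failures on these jobs only, so this is worth confirming. A short addition to the comment would record the behaviour for whoever edits it next: `# command-line XFAIL_TESTS overrides (does not append to) any list set in Makefile.am`.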