Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test failure System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False) #71037

Closed
VincentBu opened this issue Jun 21, 2022 · 13 comments · Fixed by #73627
Closed

Test failure System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False) #71037

VincentBu opened this issue Jun 21, 2022 · 13 comments · Fixed by #73627
Assignees
@bartonjs
Labels
arch-x64 area-System.Net.Security disabled-test The test is disabled in source code against the issue os-linux Linux OS (any supported distro)
Milestone
7.0.0

Comments

@VincentBu
Copy link
Contributor

Run: runtime-libraries-coreclr outerloop 20220620.5

Failed test:

net7.0-Linux-Release-x64-CoreCLR_release-RedHat.7.Amd64.Open

- System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False)

net7.0-Linux-Release-x64-CoreCLR_release-(Centos.7.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:centos-7-mlnet-helix-20220601183719-dde38af

- System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False)

Error message:

Assert.Contains() Failure
Not found: (filter expression)
In value:  X509ChainStatus[] [System.Security.Cryptography.X509Certificates.X509ChainStatus, System.Security.Cryptography.X509Certificates.X509ChainStatus]


Stack trace
   at System.Net.Security.Tests.CertificateValidationRemoteServer.<ConnectWithRevocation_WithCallback_Core>g__CertificateValidationCallback|6_0(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 285
   at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs:line 984
   at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 519
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 543
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 359
   at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 128
--- End of stack trace from previous location ---
   at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 92
   at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks, Int32 millisecondsTimeout) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 55
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 228
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
--- End of stack trace from previous location ---
@VincentBu VincentBu added area-System.Net.Security os-linux Linux OS (any supported distro) arch-x64 blocking-outerloop Blocking the 'runtime-coreclr outerloop' and 'runtime-libraries-coreclr outerloop' runs labels Jun 21, 2022
@ghost
Copy link

ghost commented Jun 21, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Run: runtime-libraries-coreclr outerloop 20220620.5

Failed test:

net7.0-Linux-Release-x64-CoreCLR_release-RedHat.7.Amd64.Open

- System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False)

net7.0-Linux-Release-x64-CoreCLR_release-(Centos.7.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:centos-7-mlnet-helix-20220601183719-dde38af

- System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False)

Error message:

Assert.Contains() Failure
Not found: (filter expression)
In value:  X509ChainStatus[] [System.Security.Cryptography.X509Certificates.X509ChainStatus, System.Security.Cryptography.X509Certificates.X509ChainStatus]


Stack trace
   at System.Net.Security.Tests.CertificateValidationRemoteServer.<ConnectWithRevocation_WithCallback_Core>g__CertificateValidationCallback|6_0(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 285
   at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs:line 984
   at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 519
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 543
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 359
   at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 128
--- End of stack trace from previous location ---
   at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 92
   at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks, Int32 millisecondsTimeout) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 55
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 228
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
--- End of stack trace from previous location ---
Author: VincentBu
Assignees: -
Labels:

area-System.Net.Security, os-linux, arch-x64, blocking-outerloop
Milestone: -

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Jun 21, 2022
@rzikm
Copy link
Member

rzikm commented Jun 21, 2022

Looks like duplicate of #70322

@rzikm rzikm closed this as completed Jun 21, 2022
@ghost ghost removed the untriaged New issue has not been triaged by the area owner label Jun 21, 2022
@rzikm
Copy link
Member

rzikm commented Jun 21, 2022
edited
Loading

Actually, the duplicate is expected to be fixed since 6 days ago, so the failures should not be occuring anymore, thoughts? @bartonjs ?

The line numbers in the callstack are different, which suggests it is still happening after the fix.

@rzikm rzikm reopened this Jun 21, 2022
@ghost ghost added the untriaged New issue has not been triaged by the area owner label Jun 21, 2022
@runfoapp runfoapp bot mentioned this issue Jun 21, 2022
Closed
@rzikm rzikm assigned rzikm and bartonjs and unassigned rzikm Jun 21, 2022
@ManickaP ManickaP mentioned this issue Jun 22, 2022
Merged
@karelz
Copy link
Member

karelz commented Jun 28, 2022

@bartonjs not sure if you're back and if you had time to look at it?

@karelz
Copy link
Member

karelz commented Jun 28, 2022

@rzikm mentions it is happening quite often -- let's disable the test for now on the affected 2 platforms.

@bartonjs
Copy link
Member

I don't currently have even the capacity to open a PR to disable the test.

@vcsjones
Copy link
Member

I will open a PR to disable the test on the affected platforms shortly.

@vcsjones vcsjones mentioned this issue Jun 28, 2022
Merged
@stephentoub stephentoub added the disabled-test The test is disabled in source code against the issue label Jun 28, 2022
@VincentBu
Copy link
Contributor Author

Failed again in: runtime-libraries-coreclr outerloop 20220628.3

Failed test:

net7.0-Linux-Release-x64-CoreCLR_release-RedHat.7.Amd64.Open

- System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False)

net7.0-Linux-Release-x64-CoreCLR_release-(Centos.7.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:centos-7-mlnet-helix-20220601183719-dde38af

- System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_StapledOcsp(offlineContext: False)

Error message:

Assert.Contains() Failure
Not found: (filter expression)
In value:  X509ChainStatus[] [System.Security.Cryptography.X509Certificates.X509ChainStatus, System.Security.Cryptography.X509Certificates.X509ChainStatus]


Stack trace
   at System.Net.Security.Tests.CertificateValidationRemoteServer.<ConnectWithRevocation_WithCallback_Core>g__CertificateValidationCallback|6_0(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 285
   at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs:line 984
   at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 519
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 543
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken) in /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs:line 359
   at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 128
--- End of stack trace from previous location ---
   at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 92
   at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks, Int32 millisecondsTimeout) in /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs:line 55
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 228
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
   at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs:line 229
--- End of stack trace from previous location ---

@wfurt wfurt removed the untriaged New issue has not been triaged by the area owner label Jul 14, 2022
@wfurt wfurt added this to the 7.0.0 milestone Jul 14, 2022
@karelz
Copy link
Member

karelz commented Jul 18, 2022

@bartonjs is it related to OCSP? Should it be looked at for 7.0? If yes, who should look?

@karelz karelz removed the blocking-outerloop Blocking the 'runtime-coreclr outerloop' and 'runtime-libraries-coreclr outerloop' runs label Jul 21, 2022
@karelz
Copy link
Member

karelz commented Jul 21, 2022

Test is disabled, so no need for "blocking-outerloop" anymore

@bartonjs
Copy link
Member

bartonjs commented Aug 9, 2022

OK. So the problem is that in OpenSSL 1.0.2 the SSL_CTX* type can't handle the SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE control, only the individual SSL* can.

So I guess we can move it from SslCtxCreate to SslCreate. Doing it in both places as a quick test with X509 tracing on and some extra printing in this test shows that it makes Centos7 happy:

  2022-08-09T00:29:21.650Z: ChainStart - Starting X.509 chain build.
  2022-08-09T00:29:21.652Z: FindFirstChainFinished - First build finished with status 0.
  2022-08-09T00:29:21.663Z: RevocationCheckStart - Starting revocation check in mode 'Offline' with scope 'EndCertificateOnly' on a 3-element chain.
  2022-08-09T00:29:21.663Z: StapledOcspPresent - The target certificate has a stapled OCSP request, skipping the CRL check.
  2022-08-09T00:29:21.664Z: CrlChainFinished - With CRLs applied, the chain build finished with status 3.
  2022-08-09T00:29:21.666Z: RawElementStatus - The reported errors for the chain element at depth 0 are X509_V_ERR_UNABLE_TO_GET_CRL.
  2022-08-09T00:29:21.669Z: OcspResponseFromCache - The OCSP cache result for the certificate at depth 0 is 23.
  2022-08-09T00:29:21.669Z: RevocationCheckStop - Duration 6.613ms
  2022-08-09T00:29:21.670Z: ChainStop - Duration 19.502ms
  Chain Status Code: Revoked
  Chain Element 0: CN=offline.false.server.example, O=""
     Revoked
  Chain Element 1: CN=A Revocation Test CA 0, O=""
  Chain Element 2: CN=A Revocation Test Root, O=""
    Finished:    System.Net.Security.Tests
  === TEST EXECUTION SUMMARY ===
     System.Net.Security.Tests  Total: 1, Errors: 0, Failed: 0, Skipped: 0, Time: 1.180s

(OCSP ... 23 => "the certificate is revoked")

Guess I'll put up a PR tomorrow.

@wfurt
Copy link
Member

wfurt commented Aug 9, 2022

I personally feel it would be OK to skip tests/OCSP on 1.0.1. It is not supported anyway https://www.openssl.org/policies/releasestrat.html and the chance that somebody runs massive production servers on it is small IMHO. I did something similar for TLS resume to avoid weird behavior I was experiencing.

@bartonjs
Copy link
Member

bartonjs commented Aug 9, 2022

Well, the server half of OCSP works fine on 1.0.x, it's the client half that doesn't. If it was the server half, I'd agree: move to new stuff.

The client half I have a bit more sympathy for, I guess. And since it's just moving 3 lines down a bit, it's not too cumbersome. (If it was a lot of work, I'd be back at "eh, move to new stuff")

@bartonjs bartonjs mentioned this issue Aug 9, 2022
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Aug 9, 2022
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Aug 10, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Sep 9, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bartonjs bartonjs

Labels
arch-x64 area-System.Net.Security disabled-test The test is disabled in source code against the issue os-linux Linux OS (any supported distro)
Projects
None yet
Milestone
7.0.0
Development

Successfully merging a pull request may close this issue.

Use SSL_ctrl instead of SSL_CTX_ctrl to enable client OCSP stapling bartonjs/runtime
7 participants
@vcsjones @stephentoub @karelz @bartonjs @wfurt @rzikm @VincentBu