Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Make crypto tests resilient to Azure Linux OpenSSL #106489

Closed
3 tasks done
richlander opened this issue Aug 15, 2024 · 6 comments
Closed
3 tasks done

Make crypto tests resilient to Azure Linux OpenSSL #106489

richlander opened this issue Aug 15, 2024 · 6 comments
Assignees
@vcsjones
Labels
area-System.Security
Milestone
9.0.0

Comments

@richlander
Copy link
Member

richlander commented Aug 15, 2024
edited by vcsjones
Loading

Context: #106330 (comment)
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Aug 15, 2024
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs changed the title Make crypto tests resilient to OpenSSL algorithms being disabled Make crypto tests resilient to RSA+MD5 being disabled Aug 15, 2024
@vcsjones vcsjones self-assigned this Aug 15, 2024
@richlander
Copy link
Member Author

Note that we'll need to do this in .NET 8, 9, and main branches. We should have a conversation on whether this makes sense to backport to .NET 6. .NET 6 is supported on Azure Linux 3.0. I had been intending on adding this helix image to the .NET 6 branch.

@richlander richlander mentioned this issue Aug 15, 2024
Merged
@bartonjs
Copy link
Member

There aren't any product changes anticipated here. The underlying library says "thou shalt not do RSA signatures with MD5" (or MD4, etc), and we're just going to accept that.

All we're going to do is make the tests tolerate it.

Given that there are only 3 patch updates left for 6, I don't think it makes any sense to port test-only changes there, or turn on a new OS in the test matrix.

@vcsjones
Copy link
Member

Also to set some expectations, there are a considerable number of things broken besides RSA+MD5 (see attached log with full results). It's going to take time to work through these, and not all of them will be fixed by OPENSSL_ENABLE_MD5_VERIFY, in fact most won't.

console.c079ebb9.log

@vcsjones vcsjones changed the title Make crypto tests resilient to RSA+MD5 being disabled Make crypto tests resilient to Azure Linux OpenSSL Aug 15, 2024
@vcsjones
Copy link
Member

As a condition to considering this issue complete, we need to remember to undo this change:

https://github.com/dotnet/dotnet-buildtools-prereqs-docker/pull/1177/files#diff-829f3ba91af430a8bbd05b4fc16a6f26cd1b26d912d502c1df6c0e42beb01f04R87

This was referenced Aug 16, 2024
Merged
Merged
Merged
@bartonjs bartonjs removed the untriaged New issue has not been triaged by the area owner label Aug 20, 2024
@bartonjs bartonjs added this to the 9.0.0 milestone Aug 20, 2024
This was referenced Aug 22, 2024
Merged
Merged
Merged
@vcsjones
Copy link
Member

This is complete and all backports are merged, so I think this can be closed.

Please re-open if there are still any outstanding issues to address.

@github-actions github-actions bot locked and limited conversation to collaborators Oct 12, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees

@vcsjones vcsjones

Labels
area-System.Security
Projects
None yet
Milestone
9.0.0
Development

No branches or pull requests
3 participants
@vcsjones @richlander @bartonjs