From levitte at openssl.org Tue May 1 04:09:13 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 01 May 2018 06:09:13 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180430162209.GA4439@roeckx.be>
References: <20180430.164908.1424770216194967097.levitte@openssl.org>
<20180430.180020.1402330384104485085.levitte@openssl.org>
<20180430162209.GA4439@roeckx.be>
Message-ID: <20180501.060913.811991315461935857.levitte@openssl.org>
In message <20180430162209.GA4439 at roeckx.be> on Mon, 30 Apr 2018 18:22:09 +0200, Kurt Roeckx said:
kurt> On Mon, Apr 30, 2018 at 06:00:20PM +0200, Richard Levitte wrote:
kurt> >
kurt> > So I'd like to have it confirmed that I'm reading this right, that's
kurt> > about 0.08 entropy bits per 8 data bits? Or is it per data bit?
kurt>
kurt> Per symbol, being 8 bits for what you provided.
kurt>
kurt> > Depending on the interpretation, we either have 1 bit of entropy per
kurt> > 12 data bits... or per 100 data bits... The latter has my heart
kurt> > sinking...
kurt>
kurt> It's per 100 bits, and that's really still an overestimate. One
kurt> of the models they used was able to predict it that well.
That well? I'm not sure I understand, the final min-entropy value is
the *lowest* of all different estimates. Also, I'm not sure what
makes you say it's an overestimate... are you simply speculating?
Either way, this is quite discouraging, because this means that with
that estimate, I need to gather about 25 KiB of data to meet the
requirements of our DRBG. Right?
kurt> It might be possible to create a better model.
I'm not sure I understand what you mean.
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From levitte at openssl.org Tue May 1 04:33:33 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 01 May 2018 06:33:33 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180501.060913.811991315461935857.levitte@openssl.org>
References: <20180430.180020.1402330384104485085.levitte@openssl.org>
<20180430162209.GA4439@roeckx.be>
<20180501.060913.811991315461935857.levitte@openssl.org>
Message-ID: <20180501.063333.138536851222442365.levitte@openssl.org>
In message <20180501.060913.811991315461935857.levitte at openssl.org> on Tue, 01 May 2018 06:09:13 +0200 (CEST), Richard Levitte said:
levitte> Either way, this is quite discouraging, because this means that with
levitte> that estimate, I need to gather about 25 KiB of data to meet the
levitte> requirements of our DRBG. Right?
Gah! Too early in the morning to keep bits and bytes apart! So, err,
about 3 KiB plus change... Still not the most encouraging thought...
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From kurt at roeckx.be Tue May 1 08:43:17 2018
From: kurt at roeckx.be (Kurt Roeckx)
Date: Tue, 1 May 2018 10:43:17 +0200
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180501.060913.811991315461935857.levitte@openssl.org>
References: <20180430.164908.1424770216194967097.levitte@openssl.org>
<20180430.180020.1402330384104485085.levitte@openssl.org>
<20180430162209.GA4439@roeckx.be>
<20180501.060913.811991315461935857.levitte@openssl.org>
Message-ID: <20180501084317.GA32265@roeckx.be>
On Tue, May 01, 2018 at 06:09:13AM +0200, Richard Levitte wrote:
> In message <20180430162209.GA4439 at roeckx.be> on Mon, 30 Apr 2018 18:22:09 +0200, Kurt Roeckx said:
>
> kurt> On Mon, Apr 30, 2018 at 06:00:20PM +0200, Richard Levitte wrote:
> kurt> >
> kurt> > So I'd like to have it confirmed that I'm reading this right, that's
> kurt> > about 0.08 entropy bits per 8 data bits? Or is it per data bit?
> kurt>
> kurt> Per symbol, being 8 bits for what you provided.
> kurt>
> kurt> > Depending on the interpretation, we either have 1 bit of entropy per
> kurt> > 12 data bits... or per 100 data bits... The latter has my heart
> kurt> > sinking...
> kurt>
> kurt> It's per 100 bits, and that's really still an overestimate. One
> kurt> of the models they used was able to predict it that well.
>
> That well? I'm not sure I understand, the final min-entropy value is
> the *lowest* of all different estimates. Also, I'm not sure what
> makes you say it's an overestimate... are you simply speculating?
Those are all just tests to see how easy it is to predict the
next value, but that really don't know anything about the data. It
might be possible to generate a better predictor, one that has an
even lower min-entropy value. That is why you should not rely on
the tool to give you a good min-entropy value, it just shows that
the maximum of the real value is the minimum reported by the tool.
If you actually follow SP800-90B, you should make a theoretical
model of how much entropy you expect, and then use the tool
to verify that your model is correct.
Kurt
From matt at openssl.org Tue May 1 09:02:31 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 10:02:31 +0100
Subject: [openssl-project] Travis is currently failing
Message-ID: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
Can anyone shed any light on this error from travis (master branch is
failing):
/usr/bin/ld: unrecognized option '--push-state--no-as-needed'
/usr/bin/ld: use the --help option for usage information
collect2: error: ld returned 1 exit status
make[1]: *** [libcrypto.so] Error 1
make[1]: Leaving directory `/home/travis/build/openssl/openssl'
make: *** [tests] Error 2
+///// MAKE TEST FAILED
This only seems to happen with one particular build.
Matt
From kurt at roeckx.be Tue May 1 09:52:46 2018
From: kurt at roeckx.be (Kurt Roeckx)
Date: Tue, 1 May 2018 11:52:46 +0200
Subject: [openssl-project] Travis is currently failing
In-Reply-To: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
References: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
Message-ID: <20180501095246.GA6644@roeckx.be>
On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote:
>
> Can anyone shed any light on this error from travis (master branch is
> failing):
>
> /usr/bin/ld: unrecognized option '--push-state--no-as-needed'
> /usr/bin/ld: use the --help option for usage information
> collect2: error: ld returned 1 exit status
> make[1]: *** [libcrypto.so] Error 1
> make[1]: Leaving directory `/home/travis/build/openssl/openssl'
> make: *** [tests] Error 2
> +///// MAKE TEST FAILED
We're also not the only one seeing that problem. We also have the
problem in the 1.1.0-stable branch for the same configuration.
I have no idea what changed.
From matt at openssl.org Tue May 1 10:12:04 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 11:12:04 +0100
Subject: [openssl-project] Travis is currently failing
In-Reply-To: <20180501095246.GA6644@roeckx.be>
References: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
<20180501095246.GA6644@roeckx.be>
Message-ID: <74d05483-e1e1-2fcc-2075-6626713ebae7@openssl.org>
On 01/05/18 10:52, Kurt Roeckx wrote:
> On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote:
>>
>> Can anyone shed any light on this error from travis (master branch is
>> failing):
>>
>> /usr/bin/ld: unrecognized option '--push-state--no-as-needed'
>> /usr/bin/ld: use the --help option for usage information
>> collect2: error: ld returned 1 exit status
>> make[1]: *** [libcrypto.so] Error 1
>> make[1]: Leaving directory `/home/travis/build/openssl/openssl'
>> make: *** [tests] Error 2
>> +///// MAKE TEST FAILED
>
> We're also not the only one seeing that problem. We also have the
> problem in the 1.1.0-stable branch for the same configuration.
> I have no idea what changed.
Looks like it could be a gcc problem:
https://stackoverflow.com/questions/50024731/ld-unrecognized-option-push-state-no-as-needed
Or rather possibly an ubuntu gcc problem?
https://launchpad.net/ubuntu/+source/gcc-7/7.3.0-16ubuntu2
Matt
From kurt at roeckx.be Tue May 1 10:12:10 2018
From: kurt at roeckx.be (Kurt Roeckx)
Date: Tue, 1 May 2018 12:12:10 +0200
Subject: [openssl-project] Travis is currently failing
In-Reply-To: <20180501095246.GA6644@roeckx.be>
References: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
<20180501095246.GA6644@roeckx.be>
Message-ID: <20180501101210.GB6644@roeckx.be>
On Tue, May 01, 2018 at 11:52:46AM +0200, Kurt Roeckx wrote:
> On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote:
> >
> > Can anyone shed any light on this error from travis (master branch is
> > failing):
> >
> > /usr/bin/ld: unrecognized option '--push-state--no-as-needed'
> > /usr/bin/ld: use the --help option for usage information
> > collect2: error: ld returned 1 exit status
> > make[1]: *** [libcrypto.so] Error 1
> > make[1]: Leaving directory `/home/travis/build/openssl/openssl'
> > make: *** [tests] Error 2
> > +///// MAKE TEST FAILED
>
> We're also not the only one seeing that problem. We also have the
> problem in the 1.1.0-stable branch for the same configuration.
> I have no idea what changed.
And I can't reproduce it.
Kurt
From openssl at openssl.org Tue May 1 13:06:36 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 1 May 2018 13:06:36 +0000
Subject: [openssl-project] OpenSSL version 1.1.1 pre release 6 published
Message-ID: <20180501130636.GA9299@openssl.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 1.1.1 pre release 6 (beta)
===========================================
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 6 has now
been made available. For details of changes and known issues see the
release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html
Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.
The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):
* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
The distribution file name is:
o openssl-1.1.1-pre6.tar.gz
Size: 8286337
SHA1 checksum: d9aa6121ea9e8bfc4632566c72b376620c68ece3
SHA256 checksum: 01f91c5370fe210f7172d863c5bdc5dee2450c3faa98b4af2627ee6f7e128d87
The checksums were calculated using the following commands:
openssl sha1 openssl-1.1.1-pre6.tar.gz
openssl sha256 openssl-1.1.1-pre6.tar.gz
Please download and check this beta release as soon as possible.
To report a bug, open an issue on GitHub:
https://github.com/openssl/openssl/issues
Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available
on GitHub.)
Yours,
The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----
iQEcBAEBCAAGBQJa6GGbAAoJENnE0m0OYESRnqwH/jMNw6OXpGYriZphZxLNDBlR
YGJcNypVPcW1y5aDPlhBp9GUTAot4NPtbYpbBegPdvWaI4tA5O3+2gnCRh3xoE9e
k704SlJP+mmBOJSL2/9xSH1tJHNrSmXkHOpfZCr4nKJfayFDnl/H+vf6yNz3CzeB
Oys/VDpLPrV2ev10QNpeypu37es4shNSIRU1OEjH+iDrmTBzt9LzU6dS1rYjtuiV
QK/rdKV8ql0SFNIsrpLHNCT2EMfRqT/kbLcqObrczNBSunZXQF98W4XVhp7dlFBT
GrE8gc/KY8YGfX6kF+1Vy+9vDDKNwaLyzRKXMKUZRLnxkSBbZBREerfwaQT7m0o=
=O0aC
-----END PGP SIGNATURE-----
From matt at openssl.org Tue May 1 13:10:13 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 14:10:13 +0100
Subject: [openssl-project] Freezing the repo
In-Reply-To:
References: <068239e0-7926-d877-6be5-98dfc5dbf737@openssl.org>
Message-ID: <602ff81f-fea2-e968-5cf3-d03f82272bf9@openssl.org>
Release is complete and the repo is unfrozen.
Matt
On 30/04/18 20:04, Salz, Rich wrote:
> Done.
>
> ?On 4/30/18, 3:02 PM, "Matt Caswell" wrote:
>
> Please could someone freeze the repo for me for tomorrow's release:
>
> $ ssh openssl-git at git.openssl.org freeze openssl matt
>
>
> Thanks
>
> Matt
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
From matt at openssl.org Tue May 1 15:06:30 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 16:06:30 +0100
Subject: [openssl-project] Monthly Status Report (April)
Message-ID:
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:
- Performed the 1.1.1 pre-4 release
- Supported the 1.1.1 pre-5 release
- Liason with Billy Bob Brumley and team regarding various EC/constant
time improvements
- Various updates to the TLSv1.3 wiki article
- Fixed a problem with the ordering of when libssl and libcrypto config
was loaded
- Fixed some problems with TLSv1.3 ciphersuite configuration
- Fixed some documentation problems for the mem leak functions
- Overhauled the genpkey documentation
- Fixed the info callback in TLSv1.3 Also added new tests for this.
- Fixed the command line tools to make Ed25519/Ed448 usable
- Fixed logic around the status_request extension so that it is ignored
on a resumption
- Fixed a significant problem with the SRP base64 parsing code
- Fixed an assertion failure in SSL_set_bio()
- Co-ordinated activity around CVE-2018-0737 (Cache timing vulnerability
in RSA Key Generation)
- Investigated the feasibility of using constant time by default for BIGNUMs
- Fixed a mem leak found by Coverity
- Updated the EVP_DigestSignInit() docs to be more explicit about the
algorithms they support
- Fixed a no-ec build break
- Investigated an issue with bad SRP group parameters when
interoperating with tlslite
- Fixed a return code issue with the ocsp command line app
- Fixed return code issue in the DH derive code
- Fixed a crash if X509_STORE_CTX_init() is called with a NULL
X509_STORE and then X509_verify_cert() is called
- Fix an incorrect alert that was being sent if there are no shared sig algs
- Fixed the SSL_get_version() documentation
- Fixed the behaviour of the info callback if SSL_in_init() is called
- Fixed a bug in SSL_pending() when used with DTLS
- Fixed a backwards compat issue with the ECDHParameters config directive
- Fixed a problem in OpenSSL 1.1.0 which prevented intermediate CAs from
using RSA-PSS
- Updated the session docs to cover when a session gets removed from the
cache
- Fixed an issue preventing the use of compressed point EC certs in TLSv1.3
- Fixed a problem where AFALG was incorrectly built on Android
- Fixed a behaviour change between 1.0.2 and 1.1.0 for the client
version in a reneg handshake
- Fixed the documentation for the "-showcerts" s_client option
- Fixed the MAX_CURVELIST definition in libssl
- Fixed a copy&paste error in the TLSv1.3 ciphersuites definition
- Provided some updates for the various *use_certificate* functions
- Created a fix for the SSL_get_shared_ciphers() function
- Investigated a reported problem with PSKs in TLSv1.3
- Investigated a reported problem with DNS nameconstraints
- Investigated a reported problem with the x509 app "-nameopt" option
- Investigated a reported problem with implicit tagging
- Fixed various errors in the CMS documentation
- Clarified the use of BN_mod_exp combined with BN_FLG_CONSTTIME
- Added the X509_PARAM_get_hostflags() function
- Investigated and closed or re-assigned to a later milestone a large
number of other issues (not listed above) that were against the 1.1.1
milestone
Matt
From levitte at openssl.org Wed May 2 03:52:19 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 02 May 2018 05:52:19 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180501084317.GA32265@roeckx.be>
References: <20180430162209.GA4439@roeckx.be>
<20180501.060913.811991315461935857.levitte@openssl.org>
<20180501084317.GA32265@roeckx.be>
Message-ID: <20180502.055219.400891360743110066.levitte@openssl.org>
In message <20180501084317.GA32265 at roeckx.be> on Tue, 1 May 2018 10:43:17 +0200, Kurt Roeckx said:
kurt> If you actually follow SP800-90B, you should make a theoretical
kurt> model of how much entropy you expect, and then use the tool
kurt> to verify that your model is correct.
Errrr... look, I'm kind of a rookie in this particular area, so errr,
I'm not sure I have the knowledge to think of a theoretical model.
Given a crash course, I can probably come up with *something*, but at
this moment, I don't know where to start.
A side note to this discussion, the way the rand pool routines are
currently implemented, specifically rand_pool_bytes_needed(), we
cannot handle a source with less than 1 entropy bit per 8 bits of
data. Or well, it can, if that particular routine isn't used, but
considering it's a fairly crucial routine for entropy acquisition, I'd
say it needs a small change. PR coming up.
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From levitte at openssl.org Wed May 2 06:17:28 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 02 May 2018 08:17:28 +0200 (CEST)
Subject: [openssl-project] Monthly Status Report (April)
Message-ID: <20180502.081728.1022233216684071925.levitte@openssl.org>
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, etc., key activities this month:
Development:
- Supported the 1.1.1-pre4 release
- Performed the 1.1.1-pre5 release
- Made an extensive regression test of 1.1.0 against 1.1.1 libraries
- Fixed build and testing problems (see #5833, #5872, #5928, #5930,
#5754, #6033, #6100)
- Fixed 'openssl rehash' defaults and documentation
- Fixed the OpenSSL_init_crypto documentation
- Fixed 'openssl ca' to open the output file in binary mode for -spkac
- Fixed 'openssl rehash' to behave like c_rehash on warnings
- Fixed PEM_def_callback() to stop looping around too short password
check (which was dead code in practice)
- Stopped our dists from including internal / team member config
targets
- Adapted the scrypt and RSA-PSS for the man-page directory layout
- Worked on the issues surrounding the creation of output files
(-out)
- Worked on details surrounding the new DRBG, mostly centered around
VMS support
- Helped testing and reviewing the Windows OneCore effort
- Updated and documented the list of digest commands that can be used
as aliases for 'openssl dgst'
- Notable participation (reviewing and/or merging): the effort to have
TLSProxy use random ports; DRBG related PRs; SM2 related issues and
PRs
Admin:
- Updates and occasional reboot
- Set up of XYMON monitoring of our machinery (only available through
firewall SSH tunnel proxy)
- Authoring and installing XYMON client to check the backup logs
- Set up of experimental Buildbot, intended for participatory builds
by external parties
- Added support at openssl.org, forwarding to osf-contact at openssl.org
- Updated the deploy script
Others:
- Fixed minor release tool issue
- Fixed web site scripts to recognise 1.1.1
- Restarted code style change proposals
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From rsalz at akamai.com Wed May 2 11:51:52 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 2 May 2018 11:51:52 +0000
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180502.055219.400891360743110066.levitte@openssl.org>
References: <20180430162209.GA4439@roeckx.be>
<20180501.060913.811991315461935857.levitte@openssl.org>
<20180501084317.GA32265@roeckx.be>
<20180502.055219.400891360743110066.levitte@openssl.org>
Message-ID: <4416FE90-8BE8-45EC-A988-101F0E16DE6A@akamai.com>
We have not committed to being FIPS/NIST capable with our RNG this release. We have committed to other things, and we seem to be falling behind on those.
From rsalz at akamai.com Wed May 2 17:36:54 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 2 May 2018 17:36:54 +0000
Subject: [openssl-project] Tags for draft-21 and draft-23?
Message-ID:
Do we have tags or branches for draft-21 and draft-23? I see only 18 and 19 ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rsalz at akamai.com Fri May 4 13:46:47 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Fri, 4 May 2018 13:46:47 +0000
Subject: [openssl-project] FW: [openssl-commits] FAILED build of OpenSSL
branch master with options -d --strict-warnings no-tls1_2-method
In-Reply-To: <1525428553.781571.12443.nullmailer@run.openssl.org>
References: <1525428553.781571.12443.nullmailer@run.openssl.org>
Message-ID:
Been failing for two days now ...
?On 5/4/18, 6:09 AM, "OpenSSL run-checker" wrote:
Platform and configuration command:
$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method
Commit log since last time:
bc624bd v3_purp.c: add locking to x509v3_cache_extensions()
463e6ef VMS: modernise rand_pool_acquire_entropy, step 2
ce147f7 VMS: modernise rand_pool_acquire_entropy, step 1
b1860d6 Return an error from BN_mod_inverse if n is 1 (or -1)
4db296d Make X509_VERIFY_PARAM_get_hostflags() take a const arg
e401389 Add a test for SSL_get_shared_ciphers()
6021d8e Fix a bug in create_ssl_ctx_pair()
3bfa475 Add some documentation for SSL_get_shared_ciphers()
f054160 Fix comment in ssl_locl.h
a216df5 Fix SSL_get_shared_ciphers()
Build log ended with (last 100 lines):
../../openssl/test/recipes/30-test_evp.t ...................... ok
../../openssl/test/recipes/30-test_evp_extra.t ................ ok
../../openssl/test/recipes/30-test_pbelu.t .................... ok
../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
../../openssl/test/recipes/40-test_rehash.t ................... ok
../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
../../openssl/test/recipes/60-test_x509_store.t ............... ok
../../openssl/test/recipes/60-test_x509_time.t ................ ok
../../openssl/test/recipes/70-test_asyncio.t .................. ok
../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
../../openssl/test/recipes/70-test_clienthello.t .............. ok
../../openssl/test/recipes/70-test_comp.t ..................... ok
../../openssl/test/recipes/70-test_key_share.t ................ ok
../../openssl/test/recipes/70-test_packet.t ................... ok
../../openssl/test/recipes/70-test_recordlen.t ................ ok
../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
../../openssl/test/recipes/70-test_servername.t ............... ok
../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
../../openssl/test/recipes/70-test_sslextension.t ............. ok
../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
../../openssl/test/recipes/70-test_sslsignature.t ............. ok
../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
../../openssl/test/recipes/70-test_sslvertol.t ................ ok
../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
../../openssl/test/recipes/70-test_tls13messages.t ............ ok
../../openssl/test/recipes/70-test_tls13psk.t ................. ok
../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_verify_extra.t ............. ok
../../openssl/test/recipes/70-test_wpacket.t .................. ok
../../openssl/test/recipes/80-test_ca.t ....................... ok
../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
../../openssl/test/recipes/80-test_cipherlist.t ............... ok
../../openssl/test/recipes/80-test_ciphername.t ............... ok
../../openssl/test/recipes/80-test_cms.t ...................... ok
../../openssl/test/recipes/80-test_ct.t ....................... ok
../../openssl/test/recipes/80-test_dane.t ..................... ok
../../openssl/test/recipes/80-test_dtls.t ..................... ok
../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
../../openssl/test/recipes/80-test_ocsp.t ..................... ok
../../openssl/test/recipes/80-test_pkcs12.t ................... ok
../../openssl/test/recipes/80-test_ssl_new.t .................. ok
../../openssl/test/recipes/80-test_ssl_old.t .................. ok
../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
../../openssl/test/recipes/80-test_tsa.t ...................... ok
../../openssl/test/recipes/80-test_x509aux.t .................. ok
../../openssl/test/recipes/90-test_asn1_time.t ................ ok
../../openssl/test/recipes/90-test_async.t .................... ok
../../openssl/test/recipes/90-test_bio_enc.t .................. ok
../../openssl/test/recipes/90-test_constant_time.t ............ ok
../../openssl/test/recipes/90-test_fatalerr.t ................. ok
../../openssl/test/recipes/90-test_gmdiff.t ................... ok
../../openssl/test/recipes/90-test_ige.t ...................... ok
../../openssl/test/recipes/90-test_includes.t ................. ok
../../openssl/test/recipes/90-test_memleak.t .................. ok
../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
../../openssl/test/recipes/90-test_secmem.t ................... ok
../../openssl/test/recipes/90-test_shlibload.t ................ ok
../../openssl/test/recipes/90-test_srp.t ...................... ok
../../openssl/test/recipes/90-test_sslapi.t ...................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
../../openssl/test/recipes/90-test_store.t .................... ok
../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
../../openssl/test/recipes/90-test_threads.t .................. ok
../../openssl/test/recipes/90-test_time_offset.t .............. ok
../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
../../openssl/test/recipes/90-test_v3name.t ................... ok
../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/99-test_ecstress.t ................. ok
../../openssl/test/recipes/99-test_fuzz.t ..................... ok
Test Summary Report
-------------------
../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=146, Tests=1261, 179 wallclock secs ( 1.75 usr 0.32 sys + 153.54 cusr 9.28 csys = 164.89 CPU)
Result: FAIL
Makefile:204: recipe for target '_tests' failed
make[1]: *** [_tests] Error 1
make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method'
Makefile:202: recipe for target 'tests' failed
make: *** [tests] Error 2
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
From rsalz at akamai.com Mon May 7 01:37:00 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Mon, 7 May 2018 01:37:00 +0000
Subject: [openssl-project] Current votes FYI
Message-ID: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Greetings OpenSSL folks!
The OMC met this past weekend. Much was accomplished. Per our policy, we?re telling the project that the following votes are now active among the OMC. As the votes are concluded, more information (blog posts, website updates, whatever?s appropriate) will be made available.
VOTE: openssl-web and tools repositories shall be under the same review policy as per the openssl repository where the reviewers are OMC members
VOTE: That we remove "We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You cannot pay us to get security patches in advance" from the security policy and Mark posts a blog entry to explain the change including that we have no current such service.
VOTE: 1.1.1 beta release schedule changed so that the next two beta releases are now 29th May, 19 June and we will re-review release readiness after that. We will also ensure that there is at least one beta release post TLS-1.3 RFC publication prior to the final release.
VOTE: Remove the entire "Forthcoming Features" section from the Roadmap Policy and open github issues for those items listed which have not yet been completed and do not currently have issues raised or PR submitted.
VOTE: We don't intend to be involved in adding any additional platforms to the OpenSSL FIPS validation; instead we will work to enable other parties to meet this need.
VOTE: The next LTS release will be 1.1.1 and the LTS expiry date for 1.0.2 will not be changed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From paul.dale at oracle.com Tue May 8 16:26:59 2018
From: paul.dale at oracle.com (Oracle)
Date: Tue, 8 May 2018 12:26:59 -0400
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180430.180020.1402330384104485085.levitte@openssl.org>
References: <20180430131000.GA25216@roeckx.be>
<20180430.152609.587396153749337701.levitte@openssl.org>
<20180430.164908.1424770216194967097.levitte@openssl.org>
<20180430.180020.1402330384104485085.levitte@openssl.org>
Message-ID:
I can conform that it is measured in bits per sample size (in this case bytes). The estimate is very low and this is not a great source.
We can explore other options and I should be able to spare some time over ICMC to assist. I?m not well versed in VMS though.
Pauli
> On 30 Apr 2018, at 12:00 pm, Richard Levitte wrote:
>
> In message <20180430.164908.1424770216194967097.levitte at openssl.org> on Mon, 30 Apr 2018 16:49:08 +0200 (CEST), Richard Levitte said:
>
> levitte> In message <20180430.152609.587396153749337701.levitte at openssl.org> on Mon, 30 Apr 2018 15:26:09 +0200 (CEST), Richard Levitte said:
> levitte>
> levitte> levitte> In message <20180430131000.GA25216 at roeckx.be> on Mon, 30 Apr 2018 15:10:01 +0200, Kurt Roeckx said:
> levitte> levitte>
> levitte> levitte> kurt> The comment about not hashing it is if you want to use the tool to
> levitte> levitte> kurt> do entropy estimation. Hashing it will not increase the entropy,
> levitte> levitte> kurt> but the estimation will be totally wrong.
> levitte> levitte> kurt>
> levitte> levitte> kurt> Passing the hashed data to the drbg as entropy input is fine if
> levitte> levitte> kurt> you already know how much entropy that it contains.
> levitte> levitte>
> levitte> levitte> Thanks, that's what I suspected. Ok, on to the next step
> levitte>
> levitte> Not done running, but does show some promise...
> levitte>
> levitte> : ; ./a.out ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin 8 -v
> levitte> Opening file: ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin
> levitte>
> levitte> Running non-IID tests...
> levitte>
> levitte> Entropic statistic estimates:
> levitte> Most Common Value Estimate = 0.975224
> levitte> Collision Test Estimate = 0.902997
> levitte> Markov Test Estimate = 0.410808
> levitte> Compression Test Estimate = 0.811274
> levitte>
> levitte> I assume that estimate is per "word" (i.e. per 8 bits of data in this
> levitte> case).
>
> Ok, done running... suffice to say, the first tests left me ever so
> hopeful...
>
> : ; ./a.out ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin 8 -v
> Opening file: ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin
>
> Running non-IID tests...
>
> Entropic statistic estimates:
> Most Common Value Estimate = 0.975224
> Collision Test Estimate = 0.902997
> Markov Test Estimate = 0.410808
> Compression Test Estimate = 0.811274
> t-Tuple Test Estimate = 0.0818796
> Longest Reapeated Substring Test Estimate = 0.0818772
>
> Predictor estimates:
> Multi Most Common in Window (MultiMCW) Test: 100% complete
> Correct: 507351
> P_avg (global): 0.508671
> P_run (local): 0.587891
> Multi Most Common in Window (Multi MCW) Test = 0.76638
> Lag Test: 100% complete
> Correct: 269907
> P_avg (global): 0.271051
> P_run (local): 0.347168
> Lag Prediction Test = 1.52629
> MultiMMC Test: 100% complete
> Correct: 11700
> P_avg (global): 0.011977
> P_run (local): 0.444824
> Multi Markov Model with Counting (MultiMMC) Prediction Test = 1.16869
> LZ78Y Test: 99% complete
> Correct: 572107
> P_avg (global): 0.573391
> P_run (local): 0.615723
> LZ78Y Prediction Test = 0.699647
> Min Entropy: 0.0818772
>
> So I'd like to have it confirmed that I'm reading this right, that's
> about 0.08 entropy bits per 8 data bits? Or is it per data bit?
> Depending on the interpretation, we either have 1 bit of entropy per
> 12 data bits... or per 100 data bits... The latter has my heart
> sinking...
>
> --
> Richard Levitte levitte at openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
From rsalz at akamai.com Tue May 8 16:36:23 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Tue, 8 May 2018 16:36:23 +0000
Subject: [openssl-project] FW: [TLS] WGLC for draft-ietf-tls-tls13-vectors
In-Reply-To: <5F30CC9E-EFFC-4A36-801F-A17B9DDF85E0@sn3rd.com>
References: <5F30CC9E-EFFC-4A36-801F-A17B9DDF85E0@sn3rd.com>
Message-ID: <5953B84D-6F03-411B-A520-7A5D4786D2E5@akamai.com>
Anyone want to take a look at wedging this into our test suite?
?On 5/8/18, 12:31 PM, "Sean Turner" wrote:
All,
This is the working group last call for the "Example Handshake Traces for TLS 1.3" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/. Please review the document and send your comments to the list by 2359 UTC on 22 May 2018.
Thanks - J&S
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls
From matt at openssl.org Tue May 8 16:44:50 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 8 May 2018 17:44:50 +0100
Subject: [openssl-project] FW: [TLS] WGLC for
draft-ietf-tls-tls13-vectors
In-Reply-To: <5953B84D-6F03-411B-A520-7A5D4786D2E5@akamai.com>
References: <5F30CC9E-EFFC-4A36-801F-A17B9DDF85E0@sn3rd.com>
<5953B84D-6F03-411B-A520-7A5D4786D2E5@akamai.com>
Message-ID: <44c8f1e8-e3ed-3389-9a57-717ac1ccc7e8@openssl.org>
tls13secretstest was originally based on these vectors:
https://github.com/openssl/openssl/blob/master/test/tls13secretstest.c
However, because we were moving faster with updating the vectors to
match all the latest changes to the secrets calculations in the main
spec, and because it's a major pain to update the test to match the
latest vectors, I have not kept up-to-date with the latest version.
Instead we swapped to self-generated vectors. It should still be
possible to swap back to the official vectors though now things have
settled down.
Matt
On 08/05/18 17:36, Salz, Rich wrote:
> Anyone want to take a look at wedging this into our test suite?
>
> ?On 5/8/18, 12:31 PM, "Sean Turner" wrote:
>
> All,
>
> This is the working group last call for the "Example Handshake Traces for TLS 1.3" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/. Please review the document and send your comments to the list by 2359 UTC on 22 May 2018.
>
> Thanks - J&S
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
From levitte at openssl.org Tue May 8 18:24:19 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 08 May 2018 20:24:19 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To:
References: <20180430.164908.1424770216194967097.levitte@openssl.org>
<20180430.180020.1402330384104485085.levitte@openssl.org>
Message-ID: <20180508.202419.551774525074577026.levitte@openssl.org>
In message on Tue, 8 May 2018 12:26:59 -0400, Oracle said:
paul.dale> I can conform that it is measured in bits per sample size
paul.dale> (in this case bytes). The estimate is very low and this is
paul.dale> not a great source.
Note that this is on a fairly inactive machine, and it's not *one*
source, but rather the concatenation of diverse counters all at once
(700+ bytes worth of data each time). Also, I've had other
suggestions from the folks on comp.os.vms that I'm gonna try as well
as time allows.
paul.dale> We can explore other options and I should be able to spare
paul.dale> some time over ICMC to assist. I?m not well versed in VMS
paul.dale> though.
Unfortunately, I'm not present there... But I would see no problem
having a conversation directly with you, by email or by video link.
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From paul.dale at oracle.com Tue May 8 23:33:24 2018
From: paul.dale at oracle.com (Oracle)
Date: Tue, 8 May 2018 19:33:24 -0400
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180430131000.GA25216@roeckx.be>
References: <6f707b9d-3a18-4912-9685-bc23a0714a5e@default>
<20180424172439.GA8068@roeckx.be>
<20180430.144253.1714680705314385876.levitte@openssl.org>
<20180430131000.GA25216@roeckx.be>
Message-ID:
Kurt wrote:
> The comment about not hashing it is if you want to use the tool to
> do entropy estimation. Hashing it will not increase the entropy,
> but the estimation will be totally wrong.
> Passing the hashed data to the drbg as entropy input is fine if
> you already know how much entropy that it contains.
This is spot on. Hash the data and it will appear to have eight bits per byte of entropy regardless of the input. The estimate output from NIST?s suite will be around 7.8 bits per byte but that?s close enough. The standards refer to this as ?whitening?. It is fine to whiten the entropy data before passing it to the DRBG but the entropy estimate must be based on the pre-whitened data.
Pauli
From paul.dale at oracle.com Wed May 9 01:09:58 2018
From: paul.dale at oracle.com (Dr Paul Dale)
Date: Tue, 8 May 2018 21:09:58 -0400
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To:
References: <6f707b9d-3a18-4912-9685-bc23a0714a5e@default>
<20180424172439.GA8068@roeckx.be>
<20180430.144253.1714680705314385876.levitte@openssl.org>
<20180430131000.GA25216@roeckx.be>
Message-ID: <4A8DA9A9-5906-4FA0-A2C9-241BB08FEE3E@oracle.com>
Apologies for the name I?ve been sending under. I don?t represent Oracle of course.
A temporary new MUA that isn?t quite doing what I expected.
Pauli
> On 8 May 2018, at 7:33 pm, Oracle wrote:
>
> Kurt wrote:
>
>> The comment about not hashing it is if you want to use the tool to
>> do entropy estimation. Hashing it will not increase the entropy,
>> but the estimation will be totally wrong.
>
>
>> Passing the hashed data to the drbg as entropy input is fine if
>> you already know how much entropy that it contains.
>
>
> This is spot on. Hash the data and it will appear to have eight bits per byte of entropy regardless of the input. The estimate output from NIST?s suite will be around 7.8 bits per byte but that?s close enough. The standards refer to this as ?whitening?. It is fine to whiten the entropy data before passing it to the DRBG but the entropy estimate must be based on the pre-whitened data.
>
>
> Pauli
>
>
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
From rsalz at akamai.com Wed May 9 11:30:46 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 9 May 2018 11:30:46 +0000
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of
OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <1525858357.436708.25025.nullmailer@run.openssl.org>
References: <1525858357.436708.25025.nullmailer@run.openssl.org>
Message-ID: <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4@akamai.com>
I think it's been more than a week now
?On 5/9/18, 5:32 AM, "OpenSSL run-checker" wrote:
Platform and configuration command:
$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2
Commit log since last time:
06e0950 VMS rand: assign before check, not the other way around
8c8fbca Fix --strict-warnings build of ppc-linux target
7d859d1 ec/ec_mult.c: get BN_CTX_start,end sequence right.
61e9655 Add a DTLS test for dropped records
f750641 Keep the DTLS timer running after the end of the handshake if appropriate
ad96225 Only auto-retry for DTLS if configured to do so
6f6da2f Fix s_client and s_server so that they correctly handle the DTLS timer
f20404f Don't fail on an out-of-order CCS in DTLS
e15e92d Add a CMS API test
3d551b2 Fix a mem leak in CMS
Build log ended with (last 100 lines):
../../openssl/test/recipes/30-test_evp_extra.t ................ ok
../../openssl/test/recipes/30-test_pbelu.t .................... ok
../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
../../openssl/test/recipes/40-test_rehash.t ................... ok
../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
../../openssl/test/recipes/60-test_x509_store.t ............... ok
../../openssl/test/recipes/60-test_x509_time.t ................ ok
../../openssl/test/recipes/70-test_asyncio.t .................. ok
../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
../../openssl/test/recipes/70-test_clienthello.t .............. ok
../../openssl/test/recipes/70-test_comp.t ..................... ok
../../openssl/test/recipes/70-test_key_share.t ................ ok
../../openssl/test/recipes/70-test_packet.t ................... ok
../../openssl/test/recipes/70-test_recordlen.t ................ ok
../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
../../openssl/test/recipes/70-test_servername.t ............... ok
../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
../../openssl/test/recipes/70-test_sslextension.t ............. ok
../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
../../openssl/test/recipes/70-test_sslsignature.t ............. ok
../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
../../openssl/test/recipes/70-test_sslvertol.t ................ ok
../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
../../openssl/test/recipes/70-test_tls13messages.t ............ ok
../../openssl/test/recipes/70-test_tls13psk.t ................. ok
../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_verify_extra.t ............. ok
../../openssl/test/recipes/70-test_wpacket.t .................. ok
../../openssl/test/recipes/80-test_ca.t ....................... ok
../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
../../openssl/test/recipes/80-test_cipherlist.t ............... ok
../../openssl/test/recipes/80-test_ciphername.t ............... ok
../../openssl/test/recipes/80-test_cms.t ...................... ok
../../openssl/test/recipes/80-test_cmsapi.t ................... ok
../../openssl/test/recipes/80-test_ct.t ....................... ok
../../openssl/test/recipes/80-test_dane.t ..................... ok
../../openssl/test/recipes/80-test_dtls.t ..................... ok
../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
../../openssl/test/recipes/80-test_ocsp.t ..................... ok
../../openssl/test/recipes/80-test_pkcs12.t ................... ok
../../openssl/test/recipes/80-test_ssl_new.t .................. ok
../../openssl/test/recipes/80-test_ssl_old.t .................. ok
../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
../../openssl/test/recipes/80-test_tsa.t ...................... ok
../../openssl/test/recipes/80-test_x509aux.t .................. ok
../../openssl/test/recipes/90-test_asn1_time.t ................ ok
../../openssl/test/recipes/90-test_async.t .................... ok
../../openssl/test/recipes/90-test_bio_enc.t .................. ok
../../openssl/test/recipes/90-test_constant_time.t ............ ok
../../openssl/test/recipes/90-test_fatalerr.t ................. ok
../../openssl/test/recipes/90-test_gmdiff.t ................... ok
../../openssl/test/recipes/90-test_ige.t ...................... ok
../../openssl/test/recipes/90-test_includes.t ................. ok
../../openssl/test/recipes/90-test_memleak.t .................. ok
../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
../../openssl/test/recipes/90-test_secmem.t ................... ok
../../openssl/test/recipes/90-test_shlibload.t ................ ok
../../openssl/test/recipes/90-test_srp.t ...................... ok
../../openssl/test/recipes/90-test_sslapi.t ...................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
../../openssl/test/recipes/90-test_store.t .................... ok
../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
../../openssl/test/recipes/90-test_threads.t .................. ok
../../openssl/test/recipes/90-test_time_offset.t .............. ok
../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
../../openssl/test/recipes/90-test_v3name.t ................... ok
../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/99-test_ecstress.t ................. ok
../../openssl/test/recipes/99-test_fuzz.t ..................... ok
Test Summary Report
-------------------
../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=147, Tests=1262, 186 wallclock secs ( 1.73 usr 0.33 sys + 160.14 cusr 9.34 csys = 171.54 CPU)
Result: FAIL
Makefile:204: recipe for target '_tests' failed
make[1]: *** [_tests] Error 1
make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2'
Makefile:202: recipe for target 'tests' failed
make: *** [tests] Error 2
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
From levitte at openssl.org Wed May 9 11:48:42 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 09 May 2018 13:48:42 +0200 (CEST)
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of
OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4@akamai.com>
References: <1525858357.436708.25025.nullmailer@run.openssl.org>
<5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4@akamai.com>
Message-ID: <20180509.134842.973840512960602147.levitte@openssl.org>
Cannot reproduce on my machine, that test goes through smoothly
there. So I tried again on the machine that runs run-checker (verbose
test), and here's where things go wrong:
ok 33 - test_ssl_pending
# Subtest: test_ssl_get_shared_ciphers
1..5
# INFO: @ ../openssl/test/ssltestlib.c:697
# SSL_connect() failed -1, 1
# INFO: @ ../openssl/test/ssltestlib.c:711
# SSL_accept() failed -1, 1
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:4538
# false
# 140218663200512:error:141FC044:SSL routines:tls_setup_handshake:internal error:../openssl/ssl/statem/statem_lib.c:110:
not ok 1 - iteration 1
# INFO: @ ../openssl/test/ssltestlib.c:697
# SSL_connect() failed -1, 1
# INFO: @ ../openssl/test/ssltestlib.c:711
# SSL_accept() failed -1, 1
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:4538
# false
# 140218663200512:error:141FC044:SSL routines:tls_setup_handshake:internal error:../openssl/ssl/statem/statem_lib.c:110:
not ok 2 - iteration 2
# INFO: @ ../openssl/test/ssltestlib.c:697
# SSL_connect() failed -1, 1
# INFO: @ ../openssl/test/ssltestlib.c:711
# SSL_accept() failed -1, 1
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:4538
# false
# 140218663200512:error:141FC044:SSL routines:tls_setup_handshake:internal error:../openssl/ssl/statem/statem_lib.c:110:
not ok 3 - iteration 3
# ERROR: (int) 'strcmp(buf, shared_ciphers_data[tst].shared) == 0' failed @ ../openssl/test/sslapitest.c:4542
# [-58] compared to [0]
# INFO: @ ../openssl/test/sslapitest.c:4543
# Shared ciphers are: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
not ok 4 - iteration 4
ok 5 - iteration 5
not ok 34 - test_ssl_get_shared_ciphers
../../util/shlib_wrap.sh ../../test/sslapitest ../../../openssl/apps/server.pem ../../../openssl/apps/server.pem ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/luFFon5Hte => 1
not ok 1 - running sslapitest
# Failed test 'running sslapitest'
# at ../../openssl/test/recipes/90-test_sslapi.t line 23.
# Looks like you failed 1 test of 1.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
I'll see if I can figure out what's happening...
Among the differences between my machine (lapdog [*]) and the
run-checkers runner (run):
lapdog: Debian GNU/Linux [sid]
run: Ubuntu 16.04
lapdog: clang 4.0.1-10
run: 3.8.0-2ubuntu4
Cheers,
Richard
In message <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4 at akamai.com> on Wed, 9 May 2018 11:30:46 +0000, "Salz, Rich" said:
rsalz> I think it's been more than a week now
rsalz>
rsalz> ?On 5/9/18, 5:32 AM, "OpenSSL run-checker" wrote:
rsalz>
rsalz> Platform and configuration command:
rsalz>
rsalz> $ uname -a
rsalz> Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
rsalz> $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2
rsalz>
rsalz> Commit log since last time:
rsalz>
rsalz> 06e0950 VMS rand: assign before check, not the other way around
rsalz> 8c8fbca Fix --strict-warnings build of ppc-linux target
rsalz> 7d859d1 ec/ec_mult.c: get BN_CTX_start,end sequence right.
rsalz> 61e9655 Add a DTLS test for dropped records
rsalz> f750641 Keep the DTLS timer running after the end of the handshake if appropriate
rsalz> ad96225 Only auto-retry for DTLS if configured to do so
rsalz> 6f6da2f Fix s_client and s_server so that they correctly handle the DTLS timer
rsalz> f20404f Don't fail on an out-of-order CCS in DTLS
rsalz> e15e92d Add a CMS API test
rsalz> 3d551b2 Fix a mem leak in CMS
rsalz>
rsalz> Build log ended with (last 100 lines):
rsalz>
rsalz> ../../openssl/test/recipes/30-test_evp_extra.t ................ ok
rsalz> ../../openssl/test/recipes/30-test_pbelu.t .................... ok
rsalz> ../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
rsalz> ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
rsalz> ../../openssl/test/recipes/40-test_rehash.t ................... ok
rsalz> ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
rsalz> ../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
rsalz> ../../openssl/test/recipes/60-test_x509_store.t ............... ok
rsalz> ../../openssl/test/recipes/60-test_x509_time.t ................ ok
rsalz> ../../openssl/test/recipes/70-test_asyncio.t .................. ok
rsalz> ../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
rsalz> ../../openssl/test/recipes/70-test_clienthello.t .............. ok
rsalz> ../../openssl/test/recipes/70-test_comp.t ..................... ok
rsalz> ../../openssl/test/recipes/70-test_key_share.t ................ ok
rsalz> ../../openssl/test/recipes/70-test_packet.t ................... ok
rsalz> ../../openssl/test/recipes/70-test_recordlen.t ................ ok
rsalz> ../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
rsalz> ../../openssl/test/recipes/70-test_servername.t ............... ok
rsalz> ../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
rsalz> ../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
rsalz> ../../openssl/test/recipes/70-test_sslextension.t ............. ok
rsalz> ../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
rsalz> ../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
rsalz> ../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
rsalz> ../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
rsalz> ../../openssl/test/recipes/70-test_sslsignature.t ............. ok
rsalz> ../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
rsalz> ../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
rsalz> ../../openssl/test/recipes/70-test_sslvertol.t ................ ok
rsalz> ../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
rsalz> ../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
rsalz> ../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
rsalz> ../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
rsalz> ../../openssl/test/recipes/70-test_tls13messages.t ............ ok
rsalz> ../../openssl/test/recipes/70-test_tls13psk.t ................. ok
rsalz> ../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
rsalz> ../../openssl/test/recipes/70-test_verify_extra.t ............. ok
rsalz> ../../openssl/test/recipes/70-test_wpacket.t .................. ok
rsalz> ../../openssl/test/recipes/80-test_ca.t ....................... ok
rsalz> ../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
rsalz> ../../openssl/test/recipes/80-test_cipherlist.t ............... ok
rsalz> ../../openssl/test/recipes/80-test_ciphername.t ............... ok
rsalz> ../../openssl/test/recipes/80-test_cms.t ...................... ok
rsalz> ../../openssl/test/recipes/80-test_cmsapi.t ................... ok
rsalz> ../../openssl/test/recipes/80-test_ct.t ....................... ok
rsalz> ../../openssl/test/recipes/80-test_dane.t ..................... ok
rsalz> ../../openssl/test/recipes/80-test_dtls.t ..................... ok
rsalz> ../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
rsalz> ../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
rsalz> ../../openssl/test/recipes/80-test_ocsp.t ..................... ok
rsalz> ../../openssl/test/recipes/80-test_pkcs12.t ................... ok
rsalz> ../../openssl/test/recipes/80-test_ssl_new.t .................. ok
rsalz> ../../openssl/test/recipes/80-test_ssl_old.t .................. ok
rsalz> ../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
rsalz> ../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
rsalz> ../../openssl/test/recipes/80-test_tsa.t ...................... ok
rsalz> ../../openssl/test/recipes/80-test_x509aux.t .................. ok
rsalz> ../../openssl/test/recipes/90-test_asn1_time.t ................ ok
rsalz> ../../openssl/test/recipes/90-test_async.t .................... ok
rsalz> ../../openssl/test/recipes/90-test_bio_enc.t .................. ok
rsalz> ../../openssl/test/recipes/90-test_constant_time.t ............ ok
rsalz> ../../openssl/test/recipes/90-test_fatalerr.t ................. ok
rsalz> ../../openssl/test/recipes/90-test_gmdiff.t ................... ok
rsalz> ../../openssl/test/recipes/90-test_ige.t ...................... ok
rsalz> ../../openssl/test/recipes/90-test_includes.t ................. ok
rsalz> ../../openssl/test/recipes/90-test_memleak.t .................. ok
rsalz> ../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
rsalz> ../../openssl/test/recipes/90-test_secmem.t ................... ok
rsalz> ../../openssl/test/recipes/90-test_shlibload.t ................ ok
rsalz> ../../openssl/test/recipes/90-test_srp.t ...................... ok
rsalz> ../../openssl/test/recipes/90-test_sslapi.t ...................
rsalz> Dubious, test returned 1 (wstat 256, 0x100)
rsalz> Failed 1/1 subtests
rsalz> ../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
rsalz> ../../openssl/test/recipes/90-test_store.t .................... ok
rsalz> ../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
rsalz> ../../openssl/test/recipes/90-test_threads.t .................. ok
rsalz> ../../openssl/test/recipes/90-test_time_offset.t .............. ok
rsalz> ../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
rsalz> ../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
rsalz> ../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
rsalz> ../../openssl/test/recipes/90-test_v3name.t ................... ok
rsalz> ../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
rsalz> ../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
rsalz> ../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
rsalz> ../../openssl/test/recipes/99-test_ecstress.t ................. ok
rsalz> ../../openssl/test/recipes/99-test_fuzz.t ..................... ok
rsalz>
rsalz> Test Summary Report
rsalz> -------------------
rsalz> ../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
rsalz> Failed test: 1
rsalz> Non-zero exit status: 1
rsalz> Files=147, Tests=1262, 186 wallclock secs ( 1.73 usr 0.33 sys + 160.14 cusr 9.34 csys = 171.54 CPU)
rsalz> Result: FAIL
rsalz> Makefile:204: recipe for target '_tests' failed
rsalz> make[1]: *** [_tests] Error 1
rsalz> make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2'
rsalz> Makefile:202: recipe for target 'tests' failed
rsalz> make: *** [tests] Error 2
rsalz> _____
rsalz> openssl-commits mailing list
rsalz> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
rsalz>
rsalz>
rsalz> _______________________________________________
rsalz> openssl-project mailing list
rsalz> openssl-project at openssl.org
rsalz> https://mta.openssl.org/mailman/listinfo/openssl-project
From rsalz at akamai.com Thu May 10 12:57:42 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Thu, 10 May 2018 12:57:42 +0000
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of
OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <1525949829.951873.423.nullmailer@run.openssl.org>
References: <1525949829.951873.423.nullmailer@run.openssl.org>
Message-ID: <44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com>
sigh
?On 5/10/18, 6:57 AM, "OpenSSL run-checker" wrote:
Platform and configuration command:
$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2
Commit log since last time:
7f35627 Fix typos in x509 documentation
60845a0 Add CHANGES entry for PR#6009
0dae8ba Add blinding in BN_GF2m_mod_inv for binary field inversions
a7b0b69 ECC: unify generic ec2 and ecp scalar multiplication, deprecate ec2_mult.c
fe2d397 ECDSA: remove nonce padding (delegated to EC_POINT_mul)
Build log ended with (last 100 lines):
../../openssl/test/recipes/30-test_evp_extra.t ................ ok
../../openssl/test/recipes/30-test_pbelu.t .................... ok
../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
../../openssl/test/recipes/40-test_rehash.t ................... ok
../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
../../openssl/test/recipes/60-test_x509_store.t ............... ok
../../openssl/test/recipes/60-test_x509_time.t ................ ok
../../openssl/test/recipes/70-test_asyncio.t .................. ok
../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
../../openssl/test/recipes/70-test_clienthello.t .............. ok
../../openssl/test/recipes/70-test_comp.t ..................... ok
../../openssl/test/recipes/70-test_key_share.t ................ ok
../../openssl/test/recipes/70-test_packet.t ................... ok
../../openssl/test/recipes/70-test_recordlen.t ................ ok
../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
../../openssl/test/recipes/70-test_servername.t ............... ok
../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
../../openssl/test/recipes/70-test_sslextension.t ............. ok
../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
../../openssl/test/recipes/70-test_sslsignature.t ............. ok
../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
../../openssl/test/recipes/70-test_sslvertol.t ................ ok
../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
../../openssl/test/recipes/70-test_tls13messages.t ............ ok
../../openssl/test/recipes/70-test_tls13psk.t ................. ok
../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_verify_extra.t ............. ok
../../openssl/test/recipes/70-test_wpacket.t .................. ok
../../openssl/test/recipes/80-test_ca.t ....................... ok
../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
../../openssl/test/recipes/80-test_cipherlist.t ............... ok
../../openssl/test/recipes/80-test_ciphername.t ............... ok
../../openssl/test/recipes/80-test_cms.t ...................... ok
../../openssl/test/recipes/80-test_cmsapi.t ................... ok
../../openssl/test/recipes/80-test_ct.t ....................... ok
../../openssl/test/recipes/80-test_dane.t ..................... ok
../../openssl/test/recipes/80-test_dtls.t ..................... ok
../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
../../openssl/test/recipes/80-test_ocsp.t ..................... ok
../../openssl/test/recipes/80-test_pkcs12.t ................... ok
../../openssl/test/recipes/80-test_ssl_new.t .................. ok
../../openssl/test/recipes/80-test_ssl_old.t .................. ok
../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
../../openssl/test/recipes/80-test_tsa.t ...................... ok
../../openssl/test/recipes/80-test_x509aux.t .................. ok
../../openssl/test/recipes/90-test_asn1_time.t ................ ok
../../openssl/test/recipes/90-test_async.t .................... ok
../../openssl/test/recipes/90-test_bio_enc.t .................. ok
../../openssl/test/recipes/90-test_constant_time.t ............ ok
../../openssl/test/recipes/90-test_fatalerr.t ................. ok
../../openssl/test/recipes/90-test_gmdiff.t ................... ok
../../openssl/test/recipes/90-test_ige.t ...................... ok
../../openssl/test/recipes/90-test_includes.t ................. ok
../../openssl/test/recipes/90-test_memleak.t .................. ok
../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
../../openssl/test/recipes/90-test_secmem.t ................... ok
../../openssl/test/recipes/90-test_shlibload.t ................ ok
../../openssl/test/recipes/90-test_srp.t ...................... ok
../../openssl/test/recipes/90-test_sslapi.t ...................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
../../openssl/test/recipes/90-test_store.t .................... ok
../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
../../openssl/test/recipes/90-test_threads.t .................. ok
../../openssl/test/recipes/90-test_time_offset.t .............. ok
../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
../../openssl/test/recipes/90-test_v3name.t ................... ok
../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/99-test_ecstress.t ................. ok
../../openssl/test/recipes/99-test_fuzz.t ..................... ok
Test Summary Report
-------------------
../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=147, Tests=1262, 221 wallclock secs ( 1.65 usr 0.33 sys + 195.60 cusr 9.50 csys = 207.08 CPU)
Result: FAIL
Makefile:204: recipe for target '_tests' failed
make[1]: *** [_tests] Error 1
make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2'
Makefile:202: recipe for target 'tests' failed
make: *** [tests] Error 2
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
From matt at openssl.org Thu May 10 12:59:35 2018
From: matt at openssl.org (Matt Caswell)
Date: Thu, 10 May 2018 13:59:35 +0100
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of
OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com>
References: <1525949829.951873.423.nullmailer@run.openssl.org>
<44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com>
Message-ID: <7ff17149-3390-86d9-5d8f-3cfc9e77dc26@openssl.org>
It should be fixed already - but the fixes didn't go in in time for the
latest run-checker run. By tomorrow it should be ok (hopefully).
Matt
On 10/05/18 13:57, Salz, Rich wrote:
> sigh
>
> ?On 5/10/18, 6:57 AM, "OpenSSL run-checker" wrote:
>
> Platform and configuration command:
>
> $ uname -a
> Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2
>
> Commit log since last time:
>
> 7f35627 Fix typos in x509 documentation
> 60845a0 Add CHANGES entry for PR#6009
> 0dae8ba Add blinding in BN_GF2m_mod_inv for binary field inversions
> a7b0b69 ECC: unify generic ec2 and ecp scalar multiplication, deprecate ec2_mult.c
> fe2d397 ECDSA: remove nonce padding (delegated to EC_POINT_mul)
>
> Build log ended with (last 100 lines):
>
> ../../openssl/test/recipes/30-test_evp_extra.t ................ ok
> ../../openssl/test/recipes/30-test_pbelu.t .................... ok
> ../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
> ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
> ../../openssl/test/recipes/40-test_rehash.t ................... ok
> ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
> ../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
> ../../openssl/test/recipes/60-test_x509_store.t ............... ok
> ../../openssl/test/recipes/60-test_x509_time.t ................ ok
> ../../openssl/test/recipes/70-test_asyncio.t .................. ok
> ../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
> ../../openssl/test/recipes/70-test_clienthello.t .............. ok
> ../../openssl/test/recipes/70-test_comp.t ..................... ok
> ../../openssl/test/recipes/70-test_key_share.t ................ ok
> ../../openssl/test/recipes/70-test_packet.t ................... ok
> ../../openssl/test/recipes/70-test_recordlen.t ................ ok
> ../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
> ../../openssl/test/recipes/70-test_servername.t ............... ok
> ../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
> ../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
> ../../openssl/test/recipes/70-test_sslextension.t ............. ok
> ../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
> ../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
> ../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
> ../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
> ../../openssl/test/recipes/70-test_sslsignature.t ............. ok
> ../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
> ../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
> ../../openssl/test/recipes/70-test_sslvertol.t ................ ok
> ../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
> ../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
> ../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
> ../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
> ../../openssl/test/recipes/70-test_tls13messages.t ............ ok
> ../../openssl/test/recipes/70-test_tls13psk.t ................. ok
> ../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
> ../../openssl/test/recipes/70-test_verify_extra.t ............. ok
> ../../openssl/test/recipes/70-test_wpacket.t .................. ok
> ../../openssl/test/recipes/80-test_ca.t ....................... ok
> ../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
> ../../openssl/test/recipes/80-test_cipherlist.t ............... ok
> ../../openssl/test/recipes/80-test_ciphername.t ............... ok
> ../../openssl/test/recipes/80-test_cms.t ...................... ok
> ../../openssl/test/recipes/80-test_cmsapi.t ................... ok
> ../../openssl/test/recipes/80-test_ct.t ....................... ok
> ../../openssl/test/recipes/80-test_dane.t ..................... ok
> ../../openssl/test/recipes/80-test_dtls.t ..................... ok
> ../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
> ../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
> ../../openssl/test/recipes/80-test_ocsp.t ..................... ok
> ../../openssl/test/recipes/80-test_pkcs12.t ................... ok
> ../../openssl/test/recipes/80-test_ssl_new.t .................. ok
> ../../openssl/test/recipes/80-test_ssl_old.t .................. ok
> ../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
> ../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
> ../../openssl/test/recipes/80-test_tsa.t ...................... ok
> ../../openssl/test/recipes/80-test_x509aux.t .................. ok
> ../../openssl/test/recipes/90-test_asn1_time.t ................ ok
> ../../openssl/test/recipes/90-test_async.t .................... ok
> ../../openssl/test/recipes/90-test_bio_enc.t .................. ok
> ../../openssl/test/recipes/90-test_constant_time.t ............ ok
> ../../openssl/test/recipes/90-test_fatalerr.t ................. ok
> ../../openssl/test/recipes/90-test_gmdiff.t ................... ok
> ../../openssl/test/recipes/90-test_ige.t ...................... ok
> ../../openssl/test/recipes/90-test_includes.t ................. ok
> ../../openssl/test/recipes/90-test_memleak.t .................. ok
> ../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
> ../../openssl/test/recipes/90-test_secmem.t ................... ok
> ../../openssl/test/recipes/90-test_shlibload.t ................ ok
> ../../openssl/test/recipes/90-test_srp.t ...................... ok
> ../../openssl/test/recipes/90-test_sslapi.t ...................
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/1 subtests
> ../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
> ../../openssl/test/recipes/90-test_store.t .................... ok
> ../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
> ../../openssl/test/recipes/90-test_threads.t .................. ok
> ../../openssl/test/recipes/90-test_time_offset.t .............. ok
> ../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
> ../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
> ../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
> ../../openssl/test/recipes/90-test_v3name.t ................... ok
> ../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
> ../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
> ../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
> ../../openssl/test/recipes/99-test_ecstress.t ................. ok
> ../../openssl/test/recipes/99-test_fuzz.t ..................... ok
>
> Test Summary Report
> -------------------
> ../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
> Failed test: 1
> Non-zero exit status: 1
> Files=147, Tests=1262, 221 wallclock secs ( 1.65 usr 0.33 sys + 195.60 cusr 9.50 csys = 207.08 CPU)
> Result: FAIL
> Makefile:204: recipe for target '_tests' failed
> make[1]: *** [_tests] Error 1
> make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2'
> Makefile:202: recipe for target 'tests' failed
> make: *** [tests] Error 2
> _____
> openssl-commits mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
From levitte at openssl.org Thu May 10 17:28:10 2018
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 10 May 2018 19:28:10 +0200 (CEST)
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of
OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <7ff17149-3390-86d9-5d8f-3cfc9e77dc26@openssl.org>
References: <1525949829.951873.423.nullmailer@run.openssl.org>
<44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com>
<7ff17149-3390-86d9-5d8f-3cfc9e77dc26@openssl.org>
Message-ID: <20180510.192810.745367931451519332.levitte@openssl.org>
A simple 'got log --oneline' confirms this:
13f6857db1 PPC assembly pack: add POWER9 results.
41b77d5447 .travis.yml: add pair of linux-ppc64le targets.
a01b9cd5a7 Fix no-cms
60155b9ae1 Fix no-tls1_2, no-tls1_2-method, no-chacha and no-poly1305
7f35627c79 Fix typos in x509 documentation
60845a0aa4 Add CHANGES entry for PR#6009
Cheers,
Richard
In message <7ff17149-3390-86d9-5d8f-3cfc9e77dc26 at openssl.org> on Thu, 10 May 2018 13:59:35 +0100, Matt Caswell said:
matt> It should be fixed already - but the fixes didn't go in in time for the
matt> latest run-checker run. By tomorrow it should be ok (hopefully).
matt>
matt> Matt
matt>
matt>
matt> On 10/05/18 13:57, Salz, Rich wrote:
matt> > sigh
matt> >
matt> > ?On 5/10/18, 6:57 AM, "OpenSSL run-checker" wrote:
matt> >
matt> > Platform and configuration command:
matt> >
matt> > $ uname -a
matt> > Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
matt> > $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2
matt> >
matt> > Commit log since last time:
matt> >
matt> > 7f35627 Fix typos in x509 documentation
matt> > 60845a0 Add CHANGES entry for PR#6009
matt> > 0dae8ba Add blinding in BN_GF2m_mod_inv for binary field inversions
matt> > a7b0b69 ECC: unify generic ec2 and ecp scalar multiplication, deprecate ec2_mult.c
matt> > fe2d397 ECDSA: remove nonce padding (delegated to EC_POINT_mul)
matt> >
matt> > Build log ended with (last 100 lines):
matt> >
matt> > ../../openssl/test/recipes/30-test_evp_extra.t ................ ok
matt> > ../../openssl/test/recipes/30-test_pbelu.t .................... ok
matt> > ../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
matt> > ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
matt> > ../../openssl/test/recipes/40-test_rehash.t ................... ok
matt> > ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
matt> > ../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
matt> > ../../openssl/test/recipes/60-test_x509_store.t ............... ok
matt> > ../../openssl/test/recipes/60-test_x509_time.t ................ ok
matt> > ../../openssl/test/recipes/70-test_asyncio.t .................. ok
matt> > ../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
matt> > ../../openssl/test/recipes/70-test_clienthello.t .............. ok
matt> > ../../openssl/test/recipes/70-test_comp.t ..................... ok
matt> > ../../openssl/test/recipes/70-test_key_share.t ................ ok
matt> > ../../openssl/test/recipes/70-test_packet.t ................... ok
matt> > ../../openssl/test/recipes/70-test_recordlen.t ................ ok
matt> > ../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
matt> > ../../openssl/test/recipes/70-test_servername.t ............... ok
matt> > ../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
matt> > ../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
matt> > ../../openssl/test/recipes/70-test_sslextension.t ............. ok
matt> > ../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
matt> > ../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
matt> > ../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
matt> > ../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
matt> > ../../openssl/test/recipes/70-test_sslsignature.t ............. ok
matt> > ../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
matt> > ../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
matt> > ../../openssl/test/recipes/70-test_sslvertol.t ................ ok
matt> > ../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
matt> > ../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
matt> > ../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
matt> > ../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
matt> > ../../openssl/test/recipes/70-test_tls13messages.t ............ ok
matt> > ../../openssl/test/recipes/70-test_tls13psk.t ................. ok
matt> > ../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
matt> > ../../openssl/test/recipes/70-test_verify_extra.t ............. ok
matt> > ../../openssl/test/recipes/70-test_wpacket.t .................. ok
matt> > ../../openssl/test/recipes/80-test_ca.t ....................... ok
matt> > ../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
matt> > ../../openssl/test/recipes/80-test_cipherlist.t ............... ok
matt> > ../../openssl/test/recipes/80-test_ciphername.t ............... ok
matt> > ../../openssl/test/recipes/80-test_cms.t ...................... ok
matt> > ../../openssl/test/recipes/80-test_cmsapi.t ................... ok
matt> > ../../openssl/test/recipes/80-test_ct.t ....................... ok
matt> > ../../openssl/test/recipes/80-test_dane.t ..................... ok
matt> > ../../openssl/test/recipes/80-test_dtls.t ..................... ok
matt> > ../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
matt> > ../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
matt> > ../../openssl/test/recipes/80-test_ocsp.t ..................... ok
matt> > ../../openssl/test/recipes/80-test_pkcs12.t ................... ok
matt> > ../../openssl/test/recipes/80-test_ssl_new.t .................. ok
matt> > ../../openssl/test/recipes/80-test_ssl_old.t .................. ok
matt> > ../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
matt> > ../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
matt> > ../../openssl/test/recipes/80-test_tsa.t ...................... ok
matt> > ../../openssl/test/recipes/80-test_x509aux.t .................. ok
matt> > ../../openssl/test/recipes/90-test_asn1_time.t ................ ok
matt> > ../../openssl/test/recipes/90-test_async.t .................... ok
matt> > ../../openssl/test/recipes/90-test_bio_enc.t .................. ok
matt> > ../../openssl/test/recipes/90-test_constant_time.t ............ ok
matt> > ../../openssl/test/recipes/90-test_fatalerr.t ................. ok
matt> > ../../openssl/test/recipes/90-test_gmdiff.t ................... ok
matt> > ../../openssl/test/recipes/90-test_ige.t ...................... ok
matt> > ../../openssl/test/recipes/90-test_includes.t ................. ok
matt> > ../../openssl/test/recipes/90-test_memleak.t .................. ok
matt> > ../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
matt> > ../../openssl/test/recipes/90-test_secmem.t ................... ok
matt> > ../../openssl/test/recipes/90-test_shlibload.t ................ ok
matt> > ../../openssl/test/recipes/90-test_srp.t ...................... ok
matt> > ../../openssl/test/recipes/90-test_sslapi.t ...................
matt> > Dubious, test returned 1 (wstat 256, 0x100)
matt> > Failed 1/1 subtests
matt> > ../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
matt> > ../../openssl/test/recipes/90-test_store.t .................... ok
matt> > ../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
matt> > ../../openssl/test/recipes/90-test_threads.t .................. ok
matt> > ../../openssl/test/recipes/90-test_time_offset.t .............. ok
matt> > ../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
matt> > ../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
matt> > ../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
matt> > ../../openssl/test/recipes/90-test_v3name.t ................... ok
matt> > ../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
matt> > ../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
matt> > ../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
matt> > ../../openssl/test/recipes/99-test_ecstress.t ................. ok
matt> > ../../openssl/test/recipes/99-test_fuzz.t ..................... ok
matt> >
matt> > Test Summary Report
matt> > -------------------
matt> > ../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
matt> > Failed test: 1
matt> > Non-zero exit status: 1
matt> > Files=147, Tests=1262, 221 wallclock secs ( 1.65 usr 0.33 sys + 195.60 cusr 9.50 csys = 207.08 CPU)
matt> > Result: FAIL
matt> > Makefile:204: recipe for target '_tests' failed
matt> > make[1]: *** [_tests] Error 1
matt> > make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2'
matt> > Makefile:202: recipe for target 'tests' failed
matt> > make: *** [tests] Error 2
matt> > _____
matt> > openssl-commits mailing list
matt> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
matt> >
matt> >
matt> > _______________________________________________
matt> > openssl-project mailing list
matt> > openssl-project at openssl.org
matt> > https://mta.openssl.org/mailman/listinfo/openssl-project
matt> >
matt> _______________________________________________
matt> openssl-project mailing list
matt> openssl-project at openssl.org
matt> https://mta.openssl.org/mailman/listinfo/openssl-project
From rsalz at akamai.com Tue May 15 15:38:25 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Tue, 15 May 2018 15:38:25 +0000
Subject: [openssl-project] FW: [openssl-omc] VOTE on removing rationale for
binary compatibility
Message-ID: <785BD30B-F00B-4967-968B-83BCEA45FD79@akamai.com>
FYI
From: Rich Salz
Reply-To: "openssl-omc at openssl.org"
Date: Tuesday, May 15, 2018 at 11:36 AM
To: "openssl-omc at openssl.org"
Subject: [openssl-omc] VOTE on removing rationale for binary compatibility
Matt raised the issue that since this paragraph is in the release strategy, we need a vote to remove it.
In policies/releasestrat.html:
> @@ -34,20 +34,6 @@
performance improvements and so on. There is no need to
recompile applications to benefit from these features.
- Binary compatibility also allows other possibilities. For
- example, consider an application that wishes to utilize
- a new cipher provided in a specific 1.0.x release, but it
- is also desirable to maintain the application in a 1.0.0
- context. Customarily this would be resolved at compile time
- resulting in two binary packages targeting different OpenSSL
- versions. However, depending on the feature, it might be
- possible to check for its availability at run-time, thus cutting
- down on the maintenance of multiple binary packages. Admittedly
- it takes a certain discipline and some extra coding, but we
- would like to encourage such practice. This is because we
- want to see later releases being adopted faster, because new
- features can improve security.
-
Mark?s pointed out that when he removed rationale from the security policy, it was with a vote. So here?s a vote.
----------------
topic: Remove the second paragraph ("Binary compatibility...improve security")
from the release strategy.
Proposed by Rich
Public: yes
opened: 2018-05-15
closed: yyyy-mm-dd
ONE WEEK VOTE
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rsalz at akamai.com Wed May 16 17:14:29 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 16 May 2018 17:14:29 +0000
Subject: [openssl-project] About efail
Message-ID: <327D5DAF-19F8-4F58-A8F8-9CE6BEC0251B@akamai.com>
Doesn?t all this make you very glad that we have resisted added AEAD support to the enc command, for streaming especially?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rsalz at akamai.com Mon May 21 12:15:49 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Mon, 21 May 2018 12:15:49 +0000
Subject: [openssl-project] build/test before merging
Message-ID: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
The ghmerge script has a commented-out call to ?opensslbuild? to build+test before submitting.
I would like to enable that, and add either ?build or ?nobuild flags. Thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From openssl-users at dukhovni.org Wed May 23 00:25:25 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Tue, 22 May 2018 20:25:25 -0400
Subject: [openssl-project] build/test before merging
In-Reply-To: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
Message-ID: <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
> On May 21, 2018, at 8:15 AM, Salz, Rich wrote:
>
> The ghmerge script has a commented-out call to ?opensslbuild? to build+test before submitting.
> I would like to enable that, and add either ?build or ?nobuild flags. Thoughts?
It probably does not know how/where I prefer to do builds...
--
Viktor.
From rsalz at akamai.com Wed May 23 00:37:24 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 00:37:24 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
Message-ID: <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
> It probably does not know how/where I prefer to do builds...
No, I'm sure it does not. I think the safer thing is to do a full build, to catch things like make update errors, and such. I also run the test suite before I submit. YMMV.
From openssl-users at dukhovni.org Wed May 23 00:39:21 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Tue, 22 May 2018 20:39:21 -0400
Subject: [openssl-project] build/test before merging
In-Reply-To: <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
Message-ID:
> On May 22, 2018, at 8:37 PM, Salz, Rich wrote:
>
> No, I'm sure it does not. I think the safer thing is to do a full build, to catch things like make update errors, and such. I also run the test suite before I submit.
I do the same, but I am reluctant having a script doing it for me using some fixed recipe...
--
Viktor.
From kaduk at mit.edu Wed May 23 00:41:59 2018
From: kaduk at mit.edu (Benjamin Kaduk)
Date: Tue, 22 May 2018 19:41:59 -0500
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
Message-ID: <20180523004158.GH10597@kduck.kaduk.org>
On Tue, May 22, 2018 at 08:39:21PM -0400, Viktor Dukhovni wrote:
>
>
> > On May 22, 2018, at 8:37 PM, Salz, Rich wrote:
> >
> > No, I'm sure it does not. I think the safer thing is to do a full build, to catch things like make update errors, and such. I also run the test suite before I submit.
>
> I do the same, but I am reluctant having a script doing it for me using some fixed recipe...
I'm happy doing the build/test manually before merging, too.
-Ben
From rsalz at akamai.com Wed May 23 00:43:58 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 00:43:58 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523004158.GH10597@kduck.kaduk.org>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
Message-ID: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
> I do the same, but I am reluctant having a script doing it for me using some fixed recipe...
> I'm happy doing the build/test manually before merging, too.
So do you guys use the ghmerge script or own procedures? I'm curious.
From openssl-users at dukhovni.org Wed May 23 00:46:51 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Tue, 22 May 2018 20:46:51 -0400
Subject: [openssl-project] build/test before merging
In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:
> On May 22, 2018, at 8:43 PM, Salz, Rich wrote:
>
> So do you guys use the ghmerge script or own procedures? I'm curious.
Good point, I've not yet had a chance to look at ghmerge and figure
out how/whether to use it. If that continues, ... my preferences for
its implementation don't carry much weight! [ Though some changes might
prolong my state of indifference... ]
--
Viktor.
From kaduk at mit.edu Wed May 23 01:00:26 2018
From: kaduk at mit.edu (Benjamin Kaduk)
Date: Tue, 22 May 2018 20:00:26 -0500
Subject: [openssl-project] build/test before merging
In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID: <20180523010025.GI10597@kduck.kaduk.org>
On Wed, May 23, 2018 at 12:43:58AM +0000, Salz, Rich wrote:
> > I do the same, but I am reluctant having a script doing it for me using some fixed recipe...
>
> > I'm happy doing the build/test manually before merging, too.
>
>
> So do you guys use the ghmerge script or own procedures? I'm curious.
My own procedures (the addrev script and push by hand).
-Ben
From levitte at openssl.org Wed May 23 06:03:44 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 23 May 2018 08:03:44 +0200 (CEST)
Subject: [openssl-project] build/test before merging
In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
References:
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID: <20180523.080344.290952061342669193.levitte@openssl.org>
In message <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D at akamai.com> on Wed, 23 May 2018 00:43:58 +0000, "Salz, Rich" said:
rsalz> > I do the same, but I am reluctant having a script doing it for me using some fixed recipe...
rsalz>
rsalz> > I'm happy doing the build/test manually before merging, too.
rsalz>
rsalz>
rsalz> So do you guys use the ghmerge script or own procedures? I'm curious.
I use addrev and git commands. ghmerge does too much for my taste.
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From matt at openssl.org Wed May 23 08:19:48 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 23 May 2018 09:19:48 +0100
Subject: [openssl-project] build/test before merging
In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:
On 23/05/18 01:43, Salz, Rich wrote:
> > I do the same, but I am reluctant having a script doing it for me using some fixed recipe...
>
>> I'm happy doing the build/test manually before merging, too.
>
>
> So do you guys use the ghmerge script or own procedures? I'm curious.
I tried it once. Didn't like it, so I always do my own procedure.
Matt
From matt at openssl.org Wed May 23 08:34:19 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 23 May 2018 09:34:19 +0100
Subject: [openssl-project] Current votes FYI
In-Reply-To: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:
FYI, all of these votes are now closed. The final vote results are
inserted below.
On 07/05/18 02:37, Salz, Rich wrote:
> VOTE: openssl-web and tools repositories shall be under the same review
> policy as per the openssl repository where the reviewers are OMC members
+1: 5
0: 1
-1: 1
No vote: 1
The vote passed.
> VOTE: That we remove "We strongly believe that the right to advance
> patches/info should not be based in any way on paid membership to ?some
> forum. You cannot pay us to get security patches in advance" from the
> security policy and Mark posts a blog entry to explain the change
> including that we have no current such service.
+1: 4
0: 2
-1: 1
No vote: 1
The vote passed.
> VOTE: 1.1.1 beta release schedule changed so that the next two beta
> releases are now 29th May, 19 June and we will re-review release
> readiness after that. We will also ensure that there is at least one
> beta release post TLS-1.3 RFC publication prior to the final release.
+1: 7
0: 0
-1: 0
No vote: 1
The vote passed.
> VOTE: Remove the entire "Forthcoming Features" section from the Roadmap
> Policy and open github issues for those items listed which have not yet
> been completed and do not currently have issues raised or PR submitted.?
+1: 4
0: 3
-1: 0
No vote: 1
The vote passed.
> VOTE: We don't intend to be involved in adding any additional platforms
> to the OpenSSL FIPS validation; instead we will work to enable other
> parties to meet this need.
+1: 5
0: 2
-1: 0
No vote: 1
The vote passed.
> VOTE: The next LTS release will be 1.1.1 and the LTS expiry date for
> 1.0.2 will not be changed.?
+1: 7
0: 0
-1: 0
No vote: 1
The vote passed.
From rsalz at akamai.com Wed May 23 14:58:58 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 14:58:58 +0000
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:
Another update
VOTE: Remove the second paragraph ("Binary compatibility...improve security")
from the release strategy.
+1: 2
0: 1
-1: 0
No vote: 5
The vote passed.
From Matthias.St.Pierre at ncp-e.com Wed May 23 15:12:30 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:12:30 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:
> So do you guys use the ghmerge script or own procedures? I'm curious.
At the beginnning, I tried to use ghmerge but it was not flexible enough for my needs. In particular, it only gives me the choice between squashing everything or leaving everything as it is. Most notably, it does not support partial squashing by interactive rebasing. Or alternatively: pausing + letting me fix something + resuming. What I also dislike is that it uses a lot of GitHub API overhead, for example it pulls the commits from the pr owner's repository, instead of pulling the branch directly from openssl/openssl using the refs/pull/*/head references (which wouldn't require the github api).
Currently, I use only addrev and raw git commands. As an aid, I have a fetch rule
fetch = +refs/pull/*/head:refs/remotes/github/pr-*
which enables me to do a simple 'git checkout pr-xxxx'.
Matthias
From Matthias.St.Pierre at ncp-e.com Wed May 23 15:35:07 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:35:07 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:
My vision is a more versatile tool (say: ghtool) with separate subcommands as building blocks to simplify common subtasks:
ghtool {checkout,rebase,squash,addrev,push} ...
This tool could support the concept of a "current pull request" by using a naming convention for the local branches: 'ghtool checkout xxxx' could fetch and checkout to branch pr-xxxx, after which the following commands 'git rebase', 'git addrev', etc. could use the branch name as indicator for the current branch. This would make it possible to implement 'ghtool addrev' such that one neither has to provide --prnum=xxxx nor a commit range.
Unfortunately, I didn't have time to follow my vision yet. Also, it would have been easier for me to do it in Python than in Perl.
Matthias
From openssl-users at dukhovni.org Wed May 23 15:36:11 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Wed, 23 May 2018 11:36:11 -0400
Subject: [openssl-project] Some failing builds in travis?
Message-ID:
https://travis-ci.org/openssl/openssl/jobs/382694134
https://api.travis-ci.org/v3/job/382694134/log.txt
Test Summary Report
-------------------
../test/recipes/70-test_comp.t (Wstat: 26624 Tests: 0 Failed: 0)
Non-zero exit status: 104
Parse errors: No plan found in TAP output
../test/recipes/70-test_key_share.t (Wstat: 26624 Tests: 0 Failed: 0)
Non-zero exit status: 104
Parse errors: No plan found in TAP output
../test/recipes/70-test_sslrecords.t (Wstat: 26624 Tests: 17 Failed: 0)
Non-zero exit status: 104
Parse errors: Bad plan. You planned 18 tests but ran 17.
../test/recipes/70-test_sslsigalgs.t (Wstat: 26624 Tests: 0 Failed: 0)
Non-zero exit status: 104
Parse errors: No plan found in TAP output
../test/recipes/70-test_sslsignature.t (Wstat: 26624 Tests: 0 Failed: 0)
Non-zero exit status: 104
Parse errors: No plan found in TAP output
../test/recipes/70-test_sslversions.t (Wstat: 26624 Tests: 4 Failed: 0)
Non-zero exit status: 104
Parse errors: Bad plan. You planned 7 tests but ran 4.
../test/recipes/70-test_tls13cookie.t (Wstat: 26624 Tests: 0 Failed: 0)
Non-zero exit status: 104
Parse errors: No plan found in TAP output
../test/recipes/70-test_tls13kexmodes.t (Wstat: 19712 Tests: 0 Failed: 0)
Non-zero exit status: 77
Parse errors: No plan found in TAP output
../test/recipes/70-test_tls13messages.t (Wstat: 8192 Tests: 1 Failed: 0)
Non-zero exit status: 32
Parse errors: Bad plan. You planned 16 tests but ran 1.
../test/recipes/70-test_tls13psk.t (Wstat: 19712 Tests: 0 Failed: 0)
Non-zero exit status: 77
Parse errors: No plan found in TAP output
../test/recipes/70-test_tlsextms.t (Wstat: 26624 Tests: 9 Failed: 0)
Non-zero exit status: 104
Parse errors: Bad plan. You planned 10 tests but ran 9.
Files=147, Tests=1249, 358 wallclock secs ( 5.94 usr 1.09 sys + 287.60 cusr 53.16 csys = 347.79 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/home/travis/build/openssl/openssl'
make: *** [tests] Error 2
+///// MAKE TEST FAILED
--
Viktor.
From rsalz at akamai.com Wed May 23 15:37:03 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 15:37:03 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:
> Unfortunately, I didn't have time to follow my vision yet. Also, it would have been easier for me to do it in Python than in Perl.
+1 for python! :)
From Matthias.St.Pierre at ncp-e.com Wed May 23 15:48:43 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:48:43 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID: <5fc7b93aa39248bf9c2b852a76117b3e@Ex13.ncp.local>
> +1 for python! :)
Well, if this is a "go for it"... ;-)
Oh, and I forgot to mention 'ghtool cherry-pick {110,102}'
From kaduk at mit.edu Wed May 23 15:50:07 2018
From: kaduk at mit.edu (Benjamin Kaduk)
Date: Wed, 23 May 2018 10:50:07 -0500
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID: <20180523155007.GC32807@kduck.kaduk.org>
On Wed, May 23, 2018 at 03:12:30PM +0000, Dr. Matthias St. Pierre wrote:
> > So do you guys use the ghmerge script or own procedures? I'm curious.
>
> At the beginnning, I tried to use ghmerge but it was not flexible
> enough for my needs. In particular, it only gives me the choice
> between squashing everything or leaving everything as it is. Most
> notably, it does not support partial squashing by interactive
> rebasing. Or alternatively: pausing + letting me fix something +
> resuming. What I also dislike is that it uses a lot of GitHub API
Sorry for partially hijacking the thread, but this reminds me that
several people have started using the "git commit --fixup" tooling,
which is in general helpful for the reviewer (to know what the
squashing intention is).
But I am curious if we currently do and/or should have a commit hook
on git.openssl.org to reject commits that start with "!fixup".
-Ben
From Matthias.St.Pierre at ncp-e.com Wed May 23 15:52:03 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:52:03 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523155007.GC32807@kduck.kaduk.org>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
<20180523155007.GC32807@kduck.kaduk.org>
Message-ID:
> But I am curious if we currently do and/or should have a commit hook on git.openssl.org to reject commits that start with "!fixup".
We probably don't, but it's a good idea to have it.
Matthias
From matt at openssl.org Wed May 23 15:54:23 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 23 May 2018 16:54:23 +0100
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523155007.GC32807@kduck.kaduk.org>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
<227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>
<05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com>
<20180523004158.GH10597@kduck.kaduk.org>
<25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
<20180523155007.GC32807@kduck.kaduk.org>
Message-ID: <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
On 23/05/18 16:50, Benjamin Kaduk wrote:
> On Wed, May 23, 2018 at 03:12:30PM +0000, Dr. Matthias St. Pierre wrote:
>>> So do you guys use the ghmerge script or own procedures? I'm curious.
>>
>> At the beginnning, I tried to use ghmerge but it was not flexible
>> enough for my needs. In particular, it only gives me the choice
>> between squashing everything or leaving everything as it is. Most
>> notably, it does not support partial squashing by interactive
>> rebasing. Or alternatively: pausing + letting me fix something +
>> resuming. What I also dislike is that it uses a lot of GitHub API
>
> Sorry for partially hijacking the thread, but this reminds me that
> several people have started using the "git commit --fixup" tooling,
> which is in general helpful for the reviewer (to know what the
> squashing intention is).
It's also helpful because it preserves the history of the review (you
can see what changed since the last time you looked at it).
>
> But I am curious if we currently do and/or should have a commit hook
> on git.openssl.org to reject commits that start with "!fixup".
Not that I know of. We probably should have. A quick check reveals two
such commits that have made it into master...both mine unfortunately :-(
Matt
From levitte at openssl.org Wed May 23 16:01:48 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 23 May 2018 18:01:48 +0200 (CEST)
Subject: [openssl-project] build/test before merging
In-Reply-To: <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
References:
<20180523155007.GC32807@kduck.kaduk.org>
<6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
Message-ID: <20180523.180148.154491224151456127.levitte@openssl.org>
In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed, 23 May 2018 16:54:23 +0100, Matt Caswell said:
matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
matt> > But I am curious if we currently do and/or should have a commit hook
matt> > on git.openssl.org to reject commits that start with "!fixup".
That's "fixup! ", and "squash! " (for --squash) should be added as well.
matt> Not that I know of. We probably should have. A quick check reveals two
matt> such commits that have made it into master...both mine unfortunately :-(
I've been close a couple of times...
But yeah, good idea, I'll go ahead and craft that together. Gitolite
makes it quite easy to configure.
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From levitte at openssl.org Wed May 23 17:02:48 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 23 May 2018 19:02:48 +0200 (CEST)
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523.180148.154491224151456127.levitte@openssl.org>
References: <20180523155007.GC32807@kduck.kaduk.org>
<6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
<20180523.180148.154491224151456127.levitte@openssl.org>
Message-ID: <20180523.190248.1692957295860583944.levitte@openssl.org>
In message <20180523.180148.154491224151456127.levitte at openssl.org> on Wed, 23 May 2018 18:01:48 +0200 (CEST), Richard Levitte said:
levitte> In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed, 23 May 2018 16:54:23 +0100, Matt Caswell said:
levitte>
levitte> matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
levitte> matt> > But I am curious if we currently do and/or should have a commit hook
levitte> matt> > on git.openssl.org to reject commits that start with "!fixup".
levitte>
levitte> That's "fixup! ", and "squash! " (for --squash) should be added as well.
levitte>
levitte> matt> Not that I know of. We probably should have. A quick check reveals two
levitte> matt> such commits that have made it into master...both mine unfortunately :-(
levitte>
levitte> I've been close a couple of times...
levitte>
levitte> But yeah, good idea, I'll go ahead and craft that together. Gitolite
levitte> makes it quite easy to configure.
Quick script added. The quick tests I made seem to work right. If
something strange happens, tell me ASAP.
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From tjh at cryptsoft.com Wed May 23 20:59:56 2018
From: tjh at cryptsoft.com (Tim Hudson)
Date: Thu, 24 May 2018 06:59:56 +1000
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:
No that vote does not pass. All votes require participation by a majority
of active members. Failure to have a majority participation causes a vote
to fail.
With only three out of eight members voting this vote simply did not pass.
Tim.
On Thu, 24 May 2018, 12:59 am Salz, Rich, wrote:
> Another update
>
> VOTE: Remove the second paragraph ("Binary compatibility...improve
> security")
> from the release strategy.
>
> +1: 2
> 0: 1
> -1: 0
> No vote: 5
>
> The vote passed.
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rsalz at akamai.com Wed May 23 23:58:55 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 23:58:55 +0000
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID: <098D5826-ADE5-4AFA-9101-8CDDB7D2336D@akamai.com>
Dang, you?re right.
I?ll re-run the vote. But for now I reverted the website commit.
From: Tim Hudson
Reply-To: "openssl-project at openssl.org"
Date: Wednesday, May 23, 2018 at 5:00 PM
To: "openssl-project at openssl.org"
Subject: Re: [openssl-project] Current votes FYI
No that vote does not pass. All votes require participation by a majority of active members. Failure to have a majority participation causes a vote to fail.
With only three out of eight members voting this vote simply did not pass.
Tim.
On Thu, 24 May 2018, 12:59 am Salz, Rich, > wrote:
Another update
VOTE: Remove the second paragraph ("Binary compatibility...improve security")
from the release strategy.
+1: 2
0: 1
-1: 0
No vote: 5
The vote passed.
_______________________________________________
openssl-project mailing list
openssl-project at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From Matthias.St.Pierre at ncp-e.com Thu May 24 20:32:38 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 24 May 2018 20:32:38 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523.180148.154491224151456127.levitte@openssl.org>
References:
<20180523155007.GC32807@kduck.kaduk.org>
<6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
<20180523.180148.154491224151456127.levitte@openssl.org>
Message-ID: <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
There is also the custom to add something like "(to be squashed)" or "(fixup)" in round or square brackets to the end oft he commit title. So maybe also add a regex for "squash" or "fixup" inside round or square brackets?
-----Urspr?ngliche Nachricht-----
Von: openssl-project Im Auftrag von Richard Levitte
Gesendet: Mittwoch, 23. Mai 2018 18:02
An: openssl-project at openssl.org
Betreff: Re: [openssl-project] build/test before merging
In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed, 23 May 2018 16:54:23 +0100, Matt Caswell said:
matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
matt> > But I am curious if we currently do and/or should have a commit
matt> > hook on git.openssl.org to reject commits that start with "!fixup".
That's "fixup! ", and "squash! " (for --squash) should be added as well.
matt> Not that I know of. We probably should have. A quick check reveals
matt> two such commits that have made it into master...both mine
matt> unfortunately :-(
I've been close a couple of times...
But yeah, good idea, I'll go ahead and craft that together. Gitolite makes it quite easy to configure.
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
_______________________________________________
openssl-project mailing list
openssl-project at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
From levitte at openssl.org Thu May 24 20:42:52 2018
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 24 May 2018 22:42:52 +0200
Subject: [openssl-project] build/test before merging
In-Reply-To: <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
References:
<20180523155007.GC32807@kduck.kaduk.org>
<6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
<20180523.180148.154491224151456127.levitte@openssl.org>
<475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
Message-ID:
Those are non-standard and a matter of personal taste. I used those before I discovered --fixup and --squash. How many variants should we support?
(I'm not totally against the idea, mind you...)
Cheers
Richard
"Dr. Matthias St. Pierre" skrev: (24 maj 2018 22:32:38 CEST)
>There is also the custom to add something like "(to be squashed)" or
>"(fixup)" in round or square brackets to the end oft he commit title.
>So maybe also add a regex for "squash" or "fixup" inside round or
>square brackets?
>
>-----Urspr?ngliche Nachricht-----
>Von: openssl-project Im Auftrag
>von Richard Levitte
>Gesendet: Mittwoch, 23. Mai 2018 18:02
>An: openssl-project at openssl.org
>Betreff: Re: [openssl-project] build/test before merging
>
>In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed,
>23 May 2018 16:54:23 +0100, Matt Caswell said:
>
>matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
>matt> > But I am curious if we currently do and/or should have a commit
>
>matt> > hook on git.openssl.org to reject commits that start with
>"!fixup".
>
>That's "fixup! ", and "squash! " (for --squash) should be added as
>well.
>
>matt> Not that I know of. We probably should have. A quick check
>reveals
>matt> two such commits that have made it into master...both mine
>matt> unfortunately :-(
>
>I've been close a couple of times...
>
>But yeah, good idea, I'll go ahead and craft that together. Gitolite
>makes it quite easy to configure.
>
>Cheers,
>Richard
--
Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
From Matthias.St.Pierre at ncp-e.com Thu May 24 20:49:16 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 24 May 2018 20:49:16 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References:
<20180523155007.GC32807@kduck.kaduk.org>
<6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
<20180523.180148.154491224151456127.levitte@openssl.org>
<475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
Message-ID:
Well, I use --fixup and --squash mostly nowadays, but I'm not sure everybody switched. It was not a feature request, only a remark.
-----Urspr?ngliche Nachricht-----
Von: openssl-project Im Auftrag von Richard Levitte
Gesendet: Donnerstag, 24. Mai 2018 22:43
An: openssl-project at openssl.org
Betreff: Re: [openssl-project] build/test before merging
Those are non-standard and a matter of personal taste. I used those before I discovered --fixup and --squash. How many variants should we support?
(I'm not totally against the idea, mind you...)
Cheers
Richard
From openssl-users at dukhovni.org Thu May 24 21:03:39 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Thu, 24 May 2018 17:03:39 -0400
Subject: [openssl-project] build/test before merging
In-Reply-To:
References:
<20180523155007.GC32807@kduck.kaduk.org>
<6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
<20180523.180148.154491224151456127.levitte@openssl.org>
<475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
Message-ID: <847A64B6-FEA5-432C-97F5-BF7AB3364517@dukhovni.org>
> On May 24, 2018, at 4:42 PM, Richard Levitte wrote:
>
> Those are non-standard and a matter of personal taste. I used those before I discovered --fixup and --squash. How many variants should we support?
>
> (I'm not totally against the idea, mind you...)
Let's stick with the standard versions.
--
Viktor.
From Matthias.St.Pierre at ncp-e.com Tue May 29 05:45:08 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Tue, 29 May 2018 05:45:08 +0000
Subject: [openssl-project] Current votes FYI
In-Reply-To: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:
> VOTE: 1.1.1 beta release schedule changed so that the next two beta releases are now 29th May, 19 June and we will re-review release readiness after that. We will also ensure that there is at least one beta release post TLS-1.3 RFC publication prior to the final release.
Note: I just had a look at https://www.openssl.org/policies/releasestrat.html because I recalled that a beta release was scheduled for today and noticed that the beta release plan has not been updated to reflect your last vote.
Matthias
From levitte at openssl.org Tue May 29 06:25:06 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 29 May 2018 08:25:06 +0200 (CEST)
Subject: [openssl-project] OpenSSL repo frozen
Message-ID: <20180529.082506.1179117302266834943.levitte@openssl.org>
This should have been done yesterday... the openssl repo is now
frozen pending the beta release that's happening later today.
Cheers,
Richard
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
From matt at openssl.org Tue May 29 08:31:07 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 29 May 2018 09:31:07 +0100
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:
On 29/05/18 06:45, Dr. Matthias St. Pierre wrote:
>> VOTE: 1.1.1 beta release schedule changed so that the next two beta releases are now 29th May, 19 June and we will re-review release readiness after that. We will also ensure that there is at least one beta release post TLS-1.3 RFC publication prior to the final release.
>
> Note: I just had a look at https://www.openssl.org/policies/releasestrat.html because I recalled that a beta release was scheduled for today and noticed that the beta release plan has not been updated to reflect your last vote.
>
I thought it had been updated! So,
https://github.com/openssl/web/pull/55
P.S.
Ah! It *was* updated and then the change was reverted!
From openssl at openssl.org Tue May 29 12:38:25 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 29 May 2018 12:38:25 +0000
Subject: [openssl-project] OpenSSL version 1.1.1 pre release 7 published
Message-ID: <20180529123825.GA8160@openssl.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
OpenSSL version 1.1.1 pre release 7 (beta)
===========================================
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 7 has now
been made available. For details of changes and known issues see the
release notes at:
https://www.openssl.org/news/openssl-1.1.1-notes.html
Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.
The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):
* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
The distribution file name is:
o openssl-1.1.1-pre7.tar.gz
Size: 8308876
SHA1 checksum: 1879b688f9e36665f82bda8cac4f392029683bd0
SHA256 checksum: e4a54e1eba2900004a2e39cde62aeaf1f1fa0442169f849faf14e735136ad6cc
The checksums were calculated using the following commands:
openssl sha1 openssl-1.1.1-pre7.tar.gz
openssl sha256 openssl-1.1.1-pre7.tar.gz
Please download and check this beta release as soon as possible.
To report a bug, open an issue on GitHub:
https://github.com/openssl/openssl/issues
Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available
on GitHub.)
Yours,
The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsNRX8ACgkQ2cTSbQ5g
RJG5OwgAhQ1fmHrG57u3jCfhKn7r2t1c6CxnSfZRn7hRc1He772R3iwi9A3i6AO3
9BlEj16V8bQ/2DF6vH31FzBnPjfnP8QENDC3btwdQOdufkQLyeqvgMIjdj42VFS6
E803eCRE1fN6w0LZzVoP8TarWCIifD+Wb3c9VfFsTDWzfQ2TMQz3SKsVqhRA9m0e
+xKpkFkJNHw7MQw5B7EomuJYwCVZpERDQAJMlh78uQK5SCoLFw3f14+2C0IzLIBn
6fKVbC546TJgflWoR2uGjOSgYKZqxysya1ZcKfGTOuRy4YiBMkCxX/n0GNEEJFoy
gKxJYtMXHCmudlcEjvqcXqO0schzRw==
=HTbt
-----END PGP SIGNATURE-----
From matt at openssl.org Tue May 29 12:41:54 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 29 May 2018 13:41:54 +0100
Subject: [openssl-project] OpenSSL repo frozen
In-Reply-To: <20180529.082506.1179117302266834943.levitte@openssl.org>
References: <20180529.082506.1179117302266834943.levitte@openssl.org>
Message-ID: <1c375589-2e2e-9951-95b1-55eeeb57e3c5@openssl.org>
The release is complete and the repo is now unfrozen.
Thanks to Richard for his help during the release.
Matt
On 29/05/18 07:25, Richard Levitte wrote:
> This should have been done yesterday... the openssl repo is now
> frozen pending the beta release that's happening later today.
>
> Cheers,
> Richard
>