From levitte at openssl.org Tue May 1 04:09:13 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 01 May 2018 06:09:13 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180430162209.GA4439@roeckx.be>
References: <20180430.164908.1424770216194967097.levitte@openssl.org>
 <20180430.180020.1402330384104485085.levitte@openssl.org>
 <20180430162209.GA4439@roeckx.be>
Message-ID: <20180501.060913.811991315461935857.levitte@openssl.org>

In message <20180430162209.GA4439 at roeckx.be> on Mon, 30 Apr 2018 18:22:09 +0200, Kurt Roeckx said:

kurt> On Mon, Apr 30, 2018 at 06:00:20PM +0200, Richard Levitte wrote:
kurt> >
kurt> > So I'd like to have it confirmed that I'm reading this right, that's
kurt> > about 0.08 entropy bits per 8 data bits? Or is it per data bit?
kurt>
kurt> Per symbol, being 8 bits for what you provided.
kurt>
kurt> > Depending on the interpretation, we either have 1 bit of entropy per
kurt> > 12 data bits... or per 100 data bits... The latter has my heart
kurt> > sinking...
kurt>
kurt> It's per 100 bits, and that's really still an overestimate. One
kurt> of the models they used was able to predict it that well.

That well? I'm not sure I understand, the final min-entropy value is
the *lowest* of all different estimates. Also, I'm not sure what
makes you say it's an overestimate... are you simply speculating?

Either way, this is quite discouraging, because this means that with
that estimate, I need to gather about 25 KiB of data to meet the
requirements of our DRBG. Right?

kurt> It might be possible to create a better model.

I'm not sure I understand what you mean.

--
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

From levitte at openssl.org Tue May 1 04:33:33 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 01 May 2018 06:33:33 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180501.060913.811991315461935857.levitte@openssl.org>
References: <20180430.180020.1402330384104485085.levitte@openssl.org>
 <20180430162209.GA4439@roeckx.be>
 <20180501.060913.811991315461935857.levitte@openssl.org>
Message-ID: <20180501.063333.138536851222442365.levitte@openssl.org>

In message <20180501.060913.811991315461935857.levitte at openssl.org> on Tue, 01 May 2018 06:09:13 +0200 (CEST), Richard Levitte said:

levitte> Either way, this is quite discouraging, because this means that with
levitte> that estimate, I need to gather about 25 KiB of data to meet the
levitte> requirements of our DRBG. Right?

Gah! Too early in the morning to keep bits and bytes apart!

So, err, about 3 KiB plus change... Still not the most encouraging
thought...

--
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

From kurt at roeckx.be Tue May 1 08:43:17 2018
From: kurt at roeckx.be (Kurt Roeckx)
Date: Tue, 1 May 2018 10:43:17 +0200
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180501.060913.811991315461935857.levitte@openssl.org>
References: <20180430.164908.1424770216194967097.levitte@openssl.org>
 <20180430.180020.1402330384104485085.levitte@openssl.org>
 <20180430162209.GA4439@roeckx.be>
 <20180501.060913.811991315461935857.levitte@openssl.org>
Message-ID: <20180501084317.GA32265@roeckx.be>

On Tue, May 01, 2018 at 06:09:13AM +0200, Richard Levitte wrote:
> In message <20180430162209.GA4439 at roeckx.be> on Mon, 30 Apr 2018 18:22:09 +0200, Kurt Roeckx said:
>
> kurt> On Mon, Apr 30, 2018 at 06:00:20PM +0200, Richard Levitte wrote:
> kurt> >
> kurt> > So I'd like to have it confirmed that I'm reading this right, that's
> kurt> > about 0.08 entropy bits per 8 data bits? Or is it per data bit?
> kurt>
> kurt> Per symbol, being 8 bits for what you provided.
> kurt>
> kurt> > Depending on the interpretation, we either have 1 bit of entropy per
> kurt> > 12 data bits... or per 100 data bits... The latter has my heart
> kurt> > sinking...
> kurt>
> kurt> It's per 100 bits, and that's really still an overestimate. One
> kurt> of the models they used was able to predict it that well.
>
> That well? I'm not sure I understand, the final min-entropy value is
> the *lowest* of all different estimates. Also, I'm not sure what
> makes you say it's an overestimate... are you simply speculating?

Those are all just tests to see how easy it is to predict the next
value, but they really don't know anything about the data. It
might be possible to generate a better predictor, one that has an
even lower min-entropy value.

That is why you should not rely on the tool to give you a good
min-entropy value, it just shows that the maximum of the real
value is the minimum reported by the tool.

If you actually follow SP800-90B, you should make a theoretical
model of how much entropy you expect, and then use the tool
to verify that your model is correct.

Kurt

From matt at openssl.org Tue May 1 09:02:31 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 10:02:31 +0100
Subject: [openssl-project] Travis is currently failing
Message-ID: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>

Can anyone shed any light on this error from travis (master branch is
failing):

/usr/bin/ld: unrecognized option '--push-state--no-as-needed'
/usr/bin/ld: use the --help option for usage information
collect2: error: ld returned 1 exit status
make[1]: *** [libcrypto.so] Error 1
make[1]: Leaving directory `/home/travis/build/openssl/openssl'
make: *** [tests] Error 2
+///// MAKE TEST FAILED

This only seems to happen with one particular build.

Matt

From kurt at roeckx.be Tue May 1 09:52:46 2018
From: kurt at roeckx.be (Kurt Roeckx)
Date: Tue, 1 May 2018 11:52:46 +0200
Subject: [openssl-project] Travis is currently failing
In-Reply-To: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
References: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
Message-ID: <20180501095246.GA6644@roeckx.be>

On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote:
>
> Can anyone shed any light on this error from travis (master branch is
> failing):
>
> /usr/bin/ld: unrecognized option '--push-state--no-as-needed'
> /usr/bin/ld: use the --help option for usage information
> collect2: error: ld returned 1 exit status
> make[1]: *** [libcrypto.so] Error 1
> make[1]: Leaving directory `/home/travis/build/openssl/openssl'
> make: *** [tests] Error 2
> +///// MAKE TEST FAILED

We're also not the only one seeing that problem. We also have the
problem in the 1.1.0-stable branch for the same configuration.
I have no idea what changed.

From matt at openssl.org Tue May 1 10:12:04 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 11:12:04 +0100
Subject: [openssl-project] Travis is currently failing
In-Reply-To: <20180501095246.GA6644@roeckx.be>
References: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
 <20180501095246.GA6644@roeckx.be>
Message-ID: <74d05483-e1e1-2fcc-2075-6626713ebae7@openssl.org>

On 01/05/18 10:52, Kurt Roeckx wrote:
> On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote:
>>
>> Can anyone shed any light on this error from travis (master branch is
>> failing):
>>
>> /usr/bin/ld: unrecognized option '--push-state--no-as-needed'
>> /usr/bin/ld: use the --help option for usage information
>> collect2: error: ld returned 1 exit status
>> make[1]: *** [libcrypto.so] Error 1
>> make[1]: Leaving directory `/home/travis/build/openssl/openssl'
>> make: *** [tests] Error 2
>> +///// MAKE TEST FAILED
>
> We're also not the only one seeing that problem. We also have the
> problem in the 1.1.0-stable branch for the same configuration.
> I have no idea what changed.

Looks like it could be a gcc problem:

https://stackoverflow.com/questions/50024731/ld-unrecognized-option-push-state-no-as-needed

Or rather possibly an ubuntu gcc problem?

https://launchpad.net/ubuntu/+source/gcc-7/7.3.0-16ubuntu2

Matt

From kurt at roeckx.be Tue May 1 10:12:10 2018
From: kurt at roeckx.be (Kurt Roeckx)
Date: Tue, 1 May 2018 12:12:10 +0200
Subject: [openssl-project] Travis is currently failing
In-Reply-To: <20180501095246.GA6644@roeckx.be>
References: <6fb249a8-085a-07a1-9df7-5bdb386898b2@openssl.org>
 <20180501095246.GA6644@roeckx.be>
Message-ID: <20180501101210.GB6644@roeckx.be>

On Tue, May 01, 2018 at 11:52:46AM +0200, Kurt Roeckx wrote:
> On Tue, May 01, 2018 at 10:02:31AM +0100, Matt Caswell wrote:
> >
> > Can anyone shed any light on this error from travis (master branch is
> > failing):
> >
> > /usr/bin/ld: unrecognized option '--push-state--no-as-needed'
> > /usr/bin/ld: use the --help option for usage information
> > collect2: error: ld returned 1 exit status
> > make[1]: *** [libcrypto.so] Error 1
> > make[1]: Leaving directory `/home/travis/build/openssl/openssl'
> > make: *** [tests] Error 2
> > +///// MAKE TEST FAILED
>
> We're also not the only one seeing that problem. We also have the
> problem in the 1.1.0-stable branch for the same configuration.
> I have no idea what changed.

And I can't reproduce it.

Kurt

From openssl at openssl.org Tue May 1 13:06:36 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 1 May 2018 13:06:36 +0000
Subject: [openssl-project] OpenSSL version 1.1.1 pre release 6 published
Message-ID: <20180501130636.GA9299@openssl.org>

OpenSSL version 1.1.1 pre release 6 (beta)
===========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 6 has now
been made available. For details of changes and known issues see the
release notes at:

    https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

The beta release is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.1.1-pre6.tar.gz
    Size: 8286337
    SHA1 checksum: d9aa6121ea9e8bfc4632566c72b376620c68ece3
    SHA256 checksum: 01f91c5370fe210f7172d863c5bdc5dee2450c3faa98b4af2627ee6f7e128d87

The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.1-pre6.tar.gz
    openssl sha256 openssl-1.1.1-pre6.tar.gz

Please download and check this beta release as soon as possible.
To report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available
on GitHub.)

Yours,

The OpenSSL Project Team.

From matt at openssl.org Tue May 1 13:10:13 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 14:10:13 +0100
Subject: [openssl-project] Freezing the repo
In-Reply-To:
References: <068239e0-7926-d877-6be5-98dfc5dbf737@openssl.org>
Message-ID: <602ff81f-fea2-e968-5cf3-d03f82272bf9@openssl.org>

Release is complete and the repo is unfrozen.

Matt

On 30/04/18 20:04, Salz, Rich wrote:
> Done.
>
> On 4/30/18, 3:02 PM, "Matt Caswell" wrote:
>
>     Please could someone freeze the repo for me for tomorrow's release:
>
>     $ ssh openssl-git at git.openssl.org freeze openssl matt
>
>
>     Thanks
>
>     Matt
>     _______________________________________________
>     openssl-project mailing list
>     openssl-project at openssl.org
>     https://mta.openssl.org/mailman/listinfo/openssl-project
>

From matt at openssl.org Tue May 1 15:06:30 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 1 May 2018 16:06:30 +0100
Subject: [openssl-project] Monthly Status Report (April)
Message-ID:

As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Performed the 1.1.1 pre-4 release
- Supported the 1.1.1 pre-5 release
- Liaison with Billy Bob Brumley and team regarding various EC/constant
  time improvements
- Various updates to the TLSv1.3 wiki article
- Fixed a problem with the ordering of when libssl and libcrypto config
  was loaded
- Fixed some problems with TLSv1.3 ciphersuite configuration
- Fixed some documentation problems for the mem leak functions
- Overhauled the genpkey documentation
- Fixed the info callback in TLSv1.3
  Also added new tests for this.
- Fixed the command line tools to make Ed25519/Ed448 usable
- Fixed logic around the status_request extension so that it is ignored
  on a resumption
- Fixed a significant problem with the SRP base64 parsing code
- Fixed an assertion failure in SSL_set_bio()
- Co-ordinated activity around CVE-2018-0737 (Cache timing vulnerability
  in RSA Key Generation)
- Investigated the feasibility of using constant time by default for
  BIGNUMs
- Fixed a mem leak found by Coverity
- Updated the EVP_DigestSignInit() docs to be more explicit about the
  algorithms they support
- Fixed a no-ec build break
- Investigated an issue with bad SRP group parameters when interoperating
  with tlslite
- Fixed a return code issue with the ocsp command line app
- Fixed return code issue in the DH derive code
- Fixed a crash if X509_STORE_CTX_init() is called with a NULL X509_STORE
  and then X509_verify_cert() is called
- Fix an incorrect alert that was being sent if there are no shared sig
  algs
- Fixed the SSL_get_version() documentation
- Fixed the behaviour of the info callback if SSL_in_init() is called
- Fixed a bug in SSL_pending() when used with DTLS
- Fixed a backwards compat issue with the ECDHParameters config directive
- Fixed a problem in OpenSSL 1.1.0 which prevented intermediate CAs from
  using RSA-PSS
- Updated the session docs to cover when a session gets removed from the
  cache
- Fixed an issue preventing the use of compressed point EC certs in
  TLSv1.3
- Fixed a problem where AFALG was incorrectly built on Android
- Fixed a behaviour change between 1.0.2 and 1.1.0 for the client version
  in a reneg handshake
- Fixed the documentation for the "-showcerts" s_client option
- Fixed the MAX_CURVELIST definition in libssl
- Fixed a copy&paste error in the TLSv1.3 ciphersuites definition
- Provided some updates for the various *use_certificate* functions
- Created a fix for the SSL_get_shared_ciphers() function
- Investigated a reported problem with PSKs in TLSv1.3
- Investigated a reported problem with DNS nameconstraints
- Investigated a reported problem with the x509 app "-nameopt" option
- Investigated a reported problem with implicit tagging
- Fixed various errors in the CMS documentation
- Clarified the use of BN_mod_exp combined with BN_FLG_CONSTTIME
- Added the X509_PARAM_get_hostflags() function
- Investigated and closed or re-assigned to a later milestone a large
  number of other issues (not listed above) that were against the 1.1.1
  milestone

Matt

From levitte at openssl.org Wed May 2 03:52:19 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 02 May 2018 05:52:19 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180501084317.GA32265@roeckx.be>
References: <20180430162209.GA4439@roeckx.be>
 <20180501.060913.811991315461935857.levitte@openssl.org>
 <20180501084317.GA32265@roeckx.be>
Message-ID: <20180502.055219.400891360743110066.levitte@openssl.org>

In message <20180501084317.GA32265 at roeckx.be> on Tue, 1 May 2018 10:43:17 +0200, Kurt Roeckx said:

kurt> If you actually follow SP800-90B, you should make a theoretical
kurt> model of how much entropy you expect, and then use the tool
kurt> to verify that your model is correct.

Errrr... look, I'm kind of a rookie in this particular area, so errr,
I'm not sure I have the knowledge to think of a theoretical model.
Given a crash course, I can probably come up with *something*, but at
this moment, I don't know where to start.

A side note to this discussion, the way the rand pool routines are
currently implemented, specifically rand_pool_bytes_needed(), we
cannot handle a source with less than 1 entropy bit per 8 bits of
data. Or well, it can, if that particular routine isn't used, but
considering it's a fairly crucial routine for entropy acquisition, I'd
say it needs a small change. PR coming up.

Cheers,
Richard

--
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

From levitte at openssl.org Wed May 2 06:17:28 2018
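[Added example, not part of the thread and not OpenSSL code: the sizing arithmetic behind the "25 KiB" / "about 3 KiB" exchange and the rand_pool_bytes_needed() side note above, worked in C. The 256-bit entropy requirement and both interface shapes (whole entropy bits per byte versus data bits per entropy bit) are assumptions made for illustration; the only figure taken from the thread is the quoted "Min Entropy: 0.0818772" per 8-bit symbol.]

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed inputs. MIN_ENTROPY_MICROBITS is the "Min Entropy: 0.0818772"
 * figure quoted in the thread (per 8-bit symbol), in millionths of a bit and
 * rounded down so the source is never over-credited.
 * ENTROPY_REQUIRED_BITS is an assumption; the thread states no figure.
 */
#define MIN_ENTROPY_MICROBITS 81877u
#define SYMBOL_BITS           8u
#define ENTROPY_REQUIRED_BITS 256u
#define MICRO                 1000000u

/* Ceiling division; d must be non-zero. */
static uint64_t ceil_div(uint64_t n, uint64_t d)
{
    return n / d + (n % d != 0);
}

/*
 * Symbols to gather for entropy_bits, given h_microbits of min-entropy per
 * symbol. Returns 0 on invalid input or overflow.
 */
uint64_t symbols_needed(uint64_t entropy_bits, uint64_t h_microbits)
{
    if (h_microbits == 0 || entropy_bits > UINT64_MAX / MICRO)
        return 0;
    return ceil_div(entropy_bits * MICRO, h_microbits);
}

/*
 * Hypothetical interface A: the source is described as whole entropy bits
 * per data byte (1..8). A source below 1 bit per byte has no valid value:
 * 0 is rejected, and 1 overstates it.
 */
uint64_t bytes_needed_per_byte(uint64_t entropy_bits, unsigned int entropy_per_byte)
{
    if (entropy_per_byte < 1 || entropy_per_byte > 8)
        return 0;
    return ceil_div(entropy_bits, entropy_per_byte);
}

/*
 * Hypothetical interface B: the source is described as data bits consumed
 * per entropy bit (>= 1), which can express arbitrarily weak sources.
 */
uint64_t bytes_needed_factor(uint64_t entropy_bits, unsigned int entropy_factor)
{
    if (entropy_factor < 1 || entropy_bits > UINT64_MAX / entropy_factor)
        return 0;
    return ceil_div(entropy_bits * entropy_factor, 8);
}

/* Smallest integer factor for interface B that does not overstate the source. */
unsigned int factor_from_min_entropy(uint64_t h_microbits, unsigned int symbol_bits)
{
    if (h_microbits == 0)
        return 0;
    return (unsigned int)ceil_div((uint64_t)symbol_bits * MICRO, h_microbits);
}

/* Entropy actually present in nbytes of this source, in microbits. */
uint64_t entropy_in_bytes_microbits(uint64_t nbytes, uint64_t h_microbits)
{
    return nbytes * h_microbits;
}

int main(void)
{
    uint64_t exact = symbols_needed(ENTROPY_REQUIRED_BITS, MIN_ENTROPY_MICROBITS);
    unsigned int factor = factor_from_min_entropy(MIN_ENTROPY_MICROBITS, SYMBOL_BITS);
    uint64_t a = bytes_needed_per_byte(ENTROPY_REQUIRED_BITS, 1);
    uint64_t b = bytes_needed_factor(ENTROPY_REQUIRED_BITS, factor);

    /* The same quantity in bytes and in bits: the mix-up in the thread. */
    printf("exact: %llu bytes = %llu data bits\n",
           (unsigned long long)exact, (unsigned long long)(exact * SYMBOL_BITS));
    /* Interface A stops far too early and credits entropy that is not there. */
    printf("A (1 bit/byte): %llu bytes holding %llu microbits\n",
           (unsigned long long)a,
           (unsigned long long)entropy_in_bytes_microbits(a, MIN_ENTROPY_MICROBITS));
    /* Interface B rounds the weakness up, so it gathers slightly more. */
    printf("B (factor %u): %llu bytes holding %llu microbits\n", factor,
           (unsigned long long)b,
           (unsigned long long)entropy_in_bytes_microbits(b, MIN_ENTROPY_MICROBITS));
    return 0;
}
```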
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 02 May 2018 08:17:28 +0200 (CEST)
Subject: [openssl-project] Monthly Status Report (April)
Message-ID: <20180502.081728.1022233216684071925.levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, etc., key activities this month:

Development:
- Supported the 1.1.1-pre4 release
- Performed the 1.1.1-pre5 release
- Made an extensive regression test of 1.1.0 against 1.1.1 libraries
- Fixed build and testing problems (see #5833, #5872, #5928, #5930,
  #5754, #6033, #6100)
- Fixed 'openssl rehash' defaults and documentation
- Fixed the OpenSSL_init_crypto documentation
- Fixed 'openssl ca' to open the output file in binary mode for -spkac
- Fixed 'openssl rehash' to behave like c_rehash on warnings
- Fixed PEM_def_callback() to stop looping around too short password
  check (which was dead code in practice)
- Stopped our dists from including internal / team member config
  targets
- Adapted the scrypt and RSA-PSS for the man-page directory layout
- Worked on the issues surrounding the creation of output files (-out)
- Worked on details surrounding the new DRBG, mostly centered around
  VMS support
- Helped testing and reviewing the Windows OneCore effort
- Updated and documented the list of digest commands that can be used
  as aliases for 'openssl dgst'
- Notable participation (reviewing and/or merging): the effort to
  have TLSProxy use random ports; DRBG related PRs; SM2 related issues
  and PRs

Admin:
- Updates and occasional reboot
- Set up of XYMON monitoring of our machinery (only available through
  firewall SSH tunnel proxy)
- Authoring and installing XYMON client to check the backup logs
- Set up of experimental Buildbot, intended for participatory builds
  by external parties
- Added support at openssl.org, forwarding to osf-contact at openssl.org
- Updated the deploy script

Others:
- Fixed minor release tool issue
- Fixed web site scripts to recognise 1.1.1
- Restarted code style change proposals

--
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

From rsalz at akamai.com Wed May 2 11:51:52 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 2 May 2018 11:51:52 +0000
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180502.055219.400891360743110066.levitte@openssl.org>
References: <20180430162209.GA4439@roeckx.be>
 <20180501.060913.811991315461935857.levitte@openssl.org>
 <20180501084317.GA32265@roeckx.be>
 <20180502.055219.400891360743110066.levitte@openssl.org>
Message-ID: <4416FE90-8BE8-45EC-A988-101F0E16DE6A@akamai.com>

We have not committed to being FIPS/NIST capable with our RNG this release. We have committed to other things, and we seem to be falling behind on those.

From rsalz at akamai.com Wed May 2 17:36:54 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 2 May 2018 17:36:54 +0000
Subject: [openssl-project] Tags for draft-21 and draft-23?
Message-ID:

Do we have tags or branches for draft-21 and draft-23? I see only 18 and 19 ?

From rsalz at akamai.com Fri May 4 13:46:47 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Fri, 4 May 2018 13:46:47 +0000
Subject: [openssl-project] FW: [openssl-commits] FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method
In-Reply-To: <1525428553.781571.12443.nullmailer@run.openssl.org>
References: <1525428553.781571.12443.nullmailer@run.openssl.org>
Message-ID:

Been failing for two days now ...

On 5/4/18, 6:09 AM, "OpenSSL run-checker" wrote:

    Platform and configuration command:

    $ uname -a
    Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method

    Commit log since last time:

    bc624bd v3_purp.c: add locking to x509v3_cache_extensions()
    463e6ef VMS: modernise rand_pool_acquire_entropy, step 2
    ce147f7 VMS: modernise rand_pool_acquire_entropy, step 1
    b1860d6 Return an error from BN_mod_inverse if n is 1 (or -1)
    4db296d Make X509_VERIFY_PARAM_get_hostflags() take a const arg
    e401389 Add a test for SSL_get_shared_ciphers()
    6021d8e Fix a bug in create_ssl_ctx_pair()
    3bfa475 Add some documentation for SSL_get_shared_ciphers()
    f054160 Fix comment in ssl_locl.h
    a216df5 Fix SSL_get_shared_ciphers()

    Build log ended with (last 100 lines):

    ../../openssl/test/recipes/30-test_evp.t ...................... ok
    ../../openssl/test/recipes/30-test_evp_extra.t ................ ok
    ../../openssl/test/recipes/30-test_pbelu.t .................... ok
    ../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
    ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
    ../../openssl/test/recipes/40-test_rehash.t ................... ok
    ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
    ../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
    ../../openssl/test/recipes/60-test_x509_store.t ............... ok
    ../../openssl/test/recipes/60-test_x509_time.t ................ ok
    ../../openssl/test/recipes/70-test_asyncio.t .................. ok
    ../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
    ../../openssl/test/recipes/70-test_clienthello.t .............. ok
    ../../openssl/test/recipes/70-test_comp.t ..................... ok
    ../../openssl/test/recipes/70-test_key_share.t ................ ok
    ../../openssl/test/recipes/70-test_packet.t ................... ok
    ../../openssl/test/recipes/70-test_recordlen.t ................ ok
    ../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
    ../../openssl/test/recipes/70-test_servername.t ............... ok
    ../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
    ../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
    ../../openssl/test/recipes/70-test_sslextension.t ............. ok
    ../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
    ../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
    ../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
    ../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
    ../../openssl/test/recipes/70-test_sslsignature.t ............. ok
    ../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
    ../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
    ../../openssl/test/recipes/70-test_sslvertol.t ................ ok
    ../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
    ../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
    ../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
    ../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
    ../../openssl/test/recipes/70-test_tls13messages.t ............ ok
    ../../openssl/test/recipes/70-test_tls13psk.t ................. ok
    ../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
    ../../openssl/test/recipes/70-test_verify_extra.t ............. ok
    ../../openssl/test/recipes/70-test_wpacket.t .................. ok
    ../../openssl/test/recipes/80-test_ca.t ....................... ok
    ../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
    ../../openssl/test/recipes/80-test_cipherlist.t ............... ok
    ../../openssl/test/recipes/80-test_ciphername.t ............... ok
    ../../openssl/test/recipes/80-test_cms.t ...................... ok
    ../../openssl/test/recipes/80-test_ct.t ....................... ok
    ../../openssl/test/recipes/80-test_dane.t ..................... ok
    ../../openssl/test/recipes/80-test_dtls.t ..................... ok
    ../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
    ../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
    ../../openssl/test/recipes/80-test_ocsp.t ..................... ok
    ../../openssl/test/recipes/80-test_pkcs12.t ................... ok
    ../../openssl/test/recipes/80-test_ssl_new.t .................. ok
    ../../openssl/test/recipes/80-test_ssl_old.t .................. ok
    ../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
    ../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
    ../../openssl/test/recipes/80-test_tsa.t ...................... ok
    ../../openssl/test/recipes/80-test_x509aux.t .................. ok
    ../../openssl/test/recipes/90-test_asn1_time.t ................ ok
    ../../openssl/test/recipes/90-test_async.t .................... ok
    ../../openssl/test/recipes/90-test_bio_enc.t .................. ok
    ../../openssl/test/recipes/90-test_constant_time.t ............ ok
    ../../openssl/test/recipes/90-test_fatalerr.t ................. ok
    ../../openssl/test/recipes/90-test_gmdiff.t ................... ok
    ../../openssl/test/recipes/90-test_ige.t ...................... ok
    ../../openssl/test/recipes/90-test_includes.t ................. ok
    ../../openssl/test/recipes/90-test_memleak.t .................. ok
    ../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
    ../../openssl/test/recipes/90-test_secmem.t ................... ok
    ../../openssl/test/recipes/90-test_shlibload.t ................ ok
    ../../openssl/test/recipes/90-test_srp.t ...................... ok
    ../../openssl/test/recipes/90-test_sslapi.t ................... Dubious, test returned 1 (wstat 256, 0x100)
    Failed 1/1 subtests
    ../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
    ../../openssl/test/recipes/90-test_store.t .................... ok
    ../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
    ../../openssl/test/recipes/90-test_threads.t .................. ok
    ../../openssl/test/recipes/90-test_time_offset.t .............. ok
    ../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
    ../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
    ../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
    ../../openssl/test/recipes/90-test_v3name.t ................... ok
    ../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
    ../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
    ../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
    ../../openssl/test/recipes/99-test_ecstress.t ................. ok
    ../../openssl/test/recipes/99-test_fuzz.t ..................... ok

    Test Summary Report
    -------------------
    ../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
      Failed test: 1
      Non-zero exit status: 1
    Files=146, Tests=1261, 179 wallclock secs ( 1.75 usr 0.32 sys + 153.54 cusr 9.28 csys = 164.89 CPU)
    Result: FAIL
    Makefile:204: recipe for target '_tests' failed
    make[1]: *** [_tests] Error 1
    make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2-method'
    Makefile:202: recipe for target 'tests' failed
    make: *** [tests] Error 2
    _____
    openssl-commits mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

From rsalz at akamai.com Mon May 7 01:37:00 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Mon, 7 May 2018 01:37:00 +0000
Subject: [openssl-project] Current votes FYI
Message-ID: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>

Greetings OpenSSL folks!

The OMC met this past weekend. Much was accomplished. Per our policy, we're telling the project that the following votes are now active among the OMC. As the votes are concluded, more information (blog posts, website updates, whatever's appropriate) will be made available.

VOTE: openssl-web and tools repositories shall be under the same review policy as per the openssl repository where the reviewers are OMC members

VOTE: That we remove "We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You cannot pay us to get security patches in advance" from the security policy and Mark posts a blog entry to explain the change including that we have no current such service.

VOTE: 1.1.1 beta release schedule changed so that the next two beta releases are now 29th May, 19 June and we will re-review release readiness after that. We will also ensure that there is at least one beta release post TLS-1.3 RFC publication prior to the final release.

VOTE: Remove the entire "Forthcoming Features" section from the Roadmap Policy and open github issues for those items listed which have not yet been completed and do not currently have issues raised or PR submitted.

VOTE: We don't intend to be involved in adding any additional platforms to the OpenSSL FIPS validation; instead we will work to enable other parties to meet this need.

VOTE: The next LTS release will be 1.1.1 and the LTS expiry date for 1.0.2 will not be changed.

From paul.dale at oracle.com Tue May 8 16:26:59 2018
From: paul.dale at oracle.com (Oracle)
Date: Tue, 8 May 2018 12:26:59 -0400
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180430.180020.1402330384104485085.levitte@openssl.org>
References: <20180430131000.GA25216@roeckx.be> <20180430.152609.587396153749337701.levitte@openssl.org> <20180430.164908.1424770216194967097.levitte@openssl.org> <20180430.180020.1402330384104485085.levitte@openssl.org>
Message-ID:

I can confirm that it is measured in bits per sample size (in this case bytes). The estimate is very low and this is not a great source.

We can explore other options and I should be able to spare some time over ICMC to assist. I'm not well versed in VMS though.

Pauli

> On 30 Apr 2018, at 12:00 pm, Richard Levitte wrote:
>
> In message <20180430.164908.1424770216194967097.levitte at openssl.org> on Mon, 30 Apr 2018 16:49:08 +0200 (CEST), Richard Levitte said:
>
> levitte> In message <20180430.152609.587396153749337701.levitte at openssl.org> on Mon, 30 Apr 2018 15:26:09 +0200 (CEST), Richard Levitte said:
> levitte>
> levitte> levitte> In message <20180430131000.GA25216 at roeckx.be> on Mon, 30 Apr 2018 15:10:01 +0200, Kurt Roeckx said:
> levitte> levitte>
> levitte> levitte> kurt> The comment about not hashing it is if you want to use the tool to
> levitte> levitte> kurt> do entropy estimation. Hashing it will not increase the entropy,
> levitte> levitte> kurt> but the estimation will be totally wrong.
> levitte> levitte> kurt>
> levitte> levitte> kurt> Passing the hashed data to the drbg as entropy input is fine if
> levitte> levitte> kurt> you already know how much entropy that it contains.
> levitte> levitte>
> levitte> levitte> Thanks, that's what I suspected. Ok, on to the next step
> levitte>
> levitte> Not done running, but does show some promise...
> levitte>
> levitte> : ; ./a.out ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin 8 -v
> levitte> Opening file: ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin
> levitte>
> levitte> Running non-IID tests...
> levitte>
> levitte> Entropic statistic estimates:
> levitte> Most Common Value Estimate = 0.975224
> levitte> Collision Test Estimate = 0.902997
> levitte> Markov Test Estimate = 0.410808
> levitte> Compression Test Estimate = 0.811274
> levitte>
> levitte> I assume that estimate is per "word" (i.e. per 8 bits of data in this
> levitte> case).
>
> Ok, done running... suffice to say, the first tests left me ever so
> hopeful...
>
> : ; ./a.out ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin 8 -v
> Opening file: ../../../levitte/vms-experiments/entropy-gathering/entropy-stats.bin
>
> Running non-IID tests...
>
> Entropic statistic estimates:
> Most Common Value Estimate = 0.975224
> Collision Test Estimate = 0.902997
> Markov Test Estimate = 0.410808
> Compression Test Estimate = 0.811274
> t-Tuple Test Estimate = 0.0818796
> Longest Reapeated Substring Test Estimate = 0.0818772
>
> Predictor estimates:
> Multi Most Common in Window (MultiMCW) Test: 100% complete
> Correct: 507351
> P_avg (global): 0.508671
> P_run (local): 0.587891
> Multi Most Common in Window (Multi MCW) Test = 0.76638
> Lag Test: 100% complete
> Correct: 269907
> P_avg (global): 0.271051
> P_run (local): 0.347168
> Lag Prediction Test = 1.52629
> MultiMMC Test: 100% complete
> Correct: 11700
> P_avg (global): 0.011977
> P_run (local): 0.444824
> Multi Markov Model with Counting (MultiMMC) Prediction Test = 1.16869
> LZ78Y Test: 99% complete
> Correct: 572107
> P_avg (global): 0.573391
> P_run (local): 0.615723
> LZ78Y Prediction Test = 0.699647
> Min Entropy: 0.0818772
>
> So I'd like to have it confirmed that I'm reading this right, that's
> about 0.08 entropy bits per 8 data bits? Or is it per data bit?
> Depending on the interpretation, we either have 1 bit of entropy per
> 12 data bits... or per 100 data bits... The latter has my heart
> sinking...
>
> --
> Richard Levitte levitte at openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project

From rsalz at akamai.com Tue May 8 16:36:23 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Tue, 8 May 2018 16:36:23 +0000
Subject: [openssl-project] FW: [TLS] WGLC for draft-ietf-tls-tls13-vectors
In-Reply-To: <5F30CC9E-EFFC-4A36-801F-A17B9DDF85E0@sn3rd.com>
References: <5F30CC9E-EFFC-4A36-801F-A17B9DDF85E0@sn3rd.com>
Message-ID: <5953B84D-6F03-411B-A520-7A5D4786D2E5@akamai.com>

Anyone want to take a look at wedging this into our test suite?

On 5/8/18, 12:31 PM, "Sean Turner" wrote:

All,

This is the working group last call for the "Example Handshake Traces for TLS 1.3" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/. Please review the document and send your comments to the list by 2359 UTC on 22 May 2018.

Thanks - J&S
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

From matt at openssl.org Tue May 8 16:44:50 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 8 May 2018 17:44:50 +0100
Subject: [openssl-project] FW: [TLS] WGLC for draft-ietf-tls-tls13-vectors
In-Reply-To: <5953B84D-6F03-411B-A520-7A5D4786D2E5@akamai.com>
References: <5F30CC9E-EFFC-4A36-801F-A17B9DDF85E0@sn3rd.com> <5953B84D-6F03-411B-A520-7A5D4786D2E5@akamai.com>
Message-ID: <44c8f1e8-e3ed-3389-9a57-717ac1ccc7e8@openssl.org>

tls13secretstest was originally based on these vectors:

https://github.com/openssl/openssl/blob/master/test/tls13secretstest.c

However, because we were moving faster with updating the vectors to match all the latest changes to the secrets calculations in the main spec, and because it's a major pain to update the test to match the latest vectors, I have not kept up-to-date with the latest version. Instead we swapped to self-generated vectors.

It should still be possible to swap back to the official vectors though now things have settled down.

Matt

On 08/05/18 17:36, Salz, Rich wrote:
> Anyone want to take a look at wedging this into our test suite?
>
> On 5/8/18, 12:31 PM, "Sean Turner" wrote:
>
> All,
>
> This is the working group last call for the "Example Handshake Traces for TLS 1.3" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/. Please review the document and send your comments to the list by 2359 UTC on 22 May 2018.
>
> Thanks - J&S

From levitte at openssl.org Tue May 8 18:24:19 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 08 May 2018 20:24:19 +0200 (CEST)
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To:
References: <20180430.164908.1424770216194967097.levitte@openssl.org> <20180430.180020.1402330384104485085.levitte@openssl.org>
Message-ID: <20180508.202419.551774525074577026.levitte@openssl.org>

In message on Tue, 8 May 2018 12:26:59 -0400, Oracle said:

paul.dale> I can confirm that it is measured in bits per sample size
paul.dale> (in this case bytes). The estimate is very low and this is
paul.dale> not a great source.

Note that this is on a fairly inactive machine, and it's not *one* source, but rather the concatenation of diverse counters all at once (700+ bytes worth of data each time).

Also, I've had other suggestions from the folks on comp.os.vms that I'm gonna try as well as time allows.

paul.dale> We can explore other options and I should be able to spare
paul.dale> some time over ICMC to assist. I'm not well versed in VMS
paul.dale> though.

Unfortunately, I'm not present there... But I would see no problem having a conversation directly with you, by email or by video link.

Cheers,
Richard

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From paul.dale at oracle.com Tue May 8 23:33:24 2018
From: paul.dale at oracle.com (Oracle)
Date: Tue, 8 May 2018 19:33:24 -0400
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To: <20180430131000.GA25216@roeckx.be>
References: <6f707b9d-3a18-4912-9685-bc23a0714a5e@default> <20180424172439.GA8068@roeckx.be> <20180430.144253.1714680705314385876.levitte@openssl.org> <20180430131000.GA25216@roeckx.be>
Message-ID:

Kurt wrote:

> The comment about not hashing it is if you want to use the tool to
> do entropy estimation. Hashing it will not increase the entropy,
> but the estimation will be totally wrong.

> Passing the hashed data to the drbg as entropy input is fine if
> you already know how much entropy that it contains.

This is spot on. Hash the data and it will appear to have eight bits per byte of entropy regardless of the input. The estimate output from NIST's suite will be around 7.8 bits per byte but that's close enough. The standards refer to this as "whitening". It is fine to whiten the entropy data before passing it to the DRBG but the entropy estimate must be based on the pre-whitened data.

Pauli

From paul.dale at oracle.com Wed May 9 01:09:58 2018
From: paul.dale at oracle.com (Dr Paul Dale)
Date: Tue, 8 May 2018 21:09:58 -0400
Subject: [openssl-project] Entropy seeding the DRBG
In-Reply-To:
References: <6f707b9d-3a18-4912-9685-bc23a0714a5e@default> <20180424172439.GA8068@roeckx.be> <20180430.144253.1714680705314385876.levitte@openssl.org> <20180430131000.GA25216@roeckx.be>
Message-ID: <4A8DA9A9-5906-4FA0-A2C9-241BB08FEE3E@oracle.com>

Apologies for the name I've been sending under. I don't represent Oracle of course. A temporary new MUA that isn't quite doing what I expected.

Pauli

> On 8 May 2018, at 7:33 pm, Oracle wrote:
>
> Kurt wrote:
>
>> The comment about not hashing it is if you want to use the tool to
>> do entropy estimation. Hashing it will not increase the entropy,
>> but the estimation will be totally wrong.
>
>> Passing the hashed data to the drbg as entropy input is fine if
>> you already know how much entropy that it contains.
>
> This is spot on. Hash the data and it will appear to have eight bits per byte of entropy regardless of the input. The estimate output from NIST's suite will be around 7.8 bits per byte but that's close enough. The standards refer to this as "whitening". It is fine to whiten the entropy data before passing it to the DRBG but the entropy estimate must be based on the pre-whitened data.
>
> Pauli

From rsalz at akamai.com Wed May 9 11:30:46 2018
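Added illustration, not part of the thread and not OpenSSL code, of the whitening point in the two messages above: a most-common-value min-entropy estimate (a simplified form of the suite's "Most Common Value Estimate") run on constructed counter records before and after SHA-256, then used to size a seed. The record layout, the 256-bit seed target and every function name are assumptions made for this example.

```python
import hashlib
import math
import random
import struct
from collections import Counter

RECORD_LEN = 32  # assumption: constructed record size, not the VMS data


def constructed_counter_source(records, seed=1):
    """Constructed weak source: each record is a 64-bit tick counter that
    advances by 1 or 2 (one unpredictable bit), then 24 constant bytes."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    counter = 0
    out = bytearray()
    for _ in range(records):
        counter += 1 + rng.getrandbits(1)
        out += struct.pack(">Q", counter) + b"\x00" * (RECORD_LEN - 8)
    return bytes(out)


def whiten(raw):
    """SHA-256 each 32-byte record: 32 bytes in, 32 bytes out."""
    out = bytearray()
    for i in range(0, len(raw), RECORD_LEN):
        out += hashlib.sha256(raw[i:i + RECORD_LEN]).digest()
    return bytes(out)


def mcv_min_entropy(data):
    """Most-common-value estimate in bits per byte: frequency of the
    commonest byte, plus an upper confidence bound (z = 2.576), then -log2."""
    n = len(data)
    p_hat = Counter(data).most_common(1)[0][1] / n
    p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_upper)


def bytes_needed(min_entropy_per_byte, seed_bits):
    """Raw bytes to collect so the total min-entropy reaches seed_bits."""
    return math.ceil(seed_bits / min_entropy_per_byte)


def compare(records=32768):
    """Estimate the same constructed data before and after whitening."""
    raw = constructed_counter_source(records)
    return {
        "true_bits_per_byte": 1 / RECORD_LEN,  # known by construction
        "raw_estimate": mcv_min_entropy(raw),
        "whitened_estimate": mcv_min_entropy(whiten(raw)),
    }


if __name__ == "__main__":
    r = compare()
    for name, value in r.items():
        print(f"{name:20s} {value:.4f} bits/byte")
    # Sizing a 256-bit seed (assumed target) from each figure:
    print("from whitened estimate:", bytes_needed(r["whitened_estimate"], 256), "bytes")
    print("from raw estimate:     ", bytes_needed(r["raw_estimate"], 256), "bytes")
    print("from true entropy:     ", bytes_needed(r["true_bits_per_byte"], 256), "bytes")
    # The thread's measured figure, Min Entropy 0.0818772 bits per byte:
    print("from 0.0818772:        ", bytes_needed(0.0818772, 256), "bytes")
```

The whitened estimate comes out close to 8 bits per byte even though each digest carries at most the one bit that went into its record, so sizing the seed from it would collect a few dozen bytes where thousands are needed.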
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 9 May 2018 11:30:46 +0000
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <1525858357.436708.25025.nullmailer@run.openssl.org>
References: <1525858357.436708.25025.nullmailer@run.openssl.org>
Message-ID: <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4@akamai.com>

I think it's been more than a week now

On 5/9/18, 5:32 AM, "OpenSSL run-checker" wrote:

Platform and configuration command:

$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2

Commit log since last time:

06e0950 VMS rand: assign before check, not the other way around
8c8fbca Fix --strict-warnings build of ppc-linux target
7d859d1 ec/ec_mult.c: get BN_CTX_start,end sequence right.
61e9655 Add a DTLS test for dropped records
f750641 Keep the DTLS timer running after the end of the handshake if appropriate
ad96225 Only auto-retry for DTLS if configured to do so
6f6da2f Fix s_client and s_server so that they correctly handle the DTLS timer
f20404f Don't fail on an out-of-order CCS in DTLS
e15e92d Add a CMS API test
3d551b2 Fix a mem leak in CMS

Build log ended with (last 100 lines):

../../openssl/test/recipes/30-test_evp_extra.t ................ ok
../../openssl/test/recipes/30-test_pbelu.t .................... ok
../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
../../openssl/test/recipes/40-test_rehash.t ................... ok
../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
../../openssl/test/recipes/60-test_x509_store.t ............... ok
../../openssl/test/recipes/60-test_x509_time.t ................ ok
../../openssl/test/recipes/70-test_asyncio.t .................. ok
../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
../../openssl/test/recipes/70-test_clienthello.t .............. ok
../../openssl/test/recipes/70-test_comp.t ..................... ok
../../openssl/test/recipes/70-test_key_share.t ................ ok
../../openssl/test/recipes/70-test_packet.t ................... ok
../../openssl/test/recipes/70-test_recordlen.t ................ ok
../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
../../openssl/test/recipes/70-test_servername.t ............... ok
../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
../../openssl/test/recipes/70-test_sslextension.t ............. ok
../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
../../openssl/test/recipes/70-test_sslsignature.t ............. ok
../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
../../openssl/test/recipes/70-test_sslvertol.t ................ ok
../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
../../openssl/test/recipes/70-test_tls13messages.t ............ ok
../../openssl/test/recipes/70-test_tls13psk.t ................. ok
../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_verify_extra.t ............. ok
../../openssl/test/recipes/70-test_wpacket.t .................. ok
../../openssl/test/recipes/80-test_ca.t ....................... ok
../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
../../openssl/test/recipes/80-test_cipherlist.t ............... ok
../../openssl/test/recipes/80-test_ciphername.t ............... ok
../../openssl/test/recipes/80-test_cms.t ...................... ok
../../openssl/test/recipes/80-test_cmsapi.t ................... ok
../../openssl/test/recipes/80-test_ct.t ....................... ok
../../openssl/test/recipes/80-test_dane.t ..................... ok
../../openssl/test/recipes/80-test_dtls.t ..................... ok
../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
../../openssl/test/recipes/80-test_ocsp.t ..................... ok
../../openssl/test/recipes/80-test_pkcs12.t ................... ok
../../openssl/test/recipes/80-test_ssl_new.t .................. ok
../../openssl/test/recipes/80-test_ssl_old.t .................. ok
../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
../../openssl/test/recipes/80-test_tsa.t ...................... ok
../../openssl/test/recipes/80-test_x509aux.t .................. ok
../../openssl/test/recipes/90-test_asn1_time.t ................ ok
../../openssl/test/recipes/90-test_async.t .................... ok
../../openssl/test/recipes/90-test_bio_enc.t .................. ok
../../openssl/test/recipes/90-test_constant_time.t ............ ok
../../openssl/test/recipes/90-test_fatalerr.t ................. ok
../../openssl/test/recipes/90-test_gmdiff.t ................... ok
../../openssl/test/recipes/90-test_ige.t ...................... ok
../../openssl/test/recipes/90-test_includes.t ................. ok
../../openssl/test/recipes/90-test_memleak.t .................. ok
../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
../../openssl/test/recipes/90-test_secmem.t ................... ok
../../openssl/test/recipes/90-test_shlibload.t ................ ok
../../openssl/test/recipes/90-test_srp.t ...................... ok
../../openssl/test/recipes/90-test_sslapi.t ...................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
../../openssl/test/recipes/90-test_store.t .................... ok
../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
../../openssl/test/recipes/90-test_threads.t .................. ok
../../openssl/test/recipes/90-test_time_offset.t .............. ok
../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
../../openssl/test/recipes/90-test_v3name.t ................... ok
../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/99-test_ecstress.t ................. ok
../../openssl/test/recipes/99-test_fuzz.t ..................... ok

Test Summary Report
-------------------
../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=147, Tests=1262, 186 wallclock secs ( 1.73 usr 0.33 sys + 160.14 cusr 9.34 csys = 171.54 CPU)
Result: FAIL
Makefile:204: recipe for target '_tests' failed
make[1]: *** [_tests] Error 1
make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2'
Makefile:202: recipe for target 'tests' failed
make: *** [tests] Error 2
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

From levitte at openssl.org Wed May 9 11:48:42 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 09 May 2018 13:48:42 +0200 (CEST)
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4@akamai.com>
References: <1525858357.436708.25025.nullmailer@run.openssl.org> <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4@akamai.com>
Message-ID: <20180509.134842.973840512960602147.levitte@openssl.org>

Cannot reproduce on my machine, that test goes through smoothly there.

So I tried again on the machine that runs run-checker (verbose test), and here's where things go wrong:

ok 33 - test_ssl_pending
# Subtest: test_ssl_get_shared_ciphers
1..5
# INFO: @ ../openssl/test/ssltestlib.c:697
# SSL_connect() failed -1, 1
# INFO: @ ../openssl/test/ssltestlib.c:711
# SSL_accept() failed -1, 1
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:4538
# false
# 140218663200512:error:141FC044:SSL routines:tls_setup_handshake:internal error:../openssl/ssl/statem/statem_lib.c:110:
not ok 1 - iteration 1
# INFO: @ ../openssl/test/ssltestlib.c:697
# SSL_connect() failed -1, 1
# INFO: @ ../openssl/test/ssltestlib.c:711
# SSL_accept() failed -1, 1
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:4538
# false
# 140218663200512:error:141FC044:SSL routines:tls_setup_handshake:internal error:../openssl/ssl/statem/statem_lib.c:110:
not ok 2 - iteration 2
# INFO: @ ../openssl/test/ssltestlib.c:697
# SSL_connect() failed -1, 1
# INFO: @ ../openssl/test/ssltestlib.c:711
# SSL_accept() failed -1, 1
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:4538
# false
# 140218663200512:error:141FC044:SSL routines:tls_setup_handshake:internal error:../openssl/ssl/statem/statem_lib.c:110:
not ok 3 - iteration 3
# ERROR: (int) 'strcmp(buf, shared_ciphers_data[tst].shared) == 0' failed @ ../openssl/test/sslapitest.c:4542
# [-58] compared to [0]
# INFO: @ ../openssl/test/sslapitest.c:4543
# Shared ciphers are: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
not ok 4 - iteration 4
ok 5 - iteration 5
not ok 34 - test_ssl_get_shared_ciphers
../../util/shlib_wrap.sh ../../test/sslapitest ../../../openssl/apps/server.pem ../../../openssl/apps/server.pem ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/luFFon5Hte => 1
not ok 1 - running sslapitest
# Failed test 'running sslapitest'
# at ../../openssl/test/recipes/90-test_sslapi.t line 23.
# Looks like you failed 1 test of 1.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests

I'll see if I can figure out what's happening...

Among the differences between my machine (lapdog [*]) and the run-checkers runner (run):

lapdog: Debian GNU/Linux [sid]
run: Ubuntu 16.04

lapdog: clang 4.0.1-10
run: 3.8.0-2ubuntu4

Cheers,
Richard

In message <5B1ED117-2985-43D6-BF1B-2DD58EF3EFB4 at akamai.com> on Wed, 9 May 2018 11:30:46 +0000, "Salz, Rich" said:

rsalz> I think it's been more than a week now
rsalz>
rsalz> On 5/9/18, 5:32 AM, "OpenSSL run-checker" wrote:
rsalz>
rsalz> Platform and configuration command:
rsalz>
rsalz> $ uname -a
rsalz> Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
rsalz> $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2
rsalz>
rsalz> Commit log since last time:
rsalz>
rsalz> 06e0950 VMS rand: assign before check, not the other way around
rsalz> 8c8fbca Fix --strict-warnings build of ppc-linux target
rsalz> 7d859d1 ec/ec_mult.c: get BN_CTX_start,end sequence right.
rsalz> 61e9655 Add a DTLS test for dropped records
rsalz> f750641 Keep the DTLS timer running after the end of the handshake if appropriate
rsalz> ad96225 Only auto-retry for DTLS if configured to do so
rsalz> 6f6da2f Fix s_client and s_server so that they correctly handle the DTLS timer
rsalz> f20404f Don't fail on an out-of-order CCS in DTLS
rsalz> e15e92d Add a CMS API test
rsalz> 3d551b2 Fix a mem leak in CMS
rsalz>
rsalz> Build log ended with (last 100 lines):

From rsalz at akamai.com Thu May 10 12:57:42 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Thu, 10 May 2018 12:57:42 +0000
Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2
In-Reply-To: <1525949829.951873.423.nullmailer@run.openssl.org>
References: <1525949829.951873.423.nullmailer@run.openssl.org>
Message-ID: <44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com>

sigh

On 5/10/18, 6:57 AM, "OpenSSL run-checker" wrote:

Platform and configuration command:

$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2

Commit log since last time:

7f35627 Fix typos in x509 documentation
60845a0 Add CHANGES entry for PR#6009
0dae8ba Add blinding in BN_GF2m_mod_inv for binary field inversions
a7b0b69 ECC: unify generic ec2 and ecp scalar multiplication, deprecate ec2_mult.c
fe2d397 ECDSA: remove nonce padding (delegated to EC_POINT_mul)

Build log ended with (last 100 lines):

../../openssl/test/recipes/30-test_evp_extra.t ................ ok
../../openssl/test/recipes/30-test_pbelu.t .................... ok
../../openssl/test/recipes/30-test_pkey_meth.t ................ ok
../../openssl/test/recipes/30-test_pkey_meth_kdf.t ............ ok
../../openssl/test/recipes/40-test_rehash.t ................... ok
../../openssl/test/recipes/60-test_x509_check_cert_pkey.t ..... ok
../../openssl/test/recipes/60-test_x509_dup_cert.t ............ ok
../../openssl/test/recipes/60-test_x509_store.t ............... ok
../../openssl/test/recipes/60-test_x509_time.t ................ ok
../../openssl/test/recipes/70-test_asyncio.t .................. ok
../../openssl/test/recipes/70-test_bad_dtls.t ................. ok
../../openssl/test/recipes/70-test_clienthello.t .............. ok
../../openssl/test/recipes/70-test_comp.t ..................... ok
../../openssl/test/recipes/70-test_key_share.t ................ ok
../../openssl/test/recipes/70-test_packet.t ................... ok
../../openssl/test/recipes/70-test_recordlen.t ................ ok
../../openssl/test/recipes/70-test_renegotiation.t ............ skipped: test_renegotiation needs TLS <= 1.2 enabled
../../openssl/test/recipes/70-test_servername.t ............... ok
../../openssl/test/recipes/70-test_sslcbcpadding.t ............ skipped: test_sslcbcpadding needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslcertstatus.t ............ skipped: test_sslcertstatus needs TLS enabled
../../openssl/test/recipes/70-test_sslextension.t ............. ok
../../openssl/test/recipes/70-test_sslmessages.t .............. skipped: test_sslmessages needs TLS enabled
../../openssl/test/recipes/70-test_sslrecords.t ............... skipped: test_sslrecords needs TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsessiontick.t ........... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_sslsigalgs.t ............... ok
../../openssl/test/recipes/70-test_sslsignature.t ............. ok
../../openssl/test/recipes/70-test_sslskewith0p.t ............. ok
../../openssl/test/recipes/70-test_sslversions.t .............. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled
../../openssl/test/recipes/70-test_sslvertol.t ................ ok
../../openssl/test/recipes/70-test_tls13cookie.t .............. ok
../../openssl/test/recipes/70-test_tls13downgrade.t ........... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled
../../openssl/test/recipes/70-test_tls13hrr.t ................. ok
../../openssl/test/recipes/70-test_tls13kexmodes.t ............ ok
../../openssl/test/recipes/70-test_tls13messages.t ............ ok
../../openssl/test/recipes/70-test_tls13psk.t ................. ok
../../openssl/test/recipes/70-test_tlsextms.t ................. skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled
../../openssl/test/recipes/70-test_verify_extra.t ............. ok
../../openssl/test/recipes/70-test_wpacket.t .................. ok
../../openssl/test/recipes/80-test_ca.t ....................... ok
../../openssl/test/recipes/80-test_cipherbytes.t .............. ok
../../openssl/test/recipes/80-test_cipherlist.t ............... ok
../../openssl/test/recipes/80-test_ciphername.t ............... ok
../../openssl/test/recipes/80-test_cms.t ...................... ok
../../openssl/test/recipes/80-test_cmsapi.t ................... ok
../../openssl/test/recipes/80-test_ct.t ....................... ok
../../openssl/test/recipes/80-test_dane.t ..................... ok
../../openssl/test/recipes/80-test_dtls.t ..................... ok
../../openssl/test/recipes/80-test_dtls_mtu.t ................. ok
../../openssl/test/recipes/80-test_dtlsv1listen.t ............. ok
../../openssl/test/recipes/80-test_ocsp.t ..................... ok
../../openssl/test/recipes/80-test_pkcs12.t ................... ok
../../openssl/test/recipes/80-test_ssl_new.t .................. ok
../../openssl/test/recipes/80-test_ssl_old.t .................. ok
../../openssl/test/recipes/80-test_ssl_test_ctx.t ............. ok
../../openssl/test/recipes/80-test_sslcorrupt.t ............... ok
../../openssl/test/recipes/80-test_tsa.t ...................... ok
../../openssl/test/recipes/80-test_x509aux.t .................. ok
../../openssl/test/recipes/90-test_asn1_time.t ................ ok
../../openssl/test/recipes/90-test_async.t .................... ok
../../openssl/test/recipes/90-test_bio_enc.t .................. ok
../../openssl/test/recipes/90-test_constant_time.t ............ ok
../../openssl/test/recipes/90-test_fatalerr.t ................. ok
../../openssl/test/recipes/90-test_gmdiff.t ................... ok
../../openssl/test/recipes/90-test_ige.t ...................... ok
../../openssl/test/recipes/90-test_includes.t ................. ok
../../openssl/test/recipes/90-test_memleak.t .................. ok
../../openssl/test/recipes/90-test_overhead.t ................. skipped: Only supported in no-shared builds
../../openssl/test/recipes/90-test_secmem.t ................... ok
../../openssl/test/recipes/90-test_shlibload.t ................ ok
../../openssl/test/recipes/90-test_srp.t ...................... ok
../../openssl/test/recipes/90-test_sslapi.t ...................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
../../openssl/test/recipes/90-test_sslbuffers.t ............... ok
../../openssl/test/recipes/90-test_store.t .................... ok
../../openssl/test/recipes/90-test_sysdefault.t ............... skipped: test_sysdefault is not supported in this build
../../openssl/test/recipes/90-test_threads.t .................. ok
../../openssl/test/recipes/90-test_time_offset.t .............. ok
../../openssl/test/recipes/90-test_tls13ccs.t ................. ok
../../openssl/test/recipes/90-test_tls13encryption.t .......... ok
../../openssl/test/recipes/90-test_tls13secrets.t ............. ok
../../openssl/test/recipes/90-test_v3name.t ................... ok
../../openssl/test/recipes/95-test_external_boringssl.t ....... skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_krb5.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/95-test_external_pyca.t ............ skipped: No external tests in this configuration
../../openssl/test/recipes/99-test_ecstress.t ................. ok
../../openssl/test/recipes/99-test_fuzz.t .....................
ok Test Summary Report ------------------- ../../openssl/test/recipes/90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=147, Tests=1262, 221 wallclock secs ( 1.65 usr 0.33 sys + 195.60 cusr 9.50 csys = 207.08 CPU) Result: FAIL Makefile:204: recipe for target '_tests' failed make[1]: *** [_tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-tls1_2' Makefile:202: recipe for target 'tests' failed make: *** [tests] Error 2 _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits From matt at openssl.org Thu May 10 12:59:35 2018 
From: matt at openssl.org (Matt Caswell) Date: Thu, 10 May 2018 13:59:35 +0100 Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 In-Reply-To: <44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com> References: <1525949829.951873.423.nullmailer@run.openssl.org> <44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com> Message-ID: <7ff17149-3390-86d9-5d8f-3cfc9e77dc26@openssl.org> It should be fixed already - but the fixes didn't go in in time for the latest run-checker run. By tomorrow it should be ok (hopefully). Matt On 10/05/18 13:57, Salz, Rich wrote: > sigh From levitte at openssl.org Thu May 10 17:28:10 2018 
From: levitte at openssl.org (Richard Levitte) Date: Thu, 10 May 2018 19:28:10 +0200 (CEST) Subject: [openssl-project] FW: [openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2 In-Reply-To: <7ff17149-3390-86d9-5d8f-3cfc9e77dc26@openssl.org> References: <1525949829.951873.423.nullmailer@run.openssl.org> <44193246-B7C4-4EF7-96C2-057EB9EAFFBB@akamai.com> <7ff17149-3390-86d9-5d8f-3cfc9e77dc26@openssl.org> Message-ID: <20180510.192810.745367931451519332.levitte@openssl.org> A simple 'git log --oneline' confirms this: 13f6857db1 PPC assembly pack: add POWER9 results. 41b77d5447 .travis.yml: add pair of linux-ppc64le targets. a01b9cd5a7 Fix no-cms 60155b9ae1 Fix no-tls1_2, no-tls1_2-method, no-chacha and no-poly1305 7f35627c79 Fix typos in x509 documentation 60845a0aa4 Add CHANGES entry for PR#6009 Cheers, Richard In message <7ff17149-3390-86d9-5d8f-3cfc9e77dc26 at openssl.org> on Thu, 10 May 2018 13:59:35 +0100, Matt Caswell said: matt> It should be fixed already - but the fixes didn't go in in time for the matt> latest run-checker run. By tomorrow it should be ok (hopefully). 
matt> matt> Matt matt> matt> matt> On 10/05/18 13:57, Salz, Rich wrote: matt> > sigh From rsalz at akamai.com Tue May 15 15:38:25 2018 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 15 May 2018 15:38:25 +0000 Subject: [openssl-project] FW: [openssl-omc] VOTE on removing rationale for binary compatibility Message-ID: <785BD30B-F00B-4967-968B-83BCEA45FD79@akamai.com> FYI From: Rich Salz Reply-To: "openssl-omc at openssl.org" Date: Tuesday, May 15, 2018 at 11:36 AM To: "openssl-omc at openssl.org" Subject: [openssl-omc] VOTE on removing rationale for binary compatibility Matt raised the issue that since this paragraph is in the release strategy, we need a vote to remove it. In policies/releasestrat.html: > @@ -34,20 +34,6 @@
performance improvements and so on. There is no need to recompile applications to benefit from these features.

-

Binary compatibility also allows other possibilities. For - example, consider an application that wishes to utilize - a new cipher provided in a specific 1.0.x release, but it - is also desirable to maintain the application in a 1.0.0 - context. Customarily this would be resolved at compile time - resulting in two binary packages targeting different OpenSSL - versions. However, depending on the feature, it might be - possible to check for its availability at run-time, thus cutting - down on the maintenance of multiple binary packages. Admittedly - it takes a certain discipline and some extra coding, but we - would like to encourage such practice. This is because we - want to see later releases being adopted faster, because new - features can improve security.

-
Mark's pointed out that when he removed rationale from the security policy, it was with a vote. So here's a vote.
----------------
topic: Remove the second paragraph ("Binary compatibility...improve security") from the release strategy.
Proposed by Rich
Public: yes
opened: 2018-05-15
closed: yyyy-mm-dd
ONE WEEK VOTE
From rsalz at akamai.com Wed May 16 17:14:29 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 16 May 2018 17:14:29 +0000
Subject: [openssl-project] About efail
Message-ID: <327D5DAF-19F8-4F58-A8F8-9CE6BEC0251B@akamai.com>

Doesn't all this make you very glad that we have resisted adding AEAD support to the enc command, for streaming especially?
From rsalz at akamai.com Mon May 21 12:15:49 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Mon, 21 May 2018 12:15:49 +0000
Subject: [openssl-project] build/test before merging
Message-ID: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>

The ghmerge script has a commented-out call to "opensslbuild" to build+test before submitting. I would like to enable that, and add either --build or --nobuild flags. Thoughts?
From openssl-users at dukhovni.org Wed May 23 00:25:25 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Tue, 22 May 2018 20:25:25 -0400
Subject: [openssl-project] build/test before merging
In-Reply-To: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com>
Message-ID: <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org>

> On May 21, 2018, at 8:15 AM, Salz, Rich wrote:
>
> The ghmerge script has a commented-out call to "opensslbuild" to build+test before submitting.
> I would like to enable that, and add either --build or --nobuild flags. Thoughts?
It probably does not know how/where I prefer to do builds... -- Viktor. From rsalz at akamai.com Wed May 23 00:37:24 2018 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 23 May 2018 00:37:24 +0000 Subject: [openssl-project] build/test before merging In-Reply-To: <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> Message-ID: <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> > It probably does not know how/where I prefer to do builds... No, I'm sure it does not. I think the safer thing is to do a full build, to catch things like make update errors, and such. I also run the test suite before I submit. YMMV. From openssl-users at dukhovni.org Wed May 23 00:39:21 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 22 May 2018 20:39:21 -0400 Subject: [openssl-project] build/test before merging In-Reply-To: <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> Message-ID: > On May 22, 2018, at 8:37 PM, Salz, Rich wrote: > > No, I'm sure it does not. I think the safer thing is to do a full build, to catch things like make update errors, and such. I also run the test suite before I submit. I do the same, but I am reluctant having a script doing it for me using some fixed recipe... -- Viktor. 
From kaduk at mit.edu Wed May 23 00:41:59 2018 From: kaduk at mit.edu (Benjamin Kaduk) Date: Tue, 22 May 2018 19:41:59 -0500 Subject: [openssl-project] build/test before merging In-Reply-To: References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> Message-ID: <20180523004158.GH10597@kduck.kaduk.org> On Tue, May 22, 2018 at 08:39:21PM -0400, Viktor Dukhovni wrote: > > > > On May 22, 2018, at 8:37 PM, Salz, Rich wrote: > > > > No, I'm sure it does not. I think the safer thing is to do a full build, to catch things like make update errors, and such. I also run the test suite before I submit. > > I do the same, but I am reluctant having a script doing it for me using some fixed recipe... I'm happy doing the build/test manually before merging, too. -Ben From rsalz at akamai.com Wed May 23 00:43:58 2018 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 23 May 2018 00:43:58 +0000 Subject: [openssl-project] build/test before merging In-Reply-To: <20180523004158.GH10597@kduck.kaduk.org> References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> Message-ID: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> > I do the same, but I am reluctant having a script doing it for me using some fixed recipe... > I'm happy doing the build/test manually before merging, too. So do you guys use the ghmerge script or own procedures? I'm curious. 
From openssl-users at dukhovni.org Wed May 23 00:46:51 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 22 May 2018 20:46:51 -0400 Subject: [openssl-project] build/test before merging In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> Message-ID: > On May 22, 2018, at 8:43 PM, Salz, Rich wrote: > > So do you guys use the ghmerge script or own procedures? I'm curious. Good point, I've not yet had a chance to look at ghmerge and figure out how/whether to use it. If that continues, ... my preferences for its implementation don't carry much weight! [ Though some changes might prolong my state of indifference... ] -- Viktor. From kaduk at mit.edu Wed May 23 01:00:26 2018 From: kaduk at mit.edu (Benjamin Kaduk) Date: Tue, 22 May 2018 20:00:26 -0500 Subject: [openssl-project] build/test before merging In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> Message-ID: <20180523010025.GI10597@kduck.kaduk.org> On Wed, May 23, 2018 at 12:43:58AM +0000, Salz, Rich wrote: > > I do the same, but I am reluctant having a script doing it for me using some fixed recipe... > > > I'm happy doing the build/test manually before merging, too. > > > So do you guys use the ghmerge script or own procedures? I'm curious. My own procedures (the addrev script and push by hand). 
-Ben From levitte at openssl.org Wed May 23 06:03:44 2018 From: levitte at openssl.org (Richard Levitte) Date: Wed, 23 May 2018 08:03:44 +0200 (CEST) Subject: [openssl-project] build/test before merging In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> References: <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> Message-ID: <20180523.080344.290952061342669193.levitte@openssl.org> In message <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D at akamai.com> on Wed, 23 May 2018 00:43:58 +0000, "Salz, Rich" said: rsalz> > I do the same, but I am reluctant having a script doing it for me using some fixed recipe... rsalz> rsalz> > I'm happy doing the build/test manually before merging, too. rsalz> rsalz> rsalz> So do you guys use the ghmerge script or own procedures? I'm curious. I use addrev and git commands. ghmerge does too much for my taste. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From matt at openssl.org Wed May 23 08:19:48 2018 From: matt at openssl.org (Matt Caswell) Date: Wed, 23 May 2018 09:19:48 +0100 Subject: [openssl-project] build/test before merging In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> Message-ID: On 23/05/18 01:43, Salz, Rich wrote: > > I do the same, but I am reluctant having a script doing it for me using some fixed recipe... > >> I'm happy doing the build/test manually before merging, too. > > > So do you guys use the ghmerge script or own procedures? I'm curious. I tried it once. Didn't like it, so I always do my own procedure. 
Matt

From matt at openssl.org Wed May 23 08:34:19 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 23 May 2018 09:34:19 +0100
Subject: [openssl-project] Current votes FYI
In-Reply-To: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:

FYI, all of these votes are now closed. The final vote results are inserted below.

On 07/05/18 02:37, Salz, Rich wrote:
> VOTE: openssl-web and tools repositories shall be under the same review
> policy as per the openssl repository where the reviewers are OMC members

+1: 5
0: 1
-1: 1
No vote: 1

The vote passed.

> VOTE: That we remove "We strongly believe that the right to advance
> patches/info should not be based in any way on paid membership to some
> forum. You cannot pay us to get security patches in advance" from the
> security policy and Mark posts a blog entry to explain the change
> including that we have no current such service.

+1: 4
0: 2
-1: 1
No vote: 1

The vote passed.

> VOTE: 1.1.1 beta release schedule changed so that the next two beta
> releases are now 29th May, 19 June and we will re-review release
> readiness after that. We will also ensure that there is at least one
> beta release post TLS-1.3 RFC publication prior to the final release.

+1: 7
0: 0
-1: 0
No vote: 1

The vote passed.

> VOTE: Remove the entire "Forthcoming Features" section from the Roadmap
> Policy and open github issues for those items listed which have not yet
> been completed and do not currently have issues raised or PR submitted.

+1: 4
0: 3
-1: 0
No vote: 1

The vote passed.

> VOTE: We don't intend to be involved in adding any additional platforms
> to the OpenSSL FIPS validation; instead we will work to enable other
> parties to meet this need.

+1: 5
0: 2
-1: 0
No vote: 1

The vote passed.

> VOTE: The next LTS release will be 1.1.1 and the LTS expiry date for
> 1.0.2 will not be changed.

+1: 7
0: 0
-1: 0
No vote: 1

The vote passed.
From rsalz at akamai.com Wed May 23 14:58:58 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 14:58:58 +0000
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:

Another update

VOTE: Remove the second paragraph ("Binary compatibility...improve security") from the release strategy.

+1: 2
0: 1
-1: 0
No vote: 5

The vote passed.

From Matthias.St.Pierre at ncp-e.com Wed May 23 15:12:30 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:12:30 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:

> So do you guys use the ghmerge script or own procedures? I'm curious.

At the beginning, I tried to use ghmerge but it was not flexible enough for my needs. In particular, it only gives me the choice between squashing everything or leaving everything as it is. Most notably, it does not support partial squashing by interactive rebasing. Or alternatively: pausing + letting me fix something + resuming. What I also dislike is that it uses a lot of GitHub API overhead, for example it pulls the commits from the pr owner's repository, instead of pulling the branch directly from openssl/openssl using the refs/pull/*/head references (which wouldn't require the github api).

Currently, I use only addrev and raw git commands. As an aid, I have a fetch rule

    fetch = +refs/pull/*/head:refs/remotes/github/pr-*

which enables me to do a simple 'git checkout pr-xxxx'.

Matthias

From Matthias.St.Pierre at ncp-e.com Wed May 23 15:35:07 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St.
Pierre)
Date: Wed, 23 May 2018 15:35:07 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:

My vision is a more versatile tool (say: ghtool) with separate subcommands as building blocks to simplify common subtasks:

    ghtool {checkout,rebase,squash,addrev,push} ...

This tool could support the concept of a "current pull request" by using a naming convention for the local branches: 'ghtool checkout xxxx' could fetch and checkout to branch pr-xxxx, after which the following commands 'git rebase', 'git addrev', etc. could use the branch name as indicator for the current branch. This would make it possible to implement 'ghtool addrev' such that one neither has to provide --prnum=xxxx nor a commit range.

Unfortunately, I didn't have time to follow my vision yet. Also, it would have been easier for me to do it in Python than in Perl.

Matthias

From openssl-users at dukhovni.org Wed May 23 15:36:11 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Wed, 23 May 2018 11:36:11 -0400
Subject: [openssl-project] Some failing builds in travis?
Message-ID:

https://travis-ci.org/openssl/openssl/jobs/382694134
https://api.travis-ci.org/v3/job/382694134/log.txt

Test Summary Report
-------------------
../test/recipes/70-test_comp.t (Wstat: 26624 Tests: 0 Failed: 0)
  Non-zero exit status: 104
  Parse errors: No plan found in TAP output
../test/recipes/70-test_key_share.t (Wstat: 26624 Tests: 0 Failed: 0)
  Non-zero exit status: 104
  Parse errors: No plan found in TAP output
../test/recipes/70-test_sslrecords.t (Wstat: 26624 Tests: 17 Failed: 0)
  Non-zero exit status: 104
  Parse errors: Bad plan. You planned 18 tests but ran 17.
../test/recipes/70-test_sslsigalgs.t (Wstat: 26624 Tests: 0 Failed: 0)
  Non-zero exit status: 104
  Parse errors: No plan found in TAP output
../test/recipes/70-test_sslsignature.t (Wstat: 26624 Tests: 0 Failed: 0)
  Non-zero exit status: 104
  Parse errors: No plan found in TAP output
../test/recipes/70-test_sslversions.t (Wstat: 26624 Tests: 4 Failed: 0)
  Non-zero exit status: 104
  Parse errors: Bad plan. You planned 7 tests but ran 4.
../test/recipes/70-test_tls13cookie.t (Wstat: 26624 Tests: 0 Failed: 0)
  Non-zero exit status: 104
  Parse errors: No plan found in TAP output
../test/recipes/70-test_tls13kexmodes.t (Wstat: 19712 Tests: 0 Failed: 0)
  Non-zero exit status: 77
  Parse errors: No plan found in TAP output
../test/recipes/70-test_tls13messages.t (Wstat: 8192 Tests: 1 Failed: 0)
  Non-zero exit status: 32
  Parse errors: Bad plan. You planned 16 tests but ran 1.
../test/recipes/70-test_tls13psk.t (Wstat: 19712 Tests: 0 Failed: 0)
  Non-zero exit status: 77
  Parse errors: No plan found in TAP output
../test/recipes/70-test_tlsextms.t (Wstat: 26624 Tests: 9 Failed: 0)
  Non-zero exit status: 104
  Parse errors: Bad plan. You planned 10 tests but ran 9.
Files=147, Tests=1249, 358 wallclock secs ( 5.94 usr 1.09 sys + 287.60 cusr 53.16 csys = 347.79 CPU)
Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/home/travis/build/openssl/openssl'
make: *** [tests] Error 2
+///// MAKE TEST FAILED

--
Viktor.

From rsalz at akamai.com Wed May 23 15:37:03 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 15:37:03 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID:

> Unfortunately, I didn't have time to follow my vision yet.
> Also, it would have been easier for me to do it in Python than in Perl.

+1 for python! :)

From Matthias.St.Pierre at ncp-e.com Wed May 23 15:48:43 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:48:43 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID: <5fc7b93aa39248bf9c2b852a76117b3e@Ex13.ncp.local>

> +1 for python! :)

Well, if this is a "go for it"... ;-)

Oh, and I forgot to mention 'ghtool cherry-pick {110,102}'

From kaduk at mit.edu Wed May 23 15:50:07 2018
From: kaduk at mit.edu (Benjamin Kaduk)
Date: Wed, 23 May 2018 10:50:07 -0500
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com>
Message-ID: <20180523155007.GC32807@kduck.kaduk.org>

On Wed, May 23, 2018 at 03:12:30PM +0000, Dr. Matthias St. Pierre wrote:
> > So do you guys use the ghmerge script or own procedures? I'm curious.
>
> At the beginning, I tried to use ghmerge but it was not flexible
> enough for my needs. In particular, it only gives me the choice
> between squashing everything or leaving everything as it is. Most
> notably, it does not support partial squashing by interactive
> rebasing. Or alternatively: pausing + letting me fix something +
> resuming.
> What I also dislike is that it uses a lot of GitHub API

Sorry for partially hijacking the thread, but this reminds me that several people have started using the "git commit --fixup" tooling, which is in general helpful for the reviewer (to know what the squashing intention is).

But I am curious if we currently do and/or should have a commit hook on git.openssl.org to reject commits that start with "!fixup".

-Ben

From Matthias.St.Pierre at ncp-e.com Wed May 23 15:52:03 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Wed, 23 May 2018 15:52:03 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523155007.GC32807@kduck.kaduk.org>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> <20180523155007.GC32807@kduck.kaduk.org>
Message-ID:

> But I am curious if we currently do and/or should have a commit hook on git.openssl.org to reject commits that start with "!fixup".

We probably don't, but it's a good idea to have it.

Matthias

From matt at openssl.org Wed May 23 15:54:23 2018
From: matt at openssl.org (Matt Caswell)
Date: Wed, 23 May 2018 16:54:23 +0100
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523155007.GC32807@kduck.kaduk.org>
References: <21C57A0E-558D-40B5-96D0-DB5F297C4374@akamai.com> <227913D1-E509-4F46-B774-865A001C500F@dukhovni.org> <05572D78-146C-448B-B3D0-66542ADDE5F7@akamai.com> <20180523004158.GH10597@kduck.kaduk.org> <25FEB2A8-B363-443D-BAE8-C47D1AD92F2D@akamai.com> <20180523155007.GC32807@kduck.kaduk.org>
Message-ID: <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>

On 23/05/18 16:50, Benjamin Kaduk wrote:
> On Wed, May 23, 2018 at 03:12:30PM +0000, Dr. Matthias St. Pierre wrote:
>>> So do you guys use the ghmerge script or own procedures? I'm curious.
>>
>> At the beginning, I tried to use ghmerge but it was not flexible
>> enough for my needs. In particular, it only gives me the choice
>> between squashing everything or leaving everything as it is. Most
>> notably, it does not support partial squashing by interactive
>> rebasing. Or alternatively: pausing + letting me fix something +
>> resuming. What I also dislike is that it uses a lot of GitHub API
>
> Sorry for partially hijacking the thread, but this reminds me that
> several people have started using the "git commit --fixup" tooling,
> which is in general helpful for the reviewer (to know what the
> squashing intention is).

It's also helpful because it preserves the history of the review (you can see what changed since the last time you looked at it).

>
> But I am curious if we currently do and/or should have a commit hook
> on git.openssl.org to reject commits that start with "!fixup".

Not that I know of. We probably should have. A quick check reveals two such commits that have made it into master...both mine unfortunately :-(

Matt

From levitte at openssl.org Wed May 23 16:01:48 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 23 May 2018 18:01:48 +0200 (CEST)
Subject: [openssl-project] build/test before merging
In-Reply-To: <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
References: <20180523155007.GC32807@kduck.kaduk.org> <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org>
Message-ID: <20180523.180148.154491224151456127.levitte@openssl.org>

In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed, 23 May 2018 16:54:23 +0100, Matt Caswell said:

matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
matt> > But I am curious if we currently do and/or should have a commit hook
matt> > on git.openssl.org to reject commits that start with "!fixup".

That's "fixup! ", and "squash! " (for --squash) should be added as well.

matt> Not that I know of. We probably should have.
matt> A quick check reveals two
matt> such commits that have made it into master...both mine unfortunately :-(

I've been close a couple of times...

But yeah, good idea, I'll go ahead and craft that together. Gitolite makes it quite easy to configure.

Cheers,
Richard

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From levitte at openssl.org Wed May 23 17:02:48 2018
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 23 May 2018 19:02:48 +0200 (CEST)
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523.180148.154491224151456127.levitte@openssl.org>
References: <20180523155007.GC32807@kduck.kaduk.org> <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org> <20180523.180148.154491224151456127.levitte@openssl.org>
Message-ID: <20180523.190248.1692957295860583944.levitte@openssl.org>

In message <20180523.180148.154491224151456127.levitte at openssl.org> on Wed, 23 May 2018 18:01:48 +0200 (CEST), Richard Levitte said:

levitte> In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed, 23 May 2018 16:54:23 +0100, Matt Caswell said:
levitte>
levitte> matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
levitte> matt> > But I am curious if we currently do and/or should have a commit hook
levitte> matt> > on git.openssl.org to reject commits that start with "!fixup".
levitte>
levitte> That's "fixup! ", and "squash! " (for --squash) should be added as well.
levitte>
levitte> matt> Not that I know of. We probably should have. A quick check reveals two
levitte> matt> such commits that have made it into master...both mine unfortunately :-(
levitte>
levitte> I've been close a couple of times...
levitte>
levitte> But yeah, good idea, I'll go ahead and craft that together. Gitolite
levitte> makes it quite easy to configure.

Quick script added. The quick tests I made seem to work right. If something strange happens, tell me ASAP.
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From tjh at cryptsoft.com Wed May 23 20:59:56 2018
From: tjh at cryptsoft.com (Tim Hudson)
Date: Thu, 24 May 2018 06:59:56 +1000
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:

No that vote does not pass.
All votes require participation by a majority of active members.
Failure to have a majority participation causes a vote to fail.

With only three out of eight members voting this vote simply did not pass.

Tim.

On Thu, 24 May 2018, 12:59 am Salz, Rich, wrote:

> Another update
>
> VOTE: Remove the second paragraph ("Binary compatibility...improve
> security")
> from the release strategy.
>
> +1: 2
> 0: 1
> -1: 0
> No vote: 5
>
> The vote passed.
>
>
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>

From rsalz at akamai.com Wed May 23 23:58:55 2018
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 23 May 2018 23:58:55 +0000
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID: <098D5826-ADE5-4AFA-9101-8CDDB7D2336D@akamai.com>

Dang, you're right. I'll re-run the vote. But for now I reverted the website commit.

From: Tim Hudson
Reply-To: "openssl-project at openssl.org"
Date: Wednesday, May 23, 2018 at 5:00 PM
To: "openssl-project at openssl.org"
Subject: Re: [openssl-project] Current votes FYI

No that vote does not pass.
All votes require participation by a majority of active members.
Failure to have a majority participation causes a vote to fail.

With only three out of eight members voting this vote simply did not pass.

Tim.
On Thu, 24 May 2018, 12:59 am Salz, Rich, wrote:

Another update

VOTE: Remove the second paragraph ("Binary compatibility...improve security") from the release strategy.

+1: 2
0: 1
-1: 0
No vote: 5

The vote passed.

From Matthias.St.Pierre at ncp-e.com Thu May 24 20:32:38 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 24 May 2018 20:32:38 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To: <20180523.180148.154491224151456127.levitte@openssl.org>
References: <20180523155007.GC32807@kduck.kaduk.org> <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org> <20180523.180148.154491224151456127.levitte@openssl.org>
Message-ID: <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>

There is also the custom to add something like "(to be squashed)" or "(fixup)" in round or square brackets to the end of the commit title. So maybe also add a regex for "squash" or "fixup" inside round or square brackets?

-----Original Message-----
From: openssl-project On Behalf Of Richard Levitte
Sent: Wednesday, 23 May 2018 18:02
To: openssl-project at openssl.org
Subject: Re: [openssl-project] build/test before merging

In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed, 23 May 2018 16:54:23 +0100, Matt Caswell said:

matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
matt> > But I am curious if we currently do and/or should have a commit
matt> > hook on git.openssl.org to reject commits that start with "!fixup".

That's "fixup! ", and "squash! " (for --squash) should be added as well.

matt> Not that I know of. We probably should have. A quick check reveals
matt> two such commits that have made it into master...both mine
matt> unfortunately :-(

I've been close a couple of times...
But yeah, good idea, I'll go ahead and craft that together. Gitolite makes it quite easy to configure.

Cheers,
Richard

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From levitte at openssl.org Thu May 24 20:42:52 2018
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 24 May 2018 22:42:52 +0200
Subject: [openssl-project] build/test before merging
In-Reply-To: <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
References: <20180523155007.GC32807@kduck.kaduk.org> <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org> <20180523.180148.154491224151456127.levitte@openssl.org> <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
Message-ID:

Those are non-standard and a matter of personal taste. I used those before I discovered --fixup and --squash. How many variants should we support?

(I'm not totally against the idea, mind you...)

Cheers
Richard

"Dr. Matthias St. Pierre" wrote: (24 May 2018 22:32:38 CEST)
>There is also the custom to add something like "(to be squashed)" or
>"(fixup)" in round or square brackets to the end of the commit title.
>So maybe also add a regex for "squash" or "fixup" inside round or
>square brackets?
>
>-----Original Message-----
>From: openssl-project On Behalf
>Of Richard Levitte
>Sent: Wednesday, 23 May 2018 18:02
>To: openssl-project at openssl.org
>Subject: Re: [openssl-project] build/test before merging
>
>In message <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7 at openssl.org> on Wed,
>23 May 2018 16:54:23 +0100, Matt Caswell said:
>
>matt> On 23/05/18 16:50, Benjamin Kaduk wrote:
>matt> > But I am curious if we currently do and/or should have a commit
>
>matt> > hook on git.openssl.org to reject commits that start with
>"!fixup".
>
>That's "fixup! ", and "squash! " (for --squash) should be added as
>well.
>
>matt> Not that I know of. We probably should have. A quick check
>reveals
>matt> two such commits that have made it into master...both mine
>matt> unfortunately :-(
>
>I've been close a couple of times...
>
>But yeah, good idea, I'll go ahead and craft that together. Gitolite
>makes it quite easy to configure.
>
>Cheers,
>Richard

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From Matthias.St.Pierre at ncp-e.com Thu May 24 20:49:16 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 24 May 2018 20:49:16 +0000
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <20180523155007.GC32807@kduck.kaduk.org> <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org> <20180523.180148.154491224151456127.levitte@openssl.org> <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
Message-ID:

Well, I use --fixup and --squash mostly nowadays, but I'm not sure everybody switched. It was not a feature request, only a remark.

-----Original Message-----
From: openssl-project On Behalf Of Richard Levitte
Sent: Thursday, 24 May 2018 22:43
To: openssl-project at openssl.org
Subject: Re: [openssl-project] build/test before merging

Those are non-standard and a matter of personal taste. I used those before I discovered --fixup and --squash. How many variants should we support?

(I'm not totally against the idea, mind you...)
Cheers
Richard

From openssl-users at dukhovni.org Thu May 24 21:03:39 2018
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Thu, 24 May 2018 17:03:39 -0400
Subject: [openssl-project] build/test before merging
In-Reply-To:
References: <20180523155007.GC32807@kduck.kaduk.org> <6d5b206f-a0f1-8b60-fbf5-5f08c7c269d7@openssl.org> <20180523.180148.154491224151456127.levitte@openssl.org> <475e9e0fa3e54ce6a1088b853e8bc8db@Ex13.ncp.local>
Message-ID: <847A64B6-FEA5-432C-97F5-BF7AB3364517@dukhovni.org>

> On May 24, 2018, at 4:42 PM, Richard Levitte wrote:
>
> Those are non-standard and a matter of personal taste. I used those before I discovered --fixup and --squash. How many variants should we support?
>
> (I'm not totally against the idea, mind you...)

Let's stick with the standard versions.

--
Viktor.

From Matthias.St.Pierre at ncp-e.com Tue May 29 05:45:08 2018
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Tue, 29 May 2018 05:45:08 +0000
Subject: [openssl-project] Current votes FYI
In-Reply-To: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:

> VOTE: 1.1.1 beta release schedule changed so that the next two beta releases are now 29th May, 19 June and we will re-review release readiness after that. We will also ensure that there is at least one beta release post TLS-1.3 RFC publication prior to the final release.

Note: I just had a look at https://www.openssl.org/policies/releasestrat.html because I recalled that a beta release was scheduled for today and noticed that the beta release plan has not been updated to reflect your last vote.

Matthias

From levitte at openssl.org Tue May 29 06:25:06 2018
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 29 May 2018 08:25:06 +0200 (CEST)
Subject: [openssl-project] OpenSSL repo frozen
Message-ID: <20180529.082506.1179117302266834943.levitte@openssl.org>

This should have been done yesterday...
the openssl repo is now frozen pending the beta release that's happening later today.

Cheers,
Richard

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From matt at openssl.org Tue May 29 08:31:07 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 29 May 2018 09:31:07 +0100
Subject: [openssl-project] Current votes FYI
In-Reply-To:
References: <504DAF06-51AC-494D-9768-C50E897F7B1E@akamai.com>
Message-ID:

On 29/05/18 06:45, Dr. Matthias St. Pierre wrote:
>> VOTE: 1.1.1 beta release schedule changed so that the next two beta releases are now 29th May, 19 June and we will re-review release readiness after that. We will also ensure that there is at least one beta release post TLS-1.3 RFC publication prior to the final release.
>
> Note: I just had a look at https://www.openssl.org/policies/releasestrat.html because I recalled that a beta release was scheduled for today and noticed that the beta release plan has not been updated to reflect your last vote.
>

I thought it had been updated! So, https://github.com/openssl/web/pull/55

P.S. Ah! It *was* updated and then the change was reverted!

From openssl at openssl.org Tue May 29 12:38:25 2018
From: openssl at openssl.org (OpenSSL)
Date: Tue, 29 May 2018 12:38:25 +0000
Subject: [openssl-project] OpenSSL version 1.1.1 pre release 7 published
Message-ID: <20180529123825.GA8160@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenSSL version 1.1.1 pre release 7 (beta)
===========================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 7 has now been made available. For details of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.
The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.1.1-pre7.tar.gz
  Size: 8308876
  SHA1 checksum: 1879b688f9e36665f82bda8cac4f392029683bd0
  SHA256 checksum: e4a54e1eba2900004a2e39cde62aeaf1f1fa0442169f849faf14e735136ad6cc

The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1-pre7.tar.gz
openssl sha256 openssl-1.1.1-pre7.tar.gz

Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,

The OpenSSL Project Team.

From matt at openssl.org Tue May 29 12:41:54 2018
From: matt at openssl.org (Matt Caswell)
Date: Tue, 29 May 2018 13:41:54 +0100
Subject: [openssl-project] OpenSSL repo frozen
In-Reply-To: <20180529.082506.1179117302266834943.levitte@openssl.org>
References: <20180529.082506.1179117302266834943.levitte@openssl.org>
Message-ID: <1c375589-2e2e-9951-95b1-55eeeb57e3c5@openssl.org>

The release is complete and the repo is now unfrozen. Thanks to Richard for his help during the release.

Matt

On 29/05/18 07:25, Richard Levitte wrote:
> This should have been done yesterday...
> the openssl repo is now
> frozen pending the beta release that's happening later today.
>
> Cheers,
> Richard
>
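The server-side check discussed earlier in this thread (reject pushed commits whose subject begins with "fixup! " or "squash! ", and only those standard markers) could look like the following; this is an added example, not the script installed on git.openssl.org, which the thread does not show. It assumes a plain git `update` hook; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the OpenSSL project's script): a git "update" hook that
# refuses commits still carrying an autosquash marker in their subject line.
# git runs the hook as:  update <refname> <old-sha> <new-sha>

ZERO=0000000000000000000000000000000000000000

# Succeeds when SUBJECT starts with the marker written by
# `git commit --fixup` ("fixup! ") or `git commit --squash` ("squash! ").
# Ad-hoc spellings such as "(fixup)" or "!fixup" are deliberately not matched.
is_autosquash_subject() {
    case "$1" in
        "fixup! "*|"squash! "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "<abbrev-sha> <subject>" lines on stdin and prints the offending ones.
# Like grep, succeeds only when at least one offender was found.
find_autosquash() {
    rc=1
    while read -r sha subject; do
        if is_autosquash_subject "$subject"; then
            printf '%s %s\n' "$sha" "$subject"
            rc=0
        fi
    done
    return "$rc"
}

# check_push REFNAME OLD NEW: inspect only the commits this push introduces.
check_push() {
    refname=$1; old=$2; new=$3
    if [ "$new" = "$ZERO" ]; then
        return 0                          # ref deletion, nothing to inspect
    elif [ "$old" = "$ZERO" ]; then
        range="$new --not --all"          # new ref: commits no existing ref has
    else
        range="$old..$new"
    fi
    # $range is intentionally unquoted so it splits into separate arguments.
    if bad=$(git log --format='%h %s' $range | find_autosquash); then
        echo "*** $refname rejected, squash these commits first:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample history (not real OpenSSL commits) for the offline demo.
sample_log() {
    cat <<'EOF'
1a2b3c4 Fix memory leak in example parser
5d6e7f8 fixup! Fix memory leak in example parser
9a8b7c6 squash! Add regression test
0f1e2d3 !fixup reversed marker, not produced by git
4c5b6a7 Tidy up error path (fixup)
EOF
}

case "${0##*/}" in
    update) check_push "$@" ;;                      # installed as hooks/update
    *)      sample_log | find_autosquash || true ;; # demo on the sample log
esac
```

When the file is installed as `hooks/update` in the bare repository, a non-zero exit makes git refuse that ref update; run under any other name it only filters the constructed sample log.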