Broken openssl tests on Travis

5 years ago by Stanislav Malyshev — view source

unread

Hi!

I am seeing tons of broken openssl tests on Travis CI. Example:
https://travis-ci.org/php/php-src/jobs/462367522

All errors seem to be the same:
001+ Warning: stream_socket_client(): SSL operation failed with code 1.
OpenSSL Error messages:
002+ error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in
/home/travis/build/php/php-src/ext/openssl/tests/ServerClientTestCase.inc(96)
: eval()'d code on line 10

Anybody knows anything about this?

Stas Malyshev
smalyshev@gmail.com

5 years ago by Alexander Kurilo via internals — view source

unread

Hi!

I am seeing tons of broken openssl tests on Travis CI. Example:
https://travis-ci.org/php/php-src/jobs/462367522

All errors seem to be the same:
001+ Warning: stream_socket_client(): SSL operation failed with code 1.
OpenSSL Error messages:
002+ error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in
/home/travis/build/php/php-src/ext/openssl/tests/ServerClientTestCase.inc(96)
: eval()'d code on line 10

Anybody knows anything about this?

Certificated that had been used for openssl tests, expired yesterday.
There are 2 ways to proceed, as I see it:

generate new ones ASAP to get rid of false alarms;
check if there's anything to be done to avoid this in the future.

To address the latter, certificates can be generated for each test run
to make sure their expiration dates are never in the past but I'm not
sure openssl binary has been a requirement for running tests, so maybe
we're better off just generating another certificate for an upcoming
decade or two.

5 years ago by Jakub Zelenka — view source

unread

Hi!

I am seeing tons of broken openssl tests on Travis CI. Example:
https://travis-ci.org/php/php-src/jobs/462367522

All errors seem to be the same:
001+ Warning: stream_socket_client(): SSL operation failed with code 1.
OpenSSL Error messages:
002+ error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in

/home/travis/build/php/php-src/ext/openssl/tests/ServerClientTestCase.inc(96)

I'll try to find some time to sort it out today.

5 years ago by Alexander Kurilo via internals — view source

unread

Hi!

I am seeing tons of broken openssl tests on Travis CI. Example:
https://travis-ci.org/php/php-src/jobs/462367522

All errors seem to be the same:
001+ Warning: stream_socket_client(): SSL operation failed with code 1.
OpenSSL Error messages:
002+ error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in
/home/travis/build/php/php-src/ext/openssl/tests/ServerClientTestCase.inc(96)
: eval()'d code on line 10

Anybody knows anything about this?

Ladies and gentlemen,

The day after tomorrow this is going to happen again.

There are 2 ways out:

This PR https://github.com/php/php-src/pull/3698 aims to solve the
root cause: it modifies tests in order to make them generate
certificates on the fly and always be sure that their expiration date is
in the future (and also unties lots of tests from single certificate)
If the former doesn't work or not going to be merged (tomorrow or
ever), I can prepare another PR like this
https://github.com/php/php-src/pull/3693 with the same certificate
extended for a decade rather than a month (well, I thought a month would
be sufficient to come to a decision but I was wrong).

Let me know if I can help.

Cheers,
Alex.

5 years ago by Stanislav Malyshev — view source

unread

Hi!

There are 2 ways out:

This PR https://github.com/php/php-src/pull/3698 aims to solve the
root cause: it modifies tests in order to make them generate
certificates on the fly and always be sure that their expiration date is
in the future (and also unties lots of tests from single certificate)

This one looks like a bit large, probably reviewing it is going to take
time, especially given as we have holiday season now when people are
offline a lot. So I'd suggest to make a patch with a cert extended for
another 3-4 months and continue to work on this patch to fix it once and
for all.

--
Stas Malyshev
smalyshev@gmail.com

5 years ago by Alexander Kurilo via internals — view source

unread

Hi!

There are 2 ways out:

This PR https://github.com/php/php-src/pull/3698 aims to solve the
root cause: it modifies tests in order to make them generate
certificates on the fly and always be sure that their expiration date is
in the future (and also unties lots of tests from single certificate)

This one looks like a bit large, probably reviewing it is going to take
time, especially given as we have holiday season now when people are
offline a lot. So I'd suggest to make a patch with a cert extended for
another 3-4 months and continue to work on this patch to fix it once and
for all.

That's reasonable. I'll create a PR with extended certs in 12 hours or so.

Thanks,
Alex.