Priority: P1: Critical
Affects Version/s: 6.0.0 Beta1
Fix Version/s: 6.0.0 RC
Commits: 4f6c5d83d09881a8432873487eab44b88eabec9e (qt/qtbase/dev), 0c3dbbefd281377d7eb100aa88e20866d9268be1 (qt/qtbase/5.15)
Sprint: Qt6_Foundation_Sprint 21, Qt6_Foundation_Sprint 22
The tst_networkselftest httpsServer test is failing on Ubuntu 20.04. It tries to connect via HTTPS to qt-test-server, which has an old openssl version that negotiates an insecure DH key exchange.
EDIT: I was wondering why this issue does not happen on my OpenSUSE box with a newer openssl (1.1.1g). It shows up only on our Ubuntu 20.04 buildslaves with openssl 1.1.1f, because Ubuntu builds openssl with -DOPENSSL_TLS_SECURITY_LEVEL=2, as seen here:
What does security level 2 mean? Taken from here:
Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any ciphersuite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.
The Ubuntu client rejects the connection because the DH key parameters offered by the server are 1024 bits long.
The RSA certificate is also 1024 bits long, but the test does not seem to care about that.
I believe this is the only test on Linux that still depends on qt-test-server. It should be changed to bring up the local docker containers and connect to them. At least the httpsServer test is trivial to port, and I verified that it passes when connecting to the local docker container, which is quite surprising since that certificate's key is also 1024 bits long.
But it's not trivial to convert all of tst_networkselftest to docker, because the test assumes in multiple places that all services run on the same IP.
This is currently blocking QTBUG-86187, which is P0, and I see 3 alternatives to move this forward:
1. Change the test to use docker containers
2. Fix the old and deprecated qt-test-server (we'll still have to fix the test, but at a later point)
3. Change the openssl default on Ubuntu 20.04 to accept the insecure key exchange (not recommended)
I have started with (1) but I could use some help. It's not only necessary to bring up the docker containers; the test itself needs many changes too.
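The security-level behaviour described above can be reproduced locally without qt-test-server. The script below is an added example and is not Qt's code or the test server's configuration: it assumes only the openssl command-line tool, a temporary directory and a free loopback port derived from the PID, and the cipher suite, file names and the 20-second readiness wait are assumptions. It starts an openssl s_server with a 2048-bit RSA certificate (acceptable at level 2) but 1024-bit DH parameters, and runs openssl s_client against it once at SECLEVEL=2, where the handshake is expected to abort with "dh key too small" exactly as on the Ubuntu 20.04 buildslaves, and once at SECLEVEL=1, where it is expected to succeed.

```shell
#!/bin/sh
# Added reproducer for the OpenSSL security-level failure described in this report.
# This is not Qt code and does not touch qt-test-server; it needs only the openssl
# command-line tool. The temp directory, port and cipher suite below are assumptions.

WORK="$(mktemp -d)"
PORT=$((20000 + $$ % 20000))            # a loopback port derived from the PID (assumption)
CIPHER=DHE-RSA-AES128-GCM-SHA256        # a DHE suite, so the DH parameters are actually used

# 2048-bit RSA key and self-signed cert (acceptable at level 2) plus 1024-bit DH
# parameters (80 bits of security, rejected at level 2). Generating a 1024-bit
# safe prime usually takes a few seconds.
make_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
    openssl dhparam -out "$WORK/dh1024.pem" 1024 >/dev/null 2>&1
}

# One TLS 1.2 handshake against the local server at the given OpenSSL security level.
# Prints s_client's combined output; exit status is 0 only if the handshake completed.
client_at_seclevel() {
    openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -cipher "$CIPHER:@SECLEVEL=$1" </dev/null 2>&1
}

# The weak server has to run at level 1: at level 2 OpenSSL refuses to load the
# 1024-bit DH parameters on the server side as well.
start_server() {
    openssl s_server -accept "$PORT" -tls1_2 -www \
        -cert "$WORK/cert.pem" -key "$WORK/key.pem" -dhparam "$WORK/dh1024.pem" \
        -cipher "$CIPHER:@SECLEVEL=1" </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 20 ]; do               # wait until the listener answers a level-1 handshake
        client_at_seclevel 1 >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

stop_server() {
    [ -n "${SERVER_PID:-}" ] && kill "$SERVER_PID" 2>/dev/null && wait "$SERVER_PID" 2>/dev/null
    rm -rf "$WORK"
}

make_material && start_server || { echo "could not set up the local server" >&2; stop_server; exit 1; }

# Level 2 (Ubuntu's build default): the handshake is aborted on the ServerKeyExchange
# with "dh key too small".
LEVEL2_OUT="$(client_at_seclevel 2)"; LEVEL2_RC=$?
# Level 1: the same server is accepted and s_client reports "Server Temp Key: DH, 1024 bits".
LEVEL1_OUT="$(client_at_seclevel 1)"; LEVEL1_RC=$?
stop_server

echo "SECLEVEL=2: exit status $LEVEL2_RC"
echo "$LEVEL2_OUT" | grep 'dh key too small'
echo "SECLEVEL=1: exit status $LEVEL1_RC"
echo "$LEVEL1_OUT" | grep 'Server Temp Key'
```

The level-1 client run is the same thing alternative 3 would do system-wide (a `CipherString = DEFAULT:@SECLEVEL=1` default in openssl.cnf), which is why it is not recommended: it re-enables exactly the 80-bit DH group that the level-2 build rejects, for every TLS client on the machine rather than just this test.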