Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-87740

tst_networkselftest is still dependent on qt-test-server

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Done
    • Affects Version/s: 6.0.0 Beta1
    • Fix Version/s: 6.0.0 RC
    • Component/s: Network
    • Labels:
      None
    • Platform/s:
      Linux/Other display system
    • Commits:
      4f6c5d83d09881a8432873487eab44b88eabec9e (qt/qtbase/dev) 0c3dbbefd281377d7eb100aa88e20866d9268be1 (qt/qtbase/5.15)
    • Story Points:
      5
    • Sprint:
      Qt6_Foundation_Sprint 21, Qt6_Foundation_Sprint 22

      Description

      tst_networkselftest httpsServer test is failing on Ubuntu 20.04. It is trying to connect via HTTPS to qt-test-server, which has an old openssl version that negotiates insecure DH key exchange.

      QDEBUG : tst_NetworkSelfTest::httpsServer() 0 Connecting to server on port 443
      QDEBUG : tst_NetworkSelfTest::httpsServer() 1 Starting client encryption
      FAIL!  : tst_NetworkSelfTest::httpsServer() 'socket.waitForEncrypted(5000)' returned FALSE. (Failed to start client 
          encryption in step 1: Error during SSL handshake: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small)
          Loc: [tst_networkselftest.cpp(327)]

      EDIT: I was wondering why this issue does not happen on my OpenSUSE box with newer openssl 1.1.1g. This issue is showing up only on our Ubuntu 20.04 buildslaves with openssl 1.1.1f because Ubuntu has built openssl with -DOPENSSL_TLS_SECURITY_LEVEL=2, as seen here:

          - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
            level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
            below 1.2 and update documentation. Previous default of 1, can be set
            by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
            using ':@SECLEVEL=1' CipherString value in openssl.cfg.
      

      What does security level 2 mean? Taken from here:

      Level 2
      Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any ciphersuite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.

      The Ubuntu client rejects the connection because the DH key parameters offered by the server are 1024 bits long.
      The RSA certificate is also 1024 bits long, but the test does not seem to care about that.

      Dependency on qt-test-server

      I believe this is the only test on Linux that still depends on qt-test-server. It should be changed to bring up the local docker containers and connect to them. At least the httpsServer test is trivial to be ported and I tested it's passing when connecting to the local docker container. Which is quite surprising since the certificate key length is also 1024 bits long.

      But it's not trivial to convert all of tst_networkselftest to docker, because the test is assuming multiple times that all services run on the same IP.

      This is currently blocking QTBUG-86187 which is P0, and I see 3 alternatives to move this forward:

      1. Change the test to use docker containers
      2. Fix the old and deprecated qt-test-server (still we'll have to fix the test, but at a later point)
      3. Change the openssl default on Ubuntu 20.04 to accept insecure key exchange (not recommended)

      I have started with (1) but I could use some help. It's not only needed to bring up the dockers, but the test itself needs many changes too.

        Attachments

          Issue Links

          For Gerrit Dashboard: QTBUG-87740
          # Subject Branch Project Status CR V

            Activity

              People

              Assignee:
              tpochep Timur Pocheptsov
              Reporter:
              jimis Dimitrios Apostolou
              PM Owner:
              Maurice Kalinowski
              RnD Owner:
              Alex Blasche
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Gerrit Reviews

                  There are no open Gerrit changes