Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-87740

tst_networkselftest is still dependent on qt-test-server



    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Done
    • Affects Version/s: 6.0.0 Beta1
    • Fix Version/s: 6.0.0 RC
    • Component/s: Network
    • Labels:
    • Platform/s:
      Linux/Other display system
    • Commits:
      4f6c5d83d09881a8432873487eab44b88eabec9e (qt/qtbase/dev) 0c3dbbefd281377d7eb100aa88e20866d9268be1 (qt/qtbase/5.15)
    • Story Points:
    • Sprint:
      Qt6_Foundation_Sprint 21, Qt6_Foundation_Sprint 22


      tst_networkselftest httpsServer test is failing on Ubuntu 20.04. It is trying to connect via HTTPS to qt-test-server, which has an old openssl version that negotiates insecure DH key exchange.

      QDEBUG : tst_NetworkSelfTest::httpsServer() 0 Connecting to server on port 443
      QDEBUG : tst_NetworkSelfTest::httpsServer() 1 Starting client encryption
      FAIL!  : tst_NetworkSelfTest::httpsServer() 'socket.waitForEncrypted(5000)' returned FALSE. (Failed to start client 
          encryption in step 1: Error during SSL handshake: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small)
          Loc: [tst_networkselftest.cpp(327)]

      EDIT: I was wondering why this issue does not happen on my OpenSUSE box with newer openssl 1.1.1g. This issue is showing up only on our Ubuntu 20.04 buildslaves with openssl 1.1.1f because Ubuntu has built openssl with -DOPENSSL_TLS_SECURITY_LEVEL=2, as seen here:

          - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
            level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
            below 1.2 and update documentation. Previous default of 1, can be set
            by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
            using ':@SECLEVEL=1' CipherString value in openssl.cfg.

      What does security level 2 mean? Taken from here:

      Level 2
      Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any ciphersuite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.

      The Ubuntu client rejects the connection because the DH key parameters offered by the server are 1024 bits long.
      The RSA certificate is also 1024 bits long, but the test does not seem to care about that.

      Dependency on qt-test-server

      I believe this is the only test on Linux that still depends on qt-test-server. It should be changed to bring up the local docker containers and connect to them. At least the httpsServer test is trivial to be ported and I tested it's passing when connecting to the local docker container. Which is quite surprising since the certificate key length is also 1024 bits long.

      But it's not trivial to convert all of tst_networkselftest to docker, because the test is assuming multiple times that all services run on the same IP.

      This is currently blocking QTBUG-86187 which is P0, and I see 3 alternatives to move this forward:

      1. Change the test to use docker containers
      2. Fix the old and deprecated qt-test-server (still we'll have to fix the test, but at a later point)
      3. Change the openssl default on Ubuntu 20.04 to accept insecure key exchange (not recommended)

      I have started with (1) but I could use some help. It's not only needed to bring up the dockers, but the test itself needs many changes too.


          Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.



              tpochep Timur Pocheptsov
              jimis Dimitrios Apostolou
              PM Owner:
              Maurice Kalinowski Maurice Kalinowski
              RnD Owner:
              Alex Blasche Alex Blasche
              0 Vote for this issue
              3 Start watching this issue



                  Gerrit Reviews

                  There are no open Gerrit changes