-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: fix test-https-ci-reneg-attack #25676
Conversation
With a recent OpenSSL update to core, a change in the behavior of `s_client` result in pummel test failures because they spam with renegotiation requests before the renegotiation is complete. Modify tests to reduce initial spamming. This fixes the TLS renegotiation test. While it fixes the bug in the HTTPS test too, that is still failing with the OpenSSL update for other (too-be-determined) reasons. Refs: nodejs#25381 (comment)
Custom pummel CI (same one that is now failing in node-daily-master because of the issues this fixes/works around): https://ci.nodejs.org/job/node-test-commit-custom-suites/837/ |
Unrelated failure in the CI run. Because pummel tests aren't run in regular CI, the lite CI should be sufficient. I'll now try to track down what caused the new pummel failure. (Aside: As pummel tests fail and then are fixed, it's my hope to move them to |
I confirmed that openssl/openssl#8081 resolved this issue. I think it is better to backport it when it is accepted. |
I agree that is the much better fix. Until then, the test is failing in our nightly CI. Hopefully the patch is accepted in OpenSSL upstream very soon. To fix the nightly CI, can we float the OpenSSL patch in Node.js immediately even though it's not in the OpenSSL code base yet? It should be a very low-risk thing to do, since it (I assume) only affects |
I don't have strong feelings about whether this is important enough to violate our "don't land patches that haven't been accepted upstream". @shigeki 's fix is only 4 hours old, is it possible to disable the test for the week to give them a chance to accept. I went through the git history. Since node has a |
Removing I am definitely 👍 on the suggestion from @sam-github that the test use |
Rewrite test-tls-ci-reneg-attack to use tls.renegotiate() instead of external (and potentially unpredictable/quirky/buggy) s_client. Refs: nodejs#25676 (comment)
Rewrite test-tls-ci-reneg-attack to use tls.renegotiate() instead of external (and potentially unpredictable/quirky/buggy) s_client. Refs: nodejs#25676 (comment) PR-URL: nodejs#25700 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Rewrite test-tls-ci-reneg-attack to use tls.renegotiate() instead of external (and potentially unpredictable/quirky/buggy) s_client. Refs: #25676 (comment) PR-URL: #25700 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Rewrite test-tls-ci-reneg-attack to use tls.renegotiate() instead of external (and potentially unpredictable/quirky/buggy) s_client. Refs: #25676 (comment) PR-URL: #25700 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Refs: #25381 (comment)
First commit is just #25660. Once that and this land, then pummel tests should be working again. Please 👍 here to fast-track.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes