* iotest 233 failing @ 2021-06-10 20:34 Eric Blake 2021-06-10 21:31 ` Daniel P. Berrangé 0 siblings, 1 reply; 4+ messages in thread From: Eric Blake @ 2021-06-10 20:34 UTC (permalink / raw) To: qemu-devel, qemu-block, berrange I'm now getting failures on iotest 233: 233 fail [15:26:01] [15:26:03] 2.1s (last: 1.3s) output mismatch (see 233.out.bad) --- /home/eblake/qemu/tests/qemu-iotests/233.out +++ 233.out.bad @@ -65,6 +65,6 @@ == final server log == qemu-nbd: option negotiation failed: Verify failed: No certificate was found. qemu-nbd: option negotiation failed: Verify failed: No certificate was found. -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client1,CN=localhost is denied +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client3,CN=localhost is denied *** done Failures: 233 Failed 1 of 1 iotests Looks like I recently updated to gnutls-3.7.2-1.fc34 on June 1, could that be the culprit for the error message being reordered? -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: iotest 233 failing 2021-06-10 20:34 iotest 233 failing Eric Blake @ 2021-06-10 21:31 ` Daniel P. Berrangé 2021-06-10 21:33 ` Daniel P. Berrangé 0 siblings, 1 reply; 4+ messages in thread From: Daniel P. Berrangé @ 2021-06-10 21:31 UTC (permalink / raw) To: Eric Blake; +Cc: qemu-devel, qemu-block On Thu, Jun 10, 2021 at 03:34:46PM -0500, Eric Blake wrote: > I'm now getting failures on iotest 233: > > 233 fail [15:26:01] [15:26:03] 2.1s (last: 1.3s) output mismatch (see 233.out.bad) > --- /home/eblake/qemu/tests/qemu-iotests/233.out > +++ 233.out.bad > @@ -65,6 +65,6 @@ > == final server log == > qemu-nbd: option negotiation failed: Verify failed: No certificate was found. > qemu-nbd: option negotiation failed: Verify failed: No certificate was found. > -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied > -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied > +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client1,CN=localhost is denied > +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client3,CN=localhost is denied > *** done > Failures: 233 > Failed 1 of 1 iotests > > Looks like I recently updated to gnutls-3.7.2-1.fc34 on June 1, could > that be the culprit for the error message being reordered? It is possible I guess. They have indeed made such a change in the past and reverted it when I pointed out that this is effectively an ABI for apps, because access control lists are based on matching the distinguish name string, as an opaque string. The cause certainly needs investigating as a matter of urgency because this is ABI for QEMU's authz access control lists. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: iotest 233 failing 2021-06-10 21:31 ` Daniel P. Berrangé @ 2021-06-10 21:33 ` Daniel P. Berrangé 2021-06-11 9:17 ` Daniel P. Berrangé 0 siblings, 1 reply; 4+ messages in thread From: Daniel P. Berrangé @ 2021-06-10 21:33 UTC (permalink / raw) To: Eric Blake, qemu-devel, qemu-block On Thu, Jun 10, 2021 at 10:31:14PM +0100, Daniel P. Berrangé wrote: > On Thu, Jun 10, 2021 at 03:34:46PM -0500, Eric Blake wrote: > > I'm now getting failures on iotest 233: > > > > 233 fail [15:26:01] [15:26:03] 2.1s (last: 1.3s) output mismatch (see 233.out.bad) > > --- /home/eblake/qemu/tests/qemu-iotests/233.out > > +++ 233.out.bad > > @@ -65,6 +65,6 @@ > > == final server log == > > qemu-nbd: option negotiation failed: Verify failed: No certificate was found. > > qemu-nbd: option negotiation failed: Verify failed: No certificate was found. > > -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied > > -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied > > +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client1,CN=localhost is denied > > +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client3,CN=localhost is denied > > *** done > > Failures: 233 > > Failed 1 of 1 iotests > > > > Looks like I recently updated to gnutls-3.7.2-1.fc34 on June 1, could > > that be the culprit for the error message being reordered? > > It is possible I guess. They have indeed made such a change in the past > and reverted it when I pointed out that this is effectively an ABI for > apps, because access control lists are based on matching the distinguish > name string, as an opaque string. The cause certainly needs investigating > as a matter of urgency because this is ABI for QEMU's authz access control > lists. There is an ominous sounding NEWS item in 3.7.2 ** certtool: When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale (e.g. Country before State, Organization before OrganizationalUnit). This change also affects the order in which certtool prompts interactively. Please rely on the template mechanism for automated use of certtool! (#1243) This ordering change in certtool seems to correspond with the new order you see above in the distinguished name, so I wonder if the certtool change had accidental side effects. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: iotest 233 failing 2021-06-10 21:33 ` Daniel P. Berrangé @ 2021-06-11 9:17 ` Daniel P. Berrangé 0 siblings, 0 replies; 4+ messages in thread From: Daniel P. Berrangé @ 2021-06-11 9:17 UTC (permalink / raw) To: Eric Blake, qemu-devel, qemu-block On Thu, Jun 10, 2021 at 10:33:40PM +0100, Daniel P. Berrangé wrote: > On Thu, Jun 10, 2021 at 10:31:14PM +0100, Daniel P. Berrangé wrote: > > On Thu, Jun 10, 2021 at 03:34:46PM -0500, Eric Blake wrote: > > > I'm now getting failures on iotest 233: > > > > > > 233 fail [15:26:01] [15:26:03] 2.1s (last: 1.3s) output mismatch (see 233.out.bad) > > > --- /home/eblake/qemu/tests/qemu-iotests/233.out > > > +++ 233.out.bad > > > @@ -65,6 +65,6 @@ > > > == final server log == > > > qemu-nbd: option negotiation failed: Verify failed: No certificate was found. > > > qemu-nbd: option negotiation failed: Verify failed: No certificate was found. > > > -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client1,L=R'lyeh,C=South Pacific is denied > > > -qemu-nbd: option negotiation failed: TLS x509 authz check for CN=localhost,O=Cthulhu Dark Lord Enterprises client3,L=R'lyeh,C=South Pacific is denied > > > +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client1,CN=localhost is denied > > > +qemu-nbd: option negotiation failed: TLS x509 authz check for C=South Pacific,L=R'lyeh,O=Cthulhu Dark Lord Enterprises client3,CN=localhost is denied > > > *** done > > > Failures: 233 > > > Failed 1 of 1 iotests > > > > > > Looks like I recently updated to gnutls-3.7.2-1.fc34 on June 1, could > > > that be the culprit for the error message being reordered? > > > > It is possible I guess. They have indeed made such a change in the past > > and reverted it when I pointed out that this is effectively an ABI for > > apps, because access control lists are based on matching the distinguish > > name string, as an opaque string. The cause certainly needs investigating > > as a matter of urgency because this is ABI for QEMU's authz access control > > lists. > > There is an ominous sounding NEWS item in 3.7.2 > > ** certtool: When producing certificates and certificate requests, subject DN > components that are provided individually will now be ordered by > assumed scale (e.g. Country before State, Organization before > OrganizationalUnit). This change also affects the order in which > certtool prompts interactively. Please rely on the template > mechanism for automated use of certtool! (#1243) > > This ordering change in certtool seems to correspond with the new order > you see above in the distinguished name, so I wonder if the certtool > change had accidental side effects. Right so iotest 233 of course creates a new certificate, and so it picks up the new certtool behaviour, which means the certificate it generates has the distinguished name in the new order. This is good because it means the gnutls API for querying the distinguished name is still using the same ordering as before. This is bad because the iotest is obviously susceptible to changes it the way the certificate is created. I think we might just need to apply a filter to strip the distinguished name from the output. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-06-11 9:18 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-06-10 20:34 iotest 233 failing Eric Blake 2021-06-10 21:31 ` Daniel P. Berrangé 2021-06-10 21:33 ` Daniel P. Berrangé 2021-06-11 9:17 ` Daniel P. Berrangé
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).