Bug 7807 - t/spamd_ssl.t fails due to small key size
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Regression Tests
Version: 3.4.4
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2020-04-08 16:33 UTC by Ondřej Lysoněk
Modified: 2020-04-10 07:47 UTC

Attachment: proposed fix (patch), status: None, submitter/CLA status: Noah Meyerhans [NoCLA]

Description Ondřej Lysoněk 2020-04-08 16:33:05 UTC
On RHEL/CentOS 8, due to its default crypto policy, the tests 't/spamd_ssl.t' and 't/spamd_ssl_accept_fail.t' fail, because the key in the certificate (t/data/etc/testhost.cert, t/data/etc/testhost.key) is too small.

I've confirmed this with a small sample program that loads the certificate. The program fails with the following error:
140561996314432:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:310

If I generate my own key/certificate using e.g. the following, the tests pass.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout testhost.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout testhost.key -out testhost.cert

Can you please generate a new test key/certificate that is larger and add it to the repository?

Thanks!
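
One way to check test certificates for the key size problem described in this report, added here as an example that is not part of the original report or of the SpamAssassin code. The function names, the 2048-bit floor (taken from the rsa:2048 in the commands above) and the testhost.example subject are assumptions.

```shell
#!/bin/sh
# Added example: names, paths and the 2048-bit floor are assumptions, not project code.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}   # assumed floor; the report regenerates with rsa:2048

# Print the RSA modulus size in bits of a PEM certificate (prints nothing if the
# file is unreadable or the certificate does not carry an RSA key).
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n -e '/Public Key Algorithm: rsaEncryption/,$!d' \
               -e 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key meets the floor, 1 if it is too small,
# 2 if no RSA certificate could be read from the file.
check_cert() {
    bits=$(cert_rsa_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: no RSA certificate found" >&2
        return 2
    fi
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "$1: $bits-bit RSA key is below the $MIN_RSA_BITS-bit floor"
        return 1
    fi
    echo "$1: $bits-bit RSA key ok"
}

# Non-interactive form of the report's second command: writes a self-signed
# certificate and its key. The subject name is a constructed placeholder.
make_test_cert() {   # usage: make_test_cert BITS KEYFILE CERTFILE
    openssl req -x509 -sha256 -nodes -days 365 -newkey "rsa:$1" \
        -subj "/CN=testhost.example" -keyout "$2" -out "$3" 2>/dev/null
}

# Check every certificate named on the command line; with no arguments the
# script only defines the functions above.
status=0
for f in "$@"; do
    check_cert "$f" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

Run it with certificate paths as arguments, for example t/data/etc/testhost.cert, and it exits non-zero if any of them is below the floor.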
Comment 1 Noah Meyerhans 2020-04-08 16:58:34 UTC
Created attachment 5695
proposed fix

The attached patch against the 3.4 branch includes a new certificate. It also updates the tests to use an unprivileged TCP port, allowing them to execute as non-root users. (bz #7763)

I haven't tried to apply this against trunk.
Comment 2 Ondřej Lysoněk 2020-04-09 10:29:01 UTC
Thanks! This fixes the problem for me with the 3.4 version.
Comment 3 Henrik Krohns 2020-04-10 07:47:46 UTC
Cert updated

Sending        spamassassin-3.4/t/data/etc/testhost.cert
Sending        spamassassin-3.4/t/data/etc/testhost.key
Sending        trunk/t/data/etc/testhost.cert
Sending        trunk/t/data/etc/testhost.key
Transmitting file data ....done
Committing transaction...
Committed revision 1876347.