[re]building SLES 12 RPM for nss-3.90, tests failing
14 views
Skip to first unread message
Brian Reichert
Sep 28, 2023, 5:06:18 PM9/28/23
to dev-tec...@lists.mozilla.org
I'm rebuilding SLES 12's mozilla-nss-3.90-58.104.1 from a source
RPM.
This successfully builds binaries, but logic in the SPEC file triggers
a bunch of self-tests to run. Some of these tests are failing, and
I was hoping to get some guidance about correcting, or selectively
ignoring these errors.
This, of course means stock nss-3.90, but modified by SLES's ~40
patches. I acknowledge that this makes this question not at all
appropriate for this forum, but all of SLES's support forums a
patently useless, in my experience.
Anyway:
I have retained full logs of the build and test run, which I could
provide to anyone who's curious.
It ends with this:
Tests summary:
--------------
Passed: 11550
Failed: 24
Failed with core: 0
ASan failures: 0
Unknown status: 25
TinderboxPrint:Unknown: 25
The first reported failure is, (I think) is:
chains.sh: #1039: TrustAnchors: Verifying certificate(s)
NameConstraints.server2.cert NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp - PASSED
chains.sh: Verifying certificate(s) NameConstraints.server3.cert
NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp vfychain -d trustanchorsDB -pp -vv /home/breichert/testing/rpmbuild/mozilla-nss_new /BUILD/nss-3.90/nss/tests/libpkix/certs/NameConstraints.server3.cert /home/breichert/testing/rpmbuild/mozilla-nss_new/BUILD/nss-3.90/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1040: TrustAnchors: Verifying certificate(s)
NameConstraints.server3.cert NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp - FAILED
If I look for all of the FAILED messages, they're all related to
'TrustAnchors: Verifying certificate(s)'.
Does this sound like an environmental issue? Do these tests pass
with a stock 3.90 install? (I would hope so...)
I'm happy to provide more information, and will accept any advice offered.
--
Brian Reichert <reic...@numachi.com>
BSD admin/developer at large
RPM.
This successfully builds binaries, but logic in the SPEC file triggers
a bunch of self-tests to run. Some of these tests are failing, and
I was hoping to get some guidance about correcting, or selectively
ignoring these errors.
This, of course means stock nss-3.90, but modified by SLES's ~40
patches. I acknowledge that this makes this question not at all
appropriate for this forum, but all of SLES's support forums a
patently useless, in my experience.
Anyway:
I have retained full logs of the build and test run, which I could
provide to anyone who's curious.
It ends with this:
Tests summary:
--------------
Passed: 11550
Failed: 24
Failed with core: 0
ASan failures: 0
Unknown status: 25
TinderboxPrint:Unknown: 25
The first reported failure is, (I think) is:
chains.sh: #1039: TrustAnchors: Verifying certificate(s)
NameConstraints.server2.cert NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp - PASSED
chains.sh: Verifying certificate(s) NameConstraints.server3.cert
NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp vfychain -d trustanchorsDB -pp -vv /home/breichert/testing/rpmbuild/mozilla-nss_new /BUILD/nss-3.90/nss/tests/libpkix/certs/NameConstraints.server3.cert /home/breichert/testing/rpmbuild/mozilla-nss_new/BUILD/nss-3.90/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1040: TrustAnchors: Verifying certificate(s)
NameConstraints.server3.cert NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp - FAILED
If I look for all of the FAILED messages, they're all related to
'TrustAnchors: Verifying certificate(s)'.
Does this sound like an environmental issue? Do these tests pass
with a stock 3.90 install? (I would hope so...)
I'm happy to provide more information, and will accept any advice offered.
--
Brian Reichert <reic...@numachi.com>
BSD admin/developer at large
John Schanck
Sep 28, 2023, 5:27:42 PM9/28/23
to Brian Reichert, dev-tec...@lists.mozilla.org
Hi Brian,
You can ignore those errors. NSS 3.90 shipped with a few test
certificates that expired in September. See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1813401
John
> --
> You received this message because you are subscribed to the Google Groups "dev-tec...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-cryp...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/20230928210614.GT365%40numachi.com.
You can ignore those errors. NSS 3.90 shipped with a few test
certificates that expired in September. See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1813401
John
> You received this message because you are subscribed to the Google Groups "dev-tec...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-cryp...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/20230928210614.GT365%40numachi.com.
Brian Reichert
Sep 29, 2023, 9:42:37 AM9/29/23
to John Schanck, Brian Reichert, dev-tec...@lists.mozilla.org
On Thu, Sep 28, 2023 at 02:27:14PM -0700, John Schanck wrote:
> Hi Brian,
>
> You can ignore those errors. NSS 3.90 shipped with a few test
> certificates that expired in September. See also:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1813401
Thank you for a succinct and informative response; that helps me
> Hi Brian,
>
> You can ignore those errors. NSS 3.90 shipped with a few test
> certificates that expired in September. See also:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1813401
calm down. :)
I can modify this packaging to build a more recent release. I think
3.93 is the latest; is that correct?
>
> John
Martin Sirringhaus
Oct 2, 2023, 2:47:06 AM10/2/23
to Brian Reichert, dev-tec...@lists.mozilla.org
Hi Brian,
sorry for the late response! I was away the last few days.
I have backported the fix for this to SLE, but forgot to push it to our
github-page. Sorry about that.
The updated version is now here:
https://github.com/openSUSE/firefox-maintenance/tree/115esr/nss
Also, sorry that you find our forums unhelpful for these kinds of
problems. But feel free to open a bugreport on that github-page, or ping
me directly, if something like this comes up again!
Cheers,
Martin
sorry for the late response! I was away the last few days.
I have backported the fix for this to SLE, but forgot to push it to our
github-page. Sorry about that.
The updated version is now here:
https://github.com/openSUSE/firefox-maintenance/tree/115esr/nss
Also, sorry that you find our forums unhelpful for these kinds of
problems. But feel free to open a bugreport on that github-page, or ping
me directly, if something like this comes up again!
Cheers,
Martin
Reply all
Reply to author
Forward
0 new messages