[re]building SLES 12 RPM for nss-3.90, tests failing

14 views
Skip to first unread message

Brian Reichert

unread,
Sep 28, 2023, 5:06:18 PM9/28/23
to dev-tec...@lists.mozilla.org
I'm rebuilding SLES 12's mozilla-nss-3.90-58.104.1 from a source
RPM.

This successfully builds binaries, but logic in the SPEC file triggers
a bunch of self-tests to run. Some of these tests are failing, and
I was hoping to get some guidance about correcting, or selectively
ignoring these errors.

This, of course means stock nss-3.90, but modified by SLES's ~40
patches. I acknowledge that this makes this question not at all
appropriate for this forum, but all of SLES's support forums a
patently useless, in my experience.

Anyway:

I have retained full logs of the build and test run, which I could
provide to anyone who's curious.

It ends with this:

Tests summary:
--------------
Passed: 11550
Failed: 24
Failed with core: 0
ASan failures: 0
Unknown status: 25
TinderboxPrint:Unknown: 25

The first reported failure is, (I think) is:

chains.sh: #1039: TrustAnchors: Verifying certificate(s)
NameConstraints.server2.cert NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp - PASSED
chains.sh: Verifying certificate(s) NameConstraints.server3.cert
NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp vfychain -d trustanchorsDB -pp -vv /home/breichert/testing/rpmbuild/mozilla-nss_new /BUILD/nss-3.90/nss/tests/libpkix/certs/NameConstraints.server3.cert /home/breichert/testing/rpmbuild/mozilla-nss_new/BUILD/nss-3.90/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #1040: TrustAnchors: Verifying certificate(s)
NameConstraints.server3.cert NameConstraints.intermediate.cert with flags -d trustanchorsDB -pp - FAILED

If I look for all of the FAILED messages, they're all related to
'TrustAnchors: Verifying certificate(s)'.

Does this sound like an environmental issue? Do these tests pass
with a stock 3.90 install? (I would hope so...)

I'm happy to provide more information, and will accept any advice offered.

--
Brian Reichert <reic...@numachi.com>
BSD admin/developer at large

John Schanck

unread,
Sep 28, 2023, 5:27:42 PM9/28/23
to Brian Reichert, dev-tec...@lists.mozilla.org
Hi Brian,

You can ignore those errors. NSS 3.90 shipped with a few test
certificates that expired in September. See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1813401

John
> --
> You received this message because you are subscribed to the Google Groups "dev-tec...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-cryp...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/20230928210614.GT365%40numachi.com.

Brian Reichert

unread,
Sep 29, 2023, 9:42:37 AM9/29/23
to John Schanck, Brian Reichert, dev-tec...@lists.mozilla.org
On Thu, Sep 28, 2023 at 02:27:14PM -0700, John Schanck wrote:
> Hi Brian,
>
> You can ignore those errors. NSS 3.90 shipped with a few test
> certificates that expired in September. See also:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1813401

Thank you for a succinct and informative response; that helps me
calm down. :)

I can modify this packaging to build a more recent release. I think
3.93 is the latest; is that correct?

>
> John
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/CAFgAd7EStBc0kq8CEvajakHZuGVNS-8OvX%2BJdS2b-VMh6jm1wA%40mail.gmail.com.

Martin Sirringhaus

unread,
Oct 2, 2023, 2:47:06 AM10/2/23
to Brian Reichert, dev-tec...@lists.mozilla.org
Hi Brian,

sorry for the late response! I was away the last few days.

I have backported the fix for this to SLE, but forgot to push it to our
github-page. Sorry about that.

The updated version is now here:
https://github.com/openSUSE/firefox-maintenance/tree/115esr/nss

Also, sorry that you find our forums unhelpful for these kinds of
problems. But feel free to open a bugreport on that github-page, or ping
me directly, if something like this comes up again!

Cheers,
Martin
Reply all
Reply to author
Forward
0 new messages