GHA/macos: enable HTTPS tests with stunnel #14486
Closed
AkiSakurai wants to merge 5 commits into curl:master from AkiSakurai:macos
Conversation
vszakats requested changes, Aug 11, 2024
vszakats reviewed, Aug 12, 2024
vszakats reviewed, Aug 12, 2024
vszakats reviewed, Aug 12, 2024
Member
Contributor
• Regenerate Certificates (as SecureTransport requires a validity period less than 398 days).

This is going to be a problem. This implies that someone is going to have to manually regenerate the certificates in the curl repo at least once a year? Which, if not done, will cause not just macOS but ALL targets to fail? Which will furthermore cause anyone running a curl test suite from a release that's more than a year old (at most) also to fail? This just isn't going to fly. Especially since SecureTransport seems to be on its way out.

Member
We can do the regeneration on each run, for Secure Transport jobs.
vszakats reviewed, Aug 14, 2024
vszakats reviewed, Aug 14, 2024
vszakats reviewed, Aug 14, 2024
- Install Stunnel.
- Regenerate Certificates (as SecureTransport requires a validity period less than 398 days).
- Restart Server if It Is Unresponsive.
- Do Not Hardcode the SHA-256 Base64 Public Pinned Key.
- Ignore test 313 as SecureTransport does not support crl file.
- Ignore tests 1631 and 1632 as SecureTransport is not yet able to shut down FTP over HTTPS gracefully.
- Add a CMake Target for generating certificates.
Co-authored-by: Viktor Szakats <[email protected]>
vszakats approved these changes, Aug 19, 2024

Member
Thank you @AkiSakurai, merged!
vszakats added a commit to vszakats/curl that referenced this pull request, Aug 23, 2024

- FAIL 2037: 'simple HTTPS GET with PEM public key pinning' HTTPS, HTTP GET, PEM certificate
  https://github.com/curl/curl/actions/runs/10529314166/job/29176801513?pr=14658
- FAIL 2041: 'simple HTTPS GET with base64-sha256 public key pinning' HTTPS, HTTP GET, PEM certificate
  https://github.com/curl/curl/actions/runs/10529181645/job/29176408976#step:16:4363
  https://github.com/curl/curl/actions/runs/10529019749/job/29175882809#step:13:5235
  https://github.com/curl/curl/actions/runs/10528920874/job/29175559070#step:16:4363
  https://github.com/curl/curl/actions/runs/10528759817/job/29175043048#step:16:4274
  https://github.com/curl/curl/actions/runs/10525250422/job/29163662307#step:16:4366
  https://github.com/curl/curl/actions/runs/10525250422/job/29163662602#step:13:3569

Happened with cmake, autotools, gcc, clang and various TLS backends.

Follow-up to fa461b4 curl#14486
vszakats added a commit that referenced this pull request, Aug 23, 2024

- FAIL 2037: 'simple HTTPS GET with PEM public key pinning' HTTPS, HTTP GET, PEM certificate
  https://github.com/curl/curl/actions/runs/10529314166/job/29176801513?pr=14658
- FAIL 2041: 'simple HTTPS GET with base64-sha256 public key pinning' HTTPS, HTTP GET, PEM certificate
  https://github.com/curl/curl/actions/runs/10529181645/job/29176408976#step:16:4363
  https://github.com/curl/curl/actions/runs/10529019749/job/29175882809#step:13:5235
  https://github.com/curl/curl/actions/runs/10528920874/job/29175559070#step:16:4363
  https://github.com/curl/curl/actions/runs/10528759817/job/29175043048#step:16:4274
  https://github.com/curl/curl/actions/runs/10525250422/job/29163662307#step:16:4366
  https://github.com/curl/curl/actions/runs/10525250422/job/29163662602#step:13:3569

Happened with cmake, autotools, gcc, clang and various TLS backends.

Follow-up to fa461b4 #14486
Closes #14667
vszakats added a commit to vszakats/curl that referenced this pull request, Oct 2, 2024

Fixes intermittent CI failure because the shell-based random generator generated the same number twice:
```
$ openssl ca -config EdelCurlRoot-ca.cnf -revoke Server-localhost0h-sv.crt
Using configuration from EdelCurlRoot-ca.cnf
ERROR:Already revoked, serial number 66FDB23A
make: *** [../../../tests/certs/Server-localhost0h-sv.pem] Error 1
```
https://github.com/curl/curl/actions/runs/11151401083/job/30994755798?pr=15128#step:10:498

Follow-up to fa461b4 curl#14486
Follow-up to fa69b41 curl#13307
vszakats added a commit that referenced this pull request, Oct 2, 2024

Generate the certificate serial numbers automatically instead of doing from shell (or Perl earlier).

Fixes intermittent CI failures due to the shell-based random generator generating the same serial number twice:
```
$ openssl ca -config EdelCurlRoot-ca.cnf -revoke Server-localhost0h-sv.crt
Using configuration from EdelCurlRoot-ca.cnf
ERROR:Already revoked, serial number 66FDB23A
make: *** [../../../tests/certs/Server-localhost0h-sv.pem] Error 1
```
https://github.com/curl/curl/actions/runs/11151401083/job/30994755798?pr=15128#step:10:498

Follow-up to fa461b4 #14486
Follow-up to fa69b41 #13307
Closes #15129
vszakats added a commit to vszakats/curl that referenced this pull request, Mar 6, 2025

https://github.com/curl/curl/actions/runs/13683996410/job/38262956317 with LibreSSL
https://github.com/curl/curl/actions/runs/13680682695/job/38252047077 with wolfSSL

Following GHA/macos.

Ref: fa461b4 curl#14486
vszakats added a commit that referenced this pull request, Mar 6, 2025

We already marked them flaky in GHA/macos CI. They are also flaky in other CI jobs, in other OSes, with multiple TLS backends:
- MSVC/LibreSSL: https://github.com/curl/curl/actions/runs/13683996410/job/38262956317
- MSVC/wolfSSL: https://github.com/curl/curl/actions/runs/13680682695/job/38252047077
- FreeBSD/OpenSSL3: https://github.com/curl/curl/actions/runs/13690910863/job/38283867721#step:3:1

Ref: fa461b4 #14486
Closes #16584
vszakats added a commit that referenced this pull request, Mar 27, 2025

Before this patch the curl repository and source tarball distribution contained test certificates as binary blobs. Used by runtests. Drop these certificates in favor of generating them dynamically as part of the build process. Both via autotools and CMake.

As part of this, improve certificates, the generator script and process, file layout, and fix any issue to make it work fast and smooth both in CI and local builds.

Note, cert generator scripts require OpenSSL >=1.0.2 (or LibreSSL >=3.1.0). Generation requires POSIX shell, also with CMake. Without a POSIX shell tests relying on TLS (and stunnel) will fail.

Details:
- build: generate certs as part of the test run process.
- build, tests: generate certs in the build directory.
- binarycheck: drop concept of known binary files with hashes.
- binarycheck: move binary check logic into spacecheck and drop this separate checker tool.
- build: fix to clean all cert files.
- autotools: fix to not run leaf cert generators in parallel. To avoid confusion when updating the revocation database and counter.
- scripts: drop `scripts` subdir, merge two scripts into one, auto-generate root cert, allow generating multiple leafs at once.
- scripts: switch to EC-256 keys (was: RSA-2048). For key size and perf.
- scripts: drop `-x` echo, text dumps, most other output. To avoid log noise and make it quicker in CI.
- scripts: make it non-RSA-specific.
- scripts: delete unused code.
- scripts: use POSIX shell shebang. Some envs don't have bash (Alpine).
- scripts: pass test pseudo-secrets via the command-line. To avoid:
  ```
  + openssl genrsa -out test-ca.key -passout fd:0 2048
  Invalid password argument, starting with "fd:"
  ```
- cmake: fix to launch generator scripts via the detected POSIX shell.
- cmake: fix `build-certs` rule to not depend on `SRPFILES` (`srp-verifier-*`).
- cmake: drop `EXCLUDE_FROM_ALL` for the cert subdir. It makes the Visual Studio generator miss to create the `clean-certs`, `build-certs` targets. No target depends on them, so they don't execute implicitly anyway. Fixes:
  ```
  MSBUILD : error MSB1009: Project file does not exist.
  Switch: clean-certs.vcxproj
  ```
- cmake: add `VERBATIM USES_TERMINAL` to `build-certs` target.
- GHA/linux: install openssl on Alpine, for the cert generator scripts.

Follow-up to 556f722 #16593
Follow-up to fa461b4 #14486
Closes #16824
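The regeneration-per-run and "do not hardcode the pin" items from the PR summary, together with the EC-256 keys, build-directory output and OpenSSL-generated serials from the Mar 27, 2025 and Oct 2, 2024 commits above, as an added example that is not curl's own tests/certs generator: it mints a throwaway test CA and a localhost leaf valid for fewer than 398 days, draws the serial from OpenSSL's random generator instead of the shell, and derives the `sha256//` pin from the generated key at run time. `WORKDIR`, the file names and the function names are assumptions; only `openssl` on PATH is required.

```shell
#!/bin/sh
# Added example, not curl's own generator script. Requires openssl on PATH.
set -eu

# Scratch directory so generated material never lands in the source tree
# (WORKDIR and the file names below are assumed, not curl's layout).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_test_certs [days]: EC-256 test CA plus a leaf for localhost, both valid
# for fewer than 398 days (the SecureTransport limit quoted in the PR).
gen_test_certs() {
  days="${1:-365}"
  [ "$days" -lt 398 ] || { echo "validity must be below 398 days" >&2; return 1; }
  # Serial from openssl's CSPRNG, not a shell $RANDOM: the Oct 2024 commit
  # traced "Already revoked" failures to the shell generator repeating a value.
  serial="0x$(openssl rand -hex 16)"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/test-ca.key"
  openssl req -x509 -new -key "$WORKDIR/test-ca.key" -sha256 -days "$days" \
    -subj "/CN=Test CA (constructed)" -out "$WORKDIR/test-ca.crt" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/localhost.key"
  openssl req -new -key "$WORKDIR/localhost.key" -subj "/CN=localhost" \
    -out "$WORKDIR/localhost.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/localhost.csr" -CA "$WORKDIR/test-ca.crt" \
    -CAkey "$WORKDIR/test-ca.key" -set_serial "$serial" -days "$days" -sha256 \
    -out "$WORKDIR/localhost.crt" 2>/dev/null
}

# spki_pin <cert>: base64(SHA-256(DER SubjectPublicKeyInfo)), the value curl's
# --pinnedpubkey sha256// form compares against. Computed from the freshly
# generated key so regenerating certs never invalidates a hardcoded pin.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# serial_of <cert>: hex serial, used to confirm two runs never collide.
serial_of() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# under_398_days <cert>: true only if the cert is not yet expired and does
# expire within 398 days, i.e. it satisfies the SecureTransport rule.
under_398_days() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    && ! openssl x509 -in "$1" -noout -checkend $((398 * 86400)) >/dev/null
}

gen_test_certs 365
echo "pin for --pinnedpubkey: sha256//$(spki_pin "$WORKDIR/localhost.crt")"
```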