Bug 1794814 - [FTBFS] jss: FTBFS on rawhide
Summary: [FTBFS] jss: FTBFS on rawhide
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F31FTBFS F32FTBFS F30FTBFS
 
Reported: 2020-01-24 18:35 UTC by Robbie Harwood
Modified: 2020-07-28 18:56 UTC

Fixed In Version: nss-3.49.2-1.fc31
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-01 01:30:56 UTC
Type: Bug
Embargoed:




Links
System: Mozilla Foundation
ID: 1561637
Private: 0
Priority: P2
Status: RESOLVED
Summary: TLS 1.3 does not work in FIPS mode
Last Updated: 2020-07-28 18:55:32 UTC

Description Robbie Harwood 2020-01-24 18:35:15 UTC
Looks like a test suite failure of some kind:

57/67 Test #57: Enable_FipsMODE ...................................   Passed    0.19 sec
      Start 58: check_FipsMODE
58/67 Test #58: check_FipsMODE ....................................   Passed    0.18 sec
      Start 59: SSLClientAuth_FIPSMODE
59/67 Test #59: SSLClientAuth_FIPSMODE ............................***Failed    6.23 sec
Jan 24, 2020 6:33:57 PM org.mozilla.jss.CryptoManager <clinit>
INFO: CryptoManager: loading JSS library
Jan 24, 2020 6:33:57 PM org.mozilla.jss.CryptoManager <clinit>
INFO: CryptoManager: loaded JSS library from java.library.path
Jan 24, 2020 6:33:57 PM org.mozilla.jss.CryptoManager initialize
INFO: CryptoManager: initializing NSS database at /builddir/build/BUILD/jss-4.6.2/build/results/fips
***FilePasswordCallback returns m1oZilla
using port:2877
The NSS database is configured in FIPSmode.
Enable ony FIPS ciphersuites.
Server about to create socket
Server created socket
Server specified cert directly
Server about to accept
client about to connect
Client specified cert directly
client connected
Server accepted
Server about to read
Exception in thread "main" org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12188) Peer reports it experienced an internal error.
	at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
	at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
	at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:157)
	at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)
java.io.IOException: SocketException cannot read on socket
	at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1493)
	at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
	at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
	at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
	at java.lang.Thread.run(Thread.java:748)
Server exiting

      Start 60: HMAC_FIPSMODE
60/67 Test #60: HMAC_FIPSMODE .....................................   Passed    0.21 sec
      Start 61: KeyWrapping_FIPSMODE
61/67 Test #61: KeyWrapping_FIPSMODE ..............................   Passed    1.59 sec
      Start 62: Mozilla_JSS_JCA_Signature_FIPSMODE
62/67 Test #62: Mozilla_JSS_JCA_Signature_FIPSMODE ................   Passed    2.10 sec
      Start 63: JSS_Signature_test_FipsMODE
63/67 Test #63: JSS_Signature_test_FipsMODE .......................   Passed    0.99 sec
      Start 64: Disable_FipsMODE
64/67 Test #64: Disable_FipsMODE ..................................   Passed    0.19 sec
      Start 65: JUnit_GenericValueConverterTest
65/67 Test #65: JUnit_GenericValueConverterTest ...................   Passed    0.18 sec
      Start 66: JUnit_IA5StringConverterTest
66/67 Test #66: JUnit_IA5StringConverterTest ......................   Passed    0.16 sec
      Start 67: JUnit_PrintableConverterTest
67/67 Test #67: JUnit_PrintableConverterTest ......................   Passed    0.16 sec

99% tests passed, 1 tests failed out of 67

Total Test time (real) =  50.90 sec

The following tests FAILED:
	 59 - SSLClientAuth_FIPSMODE (Failed)
Errors while running CTest


RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.JSSDZx (%build)
    Bad exit status from /var/tmp/rpm-tmp.JSSDZx (%build)
Finish: rpmbuild jss-4.6.2-2.fc32.src.rpm
Finish: build phase for jss-4.6.2-2.fc32.src.rpm
ERROR: Exception(/home/rharwood/jss.fedora/master/jss-4.6.2-2.fc32.src.rpm) Config(fedora-rawhide-x86_64) 2 minutes 49 seconds
INFO: Results and/or logs in: /home/rharwood/jss.fedora/master/results_jss/4.6.2/2.fc32
INFO: Cleaning up build root ('cleanup_on_failure=True')
Start: clean chroot
Finish: clean chroot
ERROR: Command failed: 
 # bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/jss.spec

Could not execute mockbuild: Failed to execute command.
{1} (177) rharwood@seton:~/jss.fedora/master FEDORA $

Comment 1 Alex Scheel 2020-01-24 18:40:55 UTC
This looks to be a bug in NSS's handling of FIPS mode with TLS 1.3.

Changing component to NSS and adding upstream tracking bug.

Comment 2 Alex Scheel 2020-01-24 18:52:13 UTC
According to Koschei, this was caused by rebasing NSS from 3.47 to 3.48 -- across all Fedora releases.

https://koschei.fedoraproject.org/build/7470014 - Rawhide
https://koschei.fedoraproject.org/build/7479536 - F31
https://koschei.fedoraproject.org/build/7479509 - F30

Perhaps this change should be reverted or NSS patched to not advertise TLS 1.3 support in FIPS mode?

It isn't good to break shipped Fedora releases...

Comment 3 Fedora Release Engineering 2020-01-26 04:23:27 UTC
Dear Maintainer,

your package has not been built successfully in 31. Action is required from you.

If you can fix your package to build, perform a build in koji, and either create
an update in bodhi, or close this bug without creating an update, if updating is
not appropriate [1]. If you are working on a fix, set the status to ASSIGNED to
acknowledge this. Following the latest policy for such packages [2], your package
will be orphaned if this bug remains in NEW state more than 8 weeks.

A week before the mass branching of Fedora 32 according to the schedule [3],
any packages not successfully rebuilt at least on Fedora 30 will be
retired regardless of the status of this bug.

[1] https://fedoraproject.org/wiki/Updates_Policy
[2] https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/
[3] https://fedoraproject.org/wiki/Releases/32/Schedule

Comment 4 Daiki Ueno 2020-01-27 09:14:46 UTC
(In reply to Alex Scheel from comment #2)
> According to Koschei, this was caused by rebasing NSS from 3.47 to 3.48 --
> across all Fedora releases.
> 
> https://koschei.fedoraproject.org/build/7470014 - Rawhide
> https://koschei.fedoraproject.org/build/7479536 - F31
> https://koschei.fedoraproject.org/build/7479509 - F30
> 
> Perhaps this change should be reverted or NSS patched to not advertise TLS
> 1.3 support in FIPS mode?
> 
> It isn't good to break shipped Fedora releases...

OK, let me revert the change until the HKDF is really implemented in PKCS #11.
(It would also be possible to disable TLS 1.3 in FIPS mode, but it's not trivial and would remove the capability to detect misconfiguration)

Comment 6 Fedora Update System 2020-01-31 01:29:20 UTC
nss-3.49.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-edf1518315

Comment 7 Fedora Update System 2020-02-01 01:30:56 UTC
nss-3.49.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

