MacOS unit tests fail with MbedTLS #2694

Closed
scaprile opened this issue Apr 8, 2024 · 9 comments

@scaprile
Collaborator

scaprile commented Apr 8, 2024

FAILURE test/unit_test.c:1188: fetch(&mgr, buf, url, "GET /a.txt HTTP/1.0\n\n") == 200
scaprile changed the title from "MacOS unit tests fail with MbedTLS and POLL, pass with SELECT" to "MacOS unit tests fail with MbedTLS" on Apr 8, 2024
@cpq
Member

cpq commented Apr 17, 2024

@scaprile Any pointer to the failing test?
Works fine on my local Mac workstation

@scaprile
Collaborator Author

@cpq This is the test log. Fails consistently every night:

Warning: jq 1.7.1 is already installed and up-to-date.
To reinstall 1.7.1, run:
  brew reinstall jq
Warning: openssl@3 3.2.1 is already installed and up-to-date.
To reinstall 3.2.1, run:
  brew reinstall openssl@3
==> Downloading https://ghcr.io/v2/homebrew/core/mbedtls/manifests/3.6.0
==> Fetching mbedtls
==> Downloading https://ghcr.io/v2/homebrew/core/mbedtls/blobs/sha256:9133411777538739ca2650304d440cc1ae16884e3b601835cf2d2429c3063f39
==> Pouring mbedtls--3.6.0.monterey.bottle.tar.gz
🍺  /usr/local/Cellar/mbedtls/3.6.0: 198 files, 13MB
24s
Run make test ASAN_OPTIONS= MBEDTLS=`echo /usr/local/Cellar/mbedtls*/*` OPENSSL=`echo /usr/local/Cellar/openssl*/*`
[...]
235d1  3 net.c:202:mg_listen            1 4 https://localhost:12347
235d1  3 net.c:177:mg_connect           2 -1 https://localhost:12347
235d1  3 sock.c:386:mg_connect_resolved 2 5 -> 127.0.0.1:12347 pend
235d1  3 tls_mbed.c:107:mg_tls_init     2 Setting TLS
235d1  3 tls_mbed.c:135:mg_tls_init     2 hostname verification: localhost
235d4  1 event.c:31:mg_error            2 5 TLS handshake: -0x6c00
235d4  3 net.c:151:mg_close_conn        2 5 closed
235d4  3 sock.c:441:accept_conn         3 5 accepted 127.0.0.1:49190 -> 127.0.0.1:12347
235d4  3 tls_mbed.c:107:mg_tls_init     3 Setting TLS
235d5  3 sock.c:296:read_conn           3 5 0:0:0 -1 err 25
235d5  3 net.c:151:mg_close_conn        3 5 closed
FAILURE test/unit_test.c:1191: fetch(&mgr, buf, url, "GET /a.txt HTTP/1.0\n\n") == 200

@scaprile
Collaborator Author

While cleaning up str.h, I noticed a failure on my machine, maybe it shines some light. I added an MG_INFO to show the path taken in mg_tls_init():

15e1c930 3 net.c:202:mg_listen          1 4 https://localhost:12347
15e1c930 3 net.c:177:mg_connect         2 -1 https://localhost:12347
15e1c930 3 sock.c:386:mg_connect_resolv 2 5 -> 127.0.0.1:12347 pend
15e1c930 3 tls_mbed.c:107:mg_tls_init   2 Setting TLS
15e1c930 2 tls_mbed.c:131:mg_tls_init   LOAD CERT
15e1c930 3 tls_mbed.c:137:mg_tls_init   2 hostname verification: localhost
15e1c931 3 sock.c:441:accept_conn       3 6 accepted 127.0.0.1:55006 -> 127.0.0.1:12347
15e1c931 3 tls_mbed.c:107:mg_tls_init   3 Setting TLS
15e1c931 2 tls_mbed.c:128:mg_tls_init   VERIFY_NONE
15e1c949 1 event.c:31:mg_error          2 5 TLS handshake: -0x2700
15e1c949 3 net.c:151:mg_close_conn      2 5 closed
15e1c949 1 event.c:31:mg_error          3 6 TLS handshake: -0x7780
15e1c949 3 net.c:151:mg_close_conn      3 6 closed
FAILURE unit_test.c:1193: fetch(&mgr, buf, url, "GET /a.txt HTTP/1.0\n\n") == 200

@hotraygroup

hotraygroup commented May 6, 2024

When using mbedtls 3.x and TLS 1.3, you must call psa_crypto_init before the TLS handshake, otherwise this error will occur: TLS handshake: -0x6c00

Like this: ihotray/libiot@3e7bf9f

@scaprile
Collaborator Author

scaprile commented May 7, 2024

@hotraygroup Thank you, can you please explain why and how this is related to this issue? We are not using PSA and there is no such error in the log above.
https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/
Can you also explain why tests on Ubuntu 22.04 pass?

@cpq
Member

cpq commented May 8, 2024

Yes, apparently this psa init is required for the newer versions of mbedTLS.
The reason tests pass on Ubuntu is, I guess, the difference in mbedTLS versions used on Mac vs Linux.

@hotraygroup

> @hotraygroup Thank you, can you please explain why and how this is related to this issue? We are not using PSA and there is no such error in the log above. https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/ Can you also explain why tests on Ubuntu 22.04 pass?

Mbed-TLS/mbedtls#9072 (comment)

Maybe this issue is only in 3.6 LTS.

a8jan added a commit to a8jan/fujinet-firmware that referenced this issue May 16, 2024
@a8jan

a8jan commented May 16, 2024

I can confirm only Mbed-TLS 3.6 (default version via brew on macOS) was not working with mongoose (TLS handshake: -0x6c00), previous 3.5.2 worked fine.
It was fixed with changes taken from #2745
Thank you!

@cpq
Member

cpq commented May 17, 2024

Apparently the root cause for it is this:
Mbed-TLS/mbedtls#7075 : If the connection to the target server uses TLS 1.3, then MBEDTLS_SSL_VERIFY_NONE (i.e. no CA) does not work. mbedTLS still fails with "CA required".

Closing this.
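
Added example (not part of the original thread and not Mongoose or Mbed TLS code): a small C decoder for the `TLS handshake: -0x....` lines in the logs above, which names the three return codes that appear there. The code-to-name mapping is taken from the Mbed TLS headers; the function names `parse_tls_error` and `lookup` and the hint strings are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Codes from this thread, names per Mbed TLS ssl.h/x509.h; hints are this example's wording. */
struct tls_err { int code; const char *name, *hint; };
static const struct tls_err KNOWN[] = {
  {0x6c00, "MBEDTLS_ERR_SSL_INTERNAL_ERROR",
   "internal failure; the thread ties it to a missing psa_crypto_init()"},
  {0x2700, "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED",
   "certificate verification failed (CA, CRL or signature)"},
  {0x7780, "MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE",
   "the peer sent a fatal alert; check the peer's own error"},
};

/* Returns the positive magnitude of the code in a Mongoose
 * "TLS handshake: -0x...." line, or 0 if the line has no such error. */
int parse_tls_error(const char *line) {
  static const char tag[] = "TLS handshake: -0x";
  const char *p = strstr(line, tag);
  if (p == NULL || !isxdigit((unsigned char) p[sizeof(tag) - 1])) return 0;
  unsigned long v = strtoul(p + sizeof(tag) - 1, NULL, 16);
  return (v == 0 || v > 0x7fff) ? 0 : (int) v;
}

/* Mbed TLS sums a high-level code (bits 7..14) and a low-level one (bits 0..6); match on the high part. */
const struct tls_err *lookup(int code) {
  for (size_t i = 0; i < sizeof(KNOWN) / sizeof(KNOWN[0]); i++)
    if (KNOWN[i].code == (code & 0x7f80)) return &KNOWN[i];
  return NULL;
}

int main(void) {
  const char *log[] = {  /* lines copied from the logs in this thread */
    "235d4  1 event.c:31:mg_error            2 5 TLS handshake: -0x6c00",
    "235d5  3 sock.c:296:read_conn           3 5 0:0:0 -1 err 25",
    "15e1c949 1 event.c:31:mg_error          2 5 TLS handshake: -0x2700",
    "15e1c949 1 event.c:31:mg_error          3 6 TLS handshake: -0x7780",
  };
  for (size_t i = 0; i < sizeof(log) / sizeof(log[0]); i++) {
    int code = parse_tls_error(log[i]);
    const struct tls_err *e = code ? lookup(code) : NULL;
    if (code != 0)  /* skip lines that are not TLS handshake errors */
      printf("-0x%04x %s: %s\n", (unsigned) code, e ? e->name : "unknown",
             e ? e->hint : "see mbedtls/error.h");
  }
  return 0;
}
```

In the second log above, connection 2 (the client) reports the certificate failure and connection 3 (the server) reports only the resulting fatal alert, so the client-side line is the one to investigate.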

cpq closed this as completed on May 17, 2024