A Couple of snakeoil CA tests fail using OpenSSL 1.0.2a
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Barbican |
Fix Released
|
Medium
|
Juan Antonio Osorio Robles |
Bug Description
While running the unit tests I'm getting the following error:
=======
FAIL: barbican.
tags: worker-3
-------
Empty attachments:
stderr
stdout
Traceback (most recent call last):
File "/home/
order_meta, {}, {})
File "/home/
csr = crypto.
File "/home/
_raise_
File "/home/
raise exceptionType(
OpenSSL.
=======
FAIL: barbican.
tags: worker-1
-------
Empty attachments:
stderr
stdout
Traceback (most recent call last):
File "/home/
order_meta, {}, {})
File "/home/
csr = crypto.
File "/home/
_raise_
File "/home/
raise exceptionType(
OpenSSL.
Which on further investigation turns it it happens due to some changes that happened in OpenSSL recently. So, what happens now is that certain OIDs from the ASN.1 structure have been removed with the aim of only being able to load valid CSRs. It can be reproduced in OpenSSL 1.0.2a by generating a CSR without either the public key or the signature.
Upon reporting the behaviour to the OpenSSL developers, I got the response that this is indeed the desired behaviour:
http://<email address hidden>
http://<email address hidden>
The OpenStack gate is using OpenStack 1.0.1f, so in this version loading CSRs generated without a signature actually works.
Changed in barbican: | |
assignee: | nobody → Juan Antonio Osorio Robles (juan-osorio-robles) |
Changed in barbican: | |
milestone: | none → kilo-rc1 |
importance: | Undecided → Medium |
Changed in barbican: | |
status: | Fix Committed → Fix Released |
Changed in barbican: | |
milestone: | kilo-rc1 → 2015.1.0 |
Fix proposed to branch: master /review. openstack. org/172714
Review: https:/