Issue #6089 has been updated by bkabrda (Bohuslav Kabrda).


MartinBosslet (Martin Bosslet) wrote:
> bkabrda (Bohuslav Kabrda) wrote:
> > Hi Martin,
> > so OpenSSL v 1.0.1 is now public [1] and the problem seems to stay. I myself am not SSL expert, but why exactly should signing DSS1 with RSA2048 be a mismatch? I think that it's actually the right behaviour that it doesn't.
> 
> Sorry, I didn't respond clearly to your question. The only reason why DSS1 is not a match with RSA is that OpenSSL aliased SHA-1 as DSS1 and initially only allowed DSS1 to be used within contexts of DSA signatures. The DSA standard seems to state something along those lines, although DSS1 is really exactly the same thing. So in a way, yes, we were asserting quirky behavior of OpenSSL with those tests rather than asserting "bare truths" :)
>  
> @Vit: To fix this quickly, I will only enable those tests for OpenSSL versions strictly smaller than 1.0.1.
> 
> @Bohuslav: As for drb, Masatoshi Seki is the maintainer, could you please open a separate ticket and assign it to him, while probably referencing this one?

David, thank you very much. I opened the issue for drb: https://bugs.ruby-lang.org/issues/6221.
----------------------------------------
Bug #6089: Test suite fails with OpenSSL 1.0.1
https://bugs.ruby-lang.org/issues/6089#change-25354

Author: vo.x (Vit Ondruch)
Status: Closed
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: 
Target version: 
ruby -v: 	ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]


It seems that the patch [1] changes the behavior of openssl and makes the test_x509cert.rb fail:

  1) Failure:
test_dsig_algorithm_mismatch(OpenSSL::TestX509Certificate) [test/openssl/test_x509cert.rb:175]:
OpenSSL::X509::CertificateError expected but nothing was raised.


I also notified Fedora's openssl maintainer about these issues [2].


[1] http://cvs.openssl.org/filediff?f=openssl/crypto/asn1/a_sign.c&v1=1.21.4.1&v2=1.21.4.2
[2] https://bugzilla.redhat.com/show_bug.cgi?id=797217


-- 
http://bugs.ruby-lang.org/