Skip to content

Draft: Fix tests

Daniel Lenski requested to merge mark_obsolete-server-crypt_test_as_XFAIL_on_Fedora_GnuTLS into master

  • Mark juniper-sso-auth test as using LD_PRELOAD

    This will allow us to correctly detect it as broken-under-ASAN

  • Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI

    The system-wide minimum crypto policy on Fedora prevents us from enabling 3DES and RC4 ciphers via GnuTLS priority strings, and the library-reinitialization hack added in !158 (merged) does not work reliably to disable system-wide minimum crypto policy. Its unreliability is perhaps due to insufficient testing of this code path (see #243 (comment 576194663)).

    Rather than pre-disable or delete the system-wide crypto policy in these CI builds, we should mark obsolete-server-crypto test as XFAIL for these builds. It's the most accurate description of the state of those tests: these environments do not provide OpenConnect with the capabilities to reliably enable obsolete/insecure crypto algorithms in a self-contained way.

    See https://bugzilla.redhat.com/show_bug.cgi?id=1960763 for ongoing discussions about how to come up with a more reliable, testable, and maintainable mechanism for OpenConnect to enable these algorithms without compromising the system-wide minimum crypto policy.

Edited by Daniel Lenski

Merge request reports