Fedora 44 test fixes #13198
Open
bneradt wants to merge 3 commits into
Pull request overview
This PR updates ATS test harnesses and unit tests to remain compatible with newer Fedora 44 container/crypto-policy behavior, focusing on TLS legacy-protocol detection, curl output expectations, and JSONRPC Unix-domain socket placement.
Changes:
- Update TLS legacy protocol test gating to probe real OpenSSL handshakes instead of relying on flag acceptance / closed-port behavior.
- Adjust TLS cert-select gold test expectations to match newer curl/OpenSSL verification output.
- Move JSONRPC unit test socket/lock paths into a per-run temporary directory to avoid bind-mount UDS issues.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/gold_tests/tls/tls_check_cert_select_plugin.test.py | Updates curl failure-output matching for the bad-CA cert selection scenario. |
| tests/gold_tests/autest-site/conditions.test.ext | Adds an OpenSSL s_server-based probe to gate legacy TLS tests on actual handshake capability. |
| src/mgmt/rpc/server/unit_tests/test_rpcserver.cc | Uses a temp directory for JSONRPC socket/lock files and cleans it up at test-run end. |
added 3 commits
May 23, 2026 22:10
Fedora 44 crypto policy can accept legacy TLS command-line flags while rejecting real TLS 1.0 and 1.1 handshakes. Closed-port probes therefore let legacy TLS AuTests run in environments where the protocol cannot actually negotiate. This uses the AuTest port allocator to start a local OpenSSL server and probe a real handshake before enabling those tests. The same helper also gates curl TLS-version checks so both probes reflect runtime policy rather than option parsing.
Newer curl and OpenSSL versions still return 60 for the bad-CA case, but their verbose output includes the presented certificate and uses different verification text. The old expectation made the cert-selection AuTest depend on wording that varies by toolchain. This keeps the assertion on the stable certificate-verification failure and checks that the selected certificate is for bar.com, while still rejecting the foo.com certificate in that failure path.
Docker bind mounts can reject Unix-domain socket connects even after the socket inode is created. The JSONRPC Catch test hit that behavior in the Fedora 44 container when its socket was under the bind-mounted tree. This moves the socket and lock into a per-run temporary directory and defers setup to Catch startup so failures are reported by the test framework. This also falls back to a short /tmp path when the temp path would exceed Unix socket limits.
Comment on lines +266 to +275
| Get a port number from the same allocator used by get_port(). | ||
|
|
||
| This is useful for helper code that needs a temporary listening port but | ||
| does not have an AuTest object with Setup hooks for recycling it. | ||
|
|
||
| Returns: | ||
| A port value. | ||
| """ | ||
| port, _ = _reserve_port() | ||
| return port |
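Review bot: `port, _ = _reserve_port()` throws away the second value the allocator returns, and the docstring says the caller has no Setup hook to recycle the port, so nothing visible here keeps the port reserved or ever gives it back. If the discarded value is what holds the reservation, another process can take the port before the helper binds to it; consider returning both values, or state in the docstring that the caller must bind immediately and tolerate a bind failure. The "Returns: A port value." line could also say that the port is not held open for the caller.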
Comment on lines +94 to +99
|
|
||
| port = get_port_number() | ||
| server = subprocess.Popen( | ||
| [ | ||
| "openssl", | ||
| "s_server", |
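Review bot: Between `port = get_port_number()` and the `subprocess.Popen([... "openssl", "s_server", ...` call, nothing in the lines shown confirms that s_server is listening before the probe connects. A refused connection (server still starting, or the port lost to another process) would look the same as a policy-rejected handshake and silently disable the legacy TLS tests; wait for the listener with a bounded retry and report "server never came up" as a result distinct from "handshake refused". Because "openssl" is resolved through PATH, a comment noting that the probe should use the same OpenSSL the tests exercise would also help.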
Comment on lines +43 to +44
| process.kill() | ||
| process.wait(timeout=2) |
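Review bot: `process.wait(timeout=2)` after `process.kill()` can still raise `subprocess.TimeoutExpired`, and nothing in these two lines catches it, so a stuck child would turn cleanup into an exception raised from the condition helper. Catch the timeout around the wait and log it, and consider trying `process.terminate()` first so the server gets a chance to close its listening socket before it is killed.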
This collects the remaining Fedora 44 test compatibility fixes after the build-only changes were split out.
- Probe legacy TLS handshakes in tests: Fedora 44 crypto policy can accept OpenSSL TLS version flags while still rejecting real TLS 1.0 and 1.1 handshakes. The AuTest condition now probes an actual local OpenSSL handshake before enabling legacy TLS tests, so the tests only run when the environment can complete the requested protocol.
- Update cert select curl expectation: newer curl/OpenSSL still returns the same certificate verification failure code for the bad CA case, but the output includes the presented certificate and uses different verification text. The test now checks the stable verification failure and confirms that the selected certificate is for bar.com.
- Use temp socket path in JSONRPC test: Fedora 44 container bind mounts can reject Unix-domain socket connects even after the socket inode exists. The JSONRPC Catch test now places its server socket and lock in the local temporary directory so it works in the Fedora 44 container while remaining compatible with earlier environments.
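The socket placement described in the JSONRPC commit message (per-run temporary directory, fallback to a short /tmp path when the socket path would be too long), sketched in Python as an added example; it is not the PR's C++ test code. `make_socket_dir`, `roundtrip`, the `rpc-` prefix and the `jsonrpc.sock` name are hypothetical, and the 108-byte limit assumes Linux.

```python
import os
import shutil
import socket
import tempfile

# Assumption: Linux, where sockaddr_un.sun_path is 108 bytes including the
# trailing NUL (some BSDs use 104).
SUN_PATH_MAX = 108


def fits_sun_path(path: str) -> bool:
    """True if path plus its NUL terminator fits in sun_path."""
    return len(os.fsencode(path)) + 1 <= SUN_PATH_MAX


def make_socket_dir(preferred_base: str, sock_name: str = "jsonrpc.sock",
                    fallback_base: str = "/tmp") -> str:
    """Create a private per-run directory whose socket path fits sun_path.

    mkdtemp() creates the directory with mode 0700 and a random suffix, so
    other local users cannot pre-create or replace the socket inside it.
    """
    for base in (preferred_base, fallback_base):
        run_dir = tempfile.mkdtemp(prefix="rpc-", dir=base)
        if fits_sun_path(os.path.join(run_dir, sock_name)):
            return run_dir
        shutil.rmtree(run_dir)  # path too long: discard, try the short base
    raise OSError("no base directory yields a socket path within sun_path")


def roundtrip(run_dir: str, sock_name: str = "jsonrpc.sock") -> bytes:
    """Bind, connect and send once: proves the socket accepts connections,
    not merely that its inode could be created."""
    path = os.path.join(run_dir, sock_name)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            cli.connect(path)
            conn, _ = srv.accept()
            with conn:
                cli.sendall(b"ping")
                return conn.recv(4)
```

The caller owns the returned directory and should remove it with `shutil.rmtree()` at the end of the run.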