Platform: Linux alexaub.svl.corp.google.com 4.19.37-2rodete1-amd64 #1 SMP Debian 4.19.37-2rodete1 (2019-05-15 > 2018) x86_64 GNU/Linux
Subsystem: test
In Debian testing, the latest openssl sets the default required security level to 2 in /etc/ssl/openssl.cnf (link). This requires (among other things, described here) that certs/keys be at least of a certain length depending on cipher.
Some of the keys under test/fixtures/ don't satisfy seclevel 2, and cause tests to fail when node's openssl reads that openssl.cnf.
Here's the output of python tools/test.py -J -p tap --logfile=test.log. 180 tests fail due to errors like ERR_SSL_EE_KEY_TOO_SMALL.
The issue can be avoided by changing the line CipherString = DEFAULT@SECLEVEL=2 to CipherString = DEFAULT@SECLEVEL=1 in /etc/ssl/openssl.cnf. However, beware that this is globally reducing the required security on your machine.
I figure that this issue can be solved by regenerating the troublesome keys/certs with a greater size -- probably 2048 bits for RSA/DSA/DH and 256 for ECC. I've been looking into this, and I would be happy to take a crack at it! The changes would be similar to #3759, and I think that it would also be good to move the certs under test/fixtures/ to be under test/fixtures/keys/ and generate them in the Makefile.
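
One way to find which fixture certificates fall below security level 2, as an added example that is not part of the original issue or the node repository. It assumes the `openssl` CLI is on PATH and uses the key-size minimums OpenSSL documents for level 2 (RSA/DSA 2048 bits, EC 224 bits); the script name `audit.sh` and the helper names are hypothetical, and the sample certificate it can generate is constructed.

```shell
#!/bin/sh
# Added example (not from the node repo): flag PEM certificates whose public
# key is below the OpenSSL security level 2 minimums.
MIN_RSA_DSA=2048   # RSA and DSA keys, in bits
MIN_EC=224         # elliptic-curve keys, in bits

# key_info FILE: print "<algorithm> <bits>" as reported by `openssl x509 -text`.
key_info() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /Public Key Algorithm:/ { alg = $NF }
    /Public-Key: \(/ && !seen++ { gsub(/[^0-9]/, ""); print alg, $0 }'
}

# check_cert FILE: 0 = meets level 2, 1 = key too small, 2 = not assessed
# (not a certificate, or an algorithm this sketch does not size, e.g. Ed25519).
check_cert() {
  info=$(key_info "$1")
  [ -n "$info" ] || return 2
  alg=${info% *}
  bits=${info#* }
  case "$alg" in
    rsaEncryption|dsaEncryption) min=$MIN_RSA_DSA ;;
    id-ecPublicKey)              min=$MIN_EC ;;
    *) return 2 ;;
  esac
  [ "$bits" -ge "$min" ]
}

# audit_dir DIR: list undersized certs in DIR (not recursive); returns 1 if any.
audit_dir() {
  found=0
  for f in "$1"/*.pem "$1"/*.crt; do
    [ -f "$f" ] || continue
    st=0
    check_cert "$f" || st=$?
    [ "$st" -eq 1 ] || continue
    echo "below SECLEVEL=2: $f ($info bits, minimum $min)"
    found=1
  done
  return "$found"
}

# make_sample_cert BITS OUT: constructed self-signed RSA cert for trying the check.
make_sample_cert() {
  openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
    -subj "/CN=constructed-sample" -days 1 2>/dev/null
}

# Usage: sh audit.sh test/fixtures/keys
[ "$#" -eq 0 ] || audit_dir "$1"
```

The check covers only the public key size in each certificate; security level 2 also restricts other things, such as DH parameters, which this script does not inspect.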