Skip to content

ci: workaround for nix + gnutls + ubuntu24 issue #5345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 2, 2025
Merged

ci: workaround for nix + gnutls + ubuntu24 issue #5345

merged 1 commit into from
Jun 2, 2025

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented May 30, 2025
edited
Loading

Release Summary:

Resolved issues:

Description of changes:

@johubertj ran into an interesting issue where he couldn't run our integration tests even using Nix because GnuTLS flagged any priority string containing TLS1.0 or TLS1.1 as invalid. We traced the problem to the "etc/gnutls/config" file on his Ubuntu24 instance, which disabled TLS1.0 and TLS1.1. Nix wasn't overriding the config file when installing or running gnutls, so the system config file was used. See https://www.gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html.

We should probably fix this in the upstream Nix repo, but we can work around the problem for now by setting the GNUTLS_SYSTEM_PRIORITY_FILE in our own Nix shell.

Testing:

I created an /etc/gnutls/config file on my EC2 instance:

[overrides]
disabled-version = tls1.0

GnuTLS run from nix develop then report no TLS1.0 support:

[nix openssl-3.0] $ gnutls-cli --list | grep Protocols
Protocols: VERS-TLS1.1, VERS-TLS1.2, VERS-TLS1.3, VERS-DTLS0.9, VERS-DTLS1.0, VERS-DTLS1.2

After applying this fix, even with the config file still in place, GnuTLS started reporting TLS1.0 support again:

[nix openssl-3.0] $ gnutls-cli --list | grep Protocols
Protocols: VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2, VERS-TLS1.3, VERS-DTLS0.9, VERS-DTLS1.0, VERS-DTLS1.2

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label May 30, 2025
@lrstewart lrstewart marked this pull request as ready for review May 30, 2025 23:34
@lrstewart lrstewart requested review from johubertj and dougch May 30, 2025 23:35
@dougch dougch added this pull request to the merge queue Jun 2, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jun 2, 2025
@lrstewart lrstewart added this pull request to the merge queue Jun 2, 2025
Merged via the queue into aws:main with commit a8d4e6d Jun 2, 2025
63 of 64 checks passed
@lrstewart lrstewart deleted the gnutls_fix branch June 2, 2025 18:31
@BrewTestBot BrewTestBot mentioned this pull request Jun 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johubertj johubertj johubertj approved these changes

@dougch dougch dougch approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lrstewart @johubertj @dougch