Tests failing in Void Linux build [help wanted]

[MIvanchev]

Hey, I'm working on updating Node for Void Linux and some tests are failing. Some I've identified as "flaking" (regarding the issues here) but some are a mystery, for example https://github.com/void-linux/void-packages/actions/runs/9210435171/job/25337434027?pr=50485#step:7:11059

=== release test-https-client-checkServerIdentity ===
Path: parallel/test-https-client-checkServerIdentity
/builddir/nodejs-20.13.1/test/parallel/test-https-client-checkServerIdentity.js:71
    throw err;
    ^

Error: CA certificate key too weak
    at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1085:8)
    at ssl.onhandshakedone (node:_tls_wrap:871:12) {
  code: 'UNSPECIFIED'
}

Node.js v20.13.1
Command: out/Release/node /builddir/nodejs-20.13.1/test/parallel/test-https-client-checkServerIdentity.js

Could someone provide insights what might be going on?

[zC4sTr0]

Hey MIvanchev,

Looks like you're hitting a common snag with the test-https-client-checkServerIdentity test. The error "CA certificate key too weak" typically points to an issue with the strength of the CA certificate being used during the TLS handshake. Here's a breakdown of what's likely happening and some steps to get you past this:

What's Happening?

The error message suggests that the CA certificate used in the test has a key that's too weak according to current Node.js security policies. This could be due to recent changes in OpenSSL or Node.js itself, which have stricter requirements for key strengths.

Steps to Resolve

Update CA Certificates:
Make sure your CA certificates are up to date. On Void Linux, you can update them with:

sudo xbps-install -S ca-certificates

Check OpenSSL Version:

Node.js relies heavily on OpenSSL for its cryptographic operations. Make sure the OpenSSL version in your build environment matches the one Node.js expects. You can check the OpenSSL version used by Node.js with:

node -p "process.versions.openssl"

Ensure that your system’s OpenSSL is not outdated.

Generate Stronger Certificates:

If the test uses custom or self-signed certificates, they might need to be regenerated with stronger keys. For instance, you can generate a new CA certificate with a 2048-bit key:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout ca.key -out ca.crt

Please feel free to ask if the answer does not solve your problem.