[PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3

Sergey Kandaurov pluknet at nginx.com
Wed Mar 22 10:39:12 UTC 2023


> On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1679148737 -10800
> #      Sat Mar 18 17:12:17 2023 +0300
> # Node ID 6d5bede76a77ca86483f63088587913a61b8b18d
> # Parent  230b9cadce9b57213bf529940ca04224f9f121eb
> Tests: LibreSSL does not send CA lists with TLSv1.3.

Specifically, it doesn't implement the "certificate_authorities" extension
used in TLSv1.3 to carry CA lists in the CertificateRequest message.

> 
> diff --git a/ssl_verify_client.t b/ssl_verify_client.t
> --- a/ssl_verify_client.t
> +++ b/ssl_verify_client.t
> @@ -55,6 +55,7 @@ http {
>     %%TEST_GLOBALS_HTTP%%
> 
>     add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x;
> +    add_header X-Protocol $ssl_protocol;
> 
>     ssl_session_cache shared:SSL:1m;
>     ssl_session_tickets off;
> @@ -169,15 +170,24 @@ like(get('optional', '3.example.com'), q
> SKIP: {
> skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;
> 
> +TODO: {
> +local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
> +	if $t->has_module('LibreSSL') && test_tls13();
> +
> my $ca = join ' ', get('optional', '3.example.com');
> is($ca, '/CN=2.example.com', 'no trusted sent');
> 
> }
> +}
> 
> like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected');
> 
> ###############################################################################
> 
> +sub test_tls13 {
> +	get('optional') =~ /TLSv1.3/;
> +}
> +
> sub get {
> 	my ($sni, $cert, $host) = @_;
> 
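Review bot: In the added `test_tls13` sub, the binding operator evaluates `get('optional')` in scalar context, whereas the existing call site in this hunk uses `get` in list context (`join ' ', get('optional', '3.example.com')` to collect CA names); whether the scalar-context return is the response text carrying the new X-Protocol header depends on the body of `get`, which starts at the end of this hunk and continues outside it. If `get` hands back a list via an array in scalar context, the match would run against an element count and the TODO condition would never be true, so this is worth confirming against the rest of `get`. Two smaller points on the same line: the dot in `/TLSv1.3/` is unescaped and the return is implicit; `return get('optional') =~ /TLSv1\.3/;` addresses both. The same applies to the `test_tls13` hunk in stream_ssl_verify_client.t, which matches on `get(8084)` and whose `get` is likewise cut off by the hunk.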
> diff --git a/stream_ssl_verify_client.t b/stream_ssl_verify_client.t
> --- a/stream_ssl_verify_client.t
> +++ b/stream_ssl_verify_client.t
> @@ -86,6 +86,11 @@ stream {
>         ssl_verify_client optional_no_ca;
>         ssl_client_certificate 2.example.com.crt;
>     }
> +
> +    server {
> +        listen  127.0.0.1:8084 ssl;
> +        return  $ssl_protocol;
> +    }
> }
> 
> EOF
> @@ -126,10 +131,15 @@ like(get(8082, '3.example.com'), qr/SUCC
> SKIP: {
> skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;
> 
> +TODO: {
> +local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
> +	if $t->has_module('LibreSSL') && test_tls13();
> +
> my $ca = join ' ', get(8082, '3.example.com');
> is($ca, '/CN=2.example.com', 'no trusted sent');
> 
> }
> +}
> 
> $t->stop();
> 
> @@ -137,6 +147,10 @@ is($t->read_file('status.log'), "500\n20
> 
> ###############################################################################
> 
> +sub test_tls13 {
> +	get(8084) =~ /TLSv1.3/;
> +}
> +
> sub get {
> 	my ($port, $cert) = @_;
> 

-- 
Sergey Kandaurov

