[PATCH 00 of 20] tests suite fixes for TLSv1.3
Sergey Kandaurov
pluknet at nginx.com
Thu Mar 23 16:01:09 UTC 2023
> On 23 Mar 2023, at 18:18, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Wed, Mar 22, 2023 at 03:43:12PM +0400, Sergey Kandaurov wrote:
>
>>> On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
>>>
>>> Hello!
>>>
>>> Here are patch series for the test suite to address test failures
>>> observed with TLSv1.3 enabled with BoringSSL and LibreSSL.
>>>
>>> Short summary of the issues seen:
>>>
>>> - BoringSSL with TLSv1.3 does not support session reuse via server-side
>>> session cache, only with tickets.
>>>
>>> - BoringSSL with TLSv1.3 does not provide $ssl_session_id.
>>>
>>> - LibreSSL with TLSv1.3 does not support session reuse.
>>>
>>> - LibreSSL with TLSv1.3 fails to negotiate certificates based on
>>> signature algorithms supported by the client, and fails with
>>> "missing rsa certificate" and "unknown pkey type" errors.
>>>
>>> - LibreSSL with TLSv1.3 does not send CA lists to the client.
>>>
>>
>> Missing pieces that allow me to run with LibreSSL:
>>
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet at nginx.com>
>> # Date 1679485246 -14400
>> # Wed Mar 22 15:40:46 2023 +0400
>> # Node ID dfe434f295d3da7e3b67bbbafeab245bb591f397
>> # Parent 826e00e7c037d617781239963e8b868b6b0de225
>> Tests: fixed upstream zone tests with LibreSSL and TLSv1.3.
>>
>> LibreSSL does not support session reuse with TLSv1.3.
>>
>> diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t
>> --- a/stream_upstream_zone_ssl.t
>> +++ b/stream_upstream_zone_ssl.t
>
> Thanks. I've happened to compile nginx without upstream zone
> modules as a leftover from some previous tests, and missed these.
> Added a similar change with TODOs.
>
> Full series with all the fixes:
Looks good, thanks for your work.
--
Sergey Kandaurov