[PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3

Sergey Kandaurov pluknet at nginx.com
Wed Mar 22 11:11:44 UTC 2023


> On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1679148869 -10800
> #      Sat Mar 18 17:14:29 2023 +0300
> # Node ID f6f6a21b1c2a0d88cb2a4993f4c0113a3fb1e019
> # Parent  782531c3cd79dcf700276e10bef00e524de009d1
> Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
> 
> LibreSSL does not support session reuse with TLSv1.3.

Since LibreSSL is so broken wrt TLSv1.3, I don't think
it deserves annotating every test in separate changes.
The LibreSSL changes could be easily combined:
this is at least p11, p12, p13, p16, p17, p20.

Other broken or missing functionality such as signature
algorithms and certificate authorities can be skipped
in separate commits, though.

> 
> diff --git a/ssl_ocsp.t b/ssl_ocsp.t
> --- a/ssl_ocsp.t
> +++ b/ssl_ocsp.t
> @@ -371,9 +371,15 @@ like(get('ec-end'), qr/200 OK.*SUCCESS/s
> my ($s, $ssl) = get('ec-end');
> my $ses = Net::SSLeay::get_session($ssl);
> 
> +TODO: {
> +local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> +	if $t->has_module('LibreSSL') and $version > 0x303;
> +
> like(get('ec-end', ses => $ses),
> 	qr/200 OK.*SUCCESS:r/s, 'session reused');
> 
> +}
> +
> # revoke with saved session
> 
> system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
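
Review bot: The `$TODO` condition added before the 'session reused' check compares `$version > 0x303` against a bare magic number, and `$version` is not set anywhere in the visible context. A short comment that 0x303 is TLSv1.2 (so the test means "TLSv1.3 or later") would make the intent readable, and it is worth confirming that `$version` reflects the protocol actually negotiated by `get('ec-end')` on this connection.
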
> @@ -393,9 +399,15 @@ system("openssl ocsp -index $d/certindex
> 
> # reusing session with revoked certificate
> 
> +TODO: {
> +local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> +	if $t->has_module('LibreSSL') and $version > 0x303;
> +
> like(get('ec-end', ses => $ses),
> 	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
> 
> +}
> +
> # regression test for self-signed
> 
> like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
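
Review bot: Marking the whole 'session reused - revoked' assertion as TODO also drops the revocation check on LibreSSL with TLSv1.3, because the pattern `qr/400 Bad.*FAILED:certificate revoked:r/s` ties the revocation result to what looks like the reuse marker (`:r`). Consider asserting `400 Bad.*FAILED:certificate revoked` unconditionally and keeping only the reuse part under TODO, so the revoked certificate is still verified as rejected on a full handshake. The condition and message also repeat the first hunk verbatim and could be computed once and shared.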

-- 
Sergey Kandaurov