[PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3

Maxim Dounin mdounin at mdounin.ru
Thu Mar 23 14:18:14 UTC 2023


Hello!

On Wed, Mar 22, 2023 at 03:11:44PM +0400, Sergey Kandaurov wrote:

> > On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1679148869 -10800
> > #      Sat Mar 18 17:14:29 2023 +0300
> > # Node ID f6f6a21b1c2a0d88cb2a4993f4c0113a3fb1e019
> > # Parent  782531c3cd79dcf700276e10bef00e524de009d1
> > Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
> > 
> > LibreSSL does not support session reuse with TLSv1.3.
> 
> Since LibreSSL is so broken wrt TLSv1.3, I don't think
> it deserves annotating every test in separate changes.
> The LibreSSL changes could be easily combined:
> this is at least p11, p12, p13, p16, p17, p20.

That's more about the logic of the patch series, see previous 
responses.  Combining some patches is certainly possible, though 
it will be much harder to manage without per-test logic 
universally applied to all changes.

> 
> Other broken or missing functionality such as signature
> algorithms and certificate authorities can be skipped
> in separate commits, though.
> 
> > 
> > diff --git a/ssl_ocsp.t b/ssl_ocsp.t
> > --- a/ssl_ocsp.t
> > +++ b/ssl_ocsp.t
> > @@ -371,9 +371,15 @@ like(get('ec-end'), qr/200 OK.*SUCCESS/s
> > my ($s, $ssl) = get('ec-end');
> > my $ses = Net::SSLeay::get_session($ssl);
> > 
> > +TODO: {
> > +local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> > +	if $t->has_module('LibreSSL') and $version > 0x303;
> > +
> > like(get('ec-end', ses => $ses),
> > 	qr/200 OK.*SUCCESS:r/s, 'session reused');
> > 
> > +}
> > +
> > # revoke with saved session
> > 
> > system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
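
Review bot: The condition "$t->has_module('LibreSSL') and $version > 0x303" in the new TODO block uses a bare numeric constant and a $version variable that is not set anywhere in this hunk. A one-line comment stating that 0x303 is the TLSv1.2 protocol version, so the branch covers TLSv1.3 and later, would make the guard readable without looking up where $version is computed. The same reason string and condition are repeated verbatim in the next hunk, so setting them once near where $version is determined would keep the two blocks from drifting apart.
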
> > @@ -393,9 +399,15 @@ system("openssl ocsp -index $d/certindex
> > 
> > # reusing session with revoked certificate
> > 
> > +TODO: {
> > +local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> > +	if $t->has_module('LibreSSL') and $version > 0x303;
> > +
> > like(get('ec-end', ses => $ses),
> > 	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
> > 
> > +}
> > +
> > # regression test for self-signed
> > 
> > like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
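
Review bot: Wrapping 'session reused - revoked' in TODO hides more than the missing session reuse, because the pattern qr/400 Bad.*FAILED:certificate revoked:r/s checks two things at once: that the revoked certificate is rejected and that the session was reused (the trailing ":r"). With LibreSSL and TLSv1.3 the whole assertion becomes an expected failure, so a run in which the revoked certificate is accepted would also be reported as TODO rather than as a failure. Consider keeping an unconditional check outside the TODO block that matches only "400 Bad.*FAILED:certificate revoked", and leaving just the ":r" reuse check inside it.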

-- 
Maxim Dounin
http://mdounin.ru/