[PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3
Maxim Dounin
mdounin at mdounin.ru
Sat Mar 18 14:15:10 UTC 2023
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1679148737 -10800
# Sat Mar 18 17:12:17 2023 +0300
# Node ID 6d5bede76a77ca86483f63088587913a61b8b18d
# Parent 230b9cadce9b57213bf529940ca04224f9f121eb
Tests: LibreSSL does not send CA lists with TLSv1.3.
diff --git a/ssl_verify_client.t b/ssl_verify_client.t
--- a/ssl_verify_client.t
+++ b/ssl_verify_client.t
@@ -55,6 +55,7 @@ http {
%%TEST_GLOBALS_HTTP%%
add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x;
+ add_header X-Protocol $ssl_protocol;
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;
@@ -169,15 +170,24 @@ like(get('optional', '3.example.com'), q
SKIP: {
skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;
+TODO: {
+local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
+ if $t->has_module('LibreSSL') && test_tls13();
+
my $ca = join ' ', get('optional', '3.example.com');
is($ca, '/CN=2.example.com', 'no trusted sent');
}
+}
like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected');
###############################################################################
+sub test_tls13 {
+ get('optional') =~ /TLSv1.3/;
+}
+
sub get {
my ($sni, $cert, $host) = @_;
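Review bot: The TODO block around `is($ca, '/CN=2.example.com', 'no trusted sent')` tolerates every mismatch on LibreSSL with TLSv1.3, not only the empty CA list named in the commit title. Judging by the test name, this assertion guards against extra CA names being advertised to clients, and that regression would now go unreported on this configuration; the same applies to the matching TODO block in stream_ssl_verify_client.t. A check kept outside TODO, for example `like($ca, qr!^(/CN=2\.example\.com)?$!, 'no unexpected CA names');`, would preserve that coverage, with the skip count and test plan (both outside this hunk) adjusted to match. A short comment above `local $TODO` naming the LibreSSL behaviour being worked around would also help whoever removes the block later.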
diff --git a/stream_ssl_verify_client.t b/stream_ssl_verify_client.t
--- a/stream_ssl_verify_client.t
+++ b/stream_ssl_verify_client.t
@@ -86,6 +86,11 @@ stream {
ssl_verify_client optional_no_ca;
ssl_client_certificate 2.example.com.crt;
}
+
+ server {
+ listen 127.0.0.1:8084 ssl;
+ return $ssl_protocol;
+ }
}
EOF
@@ -126,10 +131,15 @@ like(get(8082, '3.example.com'), qr/SUCC
SKIP: {
skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;
+TODO: {
+local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
+ if $t->has_module('LibreSSL') && test_tls13();
+
my $ca = join ' ', get(8082, '3.example.com');
is($ca, '/CN=2.example.com', 'no trusted sent');
}
+}
$t->stop();
@@ -137,6 +147,10 @@ is($t->read_file('status.log'), "500\n20
###############################################################################
+sub test_tls13 {
+ get(8084) =~ /TLSv1.3/;
+}
+
sub get {
my ($port, $cert) = @_;
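Review bot: `test_tls13` matches with `/TLSv1.3/`, where the unescaped dot accepts any character, and it returns the match result implicitly. `return get(8084) =~ /TLSv1\.3/;` states the intent exactly. The helper of the same name in ssl_verify_client.t uses the same pattern and, assuming `get` returns the full HTTP response in scalar context, searches headers and body alike, so `/^X-Protocol: TLSv1\.3/m` would be tighter there. A one-line comment saying the sub probes the negotiated protocol through the `$ssl_protocol` listener on port 8084 would make the TODO condition easier to follow. The `get` sub that follows continues outside the hunk.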