[PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t

Maxim Dounin mdounin at mdounin.ru
Thu Mar 23 14:17:29 UTC 2023


Hello!

On Wed, Mar 22, 2023 at 03:05:16PM +0400, Sergey Kandaurov wrote:

> > On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1679148855 -10800
> > #      Sat Mar 18 17:14:15 2023 +0300
> > # Node ID 782531c3cd79dcf700276e10bef00e524de009d1
> > # Parent  c140f78fbc8f62c9694d3b969d1309570a96f2e7
> > Tests: removed multiple server certificates from ssl_ocsp.t.
> > 
> > Multiple server certificates are not needed to test OCSP verification of
> > client certificates (in contrast to OCSP stapling, where server certificates
> > are verified, and different staples should be correctly returned with
> > different server certificates).  And using multiple server certificates
> > causes issues when testing with LibreSSL due to broken sigalgs-based
> > server certificate selection in LibreSSL with TLSv1.3.
> > 
> > Accordingly, the test is simplified to not use multiple server
> > certificates.
> > 
> > diff --git a/ssl_ocsp.t b/ssl_ocsp.t
> > --- a/ssl_ocsp.t
> > +++ b/ssl_ocsp.t
> > @@ -63,10 +63,7 @@ http {
> >     ssl_verify_depth 2;
> >     ssl_client_certificate trusted.crt;
> > 
> > -    ssl_ciphers DEFAULT:ECCdraft;
> > -
> > -    ssl_certificate_key ec.key;
> > -    ssl_certificate ec.crt;
> > +#    ssl_ciphers DEFAULT:ECCdraft;
> 
> This doesn't serve its purpose now and can be removed,
> now that you've removed multiple (ECC) certificates.
> It was used to run tests with ECC certificates/ciphers,
> as otherwise it would result in "no shared cipher" error.
> 
> ECCdraft is an old alias used to enable ECC ciphersuites
> and run tests with ECC certificate on OpenSSL 0.9.8,
> before they became official in RFC 4492.
> 
> - ECC ciphersuites were disabled by default in 0.9.8c,
>   and ECCdraft alias was used to turn them back.
> - ECC ciphersuites were re-enabled in 0.9.9 (1.0.0)

Err, thanks for catching.  I actually commented it out to make 
sure it's safe to remove it now, but forgot to actually remove.  
Removed.

> > 
> >     ssl_certificate_key rsa.key;
> >     ssl_certificate rsa.crt;
> > @@ -273,13 +270,8 @@ system("openssl ocsp -index $d/certindex
> > 
> > # server cert/key
> > 
> > -system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
> > -	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
> > -system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
> > -	or die "Can't create RSA pem: $!\n";
> > -
> > -foreach my $name ('ec', 'rsa') {
> > -	system("openssl req -x509 -new -key $d/$name.key "
> > +foreach my $name ('rsa') {
> > +	system('openssl req -x509 -new '
> > 		. "-config $d/openssl.conf -subj /CN=$name/ "
> > 		. "-out $d/$name.crt -keyout $d/$name.key "
> > 		. ">>$d/openssl.out 2>&1") == 0
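Review bot: The removed `openssl genrsa ... 2048` pinned the RSA key size explicitly, whereas the new `openssl req -x509 -new ... -keyout $d/$name.key` on the `+` lines generates the key from openssl.conf, so the size now depends on that config's `default_bits` (presumably set there — worth confirming, since otherwise the test silently gets whatever the installed openssl defaults to). If the key parameters matter to what is being tested, `-newkey rsa:2048` on the command line keeps them explicit regardless of the config. The `foreach my $name ('rsa')` loop now iterates exactly once; keeping it is reasonable for diff minimality, but a comment such as `# loop kept so further certificate types can be added` would make that intent visible. The loop body's trailing `or die` continues below the hunk.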
> > @@ -288,7 +280,7 @@ foreach my $name ('ec', 'rsa') {
> > 
> > $t->run_daemon(\&http_daemon, $t, port(8081));
> > $t->run_daemon(\&http_daemon, $t, port(8082));
> > -$t->run()->plan(14);
> > +$t->run()->plan(15);
> > 
> > $t->waitforsocket("127.0.0.1:" . port(8081));
> > $t->waitforsocket("127.0.0.1:" . port(8082));
> > @@ -297,17 +289,17 @@ my $version = get_version();
> > 
> > ###############################################################################
> > 
> > -like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
> > +like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
> > 
> > # demonstrate that ocsp int request is failed due to missing resolver
> > 
> > -like(get('RSA', 'end', sni => 'resolver'),
> > +like(get('end', sni => 'resolver'),
> > 	qr/400 Bad.*FAILED:certificate status request failed/s,
> > 	'ocsp many failed request');
> > 
> > # demonstrate that ocsp int request is actually made by failing ocsp response
> > 
> > -like(get('RSA', 'end', port => 8444),
> > +like(get('end', port => 8444),
> > 	qr/400 Bad.*FAILED:certificate status request failed/s,
> > 	'ocsp many failed');
> > 
> > @@ -323,11 +315,11 @@ system("openssl ocsp -index $d/certindex
> > 	. ">>$d/openssl.out 2>&1") == 0
> > 	or die "Can't create OCSP response: $!\n";
> > 
> > -like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
> > +like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
> > 
> > # store into ssl_ocsp_cache
> > 
> > -like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
> > +like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
> > 
> > # revoke
> > 
> > @@ -346,23 +338,23 @@ system("openssl ocsp -index $d/certindex
> > 	. ">>$d/openssl.out 2>&1") == 0
> > 	or die "Can't create OCSP response: $!\n";
> > 
> > -like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
> > +like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
> > 
> > # with different responder where it's still valid
> > 
> > -like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
> > +like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
> > 
> > # with different context to responder where it's still valid
> > 
> > -like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
> > +like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
> > 
> > # with cached ocsp response it's still valid
> > 
> > -like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
> > +like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
> > 
> > # ocsp end response signed with invalid (root) cert, expect HTTP 400
> > 
> > -like(get('ECDSA', 'ec-end'),
> > +like(get('ec-end'),
> > 	qr/400 Bad.*FAILED:certificate status request failed/s,
> > 	'root ca not trusted');
> > 
> > @@ -374,12 +366,12 @@ system("openssl ocsp -index $d/certindex
> > 	. ">>$d/openssl.out 2>&1") == 0
> > 	or die "Can't create EC OCSP response: $!\n";
> > 
> > -like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
> > +like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
> > 
> > -my ($s, $ssl) = get('ECDSA', 'ec-end');
> > +my ($s, $ssl) = get('ec-end');
> > my $ses = Net::SSLeay::get_session($ssl);
> > 
> > -like(get('ECDSA', 'ec-end', ses => $ses),
> > +like(get('ec-end', ses => $ses),
> > 	qr/200 OK.*SUCCESS:r/s, 'session reused');
> > 
> > # revoke with saved session
> > @@ -401,19 +393,22 @@ system("openssl ocsp -index $d/certindex
> > 
> > # reusing session with revoked certificate
> > 
> > -like(get('ECDSA', 'ec-end', ses => $ses),
> > +like(get('ec-end', ses => $ses),
> > 	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
> > 
> > # regression test for self-signed
> > 
> > -like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
> > +like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
> > +
> > +# check for errors
> > +
> > +like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
> > 
> > ###############################################################################
> > 
> > sub get {
> > -	my ($type, $cert, %extra) = @_;
> > -	$type = 'PSS' if $type eq 'RSA' && $version > 0x0303;
> > -	my ($s, $ssl) = get_ssl_socket($type, $cert, %extra);
> > +	my ($cert, %extra) = @_;
> > +	my ($s, $ssl) = get_ssl_socket($cert, %extra);
> > 	my $cipher = Net::SSLeay::get_cipher($ssl);
> > 	Test::Nginx::log_core('||', "cipher: $cipher");
> > 	my $host = $extra{sni} ? $extra{sni} : 'localhost';
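Review bot: The new `'no crit'` check runs `grep` through backticks with the test directory interpolated unquoted into the shell command, so it depends on an external `grep` being present and on `$t->testdir()` containing no spaces or shell metacharacters; reading the log in Perl avoids both: `unlike($t->read_file('error.log'), qr/\[crit\]/, 'no crit');`. Separately, now that the `$type = 'PSS' if ... $version > 0x0303` line is gone from `get`, `$version` (assigned from `get_version()` in an earlier hunk) may no longer be read anywhere; if that is the case, that assignment and `get_version` itself are dead code and can be dropped. The body of `get` continues past the end of the hunk.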
> > @@ -428,7 +423,7 @@ sub get {
> > }
> > 
> > sub get_ssl_socket {
> > -	my ($type, $cert, %extra) = @_;
> > +	my ($cert, %extra) = @_;
> > 	my $ses = $extra{ses};
> > 	my $sni = $extra{sni};
> > 	my $port = $extra{port} || 8443;
> > @@ -450,18 +445,6 @@ sub get_ssl_socket {
> > 
> > 	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
> > 
> > -	if (defined $type) {
> > -		my $ssleay = Net::SSLeay::SSLeay();
> > -		if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
> > -			Net::SSLeay::CTX_set_cipher_list($ctx, $type)
> > -				or die("Failed to set cipher list");
> > -		} else {
> > -			# SSL_CTRL_SET_SIGALGS_LIST
> > -			Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
> > -				or die("Failed to set sigalgs");
> > -		}
> > -	}
> > -
> > 	Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
> > 		or die if $cert;
> > 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");

-- 
Maxim Dounin
http://mdounin.ru/

