[PATCH 00 of 20] tests suite fixes for TLSv1.3

Sergey Kandaurov pluknet at nginx.com
Wed Mar 22 11:43:12 UTC 2023 

> On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> Hello!
> 
> Here are patch series for the test suite to address test failures
> observed with TLSv1.3 enabled with BoringSSL and LibreSSL.
> 
> Short summary of the issues seen:
> 
> - BoringSSL with TLSv1.3 does not support session reuse via server-side
>  session cache, only with tickets.
> 
> - BoringSSL with TLSv1.3 does not provide $ssl_session_id.
> 
> - LibreSSL with TLSv1.3 does not support session reuse.
> 
> - LibreSSL with TLSv1.3 fails to negotiate certificates based on
>  signature algorithms supported by the client, and fails with
>  "missing rsa certificate" and "unknown pkey type" errors.
> 
> - LibreSSL with TLSv1.3 does not send CA lists to the client.
> 

Missing peaces that allow me to run with LibreSSL:

# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1679485246 -14400
#      Wed Mar 22 15:40:46 2023 +0400
# Node ID dfe434f295d3da7e3b67bbbafeab245bb591f397
# Parent  826e00e7c037d617781239963e8b868b6b0de225
Tests: fixed upstream zone tests with LibreSSL and TLSv1.3.

LibreSSL does not support session reuse with TLSv1.3.

diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t
--- a/stream_upstream_zone_ssl.t
+++ b/stream_upstream_zone_ssl.t
@@ -82,6 +82,19 @@ stream {
         ssl_certificate localhost.crt;
         ssl_session_cache builtin;
     }
+
+    server {
+        listen      127.0.0.1:8085;
+        proxy_pass  127.0.0.1:8086;
+    }
+
+    server {
+        listen      127.0.0.1:8086 ssl;
+        return      $ssl_protocol;
+
+        ssl_certificate_key localhost.key;
+        ssl_certificate localhost.crt;
+    }
 }
 
 EOF
@@ -112,13 +125,33 @@ is(stream('127.0.0.1:' . port(8080))->re
 is(stream('127.0.0.1:' . port(8080))->read(), '.', 'ssl 2');
 
 is(stream('127.0.0.1:' . port(8081))->read(), '.', 'ssl session new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 2
+	if $t->has_module('LibreSSL') && test_tls13();
+
 is(stream('127.0.0.1:' . port(8081))->read(), 'r', 'ssl session reused');
 is(stream('127.0.0.1:' . port(8081))->read(), 'r', 'ssl session reused 2');
 
+}
+
 is(stream('127.0.0.1:' . port(8082))->read(), '.', 'backup ssl');
 is(stream('127.0.0.1:' . port(8082))->read(), '.', 'backup ssl 2');
 
 is(stream('127.0.0.1:' . port(8083))->read(), '.', 'backup ssl session new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 1
+	if $t->has_module('LibreSSL') && test_tls13();
+
 is(stream('127.0.0.1:' . port(8083))->read(), 'r', 'backup ssl session reused');
 
+}
+
 ###############################################################################
+
+sub test_tls13 {
+	stream('127.0.0.1:' . port(8085))->read() eq 'TLSv1.3';
+}
+
+###############################################################################
diff --git a/upstream_zone_ssl.t b/upstream_zone_ssl.t
--- a/upstream_zone_ssl.t
+++ b/upstream_zone_ssl.t
@@ -56,6 +56,7 @@ http {
 
         location / {
             add_header X-Session $ssl_session_reused;
+            add_header X-Protocol $ssl_protocol;
         }
     }
 
@@ -114,12 +115,32 @@ foreach my $name ('localhost') {
 like(http_get('/ssl'), qr/200 OK.*X-Session: \./s, 'ssl');
 like(http_get('/ssl'), qr/200 OK.*X-Session: \./s, 'ssl 2');
 like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: \./s, 'ssl session new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 2
+	if $t->has_module('LibreSSL') && test_tls13();
+
 like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: r/s, 'ssl session reused');
 like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: r/s, 'ssl session reused 2');
 
+}
+
 like(http_get('/backup'), qr/200 OK.*X-Session: \./s, 'backup');
 like(http_get('/backup'), qr/200 OK.*X-Session: \./s, 'backup 2');
 like(http_get('/backup_reuse'), qr/200 OK.*X-Session: \./s, 'backup new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 1
+	if $t->has_module('LibreSSL') && test_tls13();
+
 like(http_get('/backup_reuse'), qr/200 OK.*X-Session: r/s, 'backup reused');
 
+}
+
 ###############################################################################
+
+sub test_tls13 {
+	return http_get('/ssl') =~ /TLSv1.3/;
+}
+
+###############################################################################

-- 
Sergey Kandaurov

More information about the nginx-devel mailing list