[PATCH 00 of 20] tests suite fixes for TLSv1.3

Maxim Dounin mdounin at mdounin.ru
Thu Mar 23 16:52:38 UTC 2023


Hello!

On Thu, Mar 23, 2023 at 08:01:09PM +0400, Sergey Kandaurov wrote:

> > On 23 Mar 2023, at 18:18, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > Hello!
> > 
> > On Wed, Mar 22, 2023 at 03:43:12PM +0400, Sergey Kandaurov wrote:
> > 
> >>> On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> >>> 
> >>> Hello!
> >>> 
> >>> Here is a patch series for the test suite to address test failures
> >>> observed with TLSv1.3 enabled with BoringSSL and LibreSSL.
> >>> 
> >>> Short summary of the issues seen:
> >>> 
> >>> - BoringSSL with TLSv1.3 does not support session reuse via server-side
> >>> session cache, only with tickets.
> >>> 
> >>> - BoringSSL with TLSv1.3 does not provide $ssl_session_id.
> >>> 
> >>> - LibreSSL with TLSv1.3 does not support session reuse.
> >>> 
> >>> - LibreSSL with TLSv1.3 fails to negotiate certificates based on
> >>> signature algorithms supported by the client, and fails with
> >>> "missing rsa certificate" and "unknown pkey type" errors.
> >>> 
> >>> - LibreSSL with TLSv1.3 does not send CA lists to the client.
> >>> 
> >> 
> >> Missing pieces that allow me to run with LibreSSL:
> >> 
> >> # HG changeset patch
> >> # User Sergey Kandaurov <pluknet at nginx.com>
> >> # Date 1679485246 -14400
> >> #      Wed Mar 22 15:40:46 2023 +0400
> >> # Node ID dfe434f295d3da7e3b67bbbafeab245bb591f397
> >> # Parent  826e00e7c037d617781239963e8b868b6b0de225
> >> Tests: fixed upstream zone tests with LibreSSL and TLSv1.3.
> >> 
> >> LibreSSL does not support session reuse with TLSv1.3.
> >> 
> >> diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t
> >> --- a/stream_upstream_zone_ssl.t
> >> +++ b/stream_upstream_zone_ssl.t
> > 
> > Thanks.  I happened to compile nginx without upstream zone 
> > modules as a leftover from some previous tests, and missed these.  
> > Added a similar change with TODOs.
> > 
> > Full series with all the fixes:
> 
> Looks good, thanks for your work.

Pushed to http://mdounin.ru/hg/nginx-tests, thanks for the review.

-- 
Maxim Dounin
http://mdounin.ru/

