[PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Sergey Kandaurov pluknet at nginx.com
Mon May 22 19:52:16 UTC 2023


# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1684774417 -14400
#      Mon May 22 20:53:37 2023 +0400
# Node ID 42066e126d2ca0f6d5095d818910559adf5d4bdc
# Parent  e60c76cbf2a5b0d9e1d235770d68f260cf1a4e3e
Tests: avoid specifying PSS in sigalgs unless in TLSv1.3.

It might happen that TLSv1.3 is disabled and PSS isn't supported, as seen
on Amazon Linux (LTS).  The change restores the old logic used before 0e1865aa9b33.

diff --git a/ssl_certificates.t b/ssl_certificates.t
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -120,8 +120,8 @@ sub get_socket {
 		return unless defined $type;
 		my $ssleay = Net::SSLeay::SSLeay();
 		return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
-		my $sigalgs = 'RSA+SHA256:PSS+SHA256';
-		$sigalgs = $type . '+SHA256' unless $type eq 'RSA';
+		my $sigalgs = $type eq 'RSA' && test_tls13()
+			? 'RSA+SHA256:PSS+SHA256' : $type . '+SHA256';
 		# SSL_CTRL_SET_SIGALGS_LIST
 		Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
 			or die("Failed to set sigalgs");
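Review bot: The new condition `$type eq 'RSA' && test_tls13()` ties PSS to TLSv1.3 availability with no comment saying why, so a later reader cannot tell that the probe stands in for "this library accepts PSS in a sigalgs list". A comment above the assignment such as `# offer PSS only with TLSv1.3: some builds without it lack PSS (seen on Amazon Linux)` would record the reason given in the commit message, and the same applies to the identical hunk in ssl_stapling.t. On TLSv1.2-only builds that do support PSS, the tests now offer only `RSA+SHA256`, so RSA-PSS signatures are no longer exercised there. test_tls13() is defined outside both hunks; if it performs a handshake it now runs for every RSA connection and must not itself reach this code with 'RSA', so caching its result once per file may be worthwhile. The enclosing subs start and end outside the hunks.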
diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -321,8 +321,8 @@ sub staple {
 		return unless defined $ciphers;
 		my $ssleay = Net::SSLeay::SSLeay();
 		return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
-		my $sigalgs = 'RSA+SHA256:PSS+SHA256';
-		$sigalgs = $ciphers . '+SHA256' unless $ciphers eq 'RSA';
+		my $sigalgs = $ciphers eq 'RSA' && test_tls13()
+			? 'RSA+SHA256:PSS+SHA256' : $ciphers . '+SHA256';
 		# SSL_CTRL_SET_SIGALGS_LIST
 		Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
 			or die("Failed to set sigalgs");

