[PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key
Maxim Dounin
mdounin at mdounin.ru
Tue May 23 13:31:46 UTC 2023
Hello!
On Tue, May 23, 2023 at 02:34:54PM +0400, Sergey Kandaurov wrote:
> > On 23 May 2023, at 03:43, Maxim Dounin <mdounin at mdounin.ru> wrote:
> >
> > Hello!
> >
> > On Mon, May 22, 2023 at 11:52:14PM +0400, Sergey Kandaurov wrote:
> >
> >> # HG changeset patch
> >> # User Sergey Kandaurov <pluknet at nginx.com>
> >> # Date 1684773874 -14400
> >> # Mon May 22 20:44:34 2023 +0400
> >> # Node ID 4a3a451716ba26f8fc4be1ccc88dd8596101a6b2
> >> # Parent 231b14e2041afed10f5c2e6f62aad298854a6379
> >> Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key.
> >>
> >> diff --git a/ssl_certificate.t b/ssl_certificate.t
> >> --- a/ssl_certificate.t
> >> +++ b/ssl_certificate.t
> >> @@ -171,6 +171,8 @@ local $TODO = 'no TLSv1.3 sessions, old
> >> if $Net::SSLeay::VERSION < 1.88 && test_tls13();
> >> local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
> >> if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
> >> +local $TODO = 'no SSL_session_key, old IO::Socket::SSL'
> >> + if $IO::Socket::SSL::VERSION < 1.965;
> >>
> >> like(get('default', 8080, $s), qr/default:r/, 'session reused');
> >>
> >
> > Should be:
> >
> > diff -r a797d7428fa5 ssl_certificate.t
> > --- a/ssl_certificate.t Thu May 18 18:07:19 2023 +0300
> > +++ b/ssl_certificate.t Mon May 22 22:20:59 2023 +0000
> > @@ -177,6 +177,8 @@
> > TODO: {
> > # ticket key name mismatch prevents session resumption
> > local $TODO = 'not yet' unless $t->has_version('1.23.2');
> > +local $TODO = 'no SSL_session_key, old IO::Socket::SSL'
> > + if $IO::Socket::SSL::VERSION < 1.965;
> >
> > like(get('default', 8081, $s), qr/default:r/, 'session id context match');
> >
> > as the "session reused" is passed regardless of SSL_session_key
> > presence.
>
> I agree. The reason why it was done so is to cover an unrelated
> issue with TLSv1.2 session reuse that happens in ssl_certificate.t
> with IO::Socket::SSL < 1.963, which results in inability to restore
> the session. Probably that is because of improper behavior in stop_SSL.
> Well, it doesn't happen if remove http_end() to stop closing a client socket.
> Though, given that this bug doesn't appear on real distros that have
> IO::Socket::SSL [1.84..1.963] (inclusive), the range where it manifests,
> so that it doesn't annoy in real life, then we can simply ignore it.
We can use SKIP instead if there are unexpected issues with older
IO::Socket::SSL versions, or even introduce socket_ssl_session_key
feature and skip the entire test.
But if this does not happen on real distros, this probably don't
worth the effort. For sure there are IO::Socket::SSL (as well as
Net::SSLeay and OpenSSL) versions with bugs, but trying to work
around all possible bugs is certainly not the goal.
> >
> >> diff --git a/stream_ssl_certificate.t b/stream_ssl_certificate.t
> >> --- a/stream_ssl_certificate.t
> >> +++ b/stream_ssl_certificate.t
> >> @@ -148,6 +148,8 @@ local $TODO = 'no TLSv1.3 sessions, old
> >> if $Net::SSLeay::VERSION < 1.88 && test_tls13();
> >> local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
> >> if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
> >> +local $TODO = 'no SSL_session_key, old IO::Socket::SSL'
> >> + if $IO::Socket::SSL::VERSION < 1.965;
> >>
> >> like(get('default', 8080, $s), qr/default:r/, 'session reused');
> >>
> >
> > The same here.
> >
> > Additionally, ssl_session_ticket_key.t also uses SSL_session_key,
> > but it currently happens to be skipped at least on CentOS 7 due to
> > old Net::SSLeay. Given IO::Socket::SSL changes, appropriate
> > version for it is probably 2.029.
> >
> > diff --git a/ssl_session_ticket_key.t b/ssl_session_ticket_key.t
> > --- a/ssl_session_ticket_key.t
> > +++ b/ssl_session_ticket_key.t
> > @@ -24,6 +24,8 @@ select STDOUT; $| = 1;
> >
> > eval { require Net::SSLeay; die if $Net::SSLeay::VERSION < 1.86; };
> > plan(skip_all => 'Net::SSLeay version => 1.86 required') if $@;
> > +eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 2.029; };
> > +plan(skip_all => 'IO::Socket::SSL version => 2.029 required') if $@;
> >
> > my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
> > ->has_daemon('openssl')->plan(2)
> >
>
> Indeed, it doesn't happen to work with old IO::Socket::SSL versions,
> thanks for catching this.
> By manual testing, it appears that 2.030 is required to work.
> The relevant git log:
> remove internal sub session_cache and access cache directly (faster)
> This also fixes a problem when SSL_session_key was used, which was
> introduced in 2.029
>
> Additionally, if TLSv1.3 was negotiated, for session reuse to work,
> 2.061 is required (same as for rest TLSv1.3 session reuse tests).
>
> Moved this part to the separate change:
>
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1684835827 -14400
> # Tue May 23 13:57:07 2023 +0400
> # Node ID 5dc8aa4446484456eb1310e63b092f1d08258574
> # Parent d570dbcad925499d968006ea509798234df09248
> Tests: unbreak ssl_session_ticket_key.t with old IO::Socket::SSL.
>
> Once ssl_session_ticket_key.t was rewritten using IO::Socket::SSL,
> it requires checks for SSL_session_key and TLSv1.3 session reuse support.
> While SSL_session_key has been introduced in IO::Socket::SSL 1.965,
> further improvements appeared in 2.030 are needed for tests to work.
>
> diff --git a/ssl_session_ticket_key.t b/ssl_session_ticket_key.t
> --- a/ssl_session_ticket_key.t
> +++ b/ssl_session_ticket_key.t
> @@ -24,6 +24,8 @@ select STDOUT; $| = 1;
>
> eval { require Net::SSLeay; die if $Net::SSLeay::VERSION < 1.86; };
> plan(skip_all => 'Net::SSLeay version => 1.86 required') if $@;
> +eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 2.030; };
> +plan(skip_all => 'IO::Socket::SSL version => 2.030 required') if $@;
>
> my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
> ->has_daemon('openssl')->plan(2)
> @@ -99,6 +101,8 @@ select undef, undef, undef, 2.5;
>
> local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> if $t->has_module('LibreSSL') && test_tls13();
> +local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
> + if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
>
> cmp_ok(get_ticket_key_name(), 'ne', $key, 'ticket key next');
>
This needs Net::SSLeay 1.88 also then?
The usual pattern is:
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
if $t->has_module('LibreSSL') && test_tls13();
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list