nginx-tests: Some SSL tests are failing with openssl 3.2.0

Fri Jan 26 20:36:19 UTC 2024

Hello,

On Fri, 26 Jan 2024 16:28:15 -0300
Renato Botelho <garga at FreeBSD.org> wrote:

> Hello!
> 
> I'm building nginx on an environment with openssl 3.2.0 and some SSL 
> tests are failing.  I suspect it's related to openssl version because it 
> works on another env with older openssl.  But maybe I'm wrong.
> 
> Here are results

[..]

I was able to reproduce exact same result on Arch Linux (also Openssl 
3.2.0, so looks likely).

./ssl_certificate_chain.t .................. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/5 subtests
./ssl_certificate.t ........................ ok
./ssl_conf_command.t ....................... ok
./ssl_certificates.t ....................... ok
./ssl_engine_keys.t ........................ skipped: may not work, leaves coredump
./ssl_client_escaped_cert.t ................ ok
./ssl_proxy_protocol.t ..................... skipped: no realip available
===(    2096;27  1/3   4/23  1/5  1/3  0/?  0/5   0/32  0/9 )===========
#   Failed test 'crl - no revoked certs'
#   at ./ssl_crl.t line 157.
#                   'HTTP/1.1 400 Bad Request
# Server: nginx/1.25.4
# Date: Fri, 26 Jan 2024 20:26:41 GMT
# Content-Type: text/html
# Content-Length: 215
# Connection: close
# X-Verify: FAILED:unsuitable certificate purpose
#
# <html>
# <head><title>400 The SSL certificate error</title></head>
# <body>
# <center><h1>400 Bad Request</h1></center>
# <center>The SSL certificate error</center>
# <hr><center>nginx/1.25.4</center>
# </body>
# </html>
# '
#     doesn't match '(?^:SUCCESS)'
./ssl_curve.t .............................. ok
./ssi_delayed.t ............................ ok
===(    2105;27   4/23  3/5  0/?  1/5   2/32  0/9  0/?  0/? )===========# Looks like you failed 1 test of 5.
./ssl_crl.t ................................ Dubious, test returned 1 (wstat 256, 0x100)

...and so on....

Test Summary Report
-------------------
./ssl_certificate_chain.t                (Wstat: 512 (exited 2) Tests: 5 Failed: 2)
  Failed tests:  2-3
  Non-zero exit status: 2
./ssl_crl.t                              (Wstat: 256 (exited 1) Tests: 5 Failed: 1)
  Failed test:  1
  Non-zero exit status: 1
./ssl_ocsp.t                             (Wstat: 3328 (exited 13) Tests: 17 Failed: 13)
  Failed tests:  1-13
  Non-zero exit status: 13
./ssl_verify_depth.t                     (Wstat: 768 (exited 3) Tests: 11 Failed: 3)
  Failed tests:  5, 8-9
  Non-zero exit status: 3
Files=416, Tests=2505, 35 wallclock secs ( 1.43 usr  0.71 sys + 41.49 cusr  8.42 csys = 52.05 CPU)
Result: FAIL
[vagrant at archlinux nginx-tests]$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
[vagrant at archlinux nginx-tests]$ uname -a
Linux archlinux 6.7.0-arch3-1 #1 SMP PREEMPT_DYNAMIC Sat, 13 Jan 2024 14:37:14 +0000 x86_64 GNU/Linux
[vagrant at archlinux nginx-tests]$ ../nginx/objs/nginx -V
nginx version: nginx/1.25.4
built by gcc 13.2.1 20230801 (GCC)
built with OpenSSL 3.2.0 23 Nov 2023
TLS SNI support enabled
configure arguments: --with-http_ssl_module