
Re: Test suite and OpenSSL 1.1.1

I now also added r1844396 to allow setting the CA for peer cert verification and used it in echo.t and nntp-like.t to unbreak their SSL testing (r1844397).

I didn't find more uses of the raw sockets.



On 20.10.2018 at 08:47, Rainer Jung wrote:
To make the raw TLS socket tests work I added r1844393. Both r1844389 and r1844393 are part of the /perl/Apache-Test/trunk/ external which gets pulled into our test framework.

On 20.10.2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help).
Although the ssl tests report SUCCESS, httpd actually times out on
SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

- Net::SSLeay 1.86_06 tag from Github https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed for some new 1.1.1 APIs.

- IO/Socket/SSL.pm recent version 2.060 plus patch https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch (probably not needed) plus anti-hang patch to call Net::SSLeay::CTX_set_post_handshake_auth()

--- IO/Socket/SSL.pm.orig  2018-08-15 18:03:29.000000000 +0000
+++ IO/Socket/SSL.pm       2018-09-19 16:37:46.450281000 +0000
@@ -2594,6 +2594,10 @@
                 "Failed to load key from file (no PEM or DER)");

+        if ($havecert && $havekey && Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
+            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
+        }
         # replace arg_hash with created context
         $ctx{$host} = $ctx;

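Review bot: the guard on the added `if` checks the OpenSSL version at runtime but not whether the loaded Net::SSLeay actually exports CTX_set_post_handshake_auth; the thread notes that this binding only arrives with the Net::SSLeay 1.86_06 tag, so on an older Net::SSLeay linked against OpenSSL 1.1.1 the call dies with an undefined-subroutine error instead of falling back to the previous behaviour. Suggest `if ($havecert && $havekey && Net::SSLeay->can('CTX_set_post_handshake_auth') && Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {` so the setting is only applied where the binding exists. A one-line comment above the call saying why post-handshake auth is enabled (the TLS 1.3 hang described in the thread when the peer asks for a client cert after the handshake) would also spare the next reader a trip to the list archive.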
The PHA patch was stolen from Joe's explanation of the PHA issue.

With this setup, I can see some TLSv1.3 entries in the t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.