On Fri, Mar 1, 2024 at 1:24 PM Joe Orton <jor...@redhat.com> wrote:
>
> On Fri, Mar 01, 2024 at 12:59:10PM +0100, Yann Ylavic wrote:
> > On Fri, Mar 1, 2024 at 11:15 AM <jor...@apache.org> wrote:
> > >
> > > Author: jorton
> > > Date: Fri Mar 1 10:15:13 2024
> > > New Revision: 1916068
> > >
> > > URL: http://svn.apache.org/viewvc?rev=1916068&view=rev
> > > Log:
> > > CI: add OpenSSL 3.2, test OpenSSL 3.x using Apache::Test
> > > trunk to pick up r1916067.
> >
> > I had to modify Apache-Test too when running the perl test framework
> > with openssl >= 3.0 and proposed a patch here [1] (not enough karma to
> > commit on perl.a.o).
> > It was an issue with mod_proxy's client certs IIRC, which r1916067 is
> > possibly fixing too, but just in case you are still fighting with this
> > ;)
>
> Ah, interesting, thanks. I should read dev@perl more often!
>
> I haven't seen that particular failure, and trunk seems to now be
> working (touch wood) with 3.1 and 3.2. The Ubuntu runners are all on
> OpenSSL 3.0 anyway, and r1916058 ensures that TestSSLCA.pm is using the
> bin/openssl from the installed version of OpenSSL rather than a
> possibly-mismatched system /usr/bin/openssl. Do you still want that
> TestSSLCA.pm change merged?

I think it can be useful for those who test httpd with openssl1 still
(not maintained anymore, but we have to keep compatibility in 2.4 at
least).

>
> Also - I guess the note about *not* accepting PKCS#8 format keys in
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
> is now wrong then?

OpenSSL >= 3 can surely load keys in pkcs#8 format since it's the
default for genrsa now, hopefully it can still load the pkcs#1 ones
still (I didn't try that) or it would be a mess for mod_proxy (and the
docs).. Let me try that first and if it's ok I think we can simply say
that the note applies to openssl < 3 only.
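
Added example, not part of the thread and not httpd or Apache-Test code: a way to check which encoding the private keys in a PEM file actually use before testing that file against the SSLProxyMachineCertificateFile note discussed above. It decides PKCS#1 versus PKCS#8 from the DER structure rather than the PEM label; the function names and the key stubs are constructed for illustration, and only version-0 RSA and PKCS#8 structures are recognised.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_der(der):
    """Tell PKCS#1 RSAPrivateKey from PKCS#8 PrivateKeyInfo by structure."""
    if len(der) < 2 or der[0] != 0x30:          # outer SEQUENCE expected
        return "unknown"
    # Skip the length octets (short form, or long form with N extra bytes).
    pos = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)
    # Both structures start with INTEGER version = 0.
    if len(der) <= pos + 3 or der[pos:pos + 3] != b"\x02\x01\x00":
        return "unknown"
    # Next element: INTEGER (RSA modulus) => PKCS#1,
    #               SEQUENCE (AlgorithmIdentifier) => PKCS#8.
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(der[pos + 3], "unknown")

def classify_keys(pem_text):
    """Return [(pem_label, format)] for every private-key block in pem_text."""
    results = []
    for label, body in PEM_RE.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue                              # certificates, CSRs, ...
        # Encrypted PKCS#8, or traditional PEM encryption headers.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            results.append((label, "encrypted"))
            continue
        der = base64.b64decode("".join(body.split()))
        results.append((label, classify_der(der)))
    return results

def make_pem(label, der):
    """Wrap DER bytes in a PEM block (used for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed structural stubs, NOT real keys: just enough DER to show the
# shape of each format (version INTEGER, then INTEGER vs. SEQUENCE).
PKCS1_STUB = bytes.fromhex("3006020100020105")
PKCS8_STUB = bytes.fromhex("300a02010030020500040100")

if __name__ == "__main__":
    sample = (make_pem("CERTIFICATE", b"\x30\x00")
              + make_pem("RSA PRIVATE KEY", PKCS1_STUB)
              + make_pem("PRIVATE KEY", PKCS8_STUB))
    for label, fmt in classify_keys(sample):
        print(f"{label}: {fmt}")
```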