> Since this is a "forward" port of our system's outdated cURL (7.19.2) and
> axTLS (1.2.7), I'm not sure that I'll bother to test it much more.  If anyone
> else tests and finds specific issues, I'll gladly take a look.

Alright, I re-read what I wrote here and decided it was very poor form to not 
run the test suite.  Upon running it, however, an error occurred comparing the 
server certificate's alternative name ("localhost") against the hostname 
("127.0.0.1").

For test 300, this seems reasonable enough, but for test 310, where both the 
server cert and the client's CA cert are specified, this seems like an error.  
I'm digging into this, but if anyone has already encountered this or has any 
insight, please let me know.  The full, verbose test-run output is attached.

Thanks,
Eric

eric@deed:~/work/curl/tests$ ./runtests.pl -v 310 -g
CMD (0): ../src/curl --version 1>log/curlverout.log 2>log/curlvererr.log
********* System characteristics ******** 
* curl 7.31.0-DEV (i686-pc-linux-gnu) 
* libcurl/7.31.0-DEV axTLS/1.4.9 zlib/1.2.3.4
* Features: Debug TrackMemory IPv6 Largefile SSL libz 
* Host: deed
* System: Linux deed 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686 
GNU/Linux
* Server SSL:        ON   libcurl SSL:  ON 
* debug build:       ON   track memory: ON 
* valgrind:          OFF  HTTP IPv6     ON 
* FTP IPv6           ON   Libtool lib:  ON 
* Shared build:      yes
* SSL library:         axTLS
* Ports:
*   HTTP/8960 FTP/8962 FTP2/8965 RTSP/8977 FTPS/8963 HTTPS/8961 
*   TFTP/8967 HTTP-IPv6/8964 RTSP-IPv6/8978 FTP-IPv6/8966 
*   GOPHER/8979 GOPHER-IPv6/8979
*   SSH/8969 SOCKS/8970 POP3/8971 IMAP/8973 SMTP/8975
*   POP3-IPv6/8972 IMAP-IPv6/8974 SMTP-IPv6/8976
*   HTTP-PIPE/8984 
***************************************** 
startnew: perl -I. ./httpserver.pl --pidfile ".http_server.pid" --logfile 
"log/http_server.log" --ipv4 --port 8960 --srcdir "."
RUN: ../src/curl --max-time 13 --output log/http_verify.out --silent --verbose 
--globoff -1 "http://127.0.0.1:8960/verifiedserver"; 2>log/http_verify.log
CMD (0): ../src/curl --max-time 13 --output log/http_verify.out --silent 
--verbose --globoff -1 "http://127.0.0.1:8960/verifiedserver"; 
2>log/http_verify.log
RUN: HTTP server is now running PID 23294
* pid http => 23294 23295
startnew: perl -I. ./secureserver.pl --pidfile ".https_server.pid" --logfile 
"log/https_stunnel.log" --ipv4 --proto https --certfile 
"Server-localhost-sv.pem" --stunnel "/usr/bin/stunnel4" --srcdir "." --connect 
8960 --accept 8961
RUN: ../src/curl --max-time 13 --output log/https_verify.out --silent --verbose 
--globoff -1 --insecure "https://127.0.0.1:8961/verifiedserver"; 
2>log/https_verify.log
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
CMD (13056): ../src/curl --max-time 13 --output log/https_verify.out --silent 
--verbose --globoff -1 --insecure "https://127.0.0.1:8961/verifiedserver"; 
2>log/https_verify.log
RUN: curl command returned 51
RUN: * STATE: INIT => CONNECT handle 0x8a9975c; line 1010 (connection #-5000) 
RUN: * About to connect() to 127.0.0.1 port 8961 (#0)
RUN: *   Trying 127.0.0.1...
RUN: * Adding handle: conn: 0x8aa2194
RUN: * Adding handle: send: 0
RUN: * Adding handle: recv: 0
RUN: * Curl_addHandleToPipeline: length: 1
RUN: * 0x8a90194 is at send pipe head!
RUN: * - Conn 0 (0x8aa2194) send_pipe: 1, recv_pipe: 0
RUN: * STATE: CONNECT => WAITCONNECT handle 0x8a9975c; line 1057 (connection 
#0) 
RUN: * Connected to 127.0.0.1 (127.0.0.1) port 8961 (#0)
RUN: * found certificates in /etc/ssl/certs/ca-certificates.crt
RUN: * STATE: WAITCONNECT => PROTOCONNECT handle 0x8a9975c; line 1170 
(connection #0) 
RUN: * handshake completed successfully
RUN: *   server certificate verification SKIPPED
RUN: *  Comparing subject alt name DNS with hostname: localhost <-> 127.0.0.1
RUN: *   Curl_axtls_close
RUN: *  subjectAltName(s) do not match 127.0.0.1
RUN: *   Curl_axtls_close
RUN: * Closing connection 0
RUN: * The cache now contains 0 members
RUN: *   Curl_axtls_close
RUN: *   Curl_axtls_close
RUN: *   Curl_axtls_close
RUN: * Expire cleared
RUN: *   Curl_axtls_close_all
RUN: Unknown server on our https port: 8961 (51)
RUN: HTTPS server failed verification
RUN: Process with pid 23294 signalled to die
RUN: Process with pid 23295 signalled to die
RUN: Process with pid 23312 signalled to die
RUN: Process with pid 23315 signalled to die
RUN: Process with pid 23315 gracefully died
RUN: Process with pid 23295 gracefully died
RUN: Process with pid 23294 forced to die with SIGKILL
RUN: Process with pid 23312 forced to die with SIGKILL
== Contents of files in the log/ dir after test 310
=== Start of file curlverout.log
 curl 7.31.0-DEV (i686-pc-linux-gnu) libcurl/7.31.0-DEV axTLS/1.4.9 zlib/1.2.3.4
 Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp 
smtp smtps telnet tftp 
 Features: Debug TrackMemory IPv6 Largefile SSL libz 
=== End of file curlverout.log
=== Start of file http_server.log
 11:49:24.118583 Running HTTP IPv4 version on port 8960
 11:49:24.118980 Wrote pid 23295 to .http_server.pid
 11:49:25.148947 ====> Client connect
 11:49:25.149012 TCP_NODELAY set
 11:49:25.149052 accept_connection 3 returned 4
 11:49:25.149101 accept_connection 3 returned 0
 11:49:25.149152 Read 96 bytes
 11:49:25.149200 Process 96 bytes request
 11:49:25.149274 Got request: GET /verifiedserver HTTP/1.1
 11:49:25.149317 Are-we-friendly question received
 11:49:25.149387 Wrote request (96 bytes) input to log/server.input
 11:49:25.149455 Identifying ourselves as friends
 11:49:25.149549 Sent off 56 bytes
 11:49:25.149621 Response sent (56 bytes) and written to log/server.response
 11:49:25.149664 special request received, no persistency
 11:49:25.149704 ====> Client disconnect 0
 11:49:28.637589 ====> Client connect
 11:49:28.637778 TCP_NODELAY set
 11:49:28.637881 accept_connection 3 returned 4
 11:49:28.637999 accept_connection 3 returned 0
 11:49:28.638500 Connection closed by client
 11:49:28.638618 ====> Client disconnect 0
 11:49:28.642687 select() failed with error: (4) Interrupted system call
 11:49:28.642776 signalled to die
 11:49:28.642864 ========> IPv4 sws (port: 8960 pid: 23295) exits with signal 
(15)
=== End of file http_server.log
=== Start of file http_verify.log
 * STATE: INIT => CONNECT handle 0x94e875c; line 1010 (connection #-5000) 
 * About to connect() to 127.0.0.1 port 8960 (#0)
 *   Trying 127.0.0.1...
 * Adding handle: conn: 0x94f1194
 * Adding handle: send: 0
 * Adding handle: recv: 0
 * Curl_addHandleToPipeline: length: 1
 * 0x94df194 is at send pipe head
 * - Conn 0 (0x94f1194) send_pipe: 1, recv_pipe: 0
 * STATE: CONNECT => WAITCONNECT handle 0x94e875c; line 1057 (connection #0) 
 * Connected to 127.0.0.1 (127.0.0.1) port 8960 (#0)
 * STATE: WAITCONNECT => DO handle 0x94e875c; line 1176 (connection #0) 
 > GET /verifiedserver HTTP/1.1
 > User-Agent: curl/7.31.0-DEV
 > Host: 127.0.0.1:8960
 > Accept: */*
 > 
 * STATE: DO => DO_DONE handle 0x94e875c; line 1262 (connection #0) 
 * STATE: DO_DONE => WAITPERFORM handle 0x94e875c; line 1379 (connection #0) 
 * STATE: WAITPERFORM => PERFORM handle 0x94e875c; line 1390 (connection #0) 
 * HTTP 1.1 or later with persistent connection, pipelining supported
 < HTTP/1.1 200 OK
 < Content-Length: 17
 < 
 { [data not shown]
 * STATE: PERFORM => DONE handle 0x94e875c; line 1560 (connection #0) 
 * Connection #0 to host 127.0.0.1 left intact
 * Expire cleared
 *   Curl_axtls_close_all
=== End of file http_verify.log
=== Start of file http_verify.out
 WE ROOLZ: 23295
=== End of file http_verify.out
=== Start of file https_stunnel.log
 2013.06.07 11:49:26 LOG5[23315:3074001104]: stunnel 4.29 on i486-pc-linux-gnu 
with OpenSSL 0.9.8o 01 Jun 2010
 2013.06.07 11:49:26 LOG5[23315:3074001104]: Threading:PTHREAD SSL:ENGINE 
Sockets:POLL,IPv6 Auth:LIBWRAP
 2013.06.07 11:49:26 LOG5[23315:3074001104]: 500 clients allowed
 2013.06.07 11:49:27 LOG5[23315:3077495664]: curltest accepted connection from 
127.0.0.1:43266
 2013.06.07 11:49:29 LOG5[23315:3077495664]: connect_blocking: connected 
127.0.0.1:8960
 2013.06.07 11:49:29 LOG5[23315:3077495664]: curltest connected remote server 
from 127.0.0.1:52199
 2013.06.07 11:49:29 LOG5[23315:3077495664]: Connection closed: 0 bytes sent to 
SSL, 0 bytes sent to socket
 2013.06.07 11:49:29 LOG5[23315:3074001104]: Received signal 15; terminating
=== End of file https_stunnel.log
=== Start of file https_verify.log
 * STATE: INIT => CONNECT handle 0x8a9975c; line 1010 (connection #-5000) 
 * About to connect() to 127.0.0.1 port 8961 (#0)
 *   Trying 127.0.0.1...
 * Adding handle: conn: 0x8aa2194
 * Adding handle: send: 0
 * Adding handle: recv: 0
 * Curl_addHandleToPipeline: length: 1
 * 0x8a90194 is at send pipe head
 * - Conn 0 (0x8aa2194) send_pipe: 1, recv_pipe: 0
 * STATE: CONNECT => WAITCONNECT handle 0x8a9975c; line 1057 (connection #0) 
 * Connected to 127.0.0.1 (127.0.0.1) port 8961 (#0)
 * found certificates in /etc/ssl/certs/ca-certificates.crt
 * STATE: WAITCONNECT => PROTOCONNECT handle 0x8a9975c; line 1170 (connection 
#0) 
 * handshake completed successfully
 *       server certificate verification SKIPPED
 *      Comparing subject alt name DNS with hostname: localhost <-> 127.0.0.1
 *   Curl_axtls_close
 *      subjectAltName(s) do not match 127.0.0.1
 *   Curl_axtls_close
 * Closing connection 0
 * The cache now contains 0 members
 *   Curl_axtls_close
 *   Curl_axtls_close
 *   Curl_axtls_close
 * Expire cleared
 *   Curl_axtls_close_all
=== End of file https_verify.log
=== Start of file server.input
 GET /verifiedserver HTTP/1.1
 User-Agent: curl/7.31.0-DEV
 Host: 127.0.0.1:8960
 Accept: */*
=== End of file server.input
=== Start of file server.response
 HTTP/1.1 200 OK
 Content-Length: 17
 WE ROOLZ: 23295
=== End of file server.response
test 310 SKIPPED: failed starting HTTPS server (stunnel)
TESTFAIL: No tests were performed
TESTDONE: 1 tests were considered during 10 seconds.
TESTINFO: 1 tests were skipped due to these restraints:
TESTINFO: "failed starting HTTPS server (stunnel)" 1 times (310)
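
The name check that the log above shows failing, sketched as an added example (not code from curl, axTLS or this post): DNS-type subjectAltName entries are compared with the connect host, and an IP literal such as 127.0.0.1 never matches a DNS entry (RFC 2818 section 3.1 expects an iPAddress entry for that case). The function names, the enum, SAMPLE_SAN and the verify_host parameter are assumptions for illustration; verify_host models whether a mismatch is fatal or, as with --insecure, only reported.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum name_result { NAME_MATCH, NAME_MISMATCH_IGNORED, NAME_MISMATCH_FATAL };
/* Constructed sample: the single DNS subjectAltName seen in the log. */
static const char *const SAMPLE_SAN[] = { "localhost" };

/* Returns 1 if host is an IPv4/IPv6 literal rather than a DNS name. */
static int is_ip_literal(const char *host)
{
  unsigned char buf[sizeof(struct in6_addr)];
  return inet_pton(AF_INET, host, buf) == 1 ||
         inet_pton(AF_INET6, host, buf) == 1;
}

/* Case-insensitive match; "*." may stand for exactly one left-most label. */
static int dns_name_matches(const char *pattern, const char *host)
{
  if(strncmp(pattern, "*.", 2) == 0) {
    const char *dot = strchr(host, '.');
    return dot && dot != host && strcasecmp(pattern + 1, dot) == 0;
  }
  return strcasecmp(pattern, host) == 0;
}

/* san_dns: DNS-type subjectAltName entries from the server certificate.
   verify_host (hypothetical): 0 models --insecure, nonzero a verified run. */
enum name_result check_san_dns(const char *const *san_dns, size_t n,
                               const char *host, int verify_host)
{
  size_t i;
  if(!is_ip_literal(host)) /* IP literals are never tried as DNS names */
    for(i = 0; i < n; i++)
      if(dns_name_matches(san_dns[i], host))
        return NAME_MATCH;
  return verify_host ? NAME_MISMATCH_FATAL : NAME_MISMATCH_IGNORED;
}

int main(void)
{
  printf("verified: %d, insecure: %d\n",
         check_san_dns(SAMPLE_SAN, 1, "127.0.0.1", 1),
         check_san_dns(SAMPLE_SAN, 1, "127.0.0.1", 0));
  return 0;
}
```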