On 04.08.2019 at 23:14, Daniel Ruggeri wrote:

On 8/4/2019 3:30 AM, Rainer Jung wrote:
Hi there,

this one fails for me when the server uses OpenSSL 1.1.1 (no other
variant tested yet) but the client uses something before 1.1.1. In
this case I get Status 500 instead of the expected 403 in the client.

Another older test t/security/CVE-2005-2700.t uses

ok !t_cmp($r->code, 200, "...

instead of

ok t_cmp($r->code, 403, "...

used in the new test. Do others observe the same problem? Should we
relax the condition on 403 or 500, or is it necessary to only relax if
client isn't using 1.1.1 (or maybe depending on effective TLS version)?

I also see the same problem. The 500 must be coming from the LWP client
rather than httpd, though, as httpd does log the 403. I would prefer to
skip the test for non-compatible clients rather than for the internal
client error to be treated as a "pass" of a test it cannot run.

As an intermediate solution I added a request to check whether TLS 1.3 works and, depending on that, switch the expectation to status 403 or 500. See r1864463.

I am undecided whether skipping or allowing 500 is better for the non-TLS-1.3 case. More opinions? Joe (original author)?

Regards,

Rainer
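One way to write down the two options under discussion (skip the test, or tolerate the client-side 500) in an Apache::Test script, as an added example that is not the test from r1864463 or any other httpd test-suite code. It assumes a hypothetical resource `/forbidden-over-tls/`, and it decides TLS 1.3 capability from the client's OpenSSL version number rather than with the probe request described above. The `Client-Warning: Internal response` header is what LWP puts on responses it synthesized locally, which is how a failed handshake surfaces as a 500 on the client side while httpd itself logged 403.

```perl
#!/usr/bin/perl
# Constructed example (not the test from r1864463 or other httpd test-suite
# code): pick the expected status based on whether the client can do TLS 1.3,
# and never count a 500 that httpd actually sent as a pass.
use strict;
use warnings FATAL => 'all';

use Apache::Test;
use Apache::TestRequest;
use Apache::TestUtil;
use Net::SSLeay ();

# Hypothetical resource that the server is configured to answer with 403
# once the TLS handshake has succeeded.
my $url = '/forbidden-over-tls/';

plan tests => 2, need_module 'ssl';

Apache::TestRequest::module('ssl');

# The client side cannot negotiate TLS 1.3 before OpenSSL 1.1.1, which is
# 0x10101000 in OPENSSL_VERSION_NUMBER form (MNNFFPPS). This version check
# stands in for the probe request used in the real test.
my $client_has_tls13 = Net::SSLeay::SSLeay() >= 0x10101000;
t_debug("client " . Net::SSLeay::SSLeay_version(0)
        . ", TLS 1.3 capable: " . ($client_has_tls13 ? 'yes' : 'no'));

my $r = GET $url;

# LWP marks responses it generated itself (e.g. after a failed handshake)
# with "Client-Warning: Internal response". A 500 without that header came
# from httpd and is a real failure, not a client limitation.
my $warning  = $r->header('Client-Warning') || 'none';
my $internal = $warning eq 'Internal response';
t_debug("status " . $r->code . ", Client-Warning: $warning");

# Test 1: any 500 must be the client's own, never httpd's.
my $server_500 = ($r->code == 500 && !$internal) ? 1 : 0;
ok t_cmp($server_500, 0, "no server-side 500 for $url");

# Test 2: with a TLS 1.3 capable client the server must answer 403;
# otherwise skip instead of treating the client's 500 as a pass.
skip(!$client_has_tls13 && "client OpenSSL lacks TLS 1.3, test cannot run",
     t_cmp($r->code, 403, "server rejected $url with 403"));
```

Relaxing the expectation to "403 or 500" instead would be a one-line change to test 2, but test 1 is the part worth keeping either way: it separates the 500 LWP generates for itself from one the server produced, so a genuine server error does not hide behind the client's handshake failure.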
