FYI: the problems I observed when running the httpd test suite using an OpenSSL 0.9.8zh based client against a server built using OpenSSL 3.0.0 originated in the fact that OpenSSL 3.0.0 by default no longer allows RSA SHA1 and DSA SHA1 as signature algorithms. But 0.9.8 only supports TLS 1.0, which in turn only supports these signature algorithms. So although 3.0.0 still supports TLS 1.0, with a default configuration such handshakes no longer work (which is a good thing, except for this testing).

The fix to make the test suite pass was to add "@SECLEVEL=0" to the end of the CipherSuite lines in t/conf/ssl/ssl.conf and t/conf/http2.conf (directly attached to the end of the existing config values).

Then the handshakes complete and the tests behave as expected, e.g. the http2 test no longer complains about the wrong number of tests and skips those needing SNI and ALPN etc.

Of course this addition doesn't make sense as a general change to the test suite.

One remaining minor nit: 3.0.0 has narrowed down the allowed DH parameters. I think that's the reason I sporadically get faults that are not strictly reproducible, logged in the server as:

[Mon May 24 11:15:23.944579 2021] [ssl:trace3] [pid 3787] ssl_engine_kernel.c(2223): [client 127.0.0.1:36883] OpenSSL: Write: error
[Mon May 24 11:15:23.944586 2021] [ssl:trace3] [pid 3787] ssl_engine_kernel.c(2242): [client 127.0.0.1:36883] OpenSSL: Exit: error in error
[Mon May 24 11:15:23.944611 2021] [ssl:info] [pid 3787] [client 127.0.0.1:36883] AH02008: SSL library error 1 in handshake (server localhost:8564)
[Mon May 24 11:15:23.944635 2021] [ssl:info] [pid 3787] SSL Library Error: error:02800066:Diffie-Hellman routines::invalid public key ()
[Mon May 24 11:15:23.944647 2021] [ssl:info] [pid 3787] SSL Library Error: error:0A0C0103:SSL routines::internal error ()
[Mon May 24 11:15:23.944655 2021] [ssl:info] [pid 3787] [client 127.0.0.1:36883] AH01998: Connection closed to child 7 with abortive shutdown (server localhost:8564)

Especially tests in t/ssl/proxy.t fail every now and then, because that test file makes a lot of connections. Very rarely also t/ssl/fakeauth.t.

These sporadic failures seem not to occur with OpenSSL up to 1.1.1k-1 in the server and also not with OpenSSL 1.0.1 and later in the client.

Regards,

Rainer
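
The sporadic DH failures above are easiest to count from the server's error_log rather than by watching t/ssl/proxy.t by hand. The following is an added example written for this thread; it is not code from the post, from httpd or from the test suite. It parses the mod_ssl error_log format shown above, attributes the untagged "SSL Library Error" stack lines to the client whose AH02008 was last logged in the same child pid, and counts how many handshakes died with OpenSSL error 02800066 (DH invalid public key). The sample input reuses the six log lines from the post plus three constructed lines for a second client with a different failure; the function and constant names are the example's own.

```python
"""Triage mod_ssl handshake failures in an httpd error_log.

Added example for this thread (not part of the original post or of httpd).
Groups error_log entries per (child pid, client) and reports which OpenSSL
error codes each failed handshake produced, so sporadic failures such as
"DH invalid public key" can be counted across a whole test run.
"""
import re

# One entry per line. Sample: six lines copied from the post above, then three
# constructed lines (pid 3788, client 127.0.0.1:36901) showing a different
# handshake failure so that the grouping is visible.
SAMPLE_LOG = """\
[Mon May 24 11:15:23.944579 2021] [ssl:trace3] [pid 3787] ssl_engine_kernel.c(2223): [client 127.0.0.1:36883] OpenSSL: Write: error
[Mon May 24 11:15:23.944586 2021] [ssl:trace3] [pid 3787] ssl_engine_kernel.c(2242): [client 127.0.0.1:36883] OpenSSL: Exit: error in error
[Mon May 24 11:15:23.944611 2021] [ssl:info] [pid 3787] [client 127.0.0.1:36883] AH02008: SSL library error 1 in handshake (server localhost:8564)
[Mon May 24 11:15:23.944635 2021] [ssl:info] [pid 3787] SSL Library Error: error:02800066:Diffie-Hellman routines::invalid public key ()
[Mon May 24 11:15:23.944647 2021] [ssl:info] [pid 3787] SSL Library Error: error:0A0C0103:SSL routines::internal error ()
[Mon May 24 11:15:23.944655 2021] [ssl:info] [pid 3787] [client 127.0.0.1:36883] AH01998: Connection closed to child 7 with abortive shutdown (server localhost:8564)
[Mon May 24 11:15:24.100001 2021] [ssl:info] [pid 3788] [client 127.0.0.1:36901] AH02008: SSL library error 1 in handshake (server localhost:8564)
[Mon May 24 11:15:24.100020 2021] [ssl:info] [pid 3788] SSL Library Error: error:0A000102:SSL routines::unsupported protocol ()
[Mon May 24 11:15:24.100031 2021] [ssl:info] [pid 3788] [client 127.0.0.1:36901] AH01998: Connection closed to child 8 with abortive shutdown (server localhost:8564)
"""

# error_log prefix: [timestamp] [module:level] [pid N] <rest>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\] (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\] ")
AH_RE = re.compile(r"(?P<ah>AH\d{5}): ")
# OpenSSL 3 error strings: error:<8 hex digits>:<library>::<reason>
OSSL_ERR_RE = re.compile(r"SSL Library Error: error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>[^(]*)")

# Code from the post's log: library 0x28 (Diffie-Hellman), reason 0x66.
DH_INVALID_PUBLIC_KEY = "02800066"


def parse_entries(text):
    """Parse error_log lines into dicts; lines not in the expected format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        rest = e.pop("rest")
        c = CLIENT_RE.search(rest)
        a = AH_RE.search(rest)
        o = OSSL_ERR_RE.search(rest)
        e["client"] = c.group("client") if c else None
        e["ah"] = a.group("ah") if a else None
        e["ossl_code"] = o.group("code") if o else None
        e["ossl_text"] = o.group("text").strip() if o else None
        e["message"] = rest
        entries.append(e)
    return entries


def group_handshake_failures(entries):
    """Map (pid, client) -> list of OpenSSL error codes for each failed handshake.

    mod_ssl logs AH02008 with the client tag, then the OpenSSL error stack as
    one 'SSL Library Error' line per frame WITHOUT a client tag. Those lines
    are attributed to the client whose AH02008 was last seen in the same
    child pid, which matches the order in the log above.
    """
    last_client = {}
    failures = {}
    for e in entries:
        if e["ah"] == "AH02008":
            last_client[e["pid"]] = e["client"]
            failures.setdefault((e["pid"], e["client"]), [])
        elif e["ossl_code"] and e["pid"] in last_client:
            failures.setdefault((e["pid"], last_client[e["pid"]]), []).append(e["ossl_code"])
    return failures


def count_dh_invalid_public_key(text):
    """Number of failed handshakes whose error stack contains the DH invalid-public-key code."""
    failures = group_handshake_failures(parse_entries(text))
    return sum(1 for codes in failures.values() if DH_INVALID_PUBLIC_KEY in codes)


if __name__ == "__main__":
    for (pid, client), codes in group_handshake_failures(parse_entries(SAMPLE_LOG)).items():
        print(f"pid {pid} client {client}: {' '.join(codes)}")
    print("DH invalid public key failures:", count_dh_invalid_public_key(SAMPLE_LOG))
```

Point the script at a real error_log from a t/ssl/proxy.t run (LogLevel ssl:info is enough; the trace3 lines are not needed) and compare the count against the number of AH02008 entries to see what share of the sporadic failures is the DH case rather than something else.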
