On 26/04/2020 10:36, Michael Osipov wrote:
> Am 2020-04-24 um 18:30 schrieb Christopher Schultz:


>> This comes down to algorithms which have been compiled-out of the
>> library, right? So we just need to automatically skip tests which
>> attempt to use those algorithms.

Not entirely. We are affected both by algorithms being removed and
algorithms being added.

>> Unfortunately, the whole point of the unit tests is to make sure we
>> haven't missed anything. In order to both remove unsupported
>> algorithms AND test whether the remaining algorithms are
>> properly-mapped, we need ANOTHER implementation of the mapping, or
>> something similar to cross-check the two.

I think I agree with this. If you mean that somewhere we would need to
maintain a list of algorithms there were supported by the vendor
modified package then, yes I agree. The tricky part being that we can't
always identify what is a vendor modified package.

>> Somewhere, we have a /complete/ list of OpenSSL-specified names that
>> we support.

Ciphers is an enumeration of all the Ciphers OpenSSL supports or has
supported in the past.

In TesterOpenSSL we modify that list to remove Ciphers we know are not
supported in the version we are testing.

>> That can easily be dumped somewhere and sorted
>> alphabetically. Then, "openssl ciphers 'ALL'" can be run, sorted, and
>> compared to the sorted list we have.

"ALL" does not return all supported ciphers. Sigh. You need to use

>> Anything which isn't in the
>> "openssl ciphers 'ALL'" list can be removed from the list of cipher
>> suites we test.

The problem is, that is how we detected that the list of supported
Cipher suites has changed for a given OpenSSL branch (yes it can change
between point releases).

>> AIUI, it's possible to individually-remove a cipher suite from the
>> unit tests if it's known to be missing on the platform. We just need
>> to make that process automated, right?
> Up to the point! That's exactly the route one should go.

We would need to clearly separate (from memory I don't recall how clear
the separation is right now):

- Tests that compare the ciphers we think a version of OpenSSL supports
  with the ciphers it reports it supports. These only need to run when
  testing with an unmodified OpenSSL from openssl.org
- Tests just need to know which ciphers OpenSSL supports and, as long as
  they have the correct list, will always pass


To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to