Rainer,

On 2/28/22 10:35, Rainer Jung wrote:

On 28.02.2022 at 15:34, Christopher Schultz wrote:
Rainer,

On 2/25/22 23:22, Rainer Jung wrote:
I don't get any unit test failures. I set in build.properties:

test.apr.loc=/path/to/tcnative/lib
test.openssl.path=/path/to/openssl/bin/openssl

I have:

test.openssl.loc=/home/cschultz/projects/apache/apache-tomcat/openssl-1.1.1/target/bin/openssl

I have not set test.apr.loc and use the local system APR library. Here are the effective versions, from my test build-test-suite report:

*  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
*  APR:      1.6.5

My OpenSSL version is locally-compiled.

Here are the testcase failures:

Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestCipher
Testcase: testOpenSSLCipherAvailability took 0.008 sec
         FAILED
Unavailable cipher suites: IDEA-CBC-SHA+SSLv3  expected:<0> but was:<1>

Same failures for NIO, NIO2, and APR (of course, since these tests are not related to the connector-type).

Also this:

Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
Tests run: 85, Failures: 11, Errors: 0, Skipped: 0, Time elapsed: 0.564 sec

Error in cipher list
140089009423488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2564:

Error in cipher list
140161019962496:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2564:

[.. many times repeated...]


Testcase: testALL took 0.012 sec
         FAILED
Expected 143 ciphers but got 141 for the specification 'ALL' expected:<[SSL_RSA_WITH_IDEA_CBC_SHA, [... lots of additional cipher suites ...]

I am missing the following two cipher suites:

SSL_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_IDEA_CBC_SHA

Is there a way to disable checking for the IDEA cipher suites or do I need to customize my OpenSSL build to include them?

Class TesterOpenSSL.java contains the following snippet:

        String skipCiphers = System.getProperty("tomcat.test.openssl.unimplemented", "");
        if (!skipCiphers.isEmpty()) {
            String[] skip = skipCiphers.split(",");
            for (Cipher c : Cipher.values()) {
                for (String s : skip) {
                    if (c.toString().contains(s)) {
                        unimplemented.add(c);
                    }
                }
            }
        }

So it seems you can add your own "unimplemented" ciphers as a comma separated list to the system property "tomcat.test.openssl.unimplemented" when running the unit tests.


And build.xml contains

<sysproperty key="tomcat.test.openssl.unimplemented" value="${test.openssl.unimplemented}" />

so you can set the system property from the property "test.openssl.unimplemented" in build.properties.

You might have to check which form the expected cipher names have.

Amusingly enough, I was watching this fine presentation the other day and this guy covers this question exactly, around the 17:35 mark:

https://youtu.be/O2wXAldxQWA?t=1056

:)

-chris
