# HG changeset patch
# User Maxim Dounin <mdou...@mdounin.ru>
# Date 1714514801 -10800
#      Wed May 01 01:06:41 2024 +0300
# Node ID c271d34326938c0948edac4061a2290922200188
# Parent  68b3d0906228ccb5d6f721d776bf68cd6c7fbc3f
Tests: sigalgs handling with Net::SSLeay with LibreSSL.

LibreSSL does not provide a way to configure signature algorithms, and
this makes it impossible to request a particular server certificate
when using TLSv1.3.  As such, relevant tests fail if Net::SSLeay is compiled
with LibreSSL.  Notably, this affects macOS, where Net::SSLeay compiled
with LibreSSL is shipped with the OS.

Fix is to mark relevant tests as TODO if Net::SSLeay is compiled with
LibreSSL, similarly to what we already do for sigalg issues in LibreSSL
on the server side.

diff --git a/ssl_certificates.t b/ssl_certificates.t
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -99,8 +99,14 @@ like(cert('RSA'), qr/CN=rsa/, 'ssl cert 
 
 }
 
+TODO: {
+local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)'
+       if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
+
 like(cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');
 
+}
+
 ###############################################################################
 
 sub test_tls13 {
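Review bot: The new `TODO:` block around `like(cert('ECDSA'), ...)` has no comment saying what coverage is lost: with a LibreSSL-linked Net::SSLeay under TLSv1.3, a wrong certificate is reported as an expected TODO failure rather than an error, so ECDSA certificate selection is no longer enforced there. The same applies to the 'staple success' and 'responder success' checks in the ssl_stapling.t hunks. I would add a comment above the `local $TODO` line, e.g. `# LibreSSL client cannot set sigalgs, so with TLSv1.3 the ECDSA certificate cannot be requested; verified only with an OpenSSL-linked Net::SSLeay`. Calling `Net::SSLeay::constant()` directly rather than `Net::SSLeay::LIBRESSL_VERSION_NUMBER()` is presumably deliberate, so that builds lacking the constant do not die, and that deserves a word in the same comment.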
diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -262,6 +262,8 @@ ok(!staple(8443, 'RSA'), 'staple revoked
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
        if $t->has_module('LibreSSL') && test_tls13();
+local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)'
+       if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
 
 ok(staple(8443, 'ECDSA'), 'staple success');
 
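Review bot: The two stacked `local $TODO = ... if ...;` statements here, and again in the next hunk before 'responder success', rely on the second assignment silently replacing the first reason when both server and client are LibreSSL. In that case `test_tls13()` also runs twice; its body is not visible in this hunk, but if it performs a handshake that is an extra connection per block. A single evaluation reads more clearly: compute `my $tls13 = test_tls13();` once and write the added line as `local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' if $tls13 && Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER");`. The TODO block closes outside the hunk.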
@@ -272,6 +274,8 @@ ok(!staple(8444, 'RSA'), 'responder revo
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
        if $t->has_module('LibreSSL') && test_tls13();
+local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)'
+       if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
 
 ok(staple(8444, 'ECDSA'), 'responder success');
 
@@ -288,7 +292,9 @@ ok(!staple(8449, 'ECDSA'), 'ocsp error')
 
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
-       if $t->has_module('LibreSSL') && test_tls13();
+       if $t->has_module('LibreSSL')
+       && !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")
+       && test_tls13();
 
 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
 
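Review bot: The added `&& !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")` inverts the client check used in the earlier hunks, and nothing in the code says why the 'no crit' check is expected to pass when both sides are LibreSSL. Presumably a LibreSSL client never triggers the server-side sigalgs failure that logs the `[crit]` line, so the TODO would otherwise pass unexpectedly. A comment above the condition would record that, e.g. `# LibreSSL client cannot request ECDSA with TLSv1.3, so the server-side sigalgs bug is not triggered`. The TODO block closes outside the hunk.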
