details: http://freenginx.org/hg/nginx-tests/rev/0a93f101925a branches: changeset: 1967:0a93f101925a user: Maxim Dounin <mdou...@mdounin.ru> date: Mon May 06 00:01:53 2024 +0300 description: Tests: sigalgs handling with Net::SSLeay with LibreSSL.
LibreSSL does not provide a way to configure signature algorithms, and this makes it impossible to request a particular server certificate when using TLSv1.3. As such, relevant tests fail if Net::SSLeay is compiled with LibreSSL. Notably, this affects macOS, where Net::SSLeay compiled with LibreSSL is shipped with the OS. Fix is to mark relevant tests as TODO if Net:SSLeay is compiled with LibreSSL, similarly to what we already do for sigalg issues in LibreSSL on the server side. diffstat: ssl_certificates.t | 8 ++++++++ ssl_stapling.t | 8 +++++++- 2 files changed, 15 insertions(+), 1 deletions(-) diffs (52 lines): diff --git a/ssl_certificates.t b/ssl_certificates.t --- a/ssl_certificates.t +++ b/ssl_certificates.t @@ -99,8 +99,16 @@ like(cert('RSA'), qr/CN=rsa/, 'ssl cert } +TODO: { +local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' + if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") + && !$t->has_module('LibreSSL') + && test_tls13(); + like(cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA'); +} + ############################################################################### sub test_tls13 { diff --git a/ssl_stapling.t b/ssl_stapling.t --- a/ssl_stapling.t +++ b/ssl_stapling.t @@ -262,6 +262,8 @@ ok(!staple(8443, 'RSA'), 'staple revoked TODO: { local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' if $t->has_module('LibreSSL') && test_tls13(); +local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' + if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); ok(staple(8443, 'ECDSA'), 'staple success'); @@ -272,6 +274,8 @@ ok(!staple(8444, 'RSA'), 'responder revo TODO: { local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' if $t->has_module('LibreSSL') && test_tls13(); +local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' + if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); ok(staple(8444, 'ECDSA'), 'responder success'); 
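Review bot: The added TODO condition in ssl_certificates.t calls `Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")` directly, and nothing in the hunk shows that Net::SSLeay is loaded at this point or that the installed version knows this constant name. If the module is only pulled in indirectly, the call can die; if an older build returns a false value for the name, the guard silently does not apply and the ECDSA check fails as before. Writing it as `eval { Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") }` would at least keep the script from aborting. The same expression is repeated in the three ssl_stapling.t hunks, so a small helper next to `test_tls13()` would keep the four conditions in step. A one-line comment on why `!$t->has_module('LibreSSL')` is part of the condition here but not in ssl_stapling.t would also help the next reader.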
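Review bot: Marking 'staple success' as TODO whenever Net::SSLeay is built with LibreSSL means an OCSP stapling regression for the ECDSA certificate can no longer be told apart from the known client limitation on those hosts; the same applies to 'responder success' in the next hunk (@@ -272). A comment such as `# ECDSA stapling is not verified with LibreSSL clients under TLSv1.3` would make that coverage gap visible. The two consecutive `local $TODO = ... if ...;` statements are also not exclusive: when both nginx and Net::SSLeay use LibreSSL, the second message replaces the first, which looks intended but is not stated. The enclosing TODO blocks close outside the hunks.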
@@ -288,7 +292,9 @@ ok(!staple(8449, 'ECDSA'), 'ocsp error') TODO: { local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' - if $t->has_module('LibreSSL') && test_tls13(); + if $t->has_module('LibreSSL') + && !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") + && test_tls13(); like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); -- nginx-devel mailing list nginx-devel@freenginx.org https://freenginx.org/mailman/listinfo/nginx-devel
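Review bot: The new `&& !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")` term drops the TODO from the 'no crit' check when both nginx and the client are built with LibreSSL, but the reason is not given in the code. Presumably the server-side sigalgs problem is not triggered when the client cannot request specific signature algorithms, so an empty grep result is expected there. If that is the reasoning, a comment above the condition such as `# not triggered when the client cannot set sigalgs (Net::SSLeay with LibreSSL)` would record it. Without it, this narrowing reads like an oversight next to the two earlier TODO blocks in this file, which add a second TODO instead. The TODO block closes outside the hunk.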