> On 18 Mar 2023, at 18:14, Maxim Dounin <mdou...@mdounin.ru> wrote: > > Hello! > > Here is a patch series for the test suite to address test failures > observed with TLSv1.3 enabled with BoringSSL and LibreSSL. > > Short summary of the issues seen: > > - BoringSSL with TLSv1.3 does not support session reuse via server-side > session cache, only with tickets. > > - BoringSSL with TLSv1.3 does not provide $ssl_session_id. > > - LibreSSL with TLSv1.3 does not support session reuse. > > - LibreSSL with TLSv1.3 fails to negotiate certificates based on > signature algorithms supported by the client, and fails with > "missing rsa certificate" and "unknown pkey type" errors. > > - LibreSSL with TLSv1.3 does not send CA lists to the client. >
Missing peaces that allow me to run with LibreSSL: # HG changeset patch # User Sergey Kandaurov <pluk...@nginx.com> # Date 1679485246 -14400 # Wed Mar 22 15:40:46 2023 +0400 # Node ID dfe434f295d3da7e3b67bbbafeab245bb591f397 # Parent 826e00e7c037d617781239963e8b868b6b0de225 Tests: fixed upstream zone tests with LibreSSL and TLSv1.3. LibreSSL does not support session reuse with TLSv1.3. diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t --- a/stream_upstream_zone_ssl.t +++ b/stream_upstream_zone_ssl.t @@ -82,6 +82,19 @@ stream { ssl_certificate localhost.crt; ssl_session_cache builtin; } + + server { + listen 127.0.0.1:8085; + proxy_pass 127.0.0.1:8086; + } + + server { + listen 127.0.0.1:8086 ssl; + return $ssl_protocol; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + } } EOF @@ -112,13 +125,33 @@ is(stream('127.0.0.1:' . port(8080))->re is(stream('127.0.0.1:' . port(8080))->read(), '.', 'ssl 2'); is(stream('127.0.0.1:' . port(8081))->read(), '.', 'ssl session new'); + +SKIP: { +skip 'no TLSv1.3 sessions in LibreSSL', 2 + if $t->has_module('LibreSSL') && test_tls13(); + is(stream('127.0.0.1:' . port(8081))->read(), 'r', 'ssl session reused'); is(stream('127.0.0.1:' . port(8081))->read(), 'r', 'ssl session reused 2'); +} + is(stream('127.0.0.1:' . port(8082))->read(), '.', 'backup ssl'); is(stream('127.0.0.1:' . port(8082))->read(), '.', 'backup ssl 2'); is(stream('127.0.0.1:' . port(8083))->read(), '.', 'backup ssl session new'); + +SKIP: { +skip 'no TLSv1.3 sessions in LibreSSL', 1 + if $t->has_module('LibreSSL') && test_tls13(); + is(stream('127.0.0.1:' . port(8083))->read(), 'r', 'backup ssl session reused'); +} + ############################################################################### + +sub test_tls13 { + stream('127.0.0.1:' . port(8085))->read() eq 'TLSv1.3'; +} + +############################################################################### diff --git a/upstream_zone_ssl.t b/upstream_zone_ssl.t 
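Review bot: The new helper server `listen 127.0.0.1:8085; proxy_pass 127.0.0.1:8086;` in the first stream_upstream_zone_ssl.t hunk carries no `proxy_ssl on;`, yet 8086 is an `ssl` listener; unless `proxy_ssl on;` is already set at `stream` level outside this hunk (the enclosing `stream {}` heredoc starts before it), the proxied connection is plaintext, the 8086 handshake cannot complete, `return $ssl_protocol;` never runs, and test_tls13() compares an empty read against 'TLSv1.3', so the LibreSSL skip silently stops applying. If a stream-level `proxy_ssl on;` is what makes this work, a one-line comment on the 8085 server saying so would spare the next reader the same check; otherwise add `proxy_ssl on;` to that server. The hunk ends at the `EOF` heredoc terminator, so the rest of the config is not visible here.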
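Review bot: In the second stream_upstream_zone_ssl.t hunk, `sub test_tls13` relies on an implicit return value and compares with `eq`, while the sibling helper added to upstream_zone_ssl.t uses an explicit `return` and a regex; the two should read the same, e.g. `return stream('127.0.0.1:' . port(8085))->read() eq 'TLSv1.3';`. The helper is also evaluated once per SKIP block, so each skip decision opens a fresh 8085 connection and, under `use warnings`, a read that yields nothing presumably warns about an uninitialized value in the `eq` before the skip is (correctly) not taken; computing the result once into a lexical before the first SKIP and reusing it avoids both.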
--- a/upstream_zone_ssl.t +++ b/upstream_zone_ssl.t @@ -56,6 +56,7 @@ http { location / { add_header X-Session $ssl_session_reused; + add_header X-Protocol $ssl_protocol; } } @@ -114,12 +115,32 @@ foreach my $name ('localhost') { like(http_get('/ssl'), qr/200 OK.*X-Session: \./s, 'ssl'); like(http_get('/ssl'), qr/200 OK.*X-Session: \./s, 'ssl 2'); like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: \./s, 'ssl session new'); + +SKIP: { +skip 'no TLSv1.3 sessions in LibreSSL', 2 + if $t->has_module('LibreSSL') && test_tls13(); + like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: r/s, 'ssl session reused'); like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: r/s, 'ssl session reused 2'); +} + like(http_get('/backup'), qr/200 OK.*X-Session: \./s, 'backup'); like(http_get('/backup'), qr/200 OK.*X-Session: \./s, 'backup 2'); like(http_get('/backup_reuse'), qr/200 OK.*X-Session: \./s, 'backup new'); + +SKIP: { +skip 'no TLSv1.3 sessions in LibreSSL', 1 + if $t->has_module('LibreSSL') && test_tls13(); + like(http_get('/backup_reuse'), qr/200 OK.*X-Session: r/s, 'backup reused'); +} + ############################################################################### + +sub test_tls13 { + return http_get('/ssl') =~ /TLSv1.3/; +} + +############################################################################### -- Sergey Kandaurov _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
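Review bot: In the second upstream_zone_ssl.t hunk, `return http_get('/ssl') =~ /TLSv1.3/;` leaves the dot unescaped and is not tied to the `X-Protocol` header that the first hunk adds for exactly this purpose, so it matches anywhere in the response; `return http_get('/ssl') =~ /X-Protocol: TLSv1\.3/;` states the intent and keeps the check on the header. As in the stream variant, test_tls13() is re-run before every SKIP block, which here issues an extra `GET /ssl` in the middle of the session-reuse sequence; whether that perturbs the `/ssl_reuse` expectations depends on upstream configuration outside this hunk, but evaluating it once into a lexical sidesteps the question.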