Hello! On Sat, Jan 27, 2024 at 07:19:45AM +0300, Maxim Dounin wrote:
> Hello! > > On Fri, Jan 26, 2024 at 09:29:58PM +0400, Sergey Kandaurov wrote: > > > On Thu, Jan 25, 2024 at 11:38:57PM +0300, Maxim Dounin wrote: > > > Hello! > > > > > > On Thu, Jan 25, 2024 at 06:59:36PM +0000, Mayerhofer, Austin via > > > nginx-devel wrote: > > > > > > > Hi all, > > > > > > > > I have not made any changes to NGINX. Vanilla NGINX (./configure with > > > > no flags) passes all tests that run, but when compiling with SSL, not > > > > all SSL tests are passing. Is this expected, or do I need to configure > > > > nginx further aside from adding the --with-http_ssl_module flag? Do > > > > each of the failing tests below require separate fixes, or is there a > > > > one-size-fits-all solution for all of them? > > > > > > > > OS: MacOS 12.6.3 > > > > Chip: Apple M1 Max > > > > NGINX: 1.24.0 built from source code with ./configure --with-debug > > > > --with-http_ssl_module > > > > Nginx-tests: > > > > https://github.com/nginx/nginx-tests/tree/4c2ad8093952706f327d04887c5546bad91b75a6 > > > > OpenSSL: 3.2.0 (/opt/homebrew/bin/openssl) > > > > Perl: 5.30.3 (/usr/bin/perl) > > > > > > > > When I run > > > > > > > > ``` > > > > TEST_NGINX_BINARY=/usr/local/nginx/sbin/nginx prove -v ssl.t > > > > ``` > > > > > > > > I see > > > > > > > > ``` > > > > not ok 2 - session reused > > > > > > > > # Failed test 'session reused' > > > > # at ssl.t line 187. > > > > # 'HTTP/1.1 200 OK > > > > # Server: nginx/1.24.0 > > > > # Date: Thu, 25 Jan 2024 18:50:10 GMT > > > > # Content-Type: text/plain > > > > # Content-Length: 6 > > > > # Connection: close > > > > # > > > > # body .' > > > > # doesn't match '(?^m:^body r$)' > > > > ``` > > > > > > [...] > > > > > > It looks like SSL session reuse is broken in Perl you are > > > using. This might be the case if, for example, Net::SSLeay in > > > your installation was compiled with system LibreSSL as an SSL > > > library - at least on the server side LibreSSL simply does not > > > support session reuse with TLSv1.3. > > > > > > Test suite checks if nginx was compiled with LibreSSL and marks > > > appropriate tests as TODO, but if the Perl module is broken > > > instead, the test will fail. > > > > > > > Well, technically, we could test this and skip appropriately: > > > > diff --git a/ssl_session_reuse.t b/ssl_session_reuse.t > > --- a/ssl_session_reuse.t > > +++ b/ssl_session_reuse.t > > @@ -166,7 +166,9 @@ local $TODO = 'no TLSv1.3 sessions, old > > local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' > > if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); > > local $TODO = 'no TLSv1.3 sessions in LibreSSL' > > - if $t->has_module('LibreSSL') && test_tls13(); > > + if ($t->has_module('LibreSSL') > > + || Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")) > > + && test_tls13(); > > > > is(test_reuse(8443), 1, 'tickets reused'); > > is(test_reuse(8444), 1, 'tickets and cache reused'); > > > > But I see little to no purpose: if the testing tool is broken > > in various unexpected ways (another example is X509_V_ERR_INVALID_PURPOSE > > in peer certificate verification as reported in the adjacent thread), > > I think we barely can handle this in general. > > I generally agree. > > Still, the X509_V_ERR_INVALID_PURPOSE seems to be an OpenSSL > 3.2.0-related issue: for tests using CA root certificates without > CA:TRUE it now generates X509_V_ERR_INVALID_CA on the root > certificate, which then changed to X509_V_ERR_INVALID_PURPOSE. > > Given the list of incompatible changes from NEWS.md, and the fact > that the same tests work fine with OpenSSL 3.2.0 but with > "openssl" binary from older versions, it seems to be this: > > * The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates. > > This needs to be addressed. Patch: # HG changeset patch # User Maxim Dounin <mdou...@mdounin.ru> # Date 1706477656 -10800 # Mon Jan 29 00:34:16 2024 +0300 # Node ID 156665421f83a054cf331e8f9a27dd4d2f86114d # Parent 27a79d3a8658794d7c0f8c246bcd92a9861da468 Tests: compatibility with "openssl" app from OpenSSL 3.2.0. OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly asked not to. Such certificates, even self-signed ones, cannot be used to sign other certificates without CA:TRUE explicitly set in the basicConstraints extension. As a result, tests doing so are now failing. Fix is to provide basicConstraints with CA:TRUE for self-signed root certificates used in "openssl ca" calls. diff -r 27a79d3a8658 -r 156665421f83 ssl.t --- a/ssl.t Sun Jan 28 23:12:26 2024 +0300 +++ b/ssl.t Mon Jan 29 00:34:16 2024 +0300 @@ -119,7 +119,10 @@ EOF default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF my $d = $t->testdir(); diff -r 27a79d3a8658 -r 156665421f83 ssl_certificate_chain.t --- a/ssl_certificate_chain.t Sun Jan 28 23:12:26 2024 +0300 +++ b/ssl_certificate_chain.t Mon Jan 29 00:34:16 2024 +0300 @@ -71,7 +71,10 @@ my $d = $t->testdir(); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF); diff -r 27a79d3a8658 -r 156665421f83 ssl_crl.t --- a/ssl_crl.t Sun Jan 28 23:12:26 2024 +0300 +++ b/ssl_crl.t Mon Jan 29 00:34:16 2024 +0300 @@ -79,7 +79,10 @@ my $d = $t->testdir(); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF); diff -r 27a79d3a8658 -r 156665421f83 ssl_ocsp.t --- a/ssl_ocsp.t Sun Jan 28 23:12:26 2024 +0300 +++ b/ssl_ocsp.t Mon Jan 29 00:34:16 2024 +0300 @@ -116,7 +116,10 @@ my $p = port(8081); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF); diff -r 27a79d3a8658 -r 156665421f83 ssl_stapling.t --- a/ssl_stapling.t Sun Jan 28 23:12:26 2024 +0300 +++ b/ssl_stapling.t Mon Jan 29 00:34:16 2024 +0300 @@ -125,7 +125,10 @@ my $p = port(8081); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF); diff -r 27a79d3a8658 -r 156665421f83 ssl_verify_depth.t --- a/ssl_verify_depth.t Sun Jan 28 23:12:26 2024 +0300 +++ b/ssl_verify_depth.t Mon Jan 29 00:34:16 2024 +0300 @@ -76,7 +76,10 @@ my $d = $t->testdir(); default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name +x509_extensions = myca_extensions [ req_distinguished_name ] +[ myca_extensions ] +basicConstraints = critical,CA:TRUE EOF $t->write_file('ca.conf', <<EOF); -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
