Re: Test suite and OpenSSL 1.1.1
Plus r1844425 which simplifies TestRequest.pm since IO::Socket::SSL has a working getline().

On 20.10.2018 at 09:59, Rainer Jung wrote:
I now also added r1844396 to allow setting the CA for peer cert verification and used it in echo.t and nttp-like.t to unbreak their ssl testing (r1844397). I didn't find more uses of the raw sockets.

Regards, Rainer

On 20.10.2018 at 08:47, Rainer Jung wrote:
To make the raw TLS socket tests work I added r1844393. Both r1844389 and r1844393 are part of the /perl/Apache-Test/trunk/ external which gets pulled into our test framework.

On 20.10.2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).
- Net::SSLeay 1.86_06 tag from Github https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed for some new 1.1.1 APIs.
- IO/Socket/SSL.pm recent version 2.060 plus patch https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch (probably not needed) plus anti-hang patch to call Net::SSLeay::CTX_set_post_handshake_auth()

--- IO/Socket/SSL.pm.orig 2018-08-15 18:03:29.0 + +++ IO/Socket/SSL.pm 2018-09-19 16:37:46.450281000 +
@@ -2594,6 +2594,10 @@ "Failed to load key from file (no PEM or DER)"); } + if ($havecert && $havekey && Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) { + Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1); + } + # replace arg_hash with created context $ctx{$host} = $ctx; }

The PHA patch was stolen from Joe's explanation of the PHA issue.

With this setup, I can see some TLSv1.3 entries in the t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.

Regards, Rainer
Re: Test suite and OpenSSL 1.1.1
On 20.10.2018 at 13:26, Christophe JAILLET wrote:
On 20/10/2018 at 11:00, Rainer Jung wrote:
On 20.10.2018 at 10:27, Christophe JAILLET wrote:
On 20/10/2018 at 09:56, Rainer Jung wrote:
On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double check that TestSSLCA.pm contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

use Net::SSLeay; is there.
Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.

t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: Nothing to be done for 'all'.
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.
t/TEST -clean doesn't help either.

The check whether "all" or "all -TLSv1.3" is put into the file is done in TestSSLCA.pm. The code there checks the following, which you can also check in a test script to see which condition fails:

Apache::Test::normalize_vstring(Apache::Test::version()) >= Apache::Test::normalize_vstring("1.1.1") and defined(&Net::SSLeay::CTX_set_post_handshake_auth)

The first looks for the OpenSSL version caused by your test framework, the second checks whether Net::SSLeay is current (actually at least developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in the test framework.

To check standalone you can use a script like this:

=== SNIP ===
#!/usr/bin/perl
use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;

# OpenSSL version as detected by the test framework
my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " . Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " . Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
# The PHA setter only exists in Net::SSLeay 1.86_06 and later
print "Net::SSLeay::CTX_set_post_handshake_auth available: "
    . (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ? "true" : "false") . "\n";
# Same condition as in TestSSLCA.pm
my $tls13 = (Apache::Test::normalize_vstring($version) >= Apache::Test::normalize_vstring("1.1.1"))
    && defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";
=== SNIP ===

To run it you must also provide the path to the test framework and, if you have installed the additional modules needed by the framework in some special place, you must also provide this one, both via the "-I" flag:

perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl

When I run this I get:

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true

Most likely your version of Net::SSLeay is too old.

In addition, once the framework detects TLSv1.3 correctly, you also need IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I mentioned at the beginning of this thread.

Regards, Rainer

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.85 <-
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: false
TLSv1.3 support: false <-

When I try to update it using perl -MCPAN -e ..., I get:
Net::SSLeay is up to date (1.85).
which is in line with https://metacpan.org/pod/Net::SSLeay

I will have to wait for cpan to have a more recent version, when released, I guess.

Thanks for the explanations.

That will be easiest. I downloaded the source tarball from github, extracted it and then ran from the new directory:

perl Makefile.PL
make
make test
make install

But it might get slightly
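Added example, not part of this thread and not code from Apache::Test or Net::SSLeay: the two-part TLS 1.3 gate discussed above (OpenSSL at least 1.1.1 and a binding that actually exports the post-handshake-auth setter), re-implemented in Python so it can be exercised against constructed inputs. Function names, the sample banner string and the symbol sets are my own assumptions; live_report() runs the same gate against the interpreter's own ssl module, which is the closest stand-in for the Perl check script.

```python
# Added example (not from the thread or the Apache::Test framework): the
# TLS 1.3 gate that decides between "SSLProtocol all" and
# "SSLProtocol all -TLSv1.3", re-implemented in Python.  Function names,
# the banner string and the symbol sets are constructed for the example.
import re
import ssl

# OpenSSL release that introduced TLS 1.3.
TLS13_MIN_OPENSSL = "1.1.1"
# The Net::SSLeay entry point TestSSLCA.pm looks for (absent in 1.85,
# present from developer snapshot 1.86_06 on).
PHA_SYMBOL = "CTX_set_post_handshake_auth"


def normalize_vstring(vstring):
    """Zero-pad each dotted component to three digits so versions compare as
    plain strings: "1.1.1" -> "001001001".  Trailing letters of OpenSSL patch
    releases are ignored, so "1.1.0h" -> "001001000".  This reproduces the
    values Apache::Test::normalize_vstring prints in the thread; it is my own
    reimplementation, not the framework's code."""
    parts = []
    for comp in vstring.split("."):
        m = re.match(r"\d+", comp)
        parts.append("%03d" % int(m.group(0)) if m else "000")
    return "".join(parts)


def openssl_version_from_banner(banner):
    """Pull "1.1.1" out of an `openssl version` banner such as
    "OpenSSL 1.1.1  11 Sep 2018" (a constructed sample)."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    return m.group(1)


def tls13_supported(openssl_version, binding_symbols):
    """Both conditions from TestSSLCA.pm: library new enough AND the Perl
    binding exports the post-handshake-auth setter.  binding_symbols is a
    set of exported symbol names (constructed for the example)."""
    library_ok = normalize_vstring(openssl_version) >= normalize_vstring(TLS13_MIN_OPENSSL)
    return library_ok and PHA_SYMBOL in binding_symbols


def ssl_protocol_directive(openssl_version, binding_symbols):
    """The line the generated t/conf/ssl/ssl.conf ends up with."""
    if tls13_supported(openssl_version, binding_symbols):
        return "SSLProtocol all"
    return "SSLProtocol all -TLSv1.3"


def live_report():
    """Evaluate the same gate against the running interpreter's ssl module:
    the library version from ssl.OPENSSL_VERSION_INFO and, standing in for
    the Net::SSLeay symbol, whether ssl.SSLContext exposes
    post_handshake_auth (Python 3.8+)."""
    version = "%d.%d.%d" % ssl.OPENSSL_VERSION_INFO[:3]
    has_pha = hasattr(ssl.SSLContext, "post_handshake_auth")
    symbols = {PHA_SYMBOL} if has_pha else set()
    return {
        "openssl_version": version,
        "normalized": normalize_vstring(version),
        "library_has_tls13": ssl.HAS_TLSv1_3,
        "binding_has_pha": has_pha,
        "directive": ssl_protocol_directive(version, symbols),
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the two results posted in the thread:
    # Net::SSLeay 1.86_06 exports the setter, 1.85 does not.
    cases = (("1.86_06", "1.1.1", {PHA_SYMBOL}), ("1.85", "1.1.1", set()))
    for ssleay, ver, syms in cases:
        print("Net::SSLeay %s, OpenSSL %s -> %s" % (ssleay, ver, ssl_protocol_directive(ver, syms)))
    for key, value in live_report().items():
        print("%s: %s" % (key, value))
```

The point of keeping the two conditions separate is the one the thread ran into: an OpenSSL 1.1.1 build passes the version half while a released Net::SSLeay 1.85 fails the symbol half, so the generated config still carries "-TLSv1.3" and every SSL test silently runs over TLS 1.2.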
Re: Test suite and OpenSSL 1.1.1
On 20/10/2018 at 11:00, Rainer Jung wrote:
On 20.10.2018 at 10:27, Christophe JAILLET wrote:
On 20/10/2018 at 09:56, Rainer Jung wrote:
On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double check that TestSSLCA.pm contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

use Net::SSLeay; is there.
Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.

t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: Nothing to be done for 'all'.
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.
t/TEST -clean doesn't help either.

The check whether "all" or "all -TLSv1.3" is put into the file is done in TestSSLCA.pm. The code there checks the following, which you can also check in a test script to see which condition fails:

Apache::Test::normalize_vstring(Apache::Test::version()) >= Apache::Test::normalize_vstring("1.1.1") and defined(&Net::SSLeay::CTX_set_post_handshake_auth)

The first looks for the OpenSSL version caused by your test framework, the second checks whether Net::SSLeay is current (actually at least developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in the test framework.

To check standalone you can use a script like this:

=== SNIP ===
#!/usr/bin/perl
use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;

# OpenSSL version as detected by the test framework
my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " . Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " . Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
# The PHA setter only exists in Net::SSLeay 1.86_06 and later
print "Net::SSLeay::CTX_set_post_handshake_auth available: "
    . (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ? "true" : "false") . "\n";
# Same condition as in TestSSLCA.pm
my $tls13 = (Apache::Test::normalize_vstring($version) >= Apache::Test::normalize_vstring("1.1.1"))
    && defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";
=== SNIP ===

To run it you must also provide the path to the test framework and, if you have installed the additional modules needed by the framework in some special place, you must also provide this one, both via the "-I" flag:

perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl

When I run this I get:

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true

Most likely your version of Net::SSLeay is too old.

In addition, once the framework detects TLSv1.3 correctly, you also need IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I mentioned at the beginning of this thread.

Regards, Rainer

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.85 <-
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: false
TLSv1.3 support: false <-

When I try to update it using perl -MCPAN -e ..., I get:
Net::SSLeay is up to date (1.85).
which is in line with https://metacpan.org/pod/Net::SSLeay

I will have to wait for cpan to have a more recent version, when released, I guess.

Thanks for the explanations.

CJ
Re: Test suite and OpenSSL 1.1.1
On 20.10.2018 at 10:27, Christophe JAILLET wrote:
On 20/10/2018 at 09:56, Rainer Jung wrote:
On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double check that TestSSLCA.pm contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

use Net::SSLeay; is there.
Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.

t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: Nothing to be done for 'all'.
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.
t/TEST -clean doesn't help either.

The check whether "all" or "all -TLSv1.3" is put into the file is done in TestSSLCA.pm. The code there checks the following, which you can also check in a test script to see which condition fails:

Apache::Test::normalize_vstring(Apache::Test::version()) >= Apache::Test::normalize_vstring("1.1.1") and defined(&Net::SSLeay::CTX_set_post_handshake_auth)

The first looks for the OpenSSL version caused by your test framework, the second checks whether Net::SSLeay is current (actually at least developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in the test framework.

To check standalone you can use a script like this:

=== SNIP ===
#!/usr/bin/perl
use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;

# OpenSSL version as detected by the test framework
my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " . Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " . Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
# The PHA setter only exists in Net::SSLeay 1.86_06 and later
print "Net::SSLeay::CTX_set_post_handshake_auth available: "
    . (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ? "true" : "false") . "\n";
# Same condition as in TestSSLCA.pm
my $tls13 = (Apache::Test::normalize_vstring($version) >= Apache::Test::normalize_vstring("1.1.1"))
    && defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";
=== SNIP ===

To run it you must also provide the path to the test framework and, if you have installed the additional modules needed by the framework in some special place, you must also provide this one, both via the "-I" flag:

perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl

When I run this I get:

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true

Most likely your version of Net::SSLeay is too old.

In addition, once the framework detects TLSv1.3 correctly, you also need IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I mentioned at the beginning of this thread.

Regards, Rainer
Re: Test suite and OpenSSL 1.1.1
On 20/10/2018 at 09:56, Rainer Jung wrote:
Hi,

On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double check that TestSSLCA.pm contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

Rainer

use Net::SSLeay; is there.
Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.

t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: Nothing to be done for 'all'.
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.
t/TEST -clean doesn't help either.

CJ
Re: Test suite and OpenSSL 1.1.1
I now also added r1844396 to allow setting the CA for peer cert verification and used it in echo.t and nttp-like.t to unbreak their ssl testing (r1844397). I didn't find more uses of the raw sockets.

Regards, Rainer

On 20.10.2018 at 08:47, Rainer Jung wrote:
To make the raw TLS socket tests work I added r1844393. Both r1844389 and r1844393 are part of the /perl/Apache-Test/trunk/ external which gets pulled into our test framework.

On 20.10.2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).
- Net::SSLeay 1.86_06 tag from Github https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed for some new 1.1.1 APIs.
- IO/Socket/SSL.pm recent version 2.060 plus patch https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch (probably not needed) plus anti-hang patch to call Net::SSLeay::CTX_set_post_handshake_auth()

--- IO/Socket/SSL.pm.orig 2018-08-15 18:03:29.0 + +++ IO/Socket/SSL.pm 2018-09-19 16:37:46.450281000 +
@@ -2594,6 +2594,10 @@ "Failed to load key from file (no PEM or DER)"); } + if ($havecert && $havekey && Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) { + Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1); + } + # replace arg_hash with created context $ctx{$host} = $ctx; }

The PHA patch was stolen from Joe's explanation of the PHA issue.

With this setup, I can see some TLSv1.3 entries in the t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.

Regards, Rainer
Re: Test suite and OpenSSL 1.1.1
Hi,

On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double check that TestSSLCA.pm contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

Rainer
Re: Test suite and OpenSSL 1.1.1
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3

CJ
Re: [VOTE] Release httpd-2.4.37
+1

FreeBSD 11.2-RELEASE-p4 amd64
openssl111-1.1.1_1
perl5-5.28.0
php72-7.2.11

Tested both prefork and event MPM

-- Dennis
Re: Test suite and OpenSSL 1.1.1
To make the raw TLS socket tests work I added r1844393. Both r1844389 and r1844393 are part of the /perl/Apache-Test/trunk/ external which gets pulled into our test framework.

Regards, Rainer

On 20.10.2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help). Although the ssl tests report SUCCESS, httpd actually times out on SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).
- Net::SSLeay 1.86_06 tag from Github https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed for some new 1.1.1 APIs.
- IO/Socket/SSL.pm recent version 2.060 plus patch https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch (probably not needed) plus anti-hang patch to call Net::SSLeay::CTX_set_post_handshake_auth()

--- IO/Socket/SSL.pm.orig 2018-08-15 18:03:29.0 + +++ IO/Socket/SSL.pm 2018-09-19 16:37:46.450281000 +
@@ -2594,6 +2594,10 @@ "Failed to load key from file (no PEM or DER)"); } + if ($havecert && $havekey && Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) { + Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1); + } + # replace arg_hash with created context $ctx{$host} = $ctx; }

The PHA patch was stolen from Joe's explanation of the PHA issue.

With this setup, I can see some TLSv1.3 entries in the t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.

Regards, Rainer
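Review bot: the guard in the added `if` tests only the OpenSSL version (`Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f`), not whether the Net::SSLeay in use actually exports CTX_set_post_handshake_auth, so with an OpenSSL 1.1.1 build and a released Net::SSLeay such as 1.85 (where the thread later shows the function reported as not available) the call dies with an undefined-subroutine error instead of quietly proceeding without PHA. Suggest extending the condition with `defined(&Net::SSLeay::CTX_set_post_handshake_auth)` (or `Net::SSLeay->can('CTX_set_post_handshake_auth')`), which is the same test the framework's own TLS 1.3 gate relies on. A one-line comment above the block would also help: the `$havecert && $havekey` scoping is deliberate, since requesting post-handshake authentication only makes sense when this context has a client certificate and key to present.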
t/security/CVE-2009-3555.t fails in 2.4.37 with TLS 1.3 - also false positive?
Test t/security/CVE-2009-3555.t (hardening against MITM SSL-renegotiation) fails in 2.4.37 when actually using TLS 1.3.

It is not that easy to use TLS 1.3 for this test. The test uses a raw SSL socket created by Net::SSL, but that module is outdated and does not support TLS 1.3. I patched TestRequest.pm to use IO::Socket::SSL instead and can see that it actually uses TLS 1.3 and the test fails at the critical last check.

With TLS 1.2 the request that triggers a reneg but also has a pipelined request behind it triggers a "Connection: close" and that is tested in this last test. With 1.3 the server handles both the request that triggers the reneg as well as the pipelined one after it. That one fails with 400, because it does not have a host header, but if I add the host header, it results in a 404 not found due to the garbage URL.

What I am not sure about: CVE-2009-3555 is mostly about a MITM attack for SSL renegotiations. The fix should have gone into OpenSSL itself, at least as far as I understand it. So it seems that our CVE-2009-3555.t test only checks whether we have our workaround for non-safe OpenSSL in place. Because I expect TLS 1.3 and any OpenSSL version supporting it not to be affected by CVE-2009-3555, that would be a false positive as well.

Does that sound reasonable?

I will commit my TLS 1.3 patches for the test framework. I hope it doesn't break stuff, but it seems important to be able to run tests with the new protocol.

Regards, Rainer
OCSP with TLS 1.3 in 2.4.37 false positive?
After Yann's mail I double checked and fixed my setup to actually use TLS 1.3 in the test suite when OpenSSL 1.1.1 is available. I now see a new OCSP test failure, namely test 3 (revoked certificate).

The revocation is correctly detected:

[Sat Oct 20 06:14:46.492343 2018] [ssl:error] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH03239: OCSP validation completed, certificate status: revoked (1, -1) [subject: emailAddress=test-...@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
[Sat Oct 20 06:14:46.492452 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02276: Certificate Verification: Error (23): certificate revoked [subject: emailAddress=test-...@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]

and the signaling looks OK:

[Sat Oct 20 06:14:46.492666 2018] [ssl:trace3] [pid 13631:tid 140131235235584] ssl_engine_kernel.c(2210): [client 127.0.0.1:43881] OpenSSL: Write: error
[Sat Oct 20 06:14:46.492691 2018] [ssl:trace3] [pid 13631:tid 140131235235584] ssl_engine_kernel.c(2229): [client 127.0.0.1:43881] OpenSSL: Exit: error in error
[Sat Oct 20 06:14:46.492708 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02008: SSL library error 1 in handshake (server localhost:8535)
[Sat Oct 20 06:14:46.492873 2018] [ssl:info] [pid 13631:tid 140131235235584] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
[Sat Oct 20 06:14:46.492903 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH01998: Connection closed to child 136 with abortive shutdown (server localhost:8535)

That looks very similar to what gets logged for TLSv1.2. But the client shows:

500 Status read failed:
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:33:39 GMT
Client-Warning: Internal response

Status read failed: at .../lib/perl5/Net/HTTP/Methods.pm line 282.
not ok 3

instead of

500 Can't connect to localhost:8535 (SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:32:14 GMT
Client-Warning: Internal response

Can't connect to localhost:8535 (SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)

SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked at .../lib/perl5/LWP/Protocol/http.pm line 50.
ok 3

That looks to me like a change in behavior of the underlying client side TLS layer in how it signals the alert to the HTTP layer.

Regards, Rainer