
Re: Test suite and OpenSSL 1.1.1

To make the raw TLS socket tests work I added r1844393. Both r1844389 and r1844393 are part of the /perl/Apache-Test/trunk/ external which gets pulled into our test framework.



On 20.10.2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help).
Although the ssl tests report SUCCESS, httpd actually times out on
SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

- Net::SSLeay 1.86_06 tag from GitHub. Added "-ldl -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed for some new 1.1.1 APIs.

- IO/Socket/ recent version 2.060 plus patch (probably not needed) plus anti-hang patch to call Net::SSLeay::CTX_set_post_handshake_auth()

--- IO/Socket/  2018-08-15 18:03:29.000000000 +0000
+++ IO/Socket/       2018-09-19 16:37:46.450281000 +0000
@@ -2594,6 +2594,10 @@
                 "Failed to load key from file (no PEM or DER)");

+        if ($havecert && $havekey && Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
+            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
+        }
         # replace arg_hash with created context
         $ctx{$host} = $ctx;
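
Review bot: The guard on the added `if` tests only the OpenSSL version (`OPENSSL_VERSION_NUMBER() >= 0x1010100f`), not whether the installed Net::SSLeay actually exports `CTX_set_post_handshake_auth`. A Net::SSLeay that lacks that binding but is linked against 1.1.1 would pass the version test and then die at the call, turning a context setup into a hard failure. Checking for the function itself, for example `defined &Net::SSLeay::CTX_set_post_handshake_auth`, covers both conditions and removes the magic constant. The new block also sits directly above the existing "# replace arg_hash with created context" comment with no blank line or comment of its own. A one-line comment saying that this enables TLS 1.3 post-handshake authentication when a client certificate and key are configured would keep the two steps visually and logically separate.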

The PHA patch was stolen from Joe's explanation of the PHA issue.

With this setup, I can see some TLSv1.3 entries in the t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.