
Re: Test suite and OpenSSL 1.1.1


On 20.10.2018 at 10:27, Christophe JAILLET wrote:
On 20/10/2018 at 09:56, Rainer Jung wrote:
On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help).
Although the ssl tests report SUCCESS, httpd actually times out on
SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).


I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt

But I still have:
    SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double-check that TestSSLCA.pm contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

use Net::SSLeay;
is there.


Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.


t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: rien à faire pour « all ».
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.


t/TEST -clean
doesn't help either.

The check whether "all" or "all -TLSv1.3" is put into the file is done in TestSSLCA.pm. The code there checks the following, which you can also check in a test script to see which condition fails:

Apache::Test::normalize_vstring(Apache::Test::version()) >=
Apache::Test::normalize_vstring("1.1.1")

and

defined(&Net::SSLeay::CTX_set_post_handshake_auth)

The first looks for the OpenSSL version caused by your test framework, the second checks whether Net::SSLeay is current (actually at least developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in the test framework.

To check standalone you can use a script like this:

=== SNIP ===

#!/usr/bin/perl

use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;

my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " .
    Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " .
    Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
print "Net::SSLeay::CTX_set_post_handshake_auth available: " .
    (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ?
        "true" : "false") . "\n";
my $tls13 = (Apache::Test::normalize_vstring($version) >=
    Apache::Test::normalize_vstring("1.1.1")) &&
    defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";

=== SNIP ===

To run it you must also provide the path to the test framework and, if you have installed the additional modules needed by the framework in some special place, you must also provide this one, both via the "-I" flag:

perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl

When I run this I get:

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true

Most likely your version of Net::SSLeay is too old.

In addition, once the framework detects TLSv1.3 correctly, you also need IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I mentioned at the beginning of this thread.

Regards,

Rainer