
Re: Test suite and OpenSSL 1.1.1

On 20.10.2018 at 13:26, Christophe JAILLET wrote:
On 20/10/2018 at 11:00, Rainer Jung wrote:
On 20.10.2018 at 10:27, Christophe JAILLET wrote:
On 20/10/2018 at 09:56, Rainer Jung wrote:
On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u didn't help).
Although the ssl tests report SUCCESS, httpd actually times out on
SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in (r1844389), otherwise the generated t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead of "all" (unless you specify -sslproto explicitly).

I've just updated the test framework.
make clean
--> ssl.conf rebuilt

But I still have:
    SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to rebuild was a "t/TEST -v -configure" and to make sure I removed the ssl.conf file before running that command. This resulted in a new file with "all" in it.

Please also double check, that contains the line "use Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

use Net::SSLeay;
is there.

Comment added in gets reflected in ssl.conf, so it is rebuilt.

t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: rien à faire pour « all ».
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.

t/TEST -clean
doesn't help either.

The check, whether "all" or "all -TLSv1.3" is put into the file is done in The code there checks the following, which you can also check in a test script to see which condition fails:

Apache::Test::normalize_vstring(Apache::Test::version()) >=



The first looks for the OpenSSL version caused by your test framework, the second checks whether Net::SSLeay is current (actually at least developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in the test framework.

To check standalone you can use a script like this:

=== SNIP ===

use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;

# OpenSSL version as detected by the test framework
my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " .
    Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " .
    Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
print "Net::SSLeay::CTX_set_post_handshake_auth available: " .
    (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ?
        "true" : "false") . "\n";
# TLSv1.3 needs OpenSSL >= 1.1.1 and a sufficiently recent Net::SSLeay.
# The second operand is cut off in the archived message; it is assumed
# here to be the same availability check that is printed above.
my $tls13 = (Apache::Test::normalize_vstring($version) >=
    Apache::Test::normalize_vstring("1.1.1")) &&
    defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";

=== SNIP ===

To run it you must also provide the path to the test framework, and if you have installed the additional modules needed by the framework in some special place, you must also provide this one, both via the "-I" flag:

perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib

When I run this I get:

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true

Most likely your version of Net::SSLeay is too old.

In addition, once the framework detects TLSv1.3 correctly, you also need IO::Socket::SSL 2.060 plus the one patch for it that I mentioned at the beginning of this thread.



OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.85 <-------------
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: false
TLSv1.3 support: false <-------------

When I try to update it using perl -MCPAN -e ..., I get:

Net::SSLeay is up to date (1.85).
which is in line with

I will have to wait for cpan to have a more recent version, when released, I guess.

Thanks for the explanations.

That will be easiest. I downloaded the source tarball from github, extracted it and then ran from the new directory:

perl Makefile.PL
make test
make install

But it might get slightly more complex if you want the install to go into some special directory tree instead of into the system perl installation.