On 20.10.2018 at 10:27, Christophe JAILLET wrote:
On 20/10/2018 at 09:56, Rainer Jung wrote:
On 20.10.2018 at 09:39, Christophe JAILLET wrote:
On 20/10/2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u
didn't help).
Although the ssl tests report SUCCESS, httpd actually times out on
SSL_peek() (as already reported).
Indeed I checked my test suite logs and until now all tests only
used TLS 1.2. But what works for me now with TLS 1.3 is:
- small fix in TestSSLCA.pm (r1844389), otherwise the generated
t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3"
instead of "all" (unless you specify -sslproto explicitly).
I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt
But I still have:
SSLProtocol all -TLSv1.3
I didn't manage to rebuild ssl.conf using make, but what I did to
rebuild was a "t/TEST -v -configure" and to make sure I removed the
ssl.conf file before running that command. This resulted in a new
file with "all" in it.
Please also double check that TestSSLCA.pm contains the line "use
Net::SSLeay;".
Does it work with that recipe?
Thanks and regards,
use Net::SSLeay;
is there.
Comment added in ssl.conf.in gets reflected in ssl.conf, so it is
rebuilt.
t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl
/home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: rien à faire pour « all ».
[warning] reconfiguration done
But SSLProtocol all -TLSv1.3 is still there.
t/TEST -clean
doesn't help either.
The check whether "all" or "all -TLSv1.3" is put into the file is done
in TestSSLCA.pm. The code there checks the following, which you can
also check in a test script to see which condition fails:
Apache::Test::normalize_vstring(Apache::Test::version()) >=
Apache::Test::normalize_vstring("1.1.1")
and
defined(&Net::SSLeay::CTX_set_post_handshake_auth)
The first looks for the OpenSSL version caused by your test framework,
the second checks whether Net::SSLeay is current (actually at least
developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in
the test framework.
To check standalone you can use a script like this:
=== SNIP ===
#!/usr/bin/perl
use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;
my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " .
Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " .
Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
print "Net::SSLeay::CTX_set_post_handshake_auth available: " .
(defined(&Net::SSLeay::CTX_set_post_handshake_auth) ?
"true" : "false") . "\n";
my $tls13 = (Apache::Test::normalize_vstring($version) >=
Apache::Test::normalize_vstring("1.1.1")) &&
defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";
=== SNIP ===
To run it you must also provide the path to the test framework and, if
you have installed the additional modules needed by the framework in
some special place, you must also provide this one, both via the "-I" flag:
perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl
When I run this I get:
OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true
Most likely your version of Net::SSLeay is too old.
In addition, once the framework detects TLSv1.3 correctly, you also need
IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I
mentioned at the beginning of this thread.
Regards,
Rainer