# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1679148657 -10800
# Sat Mar 18 17:10:57 2023 +0300
# Node ID 230b9cadce9b57213bf529940ca04224f9f121eb
# Parent c6a91e9fa97e2c99ddaa26471364f2345837e698
Tests: LibreSSL certificate negotiation with TLSv1.3.

LibreSSL fails to negotiate certificates based on signature algorithms
when using TLSv1.3, and fails with "missing rsa certificate" and
"unknown pkey type" errors.

diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -38,7 +38,7 @@ my $t = Test::Nginx->new()->has(qw/http

plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL');

-$t->plan(9)->write_file_expand('nginx.conf', <<'EOF');
+$t->plan(10)->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

@@ -259,11 +259,25 @@ staple(8449, 'ECDSA');
sleep 1;

ok(!staple(8443, 'RSA'), 'staple revoked');
+
+TODO: {
+local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
+ if $t->has_module('LibreSSL') && $version > 0x303;
+
ok(staple(8443, 'ECDSA'), 'staple success');

+}
+
ok(!staple(8444, 'RSA'), 'responder revoked');
+
+TODO: {
+local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
+ if $t->has_module('LibreSSL') && $version > 0x303;
+
ok(staple(8444, 'ECDSA'), 'responder success');

+}
+
ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');

ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store');
@@ -273,6 +287,14 @@ is(staple(8448, 'ECDSA'), '1 0', 'file s

ok(!staple(8449, 'ECDSA'), 'ocsp error');

+TODO: {
+local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
+ if $t->has_module('LibreSSL') && $version > 0x303;
+
+like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
+
+}
+
###############################################################################

sub staple {
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel