# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1679148737 -10800
# Sat Mar 18 17:12:17 2023 +0300
# Node ID 6d5bede76a77ca86483f63088587913a61b8b18d
# Parent 230b9cadce9b57213bf529940ca04224f9f121eb
Tests: LibreSSL does not send CA lists with TLSv1.3.

diff --git a/ssl_verify_client.t b/ssl_verify_client.t
--- a/ssl_verify_client.t
+++ b/ssl_verify_client.t
@@ -55,6 +55,7 @@ http {
%%TEST_GLOBALS_HTTP%%

add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x;
+ add_header X-Protocol $ssl_protocol;

ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;
@@ -169,15 +170,24 @@ like(get('optional', '3.example.com'), q
SKIP: {
skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;

+TODO: {
+local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
+ if $t->has_module('LibreSSL') && test_tls13();
+
my $ca = join ' ', get('optional', '3.example.com');
is($ca, '/CN=2.example.com', 'no trusted sent');

}
+}

like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected');

###############################################################################

+sub test_tls13 {
+ get('optional') =~ /TLSv1.3/;
+}
+
sub get {
my ($sni, $cert, $host) = @_;

diff --git a/stream_ssl_verify_client.t b/stream_ssl_verify_client.t
--- a/stream_ssl_verify_client.t
+++ b/stream_ssl_verify_client.t
@@ -86,6 +86,11 @@ stream {
ssl_verify_client optional_no_ca;
ssl_client_certificate 2.example.com.crt;
}
+
+ server {
+ listen 127.0.0.1:8084 ssl;
+ return $ssl_protocol;
+ }
}

EOF
@@ -126,10 +131,15 @@ like(get(8082, '3.example.com'), qr/SUCC
SKIP: {
skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;

+TODO: {
+local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
+ if $t->has_module('LibreSSL') && test_tls13();
+
my $ca = join ' ', get(8082, '3.example.com');
is($ca, '/CN=2.example.com', 'no trusted sent');

}
+}

$t->stop();

@@ -137,6 +147,10 @@ is($t->read_file('status.log'), "500\n20

###############################################################################

+sub test_tls13 {
+ get(8084) =~ /TLSv1.3/;
+}
+
sub get {
my ($port, $cert) = @_;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel