Welcome! Log In Create A New Profile

Re: [PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3

Forum List Message List New Topic Print View

Sergey Kandaurov

March 22, 2023 06:40AM

> On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> # HG changeset patch
> # User Maxim Dounin <mdounin@mdounin.ru>
> # Date 1679148737 -10800
> # Sat Mar 18 17:12:17 2023 +0300
> # Node ID 6d5bede76a77ca86483f63088587913a61b8b18d
> # Parent 230b9cadce9b57213bf529940ca04224f9f121eb
> Tests: LibreSSL does not send CA lists with TLSv1.3.

Specifically, it doesn't implement the "certificate_authorities" extension
used in TLSv1.3 to carry CA lists in the CertificateRequest message.

>
> diff --git a/ssl_verify_client.t b/ssl_verify_client.t
> --- a/ssl_verify_client.t
> +++ b/ssl_verify_client.t
> @@ -55,6 +55,7 @@ http {
> %%TEST_GLOBALS_HTTP%%
>
> add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x;
> + add_header X-Protocol $ssl_protocol;
>
> ssl_session_cache shared:SSL:1m;
> ssl_session_tickets off;
> @@ -169,15 +170,24 @@ like(get('optional', '3.example.com'), q
> SKIP: {
> skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;
>
> +TODO: {
> +local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
> + if $t->has_module('LibreSSL') && test_tls13();
> +
> my $ca = join ' ', get('optional', '3.example.com');
> is($ca, '/CN=2.example.com', 'no trusted sent');
>
> }
> +}
>
> like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected');
>
> ###############################################################################
>
> +sub test_tls13 {
> + get('optional') =~ /TLSv1.3/;
> +}
> +
> sub get {
> my ($sni, $cert, $host) = @_;
>
> diff --git a/stream_ssl_verify_client.t b/stream_ssl_verify_client.t
> --- a/stream_ssl_verify_client.t
> +++ b/stream_ssl_verify_client.t
> @@ -86,6 +86,11 @@ stream {
> ssl_verify_client optional_no_ca;
> ssl_client_certificate 2.example.com.crt;
> }
> +
> + server {
> + listen 127.0.0.1:8084 ssl;
> + return $ssl_protocol;
> + }
> }
>
> EOF
> @@ -126,10 +131,15 @@ like(get(8082, '3.example.com'), qr/SUCC
> SKIP: {
> skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;
>
> +TODO: {
> +local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
> + if $t->has_module('LibreSSL') && test_tls13();
> +
> my $ca = join ' ', get(8082, '3.example.com');
> is($ca, '/CN=2.example.com', 'no trusted sent');
>
> }
> +}
>
> $t->stop();
>
> @@ -137,6 +147,10 @@ is($t->read_file('status.log'), "500\n20
>
> ###############################################################################
>
> +sub test_tls13 {
> + get(8084) =~ /TLSv1.3/;
> +}
> +
> sub get {
> my ($port, $cert) = @_;
>

--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	535	March 18, 2023 10:18AM
[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	154	March 18, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	130	March 22, 2023 05:22AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	123	March 23, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	145	March 22, 2023 05:48AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	129	March 23, 2023 10:16AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	125	March 23, 2023 12:00PM
[PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	203	March 18, 2023 10:18AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	190	March 22, 2023 04:58AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	131	March 23, 2023 10:12AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	123	March 23, 2023 12:00PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	172	March 23, 2023 01:26PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	189	March 24, 2023 08:40AM
[PATCH 08 of 20] Tests: enabled session reuse via TLS session tickets	Maxim Dounin	131	March 18, 2023 10:20AM
[PATCH 07 of 20] Tests: BoringSSL does not provide session ids with TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
[PATCH 09 of 20] Tests: restored proper port numbers in ssl_sni_sessions.t	Maxim Dounin	133	March 18, 2023 10:20AM
[PATCH 10 of 20] Tests: disabled ssl_sni_sessions.t with LibreSSL and BoringSSL	Maxim Dounin	149	March 18, 2023 10:20AM
[PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	145	March 18, 2023 10:20AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Sergey Kandaurov	141	March 22, 2023 05:56AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	123	March 23, 2023 10:18AM
[PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	132	March 18, 2023 10:20AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Sergey Kandaurov	129	March 22, 2023 06:00AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	119	March 23, 2023 10:18AM
[PATCH 12 of 20] Tests: fixed ssl_session_ticket_key.t with LibreSSL and TLSv1.3	Maxim Dounin	114	March 18, 2023 10:20AM
[PATCH 13 of 20] Tests: fixed ssl_sni.t with LibreSSL and TLSv1.3	Maxim Dounin	171	March 18, 2023 10:20AM
[PATCH 11 of 20] Tests: fixed proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	161	March 18, 2023 10:20AM
[PATCH 14 of 20] Tests: LibreSSL certificate negotiation with TLSv1.3	Maxim Dounin	200	March 18, 2023 10:20AM
[PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Maxim Dounin	161	March 18, 2023 10:20AM
Re: [PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Sergey Kandaurov	144	March 22, 2023 06:40AM
[PATCH 16 of 20] Tests: fixed stream_proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	193	March 18, 2023 10:20AM
[PATCH 18 of 20] Tests: cleaned up ssl_ocsp.t	Maxim Dounin	160	March 18, 2023 10:20AM
[PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	166	March 18, 2023 10:20AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Sergey Kandaurov	152	March 22, 2023 07:12AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	135	March 23, 2023 10:20AM
[PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	150	March 18, 2023 10:20AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Sergey Kandaurov	136	March 22, 2023 07:06AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	127	March 23, 2023 10:18AM
[PATCH 17 of 20] Tests: fixed stream_ssl_variables.t.t with LibreSSL and TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	120	March 22, 2023 07:44AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	143	March 23, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	120	March 23, 2023 12:02PM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	117	March 23, 2023 12:54PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 302

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018