> On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> # HG changeset patch
> # User Maxim Dounin <mdounin@mdounin.ru>
> # Date 1679148869 -10800
> # Sat Mar 18 17:14:29 2023 +0300
> # Node ID f6f6a21b1c2a0d88cb2a4993f4c0113a3fb1e019
> # Parent 782531c3cd79dcf700276e10bef00e524de009d1
> Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
>
> LibreSSL does not support session reuse with TLSv1.3.

Since LibreSSL is so broken wrt TLSv1.3, I don't think
it deserves annotating every test in separate changed.
The LibreSSL changes could be easily combined:
this is at least p11, p12, p13, p16, p17, p20.

Other broken or missing functionality such as signature
algorithms and certificate authorities can be skipped
in separate commits, though.

>
> diff --git a/ssl_ocsp.t b/ssl_ocsp.t
> --- a/ssl_ocsp.t
> +++ b/ssl_ocsp.t
> @@ -371,9 +371,15 @@ like(get('ec-end'), qr/200 OK.*SUCCESS/s
> my ($s, $ssl) = get('ec-end');
> my $ses = Net::SSLeay::get_session($ssl);
>
> +TODO: {
> +local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> + if $t->has_module('LibreSSL') and $version > 0x303;
> +
> like(get('ec-end', ses => $ses),
> qr/200 OK.*SUCCESS:r/s, 'session reused');
>
> +}
> +
> # revoke with saved session
>
> system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
> @@ -393,9 +399,15 @@ system("openssl ocsp -index $d/certindex
>
> # reusing session with revoked certificate
>
> +TODO: {
> +local $TODO = 'no TLSv1.3 sessions in LibreSSL'
> + if $t->has_module('LibreSSL') and $version > 0x303;
> +
> like(get('ec-end', ses => $ses),
> qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
>
> +}
> +
> # regression test for self-signed
>
> like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel