Welcome! Log In Create A New Profile

Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3

Forum List Message List New Topic Print View

Sergey Kandaurov

March 22, 2023 07:44AM

> On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> Hello!
>
> Here are patch series for the test suite to address test failures
> observed with TLSv1.3 enabled with BoringSSL and LibreSSL.
>
> Short summary of the issues seen:
>
> - BoringSSL with TLSv1.3 does not support session reuse via server-side
> session cache, only with tickets.
>
> - BoringSSL with TLSv1.3 does not provide $ssl_session_id.
>
> - LibreSSL with TLSv1.3 does not support session reuse.
>
> - LibreSSL with TLSv1.3 fails to negotiate certificates based on
> signature algorithms supported by the client, and fails with
> "missing rsa certificate" and "unknown pkey type" errors.
>
> - LibreSSL with TLSv1.3 does not send CA lists to the client.
>

Missing peaces that allow me to run with LibreSSL:

# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1679485246 -14400
# Wed Mar 22 15:40:46 2023 +0400
# Node ID dfe434f295d3da7e3b67bbbafeab245bb591f397
# Parent 826e00e7c037d617781239963e8b868b6b0de225
Tests: fixed upstream zone tests with LibreSSL and TLSv1.3.

LibreSSL does not support session reuse with TLSv1.3.

diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t
--- a/stream_upstream_zone_ssl.t
+++ b/stream_upstream_zone_ssl.t
@@ -82,6 +82,19 @@ stream {
ssl_certificate localhost.crt;
ssl_session_cache builtin;
}
+
+ server {
+ listen 127.0.0.1:8085;
+ proxy_pass 127.0.0.1:8086;
+ }
+
+ server {
+ listen 127.0.0.1:8086 ssl;
+ return $ssl_protocol;
+
+ ssl_certificate_key localhost.key;
+ ssl_certificate localhost.crt;
+ }
}

EOF
@@ -112,13 +125,33 @@ is(stream('127.0.0.1:' . port(8080))->re
is(stream('127.0.0.1:' . port(8080))->read(), '.', 'ssl 2');

is(stream('127.0.0.1:' . port(8081))->read(), '.', 'ssl session new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 2
+ if $t->has_module('LibreSSL') && test_tls13();
+
is(stream('127.0.0.1:' . port(8081))->read(), 'r', 'ssl session reused');
is(stream('127.0.0.1:' . port(8081))->read(), 'r', 'ssl session reused 2');

+}
+
is(stream('127.0.0.1:' . port(8082))->read(), '.', 'backup ssl');
is(stream('127.0.0.1:' . port(8082))->read(), '.', 'backup ssl 2');

is(stream('127.0.0.1:' . port(8083))->read(), '.', 'backup ssl session new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 1
+ if $t->has_module('LibreSSL') && test_tls13();
+
is(stream('127.0.0.1:' . port(8083))->read(), 'r', 'backup ssl session reused');

+}
+
###############################################################################
+
+sub test_tls13 {
+ stream('127.0.0.1:' . port(8085))->read() eq 'TLSv1.3';
+}
+
+###############################################################################
diff --git a/upstream_zone_ssl.t b/upstream_zone_ssl.t
--- a/upstream_zone_ssl.t
+++ b/upstream_zone_ssl.t
@@ -56,6 +56,7 @@ http {

location / {
add_header X-Session $ssl_session_reused;
+ add_header X-Protocol $ssl_protocol;
}
}

@@ -114,12 +115,32 @@ foreach my $name ('localhost') {
like(http_get('/ssl'), qr/200 OK.*X-Session: \./s, 'ssl');
like(http_get('/ssl'), qr/200 OK.*X-Session: \./s, 'ssl 2');
like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: \./s, 'ssl session new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 2
+ if $t->has_module('LibreSSL') && test_tls13();
+
like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: r/s, 'ssl session reused');
like(http_get('/ssl_reuse'), qr/200 OK.*X-Session: r/s, 'ssl session reused 2');

+}
+
like(http_get('/backup'), qr/200 OK.*X-Session: \./s, 'backup');
like(http_get('/backup'), qr/200 OK.*X-Session: \./s, 'backup 2');
like(http_get('/backup_reuse'), qr/200 OK.*X-Session: \./s, 'backup new');
+
+SKIP: {
+skip 'no TLSv1.3 sessions in LibreSSL', 1
+ if $t->has_module('LibreSSL') && test_tls13();
+
like(http_get('/backup_reuse'), qr/200 OK.*X-Session: r/s, 'backup reused');

+}
+
###############################################################################
+
+sub test_tls13 {
+ return http_get('/ssl') =~ /TLSv1.3/;
+}
+
+###############################################################################

--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	534	March 18, 2023 10:18AM
[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	154	March 18, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	130	March 22, 2023 05:22AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	122	March 23, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	144	March 22, 2023 05:48AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	129	March 23, 2023 10:16AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	124	March 23, 2023 12:00PM
[PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	203	March 18, 2023 10:18AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	189	March 22, 2023 04:58AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	131	March 23, 2023 10:12AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	123	March 23, 2023 12:00PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	172	March 23, 2023 01:26PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	185	March 24, 2023 08:40AM
[PATCH 08 of 20] Tests: enabled session reuse via TLS session tickets	Maxim Dounin	130	March 18, 2023 10:20AM
[PATCH 07 of 20] Tests: BoringSSL does not provide session ids with TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
[PATCH 09 of 20] Tests: restored proper port numbers in ssl_sni_sessions.t	Maxim Dounin	132	March 18, 2023 10:20AM
[PATCH 10 of 20] Tests: disabled ssl_sni_sessions.t with LibreSSL and BoringSSL	Maxim Dounin	149	March 18, 2023 10:20AM
[PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	144	March 18, 2023 10:20AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Sergey Kandaurov	141	March 22, 2023 05:56AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	122	March 23, 2023 10:18AM
[PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	131	March 18, 2023 10:20AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Sergey Kandaurov	129	March 22, 2023 06:00AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	118	March 23, 2023 10:18AM
[PATCH 12 of 20] Tests: fixed ssl_session_ticket_key.t with LibreSSL and TLSv1.3	Maxim Dounin	113	March 18, 2023 10:20AM
[PATCH 13 of 20] Tests: fixed ssl_sni.t with LibreSSL and TLSv1.3	Maxim Dounin	170	March 18, 2023 10:20AM
[PATCH 11 of 20] Tests: fixed proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	161	March 18, 2023 10:20AM
[PATCH 14 of 20] Tests: LibreSSL certificate negotiation with TLSv1.3	Maxim Dounin	200	March 18, 2023 10:20AM
[PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Maxim Dounin	160	March 18, 2023 10:20AM
Re: [PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Sergey Kandaurov	144	March 22, 2023 06:40AM
[PATCH 16 of 20] Tests: fixed stream_proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	193	March 18, 2023 10:20AM
[PATCH 18 of 20] Tests: cleaned up ssl_ocsp.t	Maxim Dounin	159	March 18, 2023 10:20AM
[PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	165	March 18, 2023 10:20AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Sergey Kandaurov	152	March 22, 2023 07:12AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	134	March 23, 2023 10:20AM
[PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	150	March 18, 2023 10:20AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Sergey Kandaurov	135	March 22, 2023 07:06AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	126	March 23, 2023 10:18AM
[PATCH 17 of 20] Tests: fixed stream_ssl_variables.t.t with LibreSSL and TLSv1.3	Maxim Dounin	138	March 18, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	119	March 22, 2023 07:44AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	143	March 23, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	119	March 23, 2023 12:02PM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	116	March 23, 2023 12:54PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 231

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018