Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t

Maxim Dounin
March 23, 2023 10:18AM
Hello!

On Wed, Mar 22, 2023 at 03:05:16PM +0400, Sergey Kandaurov wrote:

> > On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > # HG changeset patch
> > # User Maxim Dounin <mdounin@mdounin.ru>
> > # Date 1679148855 -10800
> > # Sat Mar 18 17:14:15 2023 +0300
> > # Node ID 782531c3cd79dcf700276e10bef00e524de009d1
> > # Parent c140f78fbc8f62c9694d3b969d1309570a96f2e7
> > Tests: removed multiple server certificates from ssl_ocsp.t.
> >
> > Multiple server certificates are not needed to test OCSP verification of
> > client certificates (in contrast to OCSP stapling, where server certificates
> > are verified, and different staples should be correctly returned with
> > different server certificates). And using multiple server certificates
> > causes issues when testing with LibreSSL due to broken sigalgs-based
> > server certificate selection in LibreSSL with TLSv1.3.
> >
> > Accordingly, the test is simplified to do not use multiple server
> > certificates.
> >
> > diff --git a/ssl_ocsp.t b/ssl_ocsp.t
> > --- a/ssl_ocsp.t
> > +++ b/ssl_ocsp.t
> > @@ -63,10 +63,7 @@ http {
> > ssl_verify_depth 2;
> > ssl_client_certificate trusted.crt;
> >
> > - ssl_ciphers DEFAULT:ECCdraft;
> > -
> > - ssl_certificate_key ec.key;
> > - ssl_certificate ec.crt;
> > +# ssl_ciphers DEFAULT:ECCdraft;
>
> This doesn't serve its purpose now and can be removed,
> now that you've removed multiple (ECC) certificates.
> It was used to run tests with ECC certificates/ciphers,
> as otherwise it would result in "no shared cipher" error.
>
> ECCdraft is an old alias used to enable ECC ciphersuites
> and run tests with ECC certificate on OpenSSL 0.9.8,
> before they became official in RFC 4492.
>
> - ECC ciphersuites were disabled by default in 0.9.8c,
> and ECCdraft alias was used to turn them back.
> - ECC ciphersuites were re-enabled in 0.9.9 (1.0.0)

Err, thanks for catching. I actually commented it out to make
sure it's safe to remove it now, but forgot to actually remove.
Removed.

> >
> > ssl_certificate_key rsa.key;
> > ssl_certificate rsa.crt;
> > @@ -273,13 +270,8 @@ system("openssl ocsp -index $d/certindex
> >
> > # server cert/key
> >
> > -system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
> > - . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
> > -system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
> > - or die "Can't create RSA pem: $!\n";
> > -
> > -foreach my $name ('ec', 'rsa') {
> > - system("openssl req -x509 -new -key $d/$name.key "
> > +foreach my $name ('rsa') {
> > + system('openssl req -x509 -new '
> > . "-config $d/openssl.conf -subj /CN=$name/ "
> > . "-out $d/$name.crt -keyout $d/$name.key "
> > . ">>$d/openssl.out 2>&1") == 0
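Review bot: dropping the explicit `openssl ecparam -genkey` and `openssl genrsa ... 2048` steps means the key is now produced implicitly by `openssl req -x509 -new ... -keyout $d/$name.key`, so the key type, its size and whether it is written unencrypted are decided by `$d/openssl.conf` (typically `default_bits` and `encrypt_key` in its `[req]` section), which is not visible in this hunk; worth confirming that the test's openssl.conf sets those, otherwise `openssl req` falls back to its own defaults or may prompt for a passphrase. Also, `foreach my $name ('rsa')` now iterates over a single element; keeping the loop is harmless, but a plain block would read more honestly.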
> > @@ -288,7 +280,7 @@ foreach my $name ('ec', 'rsa') {
> >
> > $t->run_daemon(\&http_daemon, $t, port(8081));
> > $t->run_daemon(\&http_daemon, $t, port(8082));
> > -$t->run()->plan(14);
> > +$t->run()->plan(15);
> >
> > $t->waitforsocket("127.0.0.1:" . port(8081));
> > $t->waitforsocket("127.0.0.1:" . port(8082));
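Review bot: the `plan(14)` to `plan(15)` bump is tied to the new `'no crit'` error-log check added further down in this patch, not to the certificate removal the commit message describes; since the message only talks about dropping the second server certificate, either mention the added check there or split it into its own change so the plan count change is self-explanatory.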
> > @@ -297,17 +289,17 @@ my $version = get_version();
> >
> > ###############################################################################
> >
> > -like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
> > +like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
> >
> > # demonstrate that ocsp int request is failed due to missing resolver
> >
> > -like(get('RSA', 'end', sni => 'resolver'),
> > +like(get('end', sni => 'resolver'),
> > qr/400 Bad.*FAILED:certificate status request failed/s,
> > 'ocsp many failed request');
> >
> > # demonstrate that ocsp int request is actually made by failing ocsp response
> >
> > -like(get('RSA', 'end', port => 8444),
> > +like(get('end', port => 8444),
> > qr/400 Bad.*FAILED:certificate status request failed/s,
> > 'ocsp many failed');
> >
> > @@ -323,11 +315,11 @@ system("openssl ocsp -index $d/certindex
> > . ">>$d/openssl.out 2>&1") == 0
> > or die "Can't create OCSP response: $!\n";
> >
> > -like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
> > +like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
> >
> > # store into ssl_ocsp_cache
> >
> > -like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
> > +like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
> >
> > # revoke
> >
> > @@ -346,23 +338,23 @@ system("openssl ocsp -index $d/certindex
> > . ">>$d/openssl.out 2>&1") == 0
> > or die "Can't create OCSP response: $!\n";
> >
> > -like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
> > +like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
> >
> > # with different responder where it's still valid
> >
> > -like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
> > +like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
> >
> > # with different context to responder where it's still valid
> >
> > -like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
> > +like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
> >
> > # with cached ocsp response it's still valid
> >
> > -like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
> > +like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
> >
> > # ocsp end response signed with invalid (root) cert, expect HTTP 400
> >
> > -like(get('ECDSA', 'ec-end'),
> > +like(get('ec-end'),
> > qr/400 Bad.*FAILED:certificate status request failed/s,
> > 'root ca not trusted');
> >
> > @@ -374,12 +366,12 @@ system("openssl ocsp -index $d/certindex
> > . ">>$d/openssl.out 2>&1") == 0
> > or die "Can't create EC OCSP response: $!\n";
> >
> > -like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
> > +like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
> >
> > -my ($s, $ssl) = get('ECDSA', 'ec-end');
> > +my ($s, $ssl) = get('ec-end');
> > my $ses = Net::SSLeay::get_session($ssl);
> >
> > -like(get('ECDSA', 'ec-end', ses => $ses),
> > +like(get('ec-end', ses => $ses),
> > qr/200 OK.*SUCCESS:r/s, 'session reused');
> >
> > # revoke with saved session
> > @@ -401,19 +393,22 @@ system("openssl ocsp -index $d/certindex
> >
> > # reusing session with revoked certificate
> >
> > -like(get('ECDSA', 'ec-end', ses => $ses),
> > +like(get('ec-end', ses => $ses),
> > qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
> >
> > # regression test for self-signed
> >
> > -like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
> > +like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
> > +
> > +# check for errors
> > +
> > +like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
> >
> > ###############################################################################
> >
> > sub get {
> > - my ($type, $cert, %extra) = @_;
> > - $type = 'PSS' if $type eq 'RSA' && $version > 0x0303;
> > - my ($s, $ssl) = get_ssl_socket($type, $cert, %extra);
> > + my ($cert, %extra) = @_;
> > + my ($s, $ssl) = get_ssl_socket($cert, %extra);
> > my $cipher = Net::SSLeay::get_cipher($ssl);
> > Test::Nginx::log_core('||', "cipher: $cipher");
> > my $host = $extra{sni} ? $extra{sni} : 'localhost';
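Review bot: with `$type = 'PSS' if $type eq 'RSA' && $version > 0x0303;` removed, `$version` (still assigned by the context line `my $version = get_version();`) may have no remaining user in this file; if so, drop that assignment and `get_version()` as well rather than keeping a dead TLS-version probe. On the new check, `grep -F '[crit]' ${\($t->testdir())}/error.log` interpolates the test directory unquoted into a shell command; reading error.log from Perl, or at least quoting the path, avoids the shell round trip.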
> > @@ -428,7 +423,7 @@ sub get {
> > }
> >
> > sub get_ssl_socket {
> > - my ($type, $cert, %extra) = @_;
> > + my ($cert, %extra) = @_;
> > my $ses = $extra{ses};
> > my $sni = $extra{sni};
> > my $port = $extra{port} || 8443;
> > @@ -450,18 +445,6 @@ sub get_ssl_socket {
> >
> > my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
> >
> > - if (defined $type) {
> > - my $ssleay = Net::SSLeay::SSLeay();
> > - if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
> > - Net::SSLeay::CTX_set_cipher_list($ctx, $type)
> > - or die("Failed to set cipher list");
> > - } else {
> > - # SSL_CTRL_SET_SIGALGS_LIST
> > - Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
> > - or die("Failed to set sigalgs");
> > - }
> > - }
> > -
> > Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
> > or die if $cert;
> > my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel