Welcome! Log In Create A New Profile

Advanced

Re: [PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Sergey Kandaurov
May 03, 2023 12:22PM
> On 17 Apr 2023, at 07:31, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> # HG changeset patch
> # User Maxim Dounin <mdounin@mdounin.ru>
> # Date 1681702252 -10800
> # Mon Apr 17 06:30:52 2023 +0300
> # Node ID f704912ed09f3494a815709710c3744b0adca50b
> # Parent 6f0148ef1991d92a003c8529c8cce9a8dd49e706
> Tests: added has_feature() tests for IO::Socket::SSL.
>
> The following distinct features supported:
>
> - "socket_ssl", which requires IO::Socket::SSL and also implies
> existance of the IO::Socket::SSL::SSL_VERIFY_NONE() symbol.
> It is used by most of the tests.
>

SSL_VERIFY_NONE was added in IO::Socket::SSL 1.31 (2009.09.25).
The check was added primarily for then supported CentOS 5.
Now CentOS 5 is long obsolete, SSL_VERIFY_NONE can be dropped.

Most popular modern distributions have something of IO::Socket::SSL 2.0xx,
the oldest still supported CentOS 7 has IO::Socket::SSL 1.94.

> - "socket_ssl_sni", which requires IO::Socket::SSL with the can_client_sni()
> function (1.84), and SNI support available in Net::SSLeay and the OpenSSL
> library being used. Used by ssl_sni.t, ssl_sni_sessions.t,
> stream_ssl_preread.t. Additional Net::SSLeay testing is believed to be
> unneeded and was removed.
>

I agree that Net::SSLeay is believed to be redundant: properly implemented
IO::Socket::SSL should detect Net::SSLeay is too old and behave accordingly.

Note that you removed can_client_sni() from h2_ssl_verify_client.t.
In fact, it is replaced with "socket_ssl_alpn". ALPN support was added
to IO::Socket::SSL after SNI, so it should work in practice, although not
evident. Formally, the "socket_ssl_sni" prerequisite needs to be added.

On the other way, can_client_sni() was added in 1.83, while SNI support
factually was added noticeably earlier - in version 1.56, via SSL_hostname.
Using IO::Socket::SSL 1.82 allowed me to run the following tests
that would be otherwise skipped due to socket_ssl_sni:

ssl_sni.t - replacing with "socket_ssl" is enough
stream_ssl_preread.t - replacing with "socket_ssl" is enough
ssl_sni_sessions.t - also needs SSL_VERIFY_NONE in get_ssl_socket()
to stop whining on old IO::Socket::SSL that presumably doesn't get it
from $ctx. It won't run anyway though due to IO::Socket::SSL version
is too old to support TLSv1.3 sessions.

If we tend to drop anything older than 1.94 (CentOS 7), then we can freely
drop "socket_ssl_sni" from the patch. SSL_hostname is already there.

diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm
--- a/lib/Test/Nginx.pm
+++ b/lib/Test/Nginx.pm
@@ -244,15 +244,9 @@ sub has_feature($) {
if ($feature =~ /^socket_ssl/) {
eval { require IO::Socket::SSL; };
return 0 if $@;
- eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
- return 0 if $@;
if ($feature eq 'socket_ssl') {
return 1;
}
- if ($feature eq 'socket_ssl_sni') {
- eval { IO::Socket::SSL->can_client_sni() or die; };
- return !$@;
- }
if ($feature eq 'socket_ssl_alpn') {
eval { IO::Socket::SSL->can_alpn() or die; };
return !$@;
diff --git a/ssl_sni.t b/ssl_sni.t
--- a/ssl_sni.t
+++ b/ssl_sni.t
@@ -22,7 +22,7 @@ use Test::Nginx;
select STDERR; $| = 1;
select STDOUT; $| = 1;

-my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite socket_ssl_sni/)
+my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite socket_ssl/)
->has_daemon('openssl')->plan(8)
->write_file_expand('nginx.conf', <<'EOF');

diff --git a/ssl_sni_sessions.t b/ssl_sni_sessions.t
--- a/ssl_sni_sessions.t
+++ b/ssl_sni_sessions.t
@@ -21,7 +21,7 @@ use Test::Nginx;
select STDERR; $| = 1;
select STDOUT; $| = 1;

-my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite socket_ssl_sni/)
+my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite socket_ssl/)
->has_daemon('openssl')
->write_file_expand('nginx.conf', <<'EOF');

@@ -177,6 +177,7 @@ sub get_ssl_socket {
PeerPort => $port,
SSL_hostname => $host,
SSL_reuse_ctx => $ctx,
+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
SSL_error_trap => sub { die $_[1] }
);
alarm(0);
diff --git a/stream_ssl_preread.t b/stream_ssl_preread.t
--- a/stream_ssl_preread.t
+++ b/stream_ssl_preread.t
@@ -24,7 +24,7 @@ select STDERR; $| = 1;
select STDOUT; $| = 1;

my $t = Test::Nginx->new()->has(qw/stream stream_map stream_ssl_preread/)
- ->has(qw/stream_ssl stream_return socket_ssl_sni/)
+ ->has(qw/stream_ssl stream_return socket_ssl/)
->has_daemon('openssl')->plan(13)
->write_file_expand('nginx.conf', <<'EOF');


> - "socket_ssl_alpn", which requires IO::Socket::SSL with ALPN support (2.009),
> and ALPN support in Net::SSLeay and the OpenSSL library being used.
> Used by h2_ssl.t, h2_ssl_verify_client.t, stream_ssl_alpn.t,
> stream_ssl_preread_alpn.t.
>
> - "socket_ssl_sslversion", which requires IO::Socket::SSL with
> the get_sslversion() and get_sslversion_int() methods (1.964).
> Used by mail_imap_ssl.t.

I don't like that the whole mail_imap_ssl.t is skipped on < 1.964
(even though it is not quite new and most distributions have it now),
because of a minor optional feature that could not be tested.
In principle, we can rewrite the test similar to $ssl_protocol
to avoid dependency on 1.964:

diff --git a/mail_imap_ssl.t b/mail_imap_ssl.t
--- a/mail_imap_ssl.t
+++ b/mail_imap_ssl.t
@@ -29,7 +29,7 @@ select STDOUT; $| = 1;
local $SIG{PIPE} = 'IGNORE';

my $t = Test::Nginx->new()
- ->has(qw/mail mail_ssl imap http rewrite socket_ssl_sslversion/)
+ ->has(qw/mail mail_ssl imap http rewrite socket_ssl/)
->has_daemon('openssl')->plan(13)
->write_file_expand('nginx.conf', <<'EOF');

@@ -209,12 +209,9 @@ my $s = Test::Nginx::IMAP->new(PeerAddr

# Auth-SSL-Protocol and Auth-SSL-Cipher headers

-my ($cipher, $sslversion);
+$s = get_ssl_socket(8143);

-$s = get_ssl_socket(8143);
-$cipher = $s->get_cipher();
-$sslversion = $s->get_sslversion();
-$sslversion =~ s/_/./;
+my $cipher = $s->get_cipher();

undef $s;

@@ -237,7 +234,7 @@ TODO: {
local $TODO = 'not yet' unless $t->has_version('1.21.2');

$f = $t->read_file('auth2.log');
-like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion');
+like($f, qr/^$cipher:(TLS|SSL)v(\d|\.)+$/m, 'log - cipher sslversion');

}


>
> - "socket_ssl_reused", which requires IO::Socket::SSL with
> the get_session_reused() method (2.057). To be used in the following
> patches.
>
> This makes it possible to simplify and unify various SSL tests.

[..]

--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH 00 of 11] SSL tests simplified

Maxim Dounin 565 April 16, 2023 11:46PM

[PATCH 01 of 11] Tests: SIGPIPE handling in mail tests

Maxim Dounin 96 April 16, 2023 11:46PM

[PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Maxim Dounin 99 April 16, 2023 11:46PM

Re: [PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Sergey Kandaurov 105 May 03, 2023 12:22PM

Re: [PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Maxim Dounin 107 May 03, 2023 11:58PM

[PATCH 04 of 11] Tests: fixed server_tokens tests for build names with spaces

Maxim Dounin 100 April 16, 2023 11:46PM

Re: [PATCH 04 of 11] Tests: fixed server_tokens tests for build names with spaces

Sergey Kandaurov 73 May 11, 2023 07:50AM

Re: [PATCH 04 of 11] Tests: fixed server_tokens tests for build names with spaces

Maxim Dounin 87 May 14, 2023 02:54PM

[PATCH 05 of 11] Tests: added has_feature() test for SSL libraries

Maxim Dounin 95 April 16, 2023 11:46PM

[PATCH 09 of 11] Tests: simplified stream SSL tests with IO::Socket::SSL

Maxim Dounin 101 April 16, 2023 11:46PM

[PATCH 06 of 11] Tests: reworked mail SSL tests to use IO::Socket::SSL

Maxim Dounin 113 April 16, 2023 11:46PM

Re: [PATCH 06 of 11] Tests: reworked mail SSL tests to use IO::Socket::SSL

Sergey Kandaurov 100 May 11, 2023 10:40AM

Re: [PATCH 06 of 11] Tests: reworked mail SSL tests to use IO::Socket::SSL

Maxim Dounin 90 May 14, 2023 05:12PM

[PATCH 08 of 11] Tests: reworked stream SSL tests to use IO::Socket::SSL

Maxim Dounin 103 April 16, 2023 11:46PM

[PATCH 07 of 11] Tests: simplified mail_imap_ssl.t

Maxim Dounin 100 April 16, 2023 11:46PM

[PATCH 10 of 11] Tests: reworked http SSL tests to use IO::Socket::SSL

Maxim Dounin 100 April 16, 2023 11:46PM

Re: [PATCH 10 of 11] Tests: reworked http SSL tests to use IO::Socket::SSL

Sergey Kandaurov 95 May 11, 2023 10:28AM

Re: [PATCH 10 of 11] Tests: reworked http SSL tests to use IO::Socket::SSL

Maxim Dounin 116 May 18, 2023 11:18AM

[PATCH 11 of 11] Tests: simplified http SSL tests with IO::Socket::SSL

Maxim Dounin 101 April 16, 2023 11:46PM

[PATCH 0 of 6] SSL tests refactoring fixes

Sergey Kandaurov 80 May 22, 2023 03:58PM

[PATCH 1 of 6] Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring

Sergey Kandaurov 91 May 22, 2023 03:58PM

Re: [PATCH 1 of 6] Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring

Maxim Dounin 71 May 22, 2023 04:38PM

[PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Sergey Kandaurov 79 May 22, 2023 03:58PM

Re: [PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Maxim Dounin 69 May 22, 2023 07:44PM

Re: [PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Sergey Kandaurov 90 May 23, 2023 06:36AM

Re: [PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Maxim Dounin 137 May 23, 2023 09:32AM

[PATCH 3 of 6] Tests: unbreak stream_ssl_variables.t with old IO::Socket::SSL

Sergey Kandaurov 77 May 22, 2023 04:00PM

Re: [PATCH 3 of 6] Tests: unbreak stream_ssl_variables.t with old IO::Socket::SSL

Maxim Dounin 75 May 22, 2023 07:52PM

[PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Sergey Kandaurov 78 May 22, 2023 04:00PM

Re: [PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Maxim Dounin 73 May 22, 2023 09:08PM

Re: [PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Sergey Kandaurov 91 May 23, 2023 08:24AM

[PATCH 5 of 6] Tests: added missing socket_ssl_alpn guard in mail_ssl.t

Sergey Kandaurov 84 May 22, 2023 04:00PM

Re: [PATCH 5 of 6] Tests: added missing socket_ssl_alpn guard in mail_ssl.t

Maxim Dounin 73 May 22, 2023 10:18PM

Re: [PATCH 5 of 6] Tests: added missing socket_ssl_alpn guard in mail_ssl.t

Sergey Kandaurov 130 May 23, 2023 08:56AM

[PATCH 6 of 6] Tests: added missing socket_ssl_reused prerequisites

Sergey Kandaurov 81 May 22, 2023 04:00PM

Re: [PATCH 6 of 6] Tests: added missing socket_ssl_reused prerequisites

Maxim Dounin 69 May 22, 2023 10:40PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 277
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready