# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1684774417 -14400
# Mon May 22 20:53:37 2023 +0400
# Node ID 42066e126d2ca0f6d5095d818910559adf5d4bdc
# Parent e60c76cbf2a5b0d9e1d235770d68f260cf1a4e3e
Tests: avoid specifying PSS in sigalgs unless in TLSv1.3.
It might happen that TLSv1.3 is disabled and PSS isn't supported as seen
on Amazon Linux (LTS). The change restores the logic used before 0e1865aa9b33.
diff --git a/ssl_certificates.t b/ssl_certificates.t
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -120,8 +120,8 @@ sub get_socket {
return unless defined $type;
my $ssleay = Net::SSLeay::SSLeay();
return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
- my $sigalgs = 'RSA+SHA256:PSS+SHA256';
- $sigalgs = $type . '+SHA256' unless $type eq 'RSA';
+ my $sigalgs = $type eq 'RSA' && test_tls13()
+ ? 'RSA+SHA256:PSS+SHA256' : $type . '+SHA256';
# SSL_CTRL_SET_SIGALGS_LIST
Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
or die("Failed to set sigalgs");
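Review bot: The reason PSS is offered only when test_tls13() is true is recorded only in the commit message, so the new ternary in get_socket reads as an arbitrary protocol check; a comment above it such as `# PSS sigalgs may be unsupported where TLSv1.3 is disabled, so offer PSS only with TLSv1.3` would keep that next to the code. test_tls13() is defined outside the hunk, and if it reports what the server negotiates rather than what the local Net::SSLeay/OpenSSL build accepts, it is only a proxy for PSS support, which the comment should say. Parenthesizing the condition, `my $sigalgs = ($type eq 'RSA' && test_tls13())`, would also make the `&&`/`?:` grouping explicit. The same applies to the matching change in staple() in ssl_stapling.t, where the variable is `$ciphers`. Both function bodies start and end outside their hunks.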
diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -321,8 +321,8 @@ sub staple {
return unless defined $ciphers;
my $ssleay = Net::SSLeay::SSLeay();
return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
- my $sigalgs = 'RSA+SHA256:PSS+SHA256';
- $sigalgs = $ciphers . '+SHA256' unless $ciphers eq 'RSA';
+ my $sigalgs = $ciphers eq 'RSA' && test_tls13()
+ ? 'RSA+SHA256:PSS+SHA256' : $ciphers . '+SHA256';
# SSL_CTRL_SET_SIGALGS_LIST
Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
or die("Failed to set sigalgs");