Sergey Kandaurov
May 23, 2023 08:24AM
> On 23 May 2023, at 05:07, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> Hello!
>
> On Mon, May 22, 2023 at 11:52:16PM +0400, Sergey Kandaurov wrote:
>
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet@nginx.com>
>> # Date 1684774417 -14400
>> # Mon May 22 20:53:37 2023 +0400
>> # Node ID 42066e126d2ca0f6d5095d818910559adf5d4bdc
>> # Parent e60c76cbf2a5b0d9e1d235770d68f260cf1a4e3e
>> Tests: avoid specifying PSS in sigalgs unless in TLSv1.3.
>>
>> It might happen that TLSv1.3 is disabled and PSS isn't supported as seen
>> on Amazon Linux (LTS). The change restores old logic before 0e1865aa9b33.
>>
>> diff --git a/ssl_certificates.t b/ssl_certificates.t
>> --- a/ssl_certificates.t
>> +++ b/ssl_certificates.t
>> @@ -120,8 +120,8 @@ sub get_socket {
>> return unless defined $type;
>> my $ssleay = Net::SSLeay::SSLeay();
>> return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
>> - my $sigalgs = 'RSA+SHA256:PSS+SHA256';
>> - $sigalgs = $type . '+SHA256' unless $type eq 'RSA';
>> + my $sigalgs = $type eq 'RSA' && test_tls13()
>> + ? 'RSA+SHA256:PSS+SHA256' : $type . '+SHA256';
>> # SSL_CTRL_SET_SIGALGS_LIST
>> Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
>> or die("Failed to set sigalgs");
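
Review bot: the `test_tls13()` call added to the `$sigalgs` initializer is evaluated on every `get_socket` call where `$type eq 'RSA'`, so building the context now depends on a helper defined outside this function. Consider evaluating it once and keeping the result in a variable. Parenthesizing the condition as `($type eq 'RSA' && test_tls13()) ? ... : ...` would make the precedence obvious. The condition also keys on TLSv1.3 rather than on PSS support itself; a short comment stating that the two are treated as equivalent here would help the next reader.
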
>> diff --git a/ssl_stapling.t b/ssl_stapling.t
>> --- a/ssl_stapling.t
>> +++ b/ssl_stapling.t
>> @@ -321,8 +321,8 @@ sub staple {
>> return unless defined $ciphers;
>> my $ssleay = Net::SSLeay::SSLeay();
>> return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
>> - my $sigalgs = 'RSA+SHA256:PSS+SHA256';
>> - $sigalgs = $ciphers . '+SHA256' unless $ciphers eq 'RSA';
>> + my $sigalgs = $ciphers eq 'RSA' && test_tls13()
>> + ? 'RSA+SHA256:PSS+SHA256' : $ciphers . '+SHA256';
>> # SSL_CTRL_SET_SIGALGS_LIST
>> Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
>> or die("Failed to set sigalgs");
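
Review bot: the `$sigalgs` selection in `staple` repeats the ssl_certificates.t logic, including the new `test_tls13()` condition, so the two copies can drift apart; a shared helper returning the list would avoid that. The value concatenated into the list here comes from `$ciphers`, which reads oddly for a signature algorithm name, so a comment or a rename would make `$ciphers . '+SHA256'` easier to follow.
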
>
> I would rather refrain from SSL connections as in test_tls13()
> when creating an SSL context, hence the change.

I don't like this as well and prefer to avoid if possible.

>
> But it looks like I was wrong assuming OpenSSL handles sigalgs
> similarly to ciphers, and ignores unknown ones. Looking through
> the code suggests it instead returns an error if it sees an
> unknown signature algorithm, so trying to set
> 'RSA+SHA256:PSS+SHA256' fails if OpenSSL does not support TLSv1.3.
>
> Something like this should be enough to address this without
> introducing additional TLSv1.3 tests:
>

Applied, tnx.

> diff -r a797d7428fa5 ssl_certificates.t
> --- a/ssl_certificates.t Thu May 18 18:07:19 2023 +0300
> +++ b/ssl_certificates.t Tue May 23 01:03:42 2023 +0000
> @@ -120,10 +120,11 @@
> return unless defined $type;
> my $ssleay = Net::SSLeay::SSLeay();
> return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
> - my $sigalgs = 'RSA+SHA256:PSS+SHA256';
> - $sigalgs = $type . '+SHA256' unless $type eq 'RSA';
> + my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256');
> + @sigalgs = ($type . '+SHA256') unless $type eq 'RSA';
> # SSL_CTRL_SET_SIGALGS_LIST
> - Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
> + Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0])
> + or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1])
> or die("Failed to set sigalgs");
> };
>
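
Review bot: the fallback `or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1])` is also reached when `$type` is not 'RSA'. In that case `@sigalgs` has a single element and `$sigalgs[1]` is undefined, so a failure makes a second call with an undefined argument before `die` runs. Iterating over `@sigalgs` and stopping at the first call that succeeds, or guarding the retry with `@sigalgs > 1`, would limit the retry to the RSA case.
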
> diff -r a797d7428fa5 ssl_stapling.t
> --- a/ssl_stapling.t Thu May 18 18:07:19 2023 +0300
> +++ b/ssl_stapling.t Tue May 23 01:03:42 2023 +0000
> @@ -319,10 +319,11 @@
> return unless defined $ciphers;
> my $ssleay = Net::SSLeay::SSLeay();
> return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
> - my $sigalgs = 'RSA+SHA256:PSS+SHA256';
> - $sigalgs = $ciphers . '+SHA256' unless $ciphers eq 'RSA';
> + my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256');
> + @sigalgs = ($ciphers . '+SHA256') unless $ciphers eq 'RSA';
> # SSL_CTRL_SET_SIGALGS_LIST
> - Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
> + Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0])
> + or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1])
> or die("Failed to set sigalgs");
> };
>
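
Review bot: nothing at the retry in ssl_stapling.t says why 'RSA+SHA256' is tried after 'RSA+SHA256:PSS+SHA256', and the `die("Failed to set sigalgs")` message does not name the list that was rejected. A one-line comment above the two `CTX_ctrl` calls explaining the fallback, plus the attempted value in the message, would make a failure on an unusual library build easier to diagnose.
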
>
> (The code basically retries with 'RSA+SHA256' if setting sigalgs
> to 'RSA+SHA256:PSS+SHA256'. If an error happens with ECDSA, it
> also retries with undefined, and then reports the error.)

--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel