To make the raw TLS socket tests work I added r1844393. Both r1844389
and r1844393 are part of the /perl/Apache-Test/trunk/ external which
gets pulled into our test framework.
Regards,
Rainer
On 20.10.2018 at 06:28, Rainer Jung wrote:
On 19.10.2018 at 23:31, Yann Ylavic wrote:
Could not make the test suite framework work with 1.1.1 (cpan -u
didn't help).
Although the ssl tests report SUCCESS, httpd actually times out on
SSL_peek() (as already reported).
Indeed I checked my test suite logs and until now all tests only used
TLS 1.2. But what works for me now with TLS 1.3 is:
- small fix in TestSSLCA.pm (r1844389), otherwise the generated
t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead
of "all" (unless you specify -sslproto explicitly).
- Net::SSLeay 1.86_06 tag from Github
https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl
-pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed
for some new 1.1.1 APIs.
- IO/Socket/SSL.pm recent version 2.060 plus patch
https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch
(probably not needed) plus anti-hang patch to call
Net::SSLeay::CTX_set_post_handshake_auth()
--- IO/Socket/SSL.pm.orig 2018-08-15 18:03:29.000000000 +0000
+++ IO/Socket/SSL.pm 2018-09-19 16:37:46.450281000 +0000
@@ -2594,6 +2594,10 @@
"Failed to load key from file (no PEM or DER)");
}
+ if ($havecert && $havekey &&
Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
+ Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
+ }
+
# replace arg_hash with created context
$ctx{$host} = $ctx;
}
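Review bot: The condition on the added "if" tests only the OpenSSL version (OPENSSL_VERSION_NUMBER() >= 0x1010100f), not whether the installed Net::SSLeay actually provides CTX_set_post_handshake_auth. An older Net::SSLeay built against OpenSSL 1.1.1 would pass the version test and then fail on the missing function, so the guard should also check for the binding, for example with defined &Net::SSLeay::CTX_set_post_handshake_auth or Net::SSLeay->can('CTX_set_post_handshake_auth'). The block also enables post-handshake authentication for every context that has both a certificate and a key, with no way for the caller to turn it off; an explicit option would be safer than making it implicit. A one-line comment saying that this is for TLS 1.3 post-handshake client authentication would help the next reader.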
The PHA patch was stolen from Joe's explanation of the PHA issue.
With this setup, I can see some TLSv1.3 entries in the
t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.
Regards,
Rainer