Re: Test suite and OpenSSL 1.1.1

Sat, 20 Oct 2018 09:13:39 -0700

Plus r1844425 which simplifies TestRequest.pm since IO::Socket::SSL has a working getline(). 

Am 20.10.2018 um 09:59 schrieb Rainer Jung:
I now also added r1844396 to allow setting the CA for peer cert verification and used it in echo.t and nttp-like.t to unbreak their ssl testing (r1844397). 

I didn't find more uses of the raw sockets.

Regards,

Rainer

Am 20.10.2018 um 08:47 schrieb Rainer Jung:

To make the raw TLS socket tests work I added r1844393. Both, r1844389 
and r1844393 are part of the /perl/Apache-Test/trunk/ external which 
gets pulled into our test framework.


Am 20.10.2018 um 06:28 schrieb Rainer Jung:

Am 19.10.2018 um 23:31 schrieb Yann Ylavic:

Could not make the test suite framework work with 1.1.1 (cpan -u 
didn't help).

Although the ssl tests report SUCCESS, httpd actually timeouts on
SSL_peek() (as already reported).



Indeed I checked my test suite logs and until now all tests only used 
TLS 1.2. But what works for me now with TLS 1.3 is:



- small fix in TestSSLCA.pm (r1844389), otherwise the geneated 
t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" 
instead of "all" (unless you specifiy -sslproto explicitly).



- Net::SSLeay 1.86_06 tag from Github 
https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl 
-pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing 
needed for some new 1.1.1 APIs.



- IO/Socket/SSL.pm recent version 2.060 plus patch 
https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch 
(probably not needed) plus anti-hang patch to call 
Net::SSLeay::CTX_set_post_handshake_auth()


--- IO/Socket/SSL.pm.orig  2018-08-15 18:03:29.000000000 +0000
+++ IO/Socket/SSL.pm       2018-09-19 16:37:46.450281000 +0000
@@ -2594,6 +2594,10 @@
                 "Failed to load key from file (no PEM or DER)");
         }


+        if ($havecert && $havekey && 
Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {

+            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
+        }
+
         # replace arg_hash with created context
         $ctx{$host} = $ctx;
      }

The PHA patch was stolen from Joe's explanation of the PHA issue.


With this setup, I can see some TLSv1.3 entries in the 
t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.


Regards,

Rainer























					Reply via email to