Hi Anatol,

On Thu, Mar 23, 2017 at 2:19 AM, Anatol Belski <a...@php.net> wrote:
> Hi Jakub,
>
> While working on the OpenSSL 1.1 integration, I've stumbled over this
> issue with the SNI server test ext/openssl/tests/sni_server.phpt, which
> fails with
>
> error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
>
> I debugged through it and in the end it turns out that the test CA might
> likely not be compatible with the latest OpenSSL, at least with the vanilla
> build with the default options. I use the default OpenSSL build with static
> engines, as usual. It excludes quite some weak functionality, so I guess
> we've no actual bug. Please also see the checks I made with the console tool:
>
> C:\php-sdk\php71\vc14\x64\php-src
> $ openssl version
> OpenSSL 1.0.2k 26 Jan 2017
>
> C:\php-sdk\php71\vc14\x64\php-src
> $ openssl.exe verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
> ext\openssl\tests\sni_server_domain1.pem: OK
>
> On master with OpenSSL 1.1, however, it seems the CA is invalid:
>
> C:\php-sdk\phpmaster\vc15\x64\php-src
> $ openssl version
> OpenSSL 1.1.0e 16 Feb 2017
>
> C:\php-sdk\phpmaster\vc15\x64\php-src
> $ openssl verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
> C = US, ST = SC, L = Myrtle Beach, O = php.tests subordinate, CN = php.tests.subordinate
> error 24 at 1 depth lookup: invalid CA certificate
> error ext\openssl\tests\sni_server_domain1.pem: verification failed
>
> As mentioned, there's likely no bug, but I think it would not be bad to
> double-check this test. A fix could be to just produce other keys and a CA
> with stronger dependency. I currently added a skip to the aforementioned
> test in master, mainly as I'm about to switch AppVeyor to newer deps and
> vc15, and the test was producing failures all the time.
> Also not sure which OpenSSL version Travis runs currently, but I had this
> test failing on Linux with the vanilla OpenSSL 1.1 build as well.

Yep, I have been looking a little bit and it really seems that it is about the CA cert, and OpenSSL 1.1 is a bit more strict about verification of it. IIRC it was failing on the extension part when I was quickly debugging it. When I check the purpose using

$ openssl x509 -in sni_server_ca.pem -purpose

then it is visible that the cert is not a server CA, which it should probably be, but I'm not sure if that's the reason. I think we will need to use a different cert for that test. I have got it on my todo list, so hopefully I will add something more sensible that works soon, unless you want to do it. Until then, the skip is fine ;)

Cheers

Jakub
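The two checks used in this thread (openssl verify against a CA file, and openssl x509 -purpose on the CA cert), as an added example that is not code from the PHP test suite or from either author. The script builds a throwaway PKI twice: once with a CA that carries the extensions OpenSSL's X509_check_ca() looks for (basicConstraints CA:TRUE and, since keyUsage is present, keyCertSign), and once with a "CA" whose keyUsage omits keyCertSign, which OpenSSL refuses as an issuer with "invalid CA certificate" (error 24) and reports as "SSL server CA : No". It shows one concrete way a CA cert fails those checks; it does not claim this is what the original sni_server_ca.pem contained. The directory, subject and DNS names are placeholders, and it assumes an openssl binary (1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not the PHP test-suite's own code: build a throwaway PKI twice,
# once with a CA that carries the extensions X509_check_ca() looks for, once with
# a "CA" whose keyUsage omits keyCertSign, and run the same two checks used in
# the thread (openssl verify, openssl x509 -purpose) against each.
# Assumes an openssl binary (1.1 or newer) on PATH; all names are placeholders.

# write_config FILE: openssl config with the extension profiles used below.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

# Proper CA: CA:TRUE and, because keyUsage is present, keyCertSign.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Looks like an end-entity cert: keyUsage is present but lacks keyCertSign, so
# X509_check_ca() returns 0 and a chain through it fails with error 24.
[ v3_not_a_ca ]
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

# Leaf profile for the server certificate (placeholder hostname).
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:domain1.example.test
EOF
}

# build_pki DIR CA_SECTION: self-signed CA built from CA_SECTION, plus a server
# cert issued by it. Produces DIR/ca.pem and DIR/leaf.pem.
build_pki() {
  dir="$1"; ca_section="$2"
  mkdir -p "$dir"
  write_config "$dir/openssl.cnf"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Example Test CA" -days 30 \
    -config "$dir/openssl.cnf" -extensions "$ca_section" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=domain1.example.test" \
    -config "$dir/openssl.cnf" -out "$dir/leaf.csr" 2>/dev/null
  # "openssl x509 -req" signs without checking the issuer's own CA extensions,
  # which is exactly how a broken test CA ends up with valid-looking leaves.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -set_serial 1 -days 30 -extfile "$dir/openssl.cnf" -extensions v3_server \
    -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR: exit 0 if DIR/leaf.pem chains to DIR/ca.pem, the same
# "openssl verify -CAfile" run shown in the thread.
verify_leaf() {
  openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# is_server_ca CERT: exit 0 if "openssl x509 -purpose" reports
# "SSL server CA : Yes" for CERT, i.e. OpenSSL will accept it as a TLS server CA.
is_server_ca() {
  openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL server CA : Yes'
}

# demo: build both PKIs in a temp dir and print the outcome of each check.
demo() {
  work="$(mktemp -d)"
  build_pki "$work/good" v3_ca
  build_pki "$work/bad" v3_not_a_ca
  for kind in good bad; do
    if verify_leaf "$work/$kind"; then v=OK; else v=FAILED; fi
    if is_server_ca "$work/$kind/ca.pem"; then p=Yes; else p=No; fi
    echo "$kind CA: openssl verify=$v, 'SSL server CA'=$p"
  done
  # Show the verifier's own wording for the failing chain (error 24 at depth 1).
  openssl verify -CAfile "$work/bad/ca.pem" "$work/bad/leaf.pem" 2>&1 | grep -i 'error' || true
  rm -rf "$work"
}

demo
```

Run it as-is, or source the file and call build_pki and is_server_ca on the real sni_server_ca.pem: is_server_ca is the scripted form of the -purpose check quoted above, and "SSL server CA : No" on a cert that is meant to issue the test's server certificates is the first thing to look at before regenerating keys.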