Re: Failures in SSL tests in test suite
On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem wrote:
> Apparently because of the fix in openssl for the TLS renegotiation issue the
> following failed tests now pop up in our test suite (trunk and 2.2.x the same):
>
> Failed Test        Stat Wstat Total Fail  List of Failed
> ---
> t/ssl/basicauth.t                 3    2  2-3
> t/ssl/env.t                      30   15  16-30
> t/ssl/extlookup.t                 2    2  1-2
> t/ssl/fakeauth.t                  3    2  2-3
> t/ssl/pr12355.t                  10   10  1-10
> t/ssl/pr43738.t                   4    4  1-4
> t/ssl/proxy.t                   172   10  3-7 116-120
> t/ssl/require.t                   5    2  2 5
> t/ssl/varlookup.t                72   72  1-72
> t/ssl/verify.t                    3    1  2
> 4 tests and 2 subtests skipped.

I picked up almost identical failures on 2.2.14 on OpenSolaris when
moving to a dev build with 0.9.8l from a dev build with 0.9.8k. At
least a few of those testcases mention renegotiation. As I also
picked up another failure that didn't seem to be related, I'll try to
find time to perform before/after testing with just the OpenSSL k->l
change.

It would be helpful to end up with some skip-renegotiation option to
skip such tests.

Also, when the permanent enable-legacy-renegotiation API is in a
released OpenSSL version do we expect to provide access to it from the
config as a means for the admin to confirm that whatever
server-initiated renegotiation is configured should be allowed?

Re: Failures in SSL tests in test suite
On 12.12.2009 18:26, Jeff Trawick wrote:
> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem wrote:
>> Apparently because of the fix in openssl for the TLS renegotiation issue the
>> following failed tests now pop up in our test suite (trunk and 2.2.x the same):
>>
>> Failed Test        Stat Wstat Total Fail  List of Failed
>> ---
>> t/ssl/basicauth.t                 3    2  2-3
>> t/ssl/env.t                      30   15  16-30
>> t/ssl/extlookup.t                 2    2  1-2
>> t/ssl/fakeauth.t                  3    2  2-3
>> t/ssl/pr12355.t                  10   10  1-10
>> t/ssl/pr43738.t                   4    4  1-4
>> t/ssl/proxy.t                   172   10  3-7 116-120
>> t/ssl/require.t                   5    2  2 5
>> t/ssl/varlookup.t                72   72  1-72
>> t/ssl/verify.t                    3    1  2
>> 4 tests and 2 subtests skipped.
>
> I picked up almost identical failures on 2.2.14 on OpenSolaris when
> moving to a dev build with 0.9.8l from a dev build with 0.9.8k. At
> least a few of those testcases mention renegotiation. As I also
> picked up another failure that didn't seem to be related, I'll try to
> find time to perform before/after testing with just the OpenSSL k->l
> change.
>
> It would be helpful to end up with some skip-renegotiation option to
> skip such tests.
>
> Also, when the permanent enable-legacy-renegotiation API is in a
> released OpenSSL version do we expect to provide access to it from the
> config as a means for the admin to confirm that whatever
> server-initiated renegotiation is configured should be allowed?

IMHO yes, because otherwise we block server driven renegotiation completely
and would force some people to stick with old OpenSSL versions. Better have
them open this problem in a controlled manner than have them sitting with old
OpenSSL versions. Additionally, once we have Hartmut Keil's patch in we are
also safe against splitting attacks and thus have one important attack vector
less.

Regards

Rüdiger

Re: Failures in SSL tests in test suite
On Sat, Dec 12, 2009 at 12:26 PM, Jeff Trawick wrote:
> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem wrote:
>> Apparently because of the fix in openssl for the TLS renegotiation issue the
>> following failed tests now pop up in our test suite (trunk and 2.2.x the same):
>>
>> Failed Test        Stat Wstat Total Fail  List of Failed
>> ---
>> t/ssl/basicauth.t                 3    2  2-3
>> t/ssl/env.t                      30   15  16-30
>> t/ssl/extlookup.t                 2    2  1-2
>> t/ssl/fakeauth.t                  3    2  2-3
>> t/ssl/pr12355.t                  10   10  1-10
>> t/ssl/pr43738.t                   4    4  1-4
>> t/ssl/proxy.t                   172   10  3-7 116-120
>> t/ssl/require.t                   5    2  2 5
>> t/ssl/varlookup.t                72   72  1-72
>> t/ssl/verify.t                    3    1  2
>> 4 tests and 2 subtests skipped.
>
> I picked up almost identical failures on 2.2.14 on OpenSolaris when
> moving to a dev build with 0.9.8l from a dev build with 0.9.8k. At
> least a few of those testcases mention renegotiation. As I also
> picked up another failure that didn't seem to be related, I'll try to
> find time to perform before/after testing with just the OpenSSL k->l
> change.

A straight k->l comparison shows exactly the same failures as you with
httpd trunk/apr[-util] 1.4 HEAD on a recent OpenSolaris dev build.

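One way to script the before/after comparison described in this message (an added example, not part of the thread and not code from the httpd test framework): it parses failure summaries in the layout quoted above and reports which subtests newly fail. The `t/example/unrelated.t` row, the baseline table and its Stat/Wstat values are constructed, and choosing the column offset by matching the Fail count is an assumption of this sketch.

```python
import re

# Rows as quoted in the thread (0.9.8l run), plus one constructed unrelated row.
AFTER = """Failed Test Stat Wstat Total Fail List of Failed
---
t/ssl/env.t 30 15 16-30
t/ssl/proxy.t 172 10 3-7 116-120
t/ssl/require.t 5 2 2 5
t/example/unrelated.t 4 1 3
4 tests and 2 subtests skipped."""
# Constructed baseline (0.9.8k run); the filled Stat/Wstat values are made up.
BEFORE = """Failed Test Stat Wstat Total Fail List of Failed
---
t/example/unrelated.t 1 256 4 1 3"""

def expand(tokens):
    """Expand '3-7' style ranges and single numbers into a set of subtest ids."""
    ids = set()
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_summary(text):
    """Return {test_file: set(failed subtests)} from a failure summary table."""
    failed = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+\.t)\s+(.+)", line)
        if not m:
            continue  # header, separator or "skipped" footer
        name, cols = m.group(1), m.group(2).split()
        # Stat/Wstat may be blank (as in the thread) or filled: accept the
        # offset at which the Fail column equals the length of the list.
        for off in (0, 2):
            try:
                fail, ids = int(cols[off + 1]), expand(cols[off + 2:])
            except (IndexError, ValueError):
                continue
            if len(ids) == fail:
                failed[name] = ids
                break
        else:
            raise ValueError(f"cannot parse row: {line!r}")
    return failed

def compare(before, after):
    """Return (newly failing, no longer failing) subtests per test file."""
    new = {t: ids - before.get(t, set()) for t, ids in after.items()}
    fixed = {t: ids - after.get(t, set()) for t, ids in before.items()}
    return ({t: s for t, s in new.items() if s},
            {t: s for t, s in fixed.items() if s})
```

Failures present in both runs drop out of the result, so only the regressions introduced by the library change remain to be triaged.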
Re: Failures in SSL tests in test suite
Jeff Trawick wrote:
> On Sat, Dec 12, 2009 at 12:26 PM, Jeff Trawick wrote:
>> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem wrote:
>>> Apparently because of the fix in openssl for the TLS renegotiation issue
>>> the following failed tests now pop up in our test suite (trunk and 2.2.x
>>> the same):
>>>
>>> Failed Test        Stat Wstat Total Fail  List of Failed
>>> ---
>>> t/ssl/basicauth.t                 3    2  2-3
>>> t/ssl/env.t                      30   15  16-30
>>> t/ssl/extlookup.t                 2    2  1-2
>>> t/ssl/fakeauth.t                  3    2  2-3
>>> t/ssl/pr12355.t                  10   10  1-10
>>> t/ssl/pr43738.t                   4    4  1-4
>>> t/ssl/proxy.t                   172   10  3-7 116-120
>>> t/ssl/require.t                   5    2  2 5
>>> t/ssl/varlookup.t                72   72  1-72
>>> t/ssl/verify.t                    3    1  2
>>> 4 tests and 2 subtests skipped.
>> I picked up almost identical failures on 2.2.14 on OpenSolaris when
>> moving to a dev build with 0.9.8l from a dev build with 0.9.8k. At
>> least a few of those testcases mention renegotiation. As I also
>> picked up another failure that didn't seem to be related, I'll try to
>> find time to perform before/after testing with just the OpenSSL k->l
>> change.
>
> A straight k->l comparison shows exactly the same failures as you with
> httpd trunk/apr[-util] 1.4 HEAD on a recent OpenSolaris dev build.
>

I'd suggest you try OpenSSL 0.9.8-dev (i.e. a recent snapshot). Renegotiation
is now possible but only with itself (which presumably that tests). The only
thing that is not allowed is renegotiation with the deprecated SSLv2.

If there are still any problems I'll check them.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org