From 633a74e9fb2e4de84d05575206e33f8c9a3ce2d6 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 13 Oct 2021 18:31:07 +0100 Subject: [PATCH 1/5] Backport OPENSSL_NEXT to ssl-opt.sh Add support for a newer version of OpenSSL, as well as a legacy version. Signed-off-by: Paul Elliott --- tests/ssl-opt.sh | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f17f2fd39..4472646e8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -77,6 +77,14 @@ else O_LEGACY_CLI=false fi +if [ -n "${OPENSSL_NEXT:-}" ]; then + O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" + O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" +else + O_NEXT_SRV=false + O_NEXT_CLI=false +fi + if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" else @@ -355,6 +363,19 @@ requires_openssl_legacy() { fi } +requires_openssl_next() { + if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then + if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then + OPENSSL_NEXT_AVAILABLE="YES" + else + OPENSSL_NEXT_AVAILABLE="NO" + fi + fi + if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then + SKIP_NEXT="YES" + fi +} + # skip next test if IPv6 isn't available on this host requires_ipv6() { if [ -z "${HAS_IPV6:-}" ]; then @@ -1225,6 +1246,11 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT" fi +if [ -n "${OPENSSL_NEXT:-}" ]; then + O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" + O_NEXT_CLI="$O_NEXT_CLI -connect localhost:+SRV_PORT" +fi + if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT" fi From d76c47d74d16272e1c3b62b67b62f499869f2205 Mon Sep 17 00:00:00 2001 
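Review bot: `which "${OPENSSL_NEXT:-}"` in requires_openssl_next only proves that some executable by that name exists; it does not check that it is a different or newer OpenSSL than the 1.0.2g the later patches in this series route around, so an OPENSSL_NEXT that points at the same old binary (or at a plain `openssl` from PATH) silently re-enables the flaky runs instead of skipping them. A cheap improvement is to record what the binary reports, e.g. `OPENSSL_NEXT_VERSION=$("$OPENSSL_NEXT" version 2>/dev/null)`, and document above the function which versions are known to pass, so a mis-set variable is visible in the test output. When OPENSSL_NEXT is unset the function still runs `which ''`; guarding with `[ -n "${OPENSSL_NEXT:-}" ]` before the lookup is clearer. `which` itself is not a POSIX builtin; if the sibling `requires_openssl_*` helpers outside this hunk use it too, keep it for consistency, otherwise `command -v` is the portable form.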
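Review bot: `O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"` binds the OpenSSL test server with no address, so which interfaces and address family it listens on is left to the binary's default, while the clients (and, after the last patch in this series, every `-connect`) are pinned to 127.0.0.1; the comment above this block says "force IPv4 while at it", but only the mbedtls-side P_SRV/P_PXY commands actually receive a `server_addr`. If the default bind is all interfaces, the test server with data_files/server5.key is reachable from the network for the duration of each test, and a loopback-only IPv4 client may not even reach an IPv6-default listener. Newer OpenSSL accepts a host in `-accept`, so for the OPENSSL_NEXT binary `-accept 127.0.0.1:$SRV_PORT` would make the server side match the client side; confirm against the version you use, since 1.0.2 may not take the host:port form. The same observation applies to the untouched `-accept` lines in the last patch's hunk at @@ -1233.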
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 13 Oct 2021 13:12:47 +0200 Subject: [PATCH 2/5] Use newer OpenSSL for tests failing with the old MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4472646e8..d42ec3c85 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2964,10 +2964,13 @@ run_test "Session resume using tickets, DTLS: openssl server" \ -c "parse new session ticket" \ -c "a session has been resumed" +# For reasons that aren't fully understood, this test randomly fails with high +# probabiliby with OpenSSL 1.0.2g on the CI, see #5012. +requires_openssl_next run_test "Session resume using tickets, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ + "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \ + $O_NEXT_CLI -dtls1 -sess_in $SESSION; \ rm -f $SESSION )" \ 0 \ -s "found session ticket extension" \ @@ -3164,10 +3167,13 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +# For reasons that aren't fully understood, this test randomly fails with high +# probabiliby with OpenSSL 1.0.2g on the CI, see #5012. +requires_openssl_next run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ + "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \ + $O_NEXT_CLI -dtls1 -sess_in $SESSION; \ rm -f $SESSION )" \ 0 \ -s "found session ticket extension" \ From 7ca2f39d919b601318b2367e9bf4297aa250381f Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Wed, 13 Oct 2021 16:13:44 +0100 Subject: [PATCH 3/5] Spelling fix 
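Review bot: Switching these two tests to `$O_NEXT_CLI` under `requires_openssl_next` makes them skip silently wherever OPENSSL_NEXT is unset, so DTLS session-resumption interop against an OpenSSL client loses coverage on any job that only provides OPENSSL, and neither the added comment nor the commit message says that is intended. The comment also does not say which OpenSSL version the test is expected to pass with, which is the information a reader needs when OPENSSL_NEXT is misconfigured. Consider extending it to `# Requires OPENSSL_NEXT (a newer OpenSSL than 1.0.2g); skipped when unset, see #5012.` The same applies to the second hunk at @@ -3164 (session resume using cache).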
Signed-off-by: Paul Elliott --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d42ec3c85..48a7d8038 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2965,7 +2965,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \ -c "a session has been resumed" # For reasons that aren't fully understood, this test randomly fails with high -# probabiliby with OpenSSL 1.0.2g on the CI, see #5012. +# probability with OpenSSL 1.0.2g on the CI, see #5012. requires_openssl_next run_test "Session resume using tickets, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ @@ -3168,7 +3168,7 @@ run_test "Session resume using cache, DTLS: session copy" \ -c "a session has been resumed" # For reasons that aren't fully understood, this test randomly fails with high -# probabiliby with OpenSSL 1.0.2g on the CI, see #5012. +# probability with OpenSSL 1.0.2g on the CI, see #5012. requires_openssl_next run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ From 405fcccf75395fc3d150186f6c370de056517829 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Tue, 12 Oct 2021 16:02:55 +0100 Subject: [PATCH 4/5] Fix incorrect check for DTLS Missing wildcards meant that some servers were not identified as DTLS, which lead to port checking on TCP rather than UDP, and thus mistakenly cancelling tests as the server had not come up. Signed-off-by: Paul Elliott --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 48a7d8038..e08dbec51 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -686,7 +686,7 @@ wait_client_done() { # check if the given command uses dtls and sets global variable DTLS detect_dtls() { case "$1" in - *dtls=1*|-dtls|-u) DTLS=1;; + *dtls=1*|*-dtls*|*-u*) DTLS=1;; *) DTLS=0;; esac } From ccba129c5a514db853de4ba961d24f179d3b1c86 Mon Sep 17 00:00:00 2001 
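Review bot: `*-u*` in detect_dtls matches any command whose text contains the substring "-u" anywhere, not just a standalone `-u` option, so an unrelated option name or file path containing "-u" would flip DTLS=1 and make the port check probe UDP for a TCP server; the inverse of the bug this commit fixes. `*-dtls*` is fine because "dtls" is specific, but `-u` is short enough to occur by accident. Requiring it to be a separate word keeps the intent, e.g. `*dtls=1*|*-dtls*|*" -u "*|*" -u") DTLS=1;;` (the second form covers `-u` at the end of the string). A one-line comment naming which client uses `-u` would also help the next person who touches this pattern.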
From: Paul Elliott Date: Tue, 12 Oct 2021 16:10:37 +0100 Subject: [PATCH 5/5] Use 127.0.0.1 rather than localhost This was causing some tests using the openssl s_client to not connect - I suspect this was due to localhost (at least on my machine) resolving to ::1 rather than 127.0.0.1. Note that the error seen would have been that the session file specified with -sess_out did not get created. Signed-off-by: Paul Elliott --- tests/ssl-opt.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e08dbec51..724d62791 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1233,22 +1233,24 @@ SRV_DELAY_SECONDS=0 # fix commands to use this port, force IPv4 while at it # +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later +# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many +# machines that will resolve to ::1, and we don't want ipv6 here. P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT" P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT" P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}" O_SRV="$O_SRV -accept $SRV_PORT" -O_CLI="$O_CLI -connect localhost:+SRV_PORT" +O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT" G_SRV="$G_SRV -p $SRV_PORT" G_CLI="$G_CLI -p +SRV_PORT" if [ -n "${OPENSSL_LEGACY:-}" ]; then O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem" - O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT" + O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT" fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" - O_NEXT_CLI="$O_NEXT_CLI -connect localhost:+SRV_PORT" + O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT" fi if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then