From 19f1f786fc511012fdce072de7fb0c49d1030616 Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Wed, 13 Oct 2021 18:31:07 +0100
Subject: [PATCH 1/5] Backport OPENSSL_NEXT to ssl-opt.sh

Add support for a newer version of OpenSSL, as well as a legacy version.

Signed-off-by: Paul Elliott
---
 tests/ssl-opt.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6fa85f71d9..bfd13721d7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -93,6 +93,14 @@ else
 O_LEGACY_CLI=false
 fi
 
+if [ -n "${OPENSSL_NEXT:-}" ]; then
+ O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+ O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
+else
+ O_NEXT_SRV=false
+ O_NEXT_CLI=false
+fi
+
 if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
 else
@@ -322,6 +330,19 @@ requires_openssl_legacy() {
 fi
 }
 
+requires_openssl_next() {
+ if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
+ if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
+ OPENSSL_NEXT_AVAILABLE="YES"
+ else
+ OPENSSL_NEXT_AVAILABLE="NO"
+ fi
+ fi
+ if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
+ SKIP_NEXT="YES"
+ fi
+}
+
 # skip next test if IPv6 isn't available on this host
 requires_ipv6() {
 if [ -z "${HAS_IPV6:-}" ]; then
@@ -980,6 +1001,11 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then
 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
 fi
 
+if [ -n "${OPENSSL_NEXT:-}" ]; then
+ O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
+ O_NEXT_CLI="$O_NEXT_CLI -connect localhost:+SRV_PORT"
+fi
+
 if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
 fi
From a4700756a4cdbcfdb10bd26eb36e765bda9ab330 Mon Sep 17 00:00:00 2001
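Review bot: `requires_openssl_next` in the second hunk has no header comment, while the neighbouring `requires_ipv6` carries one (`# skip next test if IPv6 isn't available on this host`); add `# skip next test if the OpenSSL build named by OPENSSL_NEXT isn't available` above the function. The guard only checks that `$OPENSSL_NEXT` resolves to an executable, not which version it is, so exporting an older OpenSSL under that name would still run tests that depend on newer behaviour; the comment should say that the version is the caller's responsibility unless a version probe is added. `which` is not portable and `command -v` is the usual replacement, but if the sibling `requires_openssl_legacy` (its body is cut off above this hunk) uses `which` as well, change them together rather than only here.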
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 13 Oct 2021 13:12:47 +0200
Subject: [PATCH 2/5] Use newer OpenSSL for tests failing with the old
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard
---
 tests/ssl-opt.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index bfd13721d7..f1e6cf42c1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1771,10 +1771,13 @@ run_test "Session resume using tickets, DTLS: openssl server" \
 -c "parse new session ticket" \
 -c "a session has been resumed"
 
+# For reasons that aren't fully understood, this test randomly fails with high
+# probabiliby with OpenSSL 1.0.2g on the CI, see #5012.
+requires_openssl_next
 run_test "Session resume using tickets, DTLS: openssl client" \
 "$P_SRV dtls=1 debug_level=3 tickets=1" \
- "( $O_CLI -dtls1 -sess_out $SESSION; \
- $O_CLI -dtls1 -sess_in $SESSION; \
+ "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \
+ $O_NEXT_CLI -dtls1 -sess_in $SESSION; \
 rm -f $SESSION )" \
 0 \
 -s "found session ticket extension" \
@@ -1953,10 +1956,13 @@ run_test "Session resume using cache, DTLS: no timeout" \
 -s "a session has been resumed" \
 -c "a session has been resumed"
 
+# For reasons that aren't fully understood, this test randomly fails with high
+# probabiliby with OpenSSL 1.0.2g on the CI, see #5012.
+requires_openssl_next
 run_test "Session resume using cache, DTLS: openssl client" \
 "$P_SRV dtls=1 debug_level=3 tickets=0" \
- "( $O_CLI -dtls1 -sess_out $SESSION; \
- $O_CLI -dtls1 -sess_in $SESSION; \
+ "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \
+ $O_NEXT_CLI -dtls1 -sess_in $SESSION; \
 rm -f $SESSION )" \
 0 \
 -s "found session ticket extension" \
From 6c64983e324cd3509b6d79143ad3fff41285332a Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Wed, 13 Oct 2021 16:13:44 +0100
Subject: [PATCH 3/5] Spelling fix
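Review bot: The comment added above `requires_openssl_next` in both hunks explains the flake but not the consequence: these two DTLS resumption tests are now skipped entirely unless `OPENSSL_NEXT` is set, so a run with only the default OpenSSL loses their coverage without any visible reason. Extend the comment with a line such as `# These tests therefore require OPENSSL_NEXT and are skipped otherwise.` so the skip is explained where the result list points. The commands also keep `-dtls1`; if the "next" OpenSSL build is configured without DTLS 1.0, that option would fail the handshake rather than exercise resumption, which I cannot rule out from the hunk since it does not show which version `OPENSSL_NEXT` names on the CI. The same comment is duplicated in the second hunk; it could simply refer back to the first occurrence.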
Signed-off-by: Paul Elliott
---
 tests/ssl-opt.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f1e6cf42c1..fc781eaeee 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1772,7 +1772,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \
 -c "a session has been resumed"
 
 # For reasons that aren't fully understood, this test randomly fails with high
-# probabiliby with OpenSSL 1.0.2g on the CI, see #5012.
+# probability with OpenSSL 1.0.2g on the CI, see #5012.
 requires_openssl_next
 run_test "Session resume using tickets, DTLS: openssl client" \
 "$P_SRV dtls=1 debug_level=3 tickets=1" \
@@ -1957,7 +1957,7 @@ run_test "Session resume using cache, DTLS: no timeout" \
 -c "a session has been resumed"
 
 # For reasons that aren't fully understood, this test randomly fails with high
-# probabiliby with OpenSSL 1.0.2g on the CI, see #5012.
+# probability with OpenSSL 1.0.2g on the CI, see #5012.
 requires_openssl_next
 run_test "Session resume using cache, DTLS: openssl client" \
 "$P_SRV dtls=1 debug_level=3 tickets=0" \
From 316a6aaae403a2c4ab06e6c5fe94b74cbd263af9 Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Tue, 12 Oct 2021 16:02:55 +0100
Subject: [PATCH 4/5] Fix incorrect check for DTLS

Missing wildcards meant that some servers were not identified as DTLS, which lead to port checking on TCP rather than UDP, and thus mistakenly cancelling tests as the server had not come up.

Signed-off-by: Paul Elliott
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index fc781eaeee..ba39aa6fdf 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -601,7 +601,7 @@ wait_client_done() {
 # check if the given command uses dtls and sets global variable DTLS
 detect_dtls() {
 case "$1" in
- *dtls=1*|-dtls|-u) DTLS=1;;
+ *dtls=1*|*-dtls*|*-u*) DTLS=1;;
 *) DTLS=0;;
 esac
 }
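Review bot: The widened patterns in `detect_dtls` (patch 4/5) match substrings anywhere in the command string, so `*-u*` fires on any option or path that merely contains `-u` and `*-dtls*` on anything containing that substring; a false positive flips the readiness check to UDP for a TCP server and reproduces the original symptom in reverse, with the test cancelled because the server is never seen. Anchoring the option names on word boundaries keeps the fix while avoiding that: `*dtls=1*|*" -dtls"*|*" -u "*|*" -u") DTLS=1;;`. The whole function is inside the hunk; the callers are not, so the new patterns should be checked against the full set of server command strings passed to it.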
From 0ab794103d3db6a6a6186dedb4e89c8276879816 Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Tue, 12 Oct 2021 16:10:37 +0100
Subject: [PATCH 5/5] Use 127.0.0.1 rather than localhost

This was causing some tests using the openssl s_client to not connect - I suspect this was due to localhost (at least on my machine) resolving to ::1 rather than 127.0.0.1. Note that the error seen would have been that the session file specified with -sess_out did not get created.

Signed-off-by: Paul Elliott
---
 tests/ssl-opt.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ba39aa6fdf..f3e0f05c19 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -988,22 +988,24 @@ SRV_DELAY_SECONDS=0
 
 # fix commands to use this port, force IPv4 while at it
 # +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
+# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
+# machines that will resolve to ::1, and we don't want ipv6 here.
 P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
 P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
 P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
 O_SRV="$O_SRV -accept $SRV_PORT"
-O_CLI="$O_CLI -connect localhost:+SRV_PORT"
+O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
 G_SRV="$G_SRV -p $SRV_PORT"
 G_CLI="$G_CLI -p +SRV_PORT"
 
 if [ -n "${OPENSSL_LEGACY:-}" ]; then
 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
- O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
+ O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
 fi
 
 if [ -n "${OPENSSL_NEXT:-}" ]; then
 O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
- O_NEXT_CLI="$O_NEXT_CLI -connect localhost:+SRV_PORT"
+ O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
 fi
 
 if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
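Review bot: The new note about `localhost` sits above the `P_SRV`/`P_CLI`/`P_PXY` lines, which already used 127.0.0.1 and are untouched; it explains the three `-connect` changes further down, so move it directly above `O_CLI=` or reword it as `# Note: the OpenSSL -connect targets below use 127.0.0.1 rather than 'localhost', which on many machines resolves to ::1; we don't want ipv6 here.` The pinning is client-side only: `O_SRV`, `O_LEGACY_SRV` and `O_NEXT_SRV` keep `-accept $SRV_PORT`, which as far as I know makes s_server listen on all local addresses, so the IPv4-only intent in the header comment is not enforced for the listener and the test servers stay reachable from other hosts for the duration of a run. If a loopback-only bind is wanted, `-accept 127.0.0.1:$SRV_PORT` is understood by OpenSSL 1.1.0 and later but, I believe, not by the legacy build, so it would have to be applied per variant rather than to all three.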