[nginx-tests] Tests: sigalgs handling with Net::SSLeay with Libr...
Maxim Dounin
mdounin at mdounin.ru
Sun May 5 21:02:55 UTC 2024
details: http://freenginx.org/hg/nginx-tests/rev/0a93f101925a
branches:
changeset: 1967:0a93f101925a
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon May 06 00:01:53 2024 +0300
description:
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
LibreSSL does not provide a way to configure signature algorithms, and
this makes it impossible to request a particular server certificate
when using TLSv1.3. As such, relevant tests fail if Net::SSLeay is compiled
with LibreSSL. Notably, this affects macOS, where Net::SSLeay compiled
with LibreSSL is shipped with the OS.
Fix is to mark relevant tests as TODO if Net::SSLeay is compiled with
LibreSSL, similarly to what we already do for sigalg issues in LibreSSL
on the server side.
diffstat:
ssl_certificates.t | 8 ++++++++
ssl_stapling.t | 8 +++++++-
2 files changed, 15 insertions(+), 1 deletions(-)
diffs (52 lines):
diff --git a/ssl_certificates.t b/ssl_certificates.t
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -99,8 +99,16 @@ like(cert('RSA'), qr/CN=rsa/, 'ssl cert
}
+TODO: {
+local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)'
+ if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")
+ && !$t->has_module('LibreSSL')
+ && test_tls13();
+
like(cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');
+}
+
###############################################################################
sub test_tls13 {
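Review bot: the `&& !$t->has_module('LibreSSL')` clause in the new TODO condition is not explained, and the TODOs added to ssl_stapling.t for the same client-side reason do not carry it. A short comment above the block saying why the ECDSA check is expected to behave differently when the server is also built with LibreSSL would make the asymmetry between the two files easier to follow.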
diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -262,6 +262,8 @@ ok(!staple(8443, 'RSA'), 'staple revoked
TODO: {
local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
if $t->has_module('LibreSSL') && test_tls13();
+local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)'
+ if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
ok(staple(8443, 'ECDSA'), 'staple success');
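Review bot: the block before 'staple success' now has two `local $TODO` statements in the same scope, so when both conditions hold (nginx built with LibreSSL and Net::SSLeay built with LibreSSL) the second assignment silently replaces the first reason. Either combine them into one assignment that picks the message explicitly, or add a comment that the client-side reason is meant to take precedence.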
@@ -272,6 +274,8 @@ ok(!staple(8444, 'RSA'), 'responder revo
TODO: {
local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
if $t->has_module('LibreSSL') && test_tls13();
+local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)'
+ if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();
ok(staple(8444, 'ECDSA'), 'responder success');
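Review bot: the condition `Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13()` before 'responder success' is a verbatim repeat of the one in the previous hunk, and the same constant lookup appears again in ssl_certificates.t and in the 'no crit' block. A small helper sub next to test_tls13() would keep the client-side LibreSSL check in one place per file.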
@@ -288,7 +292,9 @@ ok(!staple(8449, 'ECDSA'), 'ocsp error')
TODO: {
local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
- if $t->has_module('LibreSSL') && test_tls13();
+ if $t->has_module('LibreSSL')
+ && !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")
+ && test_tls13();
like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
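Review bot: the added `&& !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")` clause turns the 'no crit' TODO off when the client is built with LibreSSL, making that check a hard assertion there, but neither the code nor the commit message says why no `[crit]` entries are expected in that combination. A one-line comment above the condition stating the reason would help the next reader of this block.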