[nginx-tests] Tests: improved ssl_verify_depth.t error reporting.

Maxim Dounin mdounin at mdounin.ru
Sun May 24 21:30:26 UTC 2026


details:   http://freenginx.org/hg/nginx-tests/rev/2688ca1e99fb
branches:  
changeset: 2060:2688ca1e99fb
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sat May 23 19:44:39 2026 +0300
description:
Tests: improved ssl_verify_depth.t error reporting.

Previously, the test was skipped with LibreSSL due to issues with verify
depth handling introduced in LibreSSL 3.4.0, and depth (mis)handling in
OpenSSL 1.1.0+ was silently accepted.  With this change, tests that are
expected to fail with the particular library version are marked as TODO
with an explanation.

diffstat:

 ssl_verify_depth.t |  41 +++++++++++++++++++++++++++++++++++++----
 1 files changed, 37 insertions(+), 4 deletions(-)

diffs (76 lines):

diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t
--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 
+# (C) Maxim Dounin
 # (C) Sergey Kandaurov
 # (C) Nginx, Inc.
 
@@ -25,8 +26,6 @@ select STDOUT; $| = 1;
 my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
 	->has_daemon('openssl');
 
-plan(skip_all => 'LibreSSL') if $t->has_module('LibreSSL');
-
 $t->plan(9)->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
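Review bot: with the `plan(skip_all => 'LibreSSL')` guard removed, LibreSSL builds now run all nine tests, and the only remaining LibreSSL-specific handling is the `$t->has_feature('libressl:...')` checks in the later hunks. It is worth confirming that the Test::Nginx in use recognises the `libressl:` feature prefix; if `has_feature` returned false for an unrecognised prefix, the affected assertions would show up on LibreSSL as hard failures rather than TODOs, which is exactly what this hunk is meant to avoid.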
@@ -148,10 +147,28 @@ system("openssl ca -batch -config $d/ca.
 # as a result, it is not possible to limit certificate checking
 # to self-signed certificates only when using OpenSSL 1.1.0+
 
+# LibreSSL 3.4.0+ interprets verify depth 0 as no limit
+
 like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root');
-like(get(8080, 'int'),  qr/FAI|SUC/, 'verify depth 0 - no int');
+
+TODO: {
+local $TODO = 'off-by-one depth in OpenSSL 1.1.0+'
+	if $t->has_feature('openssl:1.1.0');
+local $TODO = 'no zero depth in LibreSSL 3.4.0+'
+	if $t->has_feature('libressl:3.4.0');
+
+like(get(8080, 'int'),  qr/FAILED/, 'verify depth 0 - no int');
+
+}
+
+TODO: {
+local $TODO = 'no zero depth in LibreSSL 3.4.0+'
+	if $t->has_feature('libressl:3.4.0');
+
 like(get(8080, 'end'),  qr/FAILED/,  'verify depth 0 - no end');
 
+}
+
 # with verify depth 1 (the default), one signature is
 # expected to be checked, so certificates directly signed
 # by the root cert are allowed, but nothing more
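Review bot: in the first TODO block the two `local $TODO = '...' if ...;` statements are independent, so if both `has_feature('openssl:1.1.0')` and `has_feature('libressl:3.4.0')` evaluated true on the same build, the second assignment silently overrides the first. The LibreSSL message is the more specific one, so the outcome is the intended one, but a one-line comment saying the LibreSSL check is placed last on purpose would document that precedence for the next reader. The tightened `qr/FAILED/` patterns replace rather than add assertions, so the existing `plan(9)` stays correct.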
@@ -160,9 +177,25 @@ like(get(8080, 'end'),  qr/FAILED/,  've
 # so with depth 1 it is possible to validate not only directly signed
 # certificates, but also chains with one intermediate certificate
 
+# LibreSSL 3.4.0+ ignores depth limit as long as verify callback returns 1;
+# fixed in LibreSSL 4.3.0, broken again in master after LibreSSL 4.3.1
+# (as seen on OpenBSD 7.9, with LibreSSL version reported as 4.3.0)
+
 like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root');
 like(get(8081, 'int'),  qr/SUCCESS/, 'verify depth 1 - int');
-like(get(8081, 'end'),  qr/FAI|SUC/, 'verify depth 1 - no end');
+
+TODO: {
+local $TODO = 'off-by-one depth in OpenSSL 1.1.0+'
+	if $t->has_feature('openssl:1.1.0');
+local $TODO = 'ignored depth in LibreSSL 3.4.0+'
+	if $t->has_feature('libressl:3.4.0')
+	and not $t->has_feature('libressl:4.3.0')
+	or $t->has_feature('libressl:4.3.0')
+	and $^O eq 'openbsd';
+
+like(get(8081, 'end'),  qr/FAILED/, 'verify depth 1 - no end');
+
+}
 
 # with verify depth 2 it is also possible to validate up to two signatures,
 # so chains with one intermediate certificate are allowed
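Review bot: the `$TODO` condition mixes `and` and `or` without parentheses; it parses as `(libressl:3.4.0 and not libressl:4.3.0) or (libressl:4.3.0 and $^O eq 'openbsd')`, which matches the comment above it, but explicit parentheses would spare the reader the precedence lookup. Separately, the `$^O eq 'openbsd'` clause marks the test TODO on every OpenBSD build with LibreSSL 4.3.0 or later, including future releases that carry the fix; since the comment ties the regression to master after 4.3.1, consider bounding that clause by the first LibreSSL release known to carry the fix so the assertion is re-enabled there automatically.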

