Tests failing with LibreSSL 4.1.0
Maxim Dounin
mdounin at mdounin.ru
Tue Jul 8 20:50:53 UTC 2025
Hello!

On Tue, Jul 08, 2025 at 06:43:46PM +0200, Christoph Liebender via nginx wrote:
> Hello,
>
> I am the maintainer of the somewhat niche Arch Linux PKGBUILD of
> freenginx-libressl [1], and the upgrade to 1.29.0 causes tests to fail when
> built against LibreSSL 4.1.0:
>
> ===( 5030;59 3/11 1/11 4/7 5/8 4/8 0/9 1/8 0/? )===========
> # Failed test 'ssl server name empty'
> # at ./stream_ssl_variables.t line 137.
> # got: undef
> # expected: ''
> ./stream_ssl_realip.t ...................... ok
> ===( 5043;59 3/11 1/11 5/7 5/8 1/9 8/8 0/? )================#
> Looks like you failed 1 test of 8.
> ./stream_ssl_variables.t ................... Dubious, test returned 1 (wstat
> 256, 0x100)
> Failed 1/8 subtests
> ./stream_proxy.t ........................... ok
> ===( 5048;59 3/11 1/11 5/8 3/9 1/12 0/? 0/? 0/? )=========
> # Failed test 'no cert'
> # at ./stream_ssl_verify_client.t line 114.
> # got: undef
> # expected: ''
>
> # Failed test 'bad optional cert'
> # at ./stream_ssl_verify_client.t line 115.
> # got: undef
> # expected: ''
> ===( 5060;59 3/11 1/11 5/8 6/9 9/12 0/8 1/4 0/11 )=======#
> Looks like you failed 2 tests of 12.
> ./stream_ssl_verify_client.t ............... Dubious, test returned 2 (wstat
> 512, 0x200)
> Failed 2/12 subtests
>
> Do these errors tell you anything? I don't have the PKGBUILD for 1.29.0
> committed, but the respective diff only increments the version as well as the
> tests' commit.

All the errors seem to be reported for test cases when an SSL
connection is closed by the server without sending anything.
The client is expected to see a clean connection close, yet
instead an error is returned (hence "undef").

I'm able to reproduce exactly the same errors on Arch Linux with
the previous freenginx mainline version, 1.27.6 (which is exactly the
same as stable 1.28.0).

And I don't see such errors with LibreSSL 4.1.0 either on FreeBSD
or on Alpine Linux.

Further, I observe exactly the same errors on Arch Linux with
freenginx compiled with the OpenSSL library, OpenSSL 3.5.1.

That is, LibreSSL is certainly not the problem here.
And likely it's something in IO::Socket::SSL (2.094) and/or
Net::SSLeay (1.94) and/or OpenSSL 3.5.1 it uses.

Given IO::Socket::SSL changes, I tend to think it's IO::Socket::SSL
(https://metacpan.org/dist/IO-Socket-SSL/changes):

2.094 2025/06/18
- fixed memory leak introduced in 2.092
2.093 2025/06/17
- Another rework for one-sided SSL shutdown, to a) implement a useful and secure
  behavior and b) without affecting existing applications. 2.092 had still
  unwanted side effects
2.092 2025/06/16
- rework implementation and behavior for one-sided SSL shutdown. Implementation
  in 2.091 lead to some problems with Net::FTP and others.
2.091 2025/06/11
- fix behavior on one-sided SSL shutdown. If the application continued
  to read after half-closing the SSL connection this could result in reading
  encrypted data (i.e. close notify, SSL session tickets ...).
  See documentation of stop_SSL for detailed description of handling
  half-closed SSL connections.

Both on FreeBSD and Alpine IO::Socket::SSL is at version 2.089,
which predates all this "one-sided SSL shutdown" hassle.

Quick test with IO::Socket::SSL manually downgraded to 2.089
suggests it's indeed the case: with IO::Socket::SSL 2.089
everything works.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/