Tests failing with LibreSSL 4.1.0
Maxim Dounin
mdounin at mdounin.ru
Wed Jul 9 03:06:11 UTC 2025
Hello!
On Tue, Jul 08, 2025 at 11:50:53PM +0300, Maxim Dounin wrote:
> Hello!
>
> On Tue, Jul 08, 2025 at 06:43:46PM +0200, Christoph Liebender via nginx wrote:
>
> > Hello,
> >
> > I am the maintainer of the somewhat niche Arch Linux PKGBUILD of
> > freenginx-libressl [1], and the upgrade to 1.29.0 causes tests to fail when
> > built against LibreSSL 4.1.0:
> >
> > ===( 5030;59 3/11 1/11 4/7 5/8 4/8 0/9 1/8 0/? )===========
> > # Failed test 'ssl server name empty'
> > # at ./stream_ssl_variables.t line 137.
> > # got: undef
> > # expected: ''
> > ./stream_ssl_realip.t ...................... ok
> > ===( 5043;59 3/11 1/11 5/7 5/8 1/9 8/8 0/? )================#
> > Looks like you failed 1 test of 8.
> > ./stream_ssl_variables.t ................... Dubious, test returned 1 (wstat
> > 256, 0x100)
> > Failed 1/8 subtests
> > ./stream_proxy.t ........................... ok
> > ===( 5048;59 3/11 1/11 5/8 3/9 1/12 0/? 0/? 0/? )=========
> > # Failed test 'no cert'
> > # at ./stream_ssl_verify_client.t line 114.
> > # got: undef
> > # expected: ''
> >
> > # Failed test 'bad optional cert'
> > # at ./stream_ssl_verify_client.t line 115.
> > # got: undef
> > # expected: ''
> > ===( 5060;59 3/11 1/11 5/8 6/9 9/12 0/8 1/4 0/11 )=======#
> > Looks like you failed 2 tests of 12.
> > ./stream_ssl_verify_client.t ............... Dubious, test returned 2 (wstat
> > 512, 0x200)
> > Failed 2/12 subtests
> >
> > Do these errors tell you anything? I don't have the PKGBUILD for 1.29.0
> > committed, but the respective diff only increments the version as well as the
> > tests' commit.
>
> All the errors seem to be reported for test cases when an SSL
> connection is closed by the server without sending anything.
> The client is expected to see a clean connection close, yet
> instead an error is returned (hence "undef").
>
> I'm able to reproduce exactly the same errors on Arch Linux with
> previous freenginx mainline version, 1.27.6 (which is exactly the
> same as stable 1.28.0).
>
> And I don't see such errors with LibreSSL 4.1.0 either on FreeBSD
> or on Alpine Linux.
>
> Further, I observe exactly the same errors on Arch Linux with
> freenginx compiled with OpenSSL library, OpenSSL 3.5.1.
>
> That is, LibreSSL is certainly not the problem here.
>
> And likely it's something in IO::Socket::SSL (2.094) and/or
> Net::SSLeay (1.94) and/or OpenSSL 3.5.1 it uses.
>
> Given IO::Socket::SSL changes, I tend to think it's IO::Socket::SSL
> (https://metacpan.org/dist/IO-Socket-SSL/changes):
>
> 2.094 2025/06/18
> - fixed memory leak introduced in 2.092
> 2.093 2025/06/17
> - Another rework for one-sided SSL shutdown, to a) implement a useful and secure
> behavior and b) without affecting existing applications. 2.092 had still
> unwanted side effects
> 2.092 2025/06/16
> - rework implementation and behavior for one-sided SSL shutdown. Implementation
> in 2.091 lead to some problems with Net::FTP and others.
> 2.091 2025/06/11
> - fix behavior on one-sided SSL shutdown. If the application continued
> to read after half-closing the SSL connection this could result in reading
> encrypted data (i.e. close notify, SSL session tickets ...).
> See documentation of stop_SSL for detailed description of handling
> half-closed SSL connections.
>
> Both on FreeBSD and Alpine IO::Socket::SSL is at version 2.089,
> which predates all this "one-sided SSL shutdown" hassle.
>
> Quick test with IO::Socket::SSL manually downgraded to 2.089
> suggests it's indeed the case: with IO::Socket::SSL 2.089
> everything works.
For the record:
https://github.com/noxxi/p5-io-socket-ssl/issues/171
--
Maxim Dounin
http://mdounin.ru/