Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/10/20 04:28:06 UTC

Test suite and OpenSSL 1.1.1

On 19.10.2018 at 23:31, Yann Ylavic wrote:
> Could not make the test suite framework work with 1.1.1 (cpan -u didn't help).
> Although the ssl tests report SUCCESS, httpd actually times out on
> SSL_peek() (as already reported).

Indeed I checked my test suite logs and until now all tests only used 
TLS 1.2. But what works for me now with TLS 1.3 is:

- small fix in TestSSLCA.pm (r1844389), otherwise the generated
t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead
of "all" (unless you specify -sslproto explicitly).

- Net::SSLeay 1.86_06 tag from Github 
https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl 
-pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed 
for some new 1.1.1 APIs.

- IO/Socket/SSL.pm recent version 2.060 plus patch 
https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch 
(probably not needed) plus anti-hang patch to call 
Net::SSLeay::CTX_set_post_handshake_auth()

--- IO/Socket/SSL.pm.orig  2018-08-15 18:03:29.000000000 +0000
+++ IO/Socket/SSL.pm       2018-09-19 16:37:46.450281000 +0000
@@ -2594,6 +2594,10 @@
                 "Failed to load key from file (no PEM or DER)");
         }

+        if ($havecert && $havekey && 
Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
+            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
+        }
+
         # replace arg_hash with created context
         $ctx{$host} = $ctx;
      }
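Review bot: as pasted, this hunk will not apply: the if condition was wrapped by the mail client, so the continuation line "Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {" has no leading "+", which patch rejects as malformed (the "@@ -2594,6 +2594,10 @@" counts no longer match the body either); please post the condition on one line or attach the file. Also, the guard tests only the OpenSSL version: with Net::SSLeay 1.85 (seen later in this thread) against OpenSSL 1.1.1, the new call "Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1)" dies with an undefined subroutine, so the condition should additionally include defined(&Net::SSLeay::CTX_set_post_handshake_auth), as TestSSLCA.pm does.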

The PHA patch was stolen from Joe's explanation of the PHA issue.

With this setup, I can see some TLSv1.3 entries in the 
t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.

Regards,

Rainer

Re: Test suite and OpenSSL 1.1.1

Posted by Rainer Jung <ra...@kippdata.de>.
On 20.10.2018 at 13:26, Christophe JAILLET wrote:
> On 20/10/2018 at 11:00, Rainer Jung wrote:
>> On 20.10.2018 at 10:27, Christophe JAILLET wrote:
>>> On 20/10/2018 at 09:56, Rainer Jung wrote:
>>>> On 20.10.2018 at 09:39, Christophe JAILLET wrote:
>>>>> On 20/10/2018 at 06:28, Rainer Jung wrote:
>>>>>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>>>>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>>>>>> didn't help).
>>>>>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>>>>>> SSL_peek() (as already reported).
>>>>>>
>>>>>> Indeed I checked my test suite logs and until now all tests only
>>>>>> used TLS 1.2. But what works for me now with TLS 1.3 is:
>>>>>>
>>>>>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>>>>>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3"
>>>>>> instead of "all" (unless you specify -sslproto explicitly).
>>>>>>
>>>>>>
>>>>> I've just updated the test framework.
>>>>> make clean
>>>>> t/TEST
>>>>> --> ssl.conf rebuilt
>>>>>
>>>>> But I still have:
>>>>>     SSLProtocol all -TLSv1.3
>>>>
>>>> I didn't manage to rebuild ssl.conf using make, but what I did to 
>>>> rebuild was a "t/TEST -v -configure" and to make sure I removed the 
>>>> ssl.conf file before running that command. This resulted in a new 
>>>> file with "all" in it.
>>>>
>>>> Please also double-check that TestSSLCA.pm contains the line "use
>>>> Net::SSLeay;".
>>>>
>>>> Does it work with that recipe?
>>>>
>>>> Thanks and regards,
>>
>>> use Net::SSLeay;
>>> is there.
>>>
>>>
>>> Comment added in ssl.conf.in gets reflected in ssl.conf, so it is 
>>> rebuilt.
>>>
>>>
>>> t/TEST -v -configure
>>> [warning] setting ulimit to allow core files
>>> ulimit -c unlimited; /usr/bin/perl 
>>> /home/tititou36/svn_test_framework/t/TEST -v -configure
>>> [warning] cleaning out current configuration
>>> [warning] skipping rebuild of c-modules; run t/TEST -clean to force
>>> [warning] skipping regeneration of SSL CA; run t/TEST -clean to force
>>> make: rien à faire pour « all ».
>>> [warning] reconfiguration done
>>>
>>> But SSLProtocol all -TLSv1.3 is still there.
>>>
>>>
>>> t/TEST -clean
>>> doesn't help either.
>>
>> The check, whether "all" or "all -TLSv1.3" is put into the file, is done
>> in TestSSLCA.pm. The code there checks the following, which you can
>> also check in a test script to see which condition fails:
>>
>> Apache::Test::normalize_vstring(Apache::Test::version()) >=
>> Apache::Test::normalize_vstring("1.1.1")
>>
>> and
>>
>> defined(&Net::SSLeay::CTX_set_post_handshake_auth)
>>
>> The first looks for the OpenSSL version caused by your test framework,
>> the second checks whether Net::SSLeay is current (actually at least
>> developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in
>> the test framework.
>>
>> To check standalone you can use a script like this:
>>
>> === SNIP ===
>>
>> #!/usr/bin/perl
>>
>> use strict;
>> use Net::SSLeay;
>> use IO::Socket::SSL;
>> use Apache::Test;
>> use Apache::TestSSLCA;
>>
>> my $version = Apache::TestSSLCA::version();
>> print "OpenSSL version: $version\n";
>> print "Normalized OpenSSL version: " .
>>     Apache::Test::normalize_vstring($version) . "\n";
>> print "Normalized 1.1.1 version: " .
>>     Apache::Test::normalize_vstring("1.1.1") . "\n";
>> print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
>> print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
>> print "Net::SSLeay::CTX_set_post_handshake_auth available: " .
>>     (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ?
>>         "true" : "false") . "\n";
>> my $tls13 = (Apache::Test::normalize_vstring($version) >=
>>     Apache::Test::normalize_vstring("1.1.1")) &&
>>     defined(&Net::SSLeay::CTX_set_post_handshake_auth);
>> print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";
>>
>> === SNIP ===
>>
>> To run it you must also provide the path to the test framework and, if
>> you have installed the additional modules needed by the framework in
>> some special place, you must also provide this one, both via the "-I" flag:
>>
>> perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl
>>
>> When I run this I get:
>>
>> OpenSSL version: 1.1.1
>> Normalized OpenSSL version: 001001001
>> Normalized 1.1.1 version: 001001001
>> Net::SSLeay::VERSION: 1.86_06
>> IO::Socket::SSL::VERSION: 2.060
>> Net::SSLeay::CTX_set_post_handshake_auth available: true
>> TLSv1.3 support: true
>>
>> Most likely your version of Net::SSLeay is too old.
>>
>> In addition, once the framework detects TLSv1.3 correctly, you also need
>> IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I
>> mentioned at the beginning of this thread.
>>
>> Regards,
>>
>> Rainer
>>
> OpenSSL version: 1.1.1
> Normalized OpenSSL version: 001001001
> Normalized 1.1.1 version: 001001001
> Net::SSLeay::VERSION: 1.85 <-------------
> IO::Socket::SSL::VERSION: 2.060
> Net::SSLeay::CTX_set_post_handshake_auth available: false
> TLSv1.3 support: false <-------------
> 
> When I try to update it using perl -MCPAN -e ..., I get:
> 
> Net::SSLeay is up to date (1.85).
> which is in line with https://metacpan.org/pod/Net::SSLeay
> 
> 
> I will have to wait for cpan to have a more recent version, when 
> released, I guess.
> 
> Thanks for the explanations.

That will be easiest. I downloaded the source tarball from github,
extracted it and then ran from the new directory:

perl Makefile.PL
make
make test
make install

But it might get slightly more complex if you want the install to go 
into some special directory tree instead of into the system perl 
installation.

Regards,

Rainer


Re: Test suite and OpenSSL 1.1.1

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
On 20/10/2018 at 11:00, Rainer Jung wrote:
> On 20.10.2018 at 10:27, Christophe JAILLET wrote:
>> On 20/10/2018 at 09:56, Rainer Jung wrote:
>>> On 20.10.2018 at 09:39, Christophe JAILLET wrote:
>>>> On 20/10/2018 at 06:28, Rainer Jung wrote:
>>>>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>>>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>>>>> didn't help).
>>>>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>>>>> SSL_peek() (as already reported).
>>>>>
>>>>> Indeed I checked my test suite logs and until now all tests only
>>>>> used TLS 1.2. But what works for me now with TLS 1.3 is:
>>>>>
>>>>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>>>>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3"
>>>>> instead of "all" (unless you specify -sslproto explicitly).
>>>>>
>>>>>
>>>> I've just updated the test framework.
>>>> make clean
>>>> t/TEST
>>>> --> ssl.conf rebuilt
>>>>
>>>> But I still have:
>>>>     SSLProtocol all -TLSv1.3
>>>
>>> I didn't manage to rebuild ssl.conf using make, but what I did to 
>>> rebuild was a "t/TEST -v -configure" and to make sure I removed the 
>>> ssl.conf file before running that command. This resulted in a new 
>>> file with "all" in it.
>>>
>> Please also double-check that TestSSLCA.pm contains the line "use
>> Net::SSLeay;".
>>>
>>> Does it work with that recipe?
>>>
>>> Thanks and regards,
>
>> use Net::SSLeay;
>> is there.
>>
>>
>> Comment added in ssl.conf.in gets reflected in ssl.conf, so it is 
>> rebuilt.
>>
>>
>> t/TEST -v -configure
>> [warning] setting ulimit to allow core files
>> ulimit -c unlimited; /usr/bin/perl 
>> /home/tititou36/svn_test_framework/t/TEST -v -configure
>> [warning] cleaning out current configuration
>> [warning] skipping rebuild of c-modules; run t/TEST -clean to force
>> [warning] skipping regeneration of SSL CA; run t/TEST -clean to force
>> make: rien à faire pour « all ».
>> [warning] reconfiguration done
>>
>> But SSLProtocol all -TLSv1.3 is still there.
>>
>>
>> t/TEST -clean
>> doesn't help either.
>
> The check, whether "all" or "all -TLSv1.3" is put into the file, is done
> in TestSSLCA.pm. The code there checks the following, which you can
> also check in a test script to see which condition fails:
>
> Apache::Test::normalize_vstring(Apache::Test::version()) >=
> Apache::Test::normalize_vstring("1.1.1")
>
> and
>
> defined(&Net::SSLeay::CTX_set_post_handshake_auth)
>
> The first looks for the OpenSSL version caused by your test framework,
> the second checks whether Net::SSLeay is current (actually at least
> developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in
> the test framework.
>
> To check standalone you can use a script like this:
>
> === SNIP ===
>
> #!/usr/bin/perl
>
> use strict;
> use Net::SSLeay;
> use IO::Socket::SSL;
> use Apache::Test;
> use Apache::TestSSLCA;
>
> my $version = Apache::TestSSLCA::version();
> print "OpenSSL version: $version\n";
> print "Normalized OpenSSL version: " .
>     Apache::Test::normalize_vstring($version) . "\n";
> print "Normalized 1.1.1 version: " .
>     Apache::Test::normalize_vstring("1.1.1") . "\n";
> print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
> print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
> print "Net::SSLeay::CTX_set_post_handshake_auth available: " .
>     (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ?
>         "true" : "false") . "\n";
> my $tls13 = (Apache::Test::normalize_vstring($version) >=
>     Apache::Test::normalize_vstring("1.1.1")) &&
>     defined(&Net::SSLeay::CTX_set_post_handshake_auth);
> print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";
>
> === SNIP ===
>
> To run it you must also provide the path to the test framework and, if
> you have installed the additional modules needed by the framework in
> some special place, you must also provide this one, both via the "-I" flag:
>
> perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl
>
> When I run this I get:
>
> OpenSSL version: 1.1.1
> Normalized OpenSSL version: 001001001
> Normalized 1.1.1 version: 001001001
> Net::SSLeay::VERSION: 1.86_06
> IO::Socket::SSL::VERSION: 2.060
> Net::SSLeay::CTX_set_post_handshake_auth available: true
> TLSv1.3 support: true
>
> Most likely your version of Net::SSLeay is too old.
>
> In addition, once the framework detects TLSv1.3 correctly, you also need
> IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I
> mentioned at the beginning of this thread.
>
> Regards,
>
> Rainer
>
OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.85 <-------------
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: false
TLSv1.3 support: false <-------------

When I try to update it using perl -MCPAN -e ..., I get:

Net::SSLeay is up to date (1.85).
which is in line with https://metacpan.org/pod/Net::SSLeay


I will have to wait for cpan to have a more recent version, when 
released, I guess.

Thanks for the explanations.

CJ


Re: Test suite and OpenSSL 1.1.1

Posted by Rainer Jung <ra...@kippdata.de>.
On 20.10.2018 at 10:27, Christophe JAILLET wrote:
> On 20/10/2018 at 09:56, Rainer Jung wrote:
>> On 20.10.2018 at 09:39, Christophe JAILLET wrote:
>>> On 20/10/2018 at 06:28, Rainer Jung wrote:
>>>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>>>> didn't help).
>>>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>>>> SSL_peek() (as already reported).
>>>>
>>>> Indeed I checked my test suite logs and until now all tests only
>>>> used TLS 1.2. But what works for me now with TLS 1.3 is:
>>>>
>>>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>>>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3"
>>>> instead of "all" (unless you specify -sslproto explicitly).
>>>>
>>>>
>>> I've just updated the test framework.
>>> make clean
>>> t/TEST
>>> --> ssl.conf rebuilt
>>>
>>> But I still have:
>>>     SSLProtocol all -TLSv1.3
>>
>> I didn't manage to rebuild ssl.conf using make, but what I did to 
>> rebuild was a "t/TEST -v -configure" and to make sure I removed the 
>> ssl.conf file before running that command. This resulted in a new file 
>> with "all" in it.
>>
>> Please also double-check that TestSSLCA.pm contains the line "use
>> Net::SSLeay;".
>>
>> Does it work with that recipe?
>>
>> Thanks and regards,

> use Net::SSLeay;
> is there.
> 
> 
> Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.
> 
> 
> t/TEST -v -configure
> [warning] setting ulimit to allow core files
> ulimit -c unlimited; /usr/bin/perl 
> /home/tititou36/svn_test_framework/t/TEST -v -configure
> [warning] cleaning out current configuration
> [warning] skipping rebuild of c-modules; run t/TEST -clean to force
> [warning] skipping regeneration of SSL CA; run t/TEST -clean to force
> make: rien à faire pour « all ».
> [warning] reconfiguration done
> 
> But SSLProtocol all -TLSv1.3 is still there.
> 
> 
> t/TEST -clean
> doesn't help either.

The check, whether "all" or "all -TLSv1.3" is put into the file, is done
in TestSSLCA.pm. The code there checks the following, which you can also
check in a test script to see which condition fails:

Apache::Test::normalize_vstring(Apache::Test::version()) >=
Apache::Test::normalize_vstring("1.1.1")

and

defined(&Net::SSLeay::CTX_set_post_handshake_auth)

The first looks for the OpenSSL version caused by your test framework,
the second checks whether Net::SSLeay is current (actually at least
developer snapshot 1.86_06). Both are needed to make TLS 1.3 work in the
test framework.

To check standalone you can use a script like this:

=== SNIP ===

#!/usr/bin/perl

use strict;
use Net::SSLeay;
use IO::Socket::SSL;
use Apache::Test;
use Apache::TestSSLCA;

my $version = Apache::TestSSLCA::version();
print "OpenSSL version: $version\n";
print "Normalized OpenSSL version: " .
     Apache::Test::normalize_vstring($version) . "\n";
print "Normalized 1.1.1 version: " .
     Apache::Test::normalize_vstring("1.1.1") . "\n";
print "Net::SSLeay::VERSION: $Net::SSLeay::VERSION\n";
print "IO::Socket::SSL::VERSION: $IO::Socket::SSL::VERSION\n";
print "Net::SSLeay::CTX_set_post_handshake_auth available: " .
     (defined(&Net::SSLeay::CTX_set_post_handshake_auth) ?
         "true" : "false") . "\n";
my $tls13 = (Apache::Test::normalize_vstring($version) >=
     Apache::Test::normalize_vstring("1.1.1")) &&
     defined(&Net::SSLeay::CTX_set_post_handshake_auth);
print "TLSv1.3 support: " . ($tls13 ? "true" : "false") . "\n";

=== SNIP ===

To run it you must also provide the path to the test framework and, if
you have installed the additional modules needed by the framework in some
special place, you must also provide this one, both via the "-I" flag:

perl -I /path/to/bundle/lib/perl5 -I /path/to/Apache-Test/lib test.pl

When I run this I get:

OpenSSL version: 1.1.1
Normalized OpenSSL version: 001001001
Normalized 1.1.1 version: 001001001
Net::SSLeay::VERSION: 1.86_06
IO::Socket::SSL::VERSION: 2.060
Net::SSLeay::CTX_set_post_handshake_auth available: true
TLSv1.3 support: true

Most likely your version of Net::SSLeay is too old.

In addition, once the framework detects TLSv1.3 correctly, you also need
IO::Socket::SSL 2.060 plus the one patch for its SSL.pm that I mentioned
at the beginning of this thread.

Regards,

Rainer
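The two checks described in the message above (the normalized OpenSSL version gate and the probe for CTX_set_post_handshake_auth), together with the client-side PHA toggle from the SSL.pm patch at the start of the thread, as an added Python example that is not part of this thread nor of Apache-Test or IO::Socket::SSL. It assumes that normalize_vstring pads each component to three digits as the "001001001" output shown suggests, and uses the ssl module's post_handshake_auth attribute as the stand-in for the Net::SSLeay binding.

```python
"""TLS 1.3 gating logic from the thread, in Python's ssl module.

Added example, not code from Apache-Test or IO::Socket::SSL. It mirrors the
two checks TestSSLCA.pm combines and the client-side PHA toggle from the
SSL.pm patch; normalize_vstring is an assumed reimplementation that matches
the "001001001" output shown in the thread.
"""
import re
import ssl

# OpenSSL 1.1.1 release as OPENSSL_VERSION_NUMBER, the constant the SSL.pm
# patch compares against.
OPENSSL_1_1_1 = 0x1010100F


def normalize_vstring(version):
    """Zero-pad the first three numeric components: "1.1.1" -> "001001001".

    Assumption: Apache::Test::normalize_vstring pads like this; a patch
    letter ("1.0.2k") is dropped so the results compare as fixed-width
    numbers, which is what the >= in TestSSLCA.pm relies on.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    parts += [0] * (3 - len(parts))
    return "".join("%03d" % p for p in parts)


def tls13_supported(openssl_version, have_pha_api):
    """The TestSSLCA.pm condition: OpenSSL >= 1.1.1 and the PHA binding exists."""
    new_enough = normalize_vstring(openssl_version) >= normalize_vstring("1.1.1")
    return new_enough and bool(have_pha_api)


def ssl_protocol_directive(openssl_version, have_pha_api):
    """What the generated t/conf/ssl/ssl.conf gets when -sslproto is not given."""
    if tls13_supported(openssl_version, have_pha_api):
        return "SSLProtocol all"
    return "SSLProtocol all -TLSv1.3"


def local_pha_api_available():
    """Python counterpart of defined(&Net::SSLeay::CTX_set_post_handshake_auth)."""
    return hasattr(ssl.SSLContext, "post_handshake_auth")


def pha_should_be_enabled(have_cert, have_key, openssl_version_number,
                          have_pha_api):
    """The SSL.pm patch condition plus the defined() guard TestSSLCA.pm uses.

    Only a client that has a certificate to present needs to advertise
    post-handshake authentication; the thread reports httpd timing out in
    SSL_peek() when the test client did not.
    """
    return bool(have_cert and have_key
                and openssl_version_number >= OPENSSL_1_1_1
                and have_pha_api)


def build_client_context(have_cert, have_key,
                         openssl_version_number=ssl.OPENSSL_VERSION_NUMBER):
    """Client SSLContext with PHA switched on under the patch's conditions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if pha_should_be_enabled(have_cert, have_key, openssl_version_number,
                             local_pha_api_available()):
        ctx.post_handshake_auth = True
    return ctx


def local_report():
    """Same fields as the probe script in the thread, for this interpreter."""
    match = re.search(r"(\d+\.\d+\.\d+\w*)", ssl.OPENSSL_VERSION)
    version = match.group(1) if match else "0.0.0"
    have_pha = local_pha_api_available()
    return {
        "OpenSSL version": version,
        "Normalized OpenSSL version": normalize_vstring(version),
        "Normalized 1.1.1 version": normalize_vstring("1.1.1"),
        "PHA API available": have_pha,
        "TLSv1.3 support": tls13_supported(version, have_pha),
        "SSLProtocol": ssl_protocol_directive(version, have_pha),
    }


if __name__ == "__main__":
    for key, value in local_report().items():
        print("%s: %s" % (key, value))
```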

Re: Test suite and OpenSSL 1.1.1

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
On 20/10/2018 at 09:56, Rainer Jung wrote:
> Hi,
>
> On 20.10.2018 at 09:39, Christophe JAILLET wrote:
>> On 20/10/2018 at 06:28, Rainer Jung wrote:
>>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>>> didn't help).
>>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>>> SSL_peek() (as already reported).
>>>
>>> Indeed I checked my test suite logs and until now all tests only
>>> used TLS 1.2. But what works for me now with TLS 1.3 is:
>>>
>>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3"
>>> instead of "all" (unless you specify -sslproto explicitly).
>>>
>>>
>> I've just updated the test framework.
>> make clean
>> t/TEST
>> --> ssl.conf rebuilt
>>
>> But I still have:
>>     SSLProtocol all -TLSv1.3
>
> I didn't manage to rebuild ssl.conf using make, but what I did to 
> rebuild was a "t/TEST -v -configure" and to make sure I removed the 
> ssl.conf file before running that command. This resulted in a new file 
> with "all" in it.
>
> Please also double-check that TestSSLCA.pm contains the line "use
> Net::SSLeay;".
>
> Does it work with that recipe?
>
> Thanks and regards,
>
> Rainer
>
>
use Net::SSLeay;
is there.


Comment added in ssl.conf.in gets reflected in ssl.conf, so it is rebuilt.


t/TEST -v -configure
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl 
/home/tititou36/svn_test_framework/t/TEST -v -configure
[warning] cleaning out current configuration
[warning] skipping rebuild of c-modules; run t/TEST -clean to force
[warning] skipping regeneration of SSL CA; run t/TEST -clean to force
make: rien à faire pour « all ».
[warning] reconfiguration done

But SSLProtocol all -TLSv1.3 is still there.


t/TEST -clean
doesn't help either.


CJ


Re: Test suite and OpenSSL 1.1.1

Posted by Rainer Jung <ra...@kippdata.de>.
Hi,

On 20.10.2018 at 09:39, Christophe JAILLET wrote:
> On 20/10/2018 at 06:28, Rainer Jung wrote:
>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>> didn't help).
>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>> SSL_peek() (as already reported).
>>
>> Indeed I checked my test suite logs and until now all tests only used
>> TLS 1.2. But what works for me now with TLS 1.3 is:
>>
>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead
>> of "all" (unless you specify -sslproto explicitly).
>>
>>
> I've just updated the test framework.
> make clean
> t/TEST
> --> ssl.conf rebuilt
> 
> But I still have:
>     SSLProtocol all -TLSv1.3

I didn't manage to rebuild ssl.conf using make, but what I did to 
rebuild was a "t/TEST -v -configure" and to make sure I removed the 
ssl.conf file before running that command. This resulted in a new file 
with "all" in it.

Please also double-check that TestSSLCA.pm contains the line "use
Net::SSLeay;".

Does it work with that recipe?

Thanks and regards,

Rainer


Re: Test suite and OpenSSL 1.1.1

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
On 20/10/2018 at 06:28, Rainer Jung wrote:
> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>> Could not make the test suite framework work with 1.1.1 (cpan -u
>> didn't help).
>> Although the ssl tests report SUCCESS, httpd actually times out on
>> SSL_peek() (as already reported).
>
> Indeed I checked my test suite logs and until now all tests only used
> TLS 1.2. But what works for me now with TLS 1.3 is:
>
> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead
> of "all" (unless you specify -sslproto explicitly).
>
>
I've just updated the test framework.
make clean
t/TEST
--> ssl.conf rebuilt

But I still have:
    SSLProtocol all -TLSv1.3

CJ

Re: Test suite and OpenSSL 1.1.1

Posted by Rainer Jung <ra...@kippdata.de>.
Plus r1844425 which simplifies TestRequest.pm since IO::Socket::SSL has 
a working getline().

On 20.10.2018 at 09:59, Rainer Jung wrote:
> I now also added r1844396 to allow setting the CA for peer cert 
> verification and used it in echo.t and nttp-like.t to unbreak their ssl 
> testing (r1844397).
> 
> I didn't find more uses of the raw sockets.
> 
> Regards,
> 
> Rainer
> 
> On 20.10.2018 at 08:47, Rainer Jung wrote:
>> To make the raw TLS socket tests work I added r1844393. Both r1844389
>> and r1844393 are part of the /perl/Apache-Test/trunk/ external which
>> gets pulled into our test framework.
>>
>> On 20.10.2018 at 06:28, Rainer Jung wrote:
>>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>>> didn't help).
>>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>>> SSL_peek() (as already reported).
>>>
>>> Indeed I checked my test suite logs and until now all tests only used
>>> TLS 1.2. But what works for me now with TLS 1.3 is:
>>>
>>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3"
>>> instead of "all" (unless you specify -sslproto explicitly).
>>>
>>> - Net::SSLeay 1.86_06 tag from Github 
>>> https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl 
>>> -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing 
>>> needed for some new 1.1.1 APIs.
>>>
>>> - IO/Socket/SSL.pm recent version 2.060 plus patch 
>>> https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch 
>>> (probably not needed) plus anti-hang patch to call 
>>> Net::SSLeay::CTX_set_post_handshake_auth()
>>>
>>> --- IO/Socket/SSL.pm.orig  2018-08-15 18:03:29.000000000 +0000
>>> +++ IO/Socket/SSL.pm       2018-09-19 16:37:46.450281000 +0000
>>> @@ -2594,6 +2594,10 @@
>>>                  "Failed to load key from file (no PEM or DER)");
>>>          }
>>>
>>> +        if ($havecert && $havekey && 
>>> Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
>>> +            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
>>> +        }
>>> +
>>>          # replace arg_hash with created context
>>>          $ctx{$host} = $ctx;
>>>       }
>>>
>>> The PHA patch was stolen from Joe's explanation of the PHA issue.
>>>
>>> With this setup, I can see some TLSv1.3 entries in the 
>>> t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.
>>>
>>> Regards,
>>>
>>> Rainer

Re: Test suite and OpenSSL 1.1.1

Posted by Rainer Jung <ra...@kippdata.de>.
I now also added r1844396 to allow setting the CA for peer cert 
verification and used it in echo.t and nttp-like.t to unbreak their ssl 
testing (r1844397).

I didn't find more uses of the raw sockets.

Regards,

Rainer

On 20.10.2018 at 08:47, Rainer Jung wrote:
> To make the raw TLS socket tests work I added r1844393. Both r1844389
> and r1844393 are part of the /perl/Apache-Test/trunk/ external which
> gets pulled into our test framework.
>
> On 20.10.2018 at 06:28, Rainer Jung wrote:
>> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>>> Could not make the test suite framework work with 1.1.1 (cpan -u
>>> didn't help).
>>> Although the ssl tests report SUCCESS, httpd actually times out on
>>> SSL_peek() (as already reported).
>>
>> Indeed I checked my test suite logs and until now all tests only used
>> TLS 1.2. But what works for me now with TLS 1.3 is:
>>
>> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
>> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead
>> of "all" (unless you specify -sslproto explicitly).
>>
>> - Net::SSLeay 1.86_06 tag from Github 
>> https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl 
>> -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed 
>> for some new 1.1.1 APIs.
>>
>> - IO/Socket/SSL.pm recent version 2.060 plus patch 
>> https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch 
>> (probably not needed) plus anti-hang patch to call 
>> Net::SSLeay::CTX_set_post_handshake_auth()
>>
>> --- IO/Socket/SSL.pm.orig  2018-08-15 18:03:29.000000000 +0000
>> +++ IO/Socket/SSL.pm       2018-09-19 16:37:46.450281000 +0000
>> @@ -2594,6 +2594,10 @@
>>                  "Failed to load key from file (no PEM or DER)");
>>          }
>>
>> +        if ($havecert && $havekey && 
>> Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
>> +            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
>> +        }
>> +
>>          # replace arg_hash with created context
>>          $ctx{$host} = $ctx;
>>       }
>>
>> The PHA patch was stolen from Joe's explanation of the PHA issue.
>>
>> With this setup, I can see some TLSv1.3 entries in the 
>> t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.
>>
>> Regards,
>>
>> Rainer

Re: Test suite and OpenSSL 1.1.1

Posted by Rainer Jung <ra...@kippdata.de>.
To make the raw TLS socket tests work I added r1844393. Both r1844389
and r1844393 are part of the /perl/Apache-Test/trunk/ external which 
gets pulled into our test framework.

Regards,

Rainer

On 20.10.2018 at 06:28, Rainer Jung wrote:
> On 19.10.2018 at 23:31, Yann Ylavic wrote:
>> Could not make the test suite framework work with 1.1.1 (cpan -u
>> didn't help).
>> Although the ssl tests report SUCCESS, httpd actually times out on
>> SSL_peek() (as already reported).
>
> Indeed I checked my test suite logs and until now all tests only used
> TLS 1.2. But what works for me now with TLS 1.3 is:
>
> - small fix in TestSSLCA.pm (r1844389), otherwise the generated
> t/conf/ssl/ssl.conf always contains "SSLProtocol all -TLSv1.3" instead
> of "all" (unless you specify -sslproto explicitly).
> 
> - Net::SSLeay 1.86_06 tag from Github 
> https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl 
> -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed 
> for some new 1.1.1 APIs.
> 
> - IO/Socket/SSL.pm recent version 2.060 plus patch 
> https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.patch 
> (probably not needed) plus anti-hang patch to call 
> Net::SSLeay::CTX_set_post_handshake_auth()
> 
> --- IO/Socket/SSL.pm.orig  2018-08-15 18:03:29.000000000 +0000
> +++ IO/Socket/SSL.pm       2018-09-19 16:37:46.450281000 +0000
> @@ -2594,6 +2594,10 @@
>                  "Failed to load key from file (no PEM or DER)");
>          }
> 
> +        if ($havecert && $havekey && 
> Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x1010100f) {
> +            Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1);
> +        }
> +
>          # replace arg_hash with created context
>          $ctx{$host} = $ctx;
>       }
> 
> The PHA patch was stolen from Joe's explanation of the PHA issue.
> 
> With this setup, I can see some TLSv1.3 entries in the 
> t/logs/ssl_request_log. For instance when running t/ssl/varlookup.t.
> 
> Regards,
> 
> Rainer

Re: Test suite and OpenSSL 1.1.1

Posted by Yann Ylavic <yl...@gmail.com>.
On Sat, Oct 20, 2018 at 6:28 AM Rainer Jung <ra...@kippdata.de> wrote:
>
> - Net::SSLeay 1.86_06 tag from Github
> https://github.com/radiator-software/p5-net-ssleay.git. Added "-ldl
> -pthread" to OTHERLDFLAGS in Makefile. It contains the plumbing needed
> for some new 1.1.1 APIs.

With this change (and all the others checked out with test suite),
everything works for me.

(Actually I had to s/1.86_06/1.86/g at several places in p5-net-ssleay
to avoid 'Argument "1.86_06" isn't numeric in numeric lt (<) at
/usr/local/share/perl/5.26.2/IO/Socket/SSL.pm line 94' from test
suite).

Thanks Rainer!

Regards,
Yann.