Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2022/03/13 19:49:41 UTC
Re: Running cipher-suite tests without failure
Rainer,
On 2/28/22 10:35, Rainer Jung wrote:
>
> On 28.02.2022 at 15:34, Christopher Schultz wrote:
>> Rainer,
>>
>> On 2/25/22 23:22, Rainer Jung wrote:
>>> I don't get any unit test failures. I set in build.properties:
>>>
>>> test.apr.loc=/path/to/tcnative/lib
>>> test.openssl.path=/path/to/openssl/bin/openssl
>>
>> I have:
>>
>> test.openssl.loc=/home/cschultz/projects/apache/apache-tomcat/openssl-1.1.1/target/bin/openssl
>>
>>
>> I have not set test.apr.loc and use the local system APR library. Here
>> are the effective versions, from my test build-test-suite report:
>>
>> * OpenSSL: OpenSSL 1.1.1 11 Sep 2018
>> * APR: 1.6.5
>>
>> My OpenSSL version is locally-compiled.
>>
>> Here are the testcase failures:
>>
>> Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestCipher
>> Testcase: testOpenSSLCipherAvailability took 0.008 sec
>> FAILED
>> Unavailable cipher suites: IDEA-CBC-SHA+SSLv3 expected:<0> but was:<1>
>>
>> Same failures for NIO, NIO2, and APR (of course, since these tests are
>> not related to the connector-type).
>>
>> Also this:
>>
>> Testsuite:
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
>>
>> Tests run: 85, Failures: 11, Errors: 0, Skipped: 0, Time elapsed:
>> 0.564 sec
>>
>> Error in cipher list
>> 140089009423488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
>> cipher match:../ssl/ssl_lib.c:2564:
>>
>> Error in cipher list
>> 140161019962496:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
>> cipher match:../ssl/ssl_lib.c:2564:
>>
>> [.. many times repeated...]
>>
>>
>> Testcase: testALL took 0.012 sec
>> FAILED
>> Expected 143 ciphers but got 141 for the specification 'ALL'
>> expected:<[SSL_RSA_WITH_IDEA_CBC_SHA, [... lots of additional cipher
>> suites ...]
>>
>> I am missing the following two cipher suites:
>>
>> SSL_RSA_WITH_IDEA_CBC_SHA
>> TLS_RSA_WITH_IDEA_CBC_SHA
>>
>> Is there a way to disable checking for the IDEA cipher suites or do I
>> need to customize my OpenSSL build to include them?
>
> Class TesterOpenSSL.java contains the following snippet:
>
>     String skipCiphers =
>             System.getProperty("tomcat.test.openssl.unimplemented", "");
>     if (!skipCiphers.isEmpty()) {
>         String[] skip = skipCiphers.split(",");
>         for (Cipher c : Cipher.values()) {
>             for (String s : skip) {
>                 if (c.toString().contains(s)) {
>                     unimplemented.add(c);
>                 }
>             }
>         }
>     }
>
> So it seems you can add your own "unimplemented" ciphers as a comma
> separated list to the system property
> "tomcat.test.openssl.unimplemented" when running the unit tests.
>
>
> And build.xml contains
>
> <sysproperty key="tomcat.test.openssl.unimplemented"
> value="${test.openssl.unimplemented}" />
>
> so you can set the system property from the property
> "test.openssl.unimplemented" in build.properties.
>
> You might have to check which form the expected cipher names have.
Amusingly enough, I was watching this fine presentation the other day
and this guy covers this question exactly, around the 17:35 mark:
https://youtu.be/O2wXAldxQWA?t=1056
:)
-chris
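
An added example, not part of the thread or of the Tomcat code base: it applies the matching rule of the quoted snippet (split on commas, substring test) to plain strings, so a candidate value for `test.openssl.unimplemented` can be checked for tokens that match nothing or match too much. The class name, the `matches` helper and all sample values are made up for illustration, and it assumes the names being compared are in the Java-style form seen in the test output.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class UnimplementedTokenCheck {

    // Same rule as the quoted snippet: split on ",", no trimming,
    // then a case-sensitive substring test against each cipher name.
    static Map<String, List<String>> matches(String property, List<String> names) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        if (property.isEmpty()) {
            return result;
        }
        for (String token : property.split(",")) {
            List<String> hit = new ArrayList<>();
            for (String name : names) {
                if (name.contains(token)) {
                    hit.add(name);
                }
            }
            result.put(token, hit);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: the two suites named in the thread plus one
        // unrelated suite, all in the Java-style naming form (assumption).
        List<String> names = List.of(
                "SSL_RSA_WITH_IDEA_CBC_SHA",
                "TLS_RSA_WITH_IDEA_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA");

        // Constructed property values: a short token, an OpenSSL-style name,
        // a value with a space after the comma, a leading comma (which yields
        // an empty token), and a token that is too broad.
        String[] candidates = { "IDEA", "IDEA-CBC-SHA", "AES_256, IDEA", ",IDEA", "CBC" };
        for (String property : candidates) {
            System.out.println("test.openssl.unimplemented=" + property);
            matches(property, names).forEach((token, hit) ->
                    System.out.println("  [" + token + "] -> "
                            + (hit.isEmpty() ? "no match" : hit)));
        }
    }
}
```

Because the test is a plain `contains`, an empty token matches every name and a short token such as `CBC` excludes far more suites than intended, which reduces what the cipher tests actually cover.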