test.sh: Fixed renogotiation tests for newer OpenSSL

This commit is contained in:
Gerhard Rieger 2020-10-29 13:38:45 +01:00
parent f2d17f0949
commit f8985bc1ab
2 changed files with 14 additions and 2 deletions

View file

@ -10,6 +10,11 @@ Testing:
OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
OPENSSL_CN_SERVER_SECURITY now tolerate this. OPENSSL_CN_SERVER_SECURITY now tolerate this.
OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
appropriate tests failed.
Fix: use TLSv1.2 for renegotiation tests
Tests: OPENSSLRENEG1 OPENSSLRENEG2
####################### V 1.7.3.4: ####################### V 1.7.3.4:
Corrections: Corrections:

11
test.sh
View file

@ -11238,8 +11238,14 @@ PORT=$((PORT+1))
N=$((N+1)) N=$((N+1))
if type openssl >/dev/null 2>&1; then
OPENSSL_METHOD=$(openssl s_client -help 2>&1 |egrep -o -e '-tls1(_[012])?' |sort -V |tail -n 1)
[ -z "$OPENSSL_METHOD" ] && OPENSSL_METHOD="-tls1" # just so
fi
# socat up to 1.7.1.1 (and 2.0.0-b3) terminated with error when an openssl peer # socat up to 1.7.1.1 (and 2.0.0-b3) terminated with error when an openssl peer
# performed a renegotiation. Test if this is fixed. # performed a renegotiation. Test if this is fixed.
# Note: the renegotiation feature in OpenSSL exists only up to TLSv1.2
NAME=OPENSSLRENEG1 NAME=OPENSSLRENEG1
case "$TESTS" in case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*) *%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*)
@ -11267,7 +11273,7 @@ tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM" da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.crt,key=testsrv.key,verify=0 PIPE" CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.crt,key=testsrv.key,verify=0 PIPE"
#CMD1="openssl s_client -port $PORT -verify 0" # not with openssl 1.1.0g #CMD1="openssl s_client -port $PORT -verify 0" # not with openssl 1.1.0g
CMD1="openssl s_client -port $PORT" CMD1="openssl s_client $OPENSSL_METHOD -port $PORT"
printf "test $F_n $TEST... " $N printf "test $F_n $TEST... " $N
$CMD0 >/dev/null 2>"${te}0" & $CMD0 >/dev/null 2>"${te}0" &
pid0=$! pid0=$!
@ -11298,6 +11304,7 @@ N=$((N+1))
# socat up to 1.7.1.1 (and 2.0.0-b3) terminated with error when an openssl peer # socat up to 1.7.1.1 (and 2.0.0-b3) terminated with error when an openssl peer
# performed a renegotiation. The first temporary fix to this problem might # performed a renegotiation. The first temporary fix to this problem might
# leave socat in a blocking ssl-read state. Test if this has been fixed. # leave socat in a blocking ssl-read state. Test if this has been fixed.
# Note: the renegotiation feature in OpenSSL exists only up to TLSv1.2
NAME=OPENSSLRENEG2 NAME=OPENSSLRENEG2
case "$TESTS" in case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*) *%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*)
@ -11326,7 +11333,7 @@ tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM" da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.crt,key=testsrv.key,verify=0 SYSTEM:\"sleep 1; echo \\\\\\\"\\\"$da\\\"\\\\\\\"; sleep 1\"!!STDIO" CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.crt,key=testsrv.key,verify=0 SYSTEM:\"sleep 1; echo \\\\\\\"\\\"$da\\\"\\\\\\\"; sleep 1\"!!STDIO"
#CMD1="openssl s_client -port $PORT -verify 0" # not with openssl 1.1.0g #CMD1="openssl s_client -port $PORT -verify 0" # not with openssl 1.1.0g
CMD1="openssl s_client -port $PORT" CMD1="openssl s_client $OPENSSL_METHOD -port $PORT"
printf "test $F_n $TEST... " $N printf "test $F_n $TEST... " $N
eval "$CMD0 >/dev/null 2>\"${te}0\" &" eval "$CMD0 >/dev/null 2>\"${te}0\" &"
pid0=$! pid0=$!