nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

Tests: compatibility with OpenSSL 3.2.0 #1215

Closed andrey-zelenkov closed 2 months ago

andrey-zelenkov commented 2 months ago

OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates, even self-signed, cannot sign other certificates unless "CA:TRUE" is explicitly set in the basicConstraints extension. As a result, tests attempting this are currently failing.

Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root certificates used in "openssl ca" commands.
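The effect of the missing extension can be reproduced with the `openssl` CLI. This is an added example, not code from this pull request or from Unit's test suite: it builds an X.509v3 self-signed root with and without `CA:TRUE` and checks whether a certificate it issues passes chain verification. The function name, file names and subject names are constructed, and `subjectKeyIdentifier` is used only to force a v3 root on OpenSSL releases older than 3.2.0.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed for the demo.
# Requires the openssl CLI, 1.1.1 or later (for -addext).

# chain_check ROOT_EXT
#   Creates a self-signed root carrying ROOT_EXT, issues a leaf from it, and
#   prints "ok" if `openssl verify` accepts the chain, "rejected" if it does
#   not, or "error" if a certificate could not be generated at all.
chain_check() {
    root_ext=$1
    dir=$(mktemp -d) || { echo error; return; }

    # Minimal config, so the system openssl.cnf cannot add its own v3_ca
    # section (which would set CA:TRUE behind our back).
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' \
        > "$dir/min.cnf"

    if openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
            -config "$dir/min.cnf" -subj '/CN=demo-root' -addext "$root_ext" \
            -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null &&
       openssl req -new -nodes -newkey rsa:2048 \
            -config "$dir/min.cnf" -subj '/CN=demo-leaf' \
            -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
       openssl x509 -req -in "$dir/leaf.csr" -days 1 \
            -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
            -out "$dir/leaf.crt" 2>/dev/null
    then
        # The root is its own trust anchor here; verification still checks
        # that it is allowed to act as a CA.
        if openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null 2>&1
        then result=ok
        else result=rejected
        fi
    else
        result=error
    fi
    rm -rf "$dir"
    echo "$result"
}

# X.509v3 root with no basicConstraints. The subjectKeyIdentifier extension
# only forces version 3 on OpenSSL < 3.2.0; 3.2.0 produces v3 by default.
echo "v3 root, no basicConstraints: $(chain_check 'subjectKeyIdentifier=hash')"
# The same root with the extension this pull request adds.
echo "v3 root, CA:TRUE:             $(chain_check 'basicConstraints=critical,CA:TRUE')"
```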

ac000 commented 2 months ago

Could do with a

Closes: https://github.com/nginx/unit/issues/1202

commit tag...

andrey-zelenkov commented 2 months ago

Rebased and updated commit message:

% git range-diff e4e47795...8923ec76
-:  -------- > 1:  d494d2eb Wasm-wc: Bump the h2 crate from 0.4.2 to 0.4.4
-:  -------- > 2:  e6d8fc66 njs (lowercase) is more preferred way to mention
-:  -------- > 3:  6e79da47 Docs: njs (lowercase) is more preferred way to mention
-:  -------- > 4:  5f606742 Tests: added $request_uri tests with proxy
1:  e4e47795 ! 5:  8923ec76 Tests: compatibility with OpenSSL 3.2.0
    @@ Metadata
      ## Commit message ##
         Tests: compatibility with OpenSSL 3.2.0

    -    OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates,
    -    even self-signed, cannot sign other certificates unless "CA:TRUE" is
    -    explicitly set in the basicConstraints extension. As a result, tests
    -    attempting this are currently failing.
    +    OpenSSL 3.2.0 generates X.509v3 certificates by default. These
    +    certificates, even self-signed, cannot sign other certificates unless
    +    "CA:TRUE" is explicitly set in the basicConstraints extension.
    +    As a result, tests attempting this are currently failing.

         Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root
         certificates used in "openssl ca" commands.

    +    Closes: https://github.com/nginx/unit/issues/1202
    +    Tested-by: Andrew Clayton <a.clayton@nginx.com>
    +    Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
    +
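Review bot: The commit message body names only OpenSSL 3.2.0 and does not say whether the explicit "CA:TRUE" is added unconditionally or only when that version is detected. A sentence after "Fix is to provide ..." stating that the extension is set for every OpenSSL version the tests run against, and that the change is confined to the test certificates, would let a reader judge compatibility with older releases without opening test/unit/applications/tls.py.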
      ## test/unit/applications/tls.py ##
     @@ test/unit/applications/tls.py: subjectAltName = @alt_names
      default_bits = 2048