Closed michal-josef-spacek closed 3 years ago
Thanks for the input, but ... :)
The certificates including the *.p12 are created by certs/create-cert.pl. I've added the option -descert
to the p12 creation, so that it hopefully should work with OpenSSL versions from 0.9.8 until 3.0. The p12 you've provided did not work with 0.9.8.
Should be fixed in b410f80
@noxxi I understand your point, thank you for response. There will be algorithms which will be disabled in future and still we need them for backward compatibility. I am proposing to write tests in way, where i could disable group of functionalities. e.g. groups by algorithm which are in openssl 0.9.8 and not possible use in openssl 3.0.0. It's a matter for thought.
FYI: I am fixing packaging of this module for Fedora and RHEL and there are changes in policies between releases. Or there are changes in policy by some tool (e.g. crypto policy and enabling of FIPS).
I am proposing to write tests in way, ...
Tests are already written in this way where it was needed in the past, since different versions and installations of OpenSSL come with different SSL/TLS protocol support. In theory one could create the p12 files on demand while testing and thus make the tests more robust. In practice though this requires the openssl pkcs12
tool to be available which cannot be guaranteed, which adds another dependency and which if available might even be linked to a different version of OpenSSL. Therefore the current solution results in the best robustness I could come up with a reasonable effort.
@noxxi Great, thank you very much :-)
After update: