noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Update PKCS#12 certificates to version which is ok for OpenSSL 3.0.0 #108

Closed michal-josef-spacek closed 3 years ago

michal-josef-spacek commented 3 years ago

After update:

```
openssl pkcs12 -in server.p12 -info -noout
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
```

```
openssl pkcs12 -in server_enc.p12 -info -noout
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
```

noxxi commented 3 years ago

Thanks for the input, but ... :) The certificates including the *.p12 are created by certs/create-cert.pl. I've added the option -descert to the p12 creation, so that it hopefully should work with OpenSSL versions from 0.9.8 until 3.0. The p12 you've provided did not work with 0.9.8. Should be fixed in b410f80
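
An added example, not part of the thread or of the project's test suite: a shell function that reads `openssl pkcs12 -info -noout` output and flags bags whose encryption OpenSSL 3.0 only offers through its legacy provider. The RC2-40 and 3DES sample outputs are constructed, and treating RC2, RC4 and single DES as legacy (3DES and AES as default) is this example's assumption.

```shell
#!/bin/sh
# Added example: classify the bags listed by `openssl pkcs12 -info -noout`.
# Reads that output on stdin, prints "<bag>: <algorithm> -> default|legacy".
# Exit status is 1 if any bag needs the OpenSSL 3.0 legacy provider.
# Assumption: RC2, RC4 and single DES are legacy; 3DES and AES are not.
p12_classify() {
    awk -F': ' '
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            alg = $2
            sub(/, Iteration.*/, "", alg)   # keep only the cipher description
            legacy = (alg ~ /RC2|RC4/) || (alg ~ /DES/ && alg !~ /TripleDES/)
            if (legacy) bad = 1
            printf "%s: %s -> %s\n", $1, alg, (legacy ? "legacy" : "default")
        }
        END { exit bad + 0 }
    '
}

# Output quoted in the first comment of this thread (PBES2 / AES-256-CBC).
sample_pbes2() { cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

# Constructed sample: certificate bag encrypted with 40-bit RC2.
sample_rc2() { cat <<'EOF'
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: both bags encrypted with 3DES, as -descert requests.
sample_descert() { cat <<'EOF'
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

for sample in sample_pbes2 sample_rc2 sample_descert; do
    echo "== $sample"
    "$sample" | p12_classify || echo "   needs the legacy provider"
done
```

Against a real file, pipe `openssl pkcs12 -in FILE -info -noout` into `p12_classify`; only the two bag lines are parsed, so the MAC lines and the password prompt are ignored.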

michal-josef-spacek commented 3 years ago

@noxxi I understand your point, thank you for the response. There will be algorithms which will be disabled in the future and we still need them for backward compatibility. I am proposing to write tests in a way where I could disable groups of functionality, e.g. groups by algorithm which are in OpenSSL 0.9.8 and not possible to use in OpenSSL 3.0.0. It's a matter for thought.

FYI: I am fixing packaging of this module for Fedora and RHEL and there are changes in policies between releases. Or there are changes in policy by some tool (e.g. crypto policy and enabling of FIPS).

noxxi commented 3 years ago

> I am proposing to write tests in a way, ...

Tests are already written in this way where it was needed in the past, since different versions and installations of OpenSSL come with different SSL/TLS protocol support. In theory one could create the p12 files on demand while testing and thus make the tests more robust. In practice, though, this requires the openssl pkcs12 tool to be available, which cannot be guaranteed, which adds another dependency, and which, if available, might even be linked to a different version of OpenSSL. Therefore the current solution results in the best robustness I could come up with with reasonable effort.

michal-josef-spacek commented 3 years ago

@noxxi Great, thank you very much :-)