noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

t/external/ocsp.t failing in 2.035 #46

Closed pghmcfc closed 8 years ago

pghmcfc commented 8 years ago
$ make test
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
# openssl version=0x1000208f
# Net::SSLeay version=1.77
# parent IO::Socket::IP version=0.38
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
# tcp connect to www.microsoft.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok

#   Failed test 'did not get expected OCSP response with stapling'
#   at t/external/ocsp.t line 93.
# tcp connect to www.spiegel.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
# tcp connect to revoked.grc.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok

#   Failed test 'expected revoked but connection ok'
#   at t/external/ocsp.t line 128.
# Looks like you failed 2 tests of 3.
t/external/ocsp.t ................. 
Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/3 subtests 
# found 167 CA certs
# have root CA for www.spiegel.de in store
#5 connections to www.spiegel.de ok
# fingerprint www.spiegel.de matches
# check www.spiegel.de against builtin CA store ok
# have root CA for www.yahoo.com in store
#5 connections to www.yahoo.com ok
# fingerprint www.yahoo.com matches
# check www.yahoo.com against builtin CA store ok
# have root CA for www.comdirect.de in store
#5 connections to www.comdirect.de ok
# fingerprint www.comdirect.de matches
# check www.comdirect.de against builtin CA store ok
# have root CA for meine.deutsche-bank.de in store
#5 connections to meine.deutsche-bank.de ok
# fingerprint meine.deutsche-bank.de matches
# check meine.deutsche-bank.de against builtin CA store ok
# have root CA for www.twitter.com in store
#5 connections to www.twitter.com ok
# have root CA for www.facebook.com in store
#5 connections to www.facebook.com ok
# fingerprint www.facebook.com matches
# check www.facebook.com against builtin CA store ok
# have root CA for www.live.com in store
#5 connections to www.live.com ok
# fingerprint www.live.com matches
# check www.live.com against builtin CA store ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
# -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok

Test Summary Report
-------------------
t/external/ocsp.t               (Wstat: 512 Tests: 3 Failed: 2)
  Failed tests:  1, 3
  Non-zero exit status: 2
Files=37, Tests=794, 48 wallclock secs ( 0.09 usr  0.02 sys +  3.28 cusr  0.33 csys =  3.72 CPU)
Result: FAIL
Failed 1/37 test programs. 2/794 subtests failed.
Makefile:791: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255

That's on Fedora Rawhide and I get the same result on the much-older CentOS 6.

noxxi commented 8 years ago

That's actually not a bug in IO::Socket::SSL, but in recent Net::SSLeay (version 1.75+):

# Net::SSLeay version=1.77

The problem is known and a fix will probably be available in a short time. If you need it faster, you can take a patch from the bug report: https://rt.cpan.org/Public/Bug/Display.html?id=116795.

This problem (OCSP does not work) also exists with older versions of IO::Socket::SSL when used with a newer Net::SSLeay. It's only that the test does not fail because it assumes SSL interception because of the certificate mismatch and thus skips the test. 2.035 fixed the expected fingerprints of the certificates so that the tests are no longer skipped and thus can fail.

genehack commented 8 years ago

FWIW, I'm seeing this same test failure with Net::SSLeay 1.78 when trying to install IO::Socket::SSL 2.037.

noxxi commented 8 years ago

I cannot reproduce your problem. Please add the following information so I can try to narrow down the problem and maybe reproduce it: