noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Version 2.057 fails tests t/session_ticket.t #72

Closed jmaslak closed 6 years ago

jmaslak commented 6 years ago

I believe commit 111eccde5cc1f42fcaeb544176b05caa4a049c47, "add use of client certificates to t/session_ticket.t", is preventing the most recent version of IO::Socket::SSL from passing tests on my machine. If I revert this one commit, all tests pass.

Let me know what additional debugging information will be useful for you, if any. I'm also glad to test any fixes.

Test output:

$ make test
Skip blib/lib/IO/Socket/SSL/Intercept.pm (unchanged)
Skip blib/lib/IO/Socket/SSL/PublicSuffix.pm (unchanged)
Skip blib/lib/IO/Socket/SSL/Utils.pm (unchanged)
Skip blib/lib/IO/Socket/SSL.pm (unchanged)
Skip blib/lib/IO/Socket/SSL.pod (unchanged)
PERL_DL_NONLAZY=1 "/data/home/jmaslak/perl5/perlbrew/perls/perl-5.28.0/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
t/01loadmodule.t .................. 1/3 # openssl version compiled=0x1010007f linked=0x1010007f -- OpenSSL 1.1.0g  2 Nov 2017
# Net::SSLeay version=1.85
# parent IO::Socket::IP version=0.39
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
t/external/ocsp.t ................. # tcp connect to www.chksum.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# got stapled response as expected
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
t/external/ocsp.t ................. 1/3 # tcp connect to www.bild.de:443 ok
# tcp connect to revoked.grc.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
t/external/ocsp.t ................. ok
t/external/usable_ca.t ............ # found 149 CA certs
# have root CA for www.bild.de in store
# 5 connections to www.bild.de ok
t/external/usable_ca.t ............ 1/21 # have root CA for www.yahoo.com in store
# 5 connections to www.yahoo.com ok
t/external/usable_ca.t ............ 4/21 # have root CA for www.comdirect.de in store
# 5 connections to www.comdirect.de ok
t/external/usable_ca.t ............ 7/21 # have root CA for meine.deutsche-bank.de in store
# 5 connections to meine.deutsche-bank.de ok
t/external/usable_ca.t ............ 10/21 # have root CA for www.twitter.com in store
# 5 connections to www.twitter.com ok
t/external/usable_ca.t ............ 13/21 # have root CA for www.facebook.com in store
# 5 connections to www.facebook.com ok
# fingerprint www.facebook.com matches
# check www.facebook.com against builtin CA store ok
# have root CA for www.live.com in store
# 5 connections to www.live.com ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
t/plain_upgrade_downgrade.t ....... # -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
t/plain_upgrade_downgrade.t ....... 1/15 # server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled without SSLv3 support
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
t/session_ticket.t ................ # listen at 127.0.0.1:45027
# listen at 127.0.0.1:47497
# connect to 0: error: ,SSL connect attempt failed error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate
t/session_ticket.t ................ 1/6
#   Failed test 'no initial session -> no reuse'
#   at t/session_ticket.t line 67.
#          got: undef
#     expected: '0'

#   Failed test 'Can't use an undefined value as a symbol reference at t/session_ticket.t line 68.
# '
#   at ./t/testlib.pl line 39.
# Looks like your test exited with 1 just after 2.
t/session_ticket.t ................ Dubious, test returned 1 (wstat 256, 0x100)
Failed 6/6 subtests
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok

Test Summary Report
-------------------
t/session_ticket.t              (Wstat: 256 Tests: 2 Failed: 2)
  Failed tests:  1-2
  Non-zero exit status: 1
  Parse errors: Bad plan.  You planned 6 tests but ran 2.
Files=38, Tests=796, 74 wallclock secs ( 0.21 usr  0.10 sys +  6.00 cusr  1.04 csys =  7.35 CPU)
Result: FAIL
Failed 1/38 test programs. 2/796 subtests failed.
Makefile:879: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255

noxxi commented 6 years ago

The problem was in the unexpected masking of extKeyUsage of the client certificate by the extKeyUsage of the CA certificate which was introduced with OpenSSL 1.1.0. Test fixed in 2.058.
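
A simplified model of the masking described in the comment above, as an added example that is not code from IO::Socket::SSL or OpenSSL. It assumes that a CA certificate carrying extKeyUsage must itself list the purpose requested for the leaf; the `Cert` type, the function names and the sample certificates are constructed for illustration and are not the certificates used by t/session_ticket.t.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (only the fields needed here)."""
    subject: str
    eku: Optional[FrozenSet[str]] = None  # None: no extKeyUsage extension present

Result = Tuple[bool, Optional[str]]  # (accepted, subject of the rejecting cert)

def permits(cert: Cert, purpose: str) -> bool:
    """No extKeyUsage means unrestricted; otherwise the purpose must be listed."""
    return cert.eku is None or purpose in cert.eku

def check_leaf_only(chain: List[Cert], purpose: str) -> Result:
    """What the test expected (assumption): only the leaf's extKeyUsage counts."""
    leaf = chain[0]
    return (True, None) if permits(leaf, purpose) else (False, leaf.subject)

def check_whole_chain(chain: List[Cert], purpose: str) -> Result:
    """Masking model: every cert that carries extKeyUsage, the CA included,
    must list the purpose, so the CA's extension can veto the leaf's."""
    for cert in chain:  # ordered leaf first, CA last
        if not permits(cert, purpose):
            return (False, cert.subject)
    return (True, None)

# Constructed sample certificates.
CLIENT = Cert("CN=client", frozenset({"clientAuth"}))
CA_SERVER_ONLY = Cert("CN=ca", frozenset({"serverAuth"}))
CA_BOTH = Cert("CN=ca", frozenset({"serverAuth", "clientAuth"}))
CA_NO_EKU = Cert("CN=ca")

if __name__ == "__main__":
    for name, ca in [("CA serverAuth only", CA_SERVER_ONLY),
                     ("CA serverAuth+clientAuth", CA_BOTH),
                     ("CA without extKeyUsage", CA_NO_EKU)]:
        chain = [CLIENT, ca]
        print(name,
              "leaf-only:", check_leaf_only(chain, "clientAuth"),
              "whole-chain:", check_whole_chain(chain, "clientAuth"))
```

In this model the client certificate is valid for clientAuth on its own, and the rejection is attributed to the CA, which is why the failure surfaces on the server side as a certificate-purpose alert rather than as a problem with the leaf.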