Fix test_ssl_handshake() and test_ssl_alpn_negotiate() failures with OpenSSL
1.1.1i+.

OpenSSL 1.1.1i changed behavior when verifying certificates with an unknown CA
[1][2]. Now verification continues if the user callback does not consider an
unknown CA an error. The change causes ssl_server_cert_cb_expect_failures() to
be called one more time with failures = 0, which results in
REPORT_TEST_SUITE_ERROR().

To fix the problem, change the way cert failures are handled. Switch ssl tests
to a new cert callback that logs its every invocation into a string with the
following format:

  cert_cb: failures = ..., cert = (CN=..., depth=...)
  cert_cb: failures = ..., cert = (CN=..., depth=...)
  [...]

This approach has the following advantages:
1. being explicit,
2. being able to detect changes in how the callbacks are called,
3. understandable error messages, and
4. easier debugging of the related failures.

Add expectations for OpenSSL 1.1.1i+ in test_ssl_handshake() and
test_ssl_alpn_negotiate() tests.

test_ssl_renegotiate() revealed a historical difference in certificate
verification behavior between OpenSSL 1.0.2 and OpenSSL 1.1.0. Unfortunately,
the true reasons for the difference are unknown.

[1] https://github.com/openssl/openssl/issues/11297
[2] https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58

Patch by: Denis Kovalchuk <denis.kovalchuk{_AT_}visualsvn.com>

* test/test_ssl.c
  (format_cert_failures): New.
  (ssl_server_cert_cb_log): New. Logs failures and cert info into a string log.
  (test_ssl_handshake): Use ssl_server_cert_cb_log and add expectation for
                        OpenSSL 1.1.1i+.
  (test_ssl_alpn_negotiate): Use ssl_server_cert_cb_log and add expectation for
                             OpenSSL 1.1.1i+.
  (test_ssl_renegotiate): Use ssl_server_cert_cb_log and add expectation for
                          OpenSSL 1.1.0+.
  (chain_rootca_callback_conn_setup,
   chain_callback_conn_setup,
   test_ssl_handshake_nosslv2,
   test_ssl_trust_rootca,
   test_ssl_certificate_chain_with_anchor,
   test_ssl_certificate_chain_all_from_server,
   test_ssl_expired_server_cert,
   test_ssl_future_server_cert,
   test_ssl_revoked_server_cert,
   test_setup_ssltunnel,
   test_ssl_ocsp_response_error_and_override,
   test_ssl_server_cert_with_cn_nul_byte,
   test_ssl_server_cert_with_san_nul_byte,
   test_ssl_server_cert_with_cnsan_nul_byte,
   test_ssl_server_cert_with_san_and_empty_cb): Use ssl_server_cert_cb_log.
  (ssl_server_cert_cb_expect_failures,
   ssl_server_cert_cb_expect_allok,
   ssl_server_cert_cb_log_failures,
   ocsp_response_cb_expect_failures): Removed.

* test/test_serf.h
  (TEST_RESULT_OCSP_CHECK_SUCCESSFUL): Removed.


git-svn-id: https://svn.apache.org/repos/asf/serf/trunk@1901040 13f79535-47bb-0310-9956-ffa450edef68
2 files changed