Thread: SSL tests failing for channel_binding with OpenSSL <= 1.0.1
Hi all,
(Jeff Davis in CC)

As $subject tells, any version of OpenSSL not including X509_get_signature_nid() (version <= 1.0.1) causes the SSL tests to fail. This has been introduced by d6e612f.

We need to do something similar to c3d41cc for the test, as per the attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress both scenarios.

Any objections to this fix?

Thanks,
--
Michael
On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:
> We need to do something similar to c3d41cc for the test, as per the
> attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
> both scenarios.
>
> Any objections to this fix?

Committed as a12c75a1.
--
Michael
Michael Paquier <michael@paquier.xyz> writes:
> On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:
>> We need to do something similar to c3d41cc for the test, as per the
>> attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
>> both scenarios.
>> Any objections to this fix?

> Committed as a12c75a1.

The committed fix looks odd: isn't the number of executed tests the same in both code paths? (I didn't try it yet.)

regards, tom lane
On Mon, 2019-09-30 at 09:37 -0400, Tom Lane wrote:
> Michael Paquier <michael@paquier.xyz> writes:
> > On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:
> > > We need to do something similar to c3d41cc for the test, as per
> > > the
> > > attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to
> > > stress
> > > both scenarios.
> > > Any objections to this fix?
> > Committed as a12c75a1.
>
> The committed fix looks odd: isn't the number of executed tests the
> same in both code paths? (I didn't try it yet.)

test_connect_fails actually runs two tests, one for the failing exit code and one for the error message.

Regards,
Jeff Davis
On Mon, Sep 30, 2019 at 11:08:20AM -0700, Jeff Davis wrote:
> On Mon, 2019-09-30 at 09:37 -0400, Tom Lane wrote:
>> The committed fix looks odd: isn't the number of executed tests the
>> same in both code paths? (I didn't try it yet.)
>
> test_connect_fails actually runs two tests, one for the failing exit
> code and one for the error message.

Yes. The committed code still works as I would expect. With OpenSSL <= 1.0.1, I get 10 tests, and 9 with OpenSSL >= 1.0.2. You can check the difference from test 5 "SCRAM with SSL and channel_binding=require".
--
Michael