id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
1257,Some nginx TLS tests started failing with LibreSSL 2.5.3,jirutka@…,,"After we updated LibreSSL from 2.4.4 to 2.5.3 in Alpine Linux, we have noticed that some TLS-related tests in nginx (both 1.10.3 and 1.12.0) started failing. Moreover, most of them fail because nginx accepted a certificate that should be rejected! That’s a pretty bad regression.

We’re not sure if the problem is in LibreSSL, nginx or nginx-tests, so reporting it to both.

People from VoidLinux have reproduced this issue too, on glibc.

{{{
Test Summary Report
-------------------
./h2_ssl_verify_client.t (Wstat: 256 Tests: 5 Failed: 1)
  Failed test: 2
  Non-zero exit status: 1
./mail_imap_ssl.t (Wstat: 512 Tests: 14 Failed: 2)
  Failed tests: 4, 10
  Non-zero exit status: 2
./proxy_bind_transparent.t (Wstat: 512 Tests: 3 Failed: 2)
  Failed tests: 1-2
  Non-zero exit status: 2
./proxy_ssl_certificate.t (Wstat: 256 Tests: 7 Failed: 1)
  Failed test: 2
  Non-zero exit status: 1
./ssl_crl.t (Wstat: 512 Tests: 5 Failed: 2)
  Failed tests: 2-3
  Non-zero exit status: 2
./ssl_verify_client.t (Wstat: 512 Tests: 12 Failed: 2)
  Failed tests: 4-5
  Non-zero exit status: 2
./ssl_verify_depth.t (Wstat: 256 Tests: 4 Failed: 1)
  Failed test: 2
  Non-zero exit status: 1
./stream_proxy_ssl_certificate.t (Wstat: 256 Tests: 7 Failed: 1)
  Failed test: 2
  Non-zero exit status: 1
./stream_ssl_verify_client.t (Wstat: 512 Tests: 12 Failed: 2)
  Failed tests: 3, 5
  Non-zero exit status: 2
Files=290, Tests=3628, 300 wallclock secs ( 1.91 usr 0.46 sys + 54.82 cusr 9.07 csys = 66.26 CPU)
}}}

Complete log: http://tpaste.us/Ynw6",defect,closed,critical,,nginx-core,,invalid,libressl tls security,ncopa@…,,"nginx version: nginx/1.10.3
built with LibreSSL 2.5.3
TLS SNI support enabled
configure arguments: --prefix=/var/lib/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --lock-path=/run/nginx/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-threads --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_realip_module --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module"