#2491 closed enhancement (invalid)

ssl_stapling.t test uses multiple certificates

Reported by: samuel40791765@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.20.x
Keywords: Cc: samuel40791765@…
uname -a: Linux ip-172-31-63-232 5.15.0-1035-aws #39~20.04.1-Ubuntu SMP Wed Apr 19 15:34:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.20.1

Description

We've been testing nginx integration with AWS-LC and had run into some issues running OCSP-related tests (ssl_stapling & ssl_ocsp) in nginx-tests.
I noticed that the ssl_ocsp.t test used to depend on "multiple server certificate" functionality, but this was fixed in this commit: https://github.com/nginx/nginx-tests/commit/40f0ae0b8c03e7fd1064a79dcb1c08294c0c6edf

The new change makes much more sense and makes testing clearer. I may be misunderstanding some things, but it seems that ssl_stapling.t is still relying on "multiple server certificate" functionality, which makes specific OCSP stapling functionality harder to test. Is it possible to apply the same improvement to ssl_stapling as well?

If there's any error in my judgement, let me know. Thank you.

Change History (1)

comment:1 by Maxim Dounin, 12 months ago

Resolution: invalid
Status: new → closed

The ssl_stapling.t test uses multiple server certificates to verify that OCSP stapling properly works with multiple server certificates: it tests that the correct OCSP response is stapled to each server certificate. It is certainly wrong to remove multiple server certificates from the ssl_stapling.t test.

Since AWS-LC is a fork of BoringSSL, it does not support multiple certificates, much like BoringSSL. Normally, nginx tests which require multiple server certificates are disabled for BoringSSL. Unfortunately, AWS-LC identifies itself as OpenSSL 1.1.1 (compatible; AWS-LC), so nginx tests won't be able to tell that a variant of BoringSSL is used, and won't be able to disable corresponding tests.

If you want to run nginx tests with AWS-LC, consider either providing an identification which clarifies that a fork of BoringSSL is being used, or teaching nginx tests to recognize AWS-LC and disable the appropriate tests.

Alternatively, configuring nginx with something like ./configure --build=BoringSSL ... should make nginx tests think that nginx is built with BoringSSL, and might be good enough for your testing.
