Opened 4 weeks ago
Closed 3 weeks ago
#2491 closed enhancement (invalid)
ssl_stapling.t test uses multiple certificates
|Reported by:||Owned by:|
|uname -a:||Linux ip-172-31-63-232 5.15.0-1035-aws #39~20.04.1-Ubuntu SMP Wed Apr 19 15:34:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux|
|nginx -V:||nginx version: nginx/1.20.1|
We've been testing nginx integration with AWS-LC and had ran into some issues running OCSP related tests (ssl_stapling & ssl_ocsp) in nginx-tests.
I noticed that the ssl_ocsp.t test used to depend on "multiple server certificate" functionality, but this was fixed in this commit: https://github.com/nginx/nginx-tests/commit/40f0ae0b8c03e7fd1064a79dcb1c08294c0c6edf
The new change makes much more sense and makes testing clearer. I may be misunderstanding some things, but it seems like ssl_stapling.t still seems to be relying on "multiple server certificate" functionality, which makes specific OCSP stapling functionality harder to test. Is it possible to apply the same improvement to ssl_stapling as well?
If there's any error in my judgement, let me know. Thank you.
Change History (1)
comment:1 by , 3 weeks ago
|Status:||new → closed|
The ssl_stapling.t test uses multiple server certificates to verify that OCSP stapling properly works with multiple server certificates: it tests that correct OCSP response is stapled to each server certificate. It is certainly wrong to remove multiple server certificates from the ssl_stapling.t test.
Since AWS-LC is a fork of BoringSSL, it does not support multiple certificates, much like BoringSSL. Normally, nginx tests which require multiple server certificates are disabled for BoringSSL. Unfortunately, AWS-LC identifies itself as
OpenSSL 1.1.1 (compatible; AWS-LC), so nginx tests won't be able to tell that a variant of BoringSSL is used, and won't be able to disable corresponding tests.
If you want to run nginx tests with AWS-LC, consider either providing an identification which clarifies that a fork of BoringSSL is being used, or teach nginx tests to recognize AWS-LC and disable appropriate tests.
Alternatively, configuring nginx with something like
./configure --build=BoringSSL ...should make nginx tests to think that nginx is built with BoringSSL, and might be good enough for your testing.