#2491 closed enhancement (invalid)

ssl_stapling.t test uses multiple certificates

Reported by: samuel40791765@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.20.x
Keywords: Cc: samuel40791765@…
uname -a: Linux ip-172-31-63-232 5.15.0-1035-aws #39~20.04.1-Ubuntu SMP Wed Apr 19 15:34:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.20.1

Description

We've been testing nginx integration with AWS-LC and had ran into some issues running OCSP related tests (ssl_stapling & ssl_ocsp) in nginx-tests.
I noticed that the ssl_ocsp.t test used to depend on "multiple server certificate" functionality, but this was fixed in this commit: https://github.com/nginx/nginx-tests/commit/40f0ae0b8c03e7fd1064a79dcb1c08294c0c6edf

The new change makes much more sense and makes testing clearer. I may be misunderstanding some things, but it seems like ssl_stapling.t still seems to be relying on "multiple server certificate" functionality, which makes specific OCSP stapling functionality harder to test. Is it possible to apply the same improvement to ssl_stapling as well?

If there's any error in my judgement, let me know. Thank you.

Change History (1)

comment:1 by Maxim Dounin, 20 months ago

Resolution: invalid
Status: newclosed

The ssl_stapling.t test uses multiple server certificates to verify that OCSP stapling properly works with multiple server certificates: it tests that correct OCSP response is stapled to each server certificate. It is certainly wrong to remove multiple server certificates from the ssl_stapling.t test.

Since AWS-LC is a fork of BoringSSL, it does not support multiple certificates, much like BoringSSL. Normally, nginx tests which require multiple server certificates are disabled for BoringSSL. Unfortunately, AWS-LC identifies itself as OpenSSL 1.1.1 (compatible; AWS-LC), so nginx tests won't be able to tell that a variant of BoringSSL is used, and won't be able to disable corresponding tests.

If you want to run nginx tests with AWS-LC, consider either providing an identification which clarifies that a fork of BoringSSL is being used, or teach nginx tests to recognize AWS-LC and disable appropriate tests.

Alternatively, configuring nginx with something like ./configure --build=BoringSSL ... should make nginx tests to think that nginx is built with BoringSSL, and might be good enough for your testing.

Note: See TracTickets for help on using tickets.