Tests: compatibility with OpenSSL 3.2.0 #1215

Merged: 1 commit, Apr 10, 2024

andrey-zelenkov
Contributor

OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates, even self-signed, cannot sign other certificates unless "CA:TRUE" is explicitly set in the basicConstraints extension. As a result, tests attempting this are currently failing.

Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root certificates used in "openssl ca" commands.

@ac000
Member

ac000 commented Apr 9, 2024

Could do with a

Closes: https://github.com/nginx/unit/issues/1202

commit tag...

@ac000 ac000 linked an issue Apr 9, 2024 that may be closed by this pull request
@ac000 ac000 self-requested a review April 9, 2024 19:30
Member

@ac000 ac000 left a comment

Could do with re-flowing the first paragraph of the commit message, the first line is just a tad long...

Other than that and the missing Closes: tag

Tested-by: Andrew Clayton <[email protected]>
Reviewed-by: Andrew Clayton <[email protected]>

(Tested on the upcoming Fedora 40 with OpenSSL 3.2.1)

OpenSSL 3.2.0 generates X.509v3 certificates by default. These
certificates, even self-signed, cannot sign other certificates unless
"CA:TRUE" is explicitly set in the basicConstraints extension.
As a result, tests attempting this are currently failing.

Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root
certificates used in "openssl ca" commands.

Closes: nginx#1202
Tested-by: Andrew Clayton <[email protected]>
Reviewed-by: Andrew Clayton <[email protected]>
@andrey-zelenkov
Contributor Author

Rebased and updated commit message:

% git range-diff e4e47795...8923ec76
-:  -------- > 1:  d494d2eb Wasm-wc: Bump the h2 crate from 0.4.2 to 0.4.4
-:  -------- > 2:  e6d8fc66 njs (lowercase) is more preferred way to mention
-:  -------- > 3:  6e79da47 Docs: njs (lowercase) is more preferred way to mention
-:  -------- > 4:  5f606742 Tests: added $request_uri tests with proxy
1:  e4e47795 ! 5:  8923ec76 Tests: compatibility with OpenSSL 3.2.0
    @@ Metadata
      ## Commit message ##
         Tests: compatibility with OpenSSL 3.2.0
     
    -    OpenSSL 3.2.0 generates X.509v3 certificates by default. These certificates,
    -    even self-signed, cannot sign other certificates unless "CA:TRUE" is
    -    explicitly set in the basicConstraints extension. As a result, tests
    -    attempting this are currently failing.
    +    OpenSSL 3.2.0 generates X.509v3 certificates by default. These
    +    certificates, even self-signed, cannot sign other certificates unless
    +    "CA:TRUE" is explicitly set in the basicConstraints extension.
    +    As a result, tests attempting this are currently failing.
     
         Fix is to provide "CA:TRUE" in the basicConstraints for self-signed root
         certificates used in "openssl ca" commands.
     
    +    Closes: https://github.com/nginx/unit/issues/1202
    +    Tested-by: Andrew Clayton <[email protected]>
    +    Reviewed-by: Andrew Clayton <[email protected]>
    +
      ## test/unit/applications/tls.py ##
     @@ test/unit/applications/tls.py: subjectAltName = @alt_names
      default_bits = 2048
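
Review bot: the subject line and the first sentence of the commit message name only OpenSSL 3.2.0, while the review above was tested with OpenSSL 3.2.1 and the linked issue title also cites 3.2.1; wording such as "OpenSSL 3.2.0 and later" would make it clear the change is not tied to a single release. The test/unit/applications/tls.py section shows only the unchanged context line "default_bits = 2048", so between the two versions of the commit only the message differs (re-flowed first paragraph plus the Closes, Tested-by and Reviewed-by trailers).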

@andrey-zelenkov andrey-zelenkov merged commit a625a0b into nginx:master Apr 10, 2024
18 checks passed
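
The fix discussed in this pull request, sketched as an added shell example (it is not the code from test/unit/applications/tls.py): a self-signed root is created with "CA:TRUE" in basicConstraints, used with "openssl ca" to issue a leaf, and the chain is verified. The function names, file layout, section names and subject names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; paths, subjects and function names are constructed.
# make_root DIR: set up a CA database and a self-signed root with CA:TRUE.
make_root() {
    dir=$1
    mkdir -p "$dir/certs" && : > "$dir/index.txt" && echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
x509_extensions = root_ext
[ req_dn ]
CN = Constructed Test Root
[ root_ext ]
# Without this line an X.509v3 self-signed root is not treated as a CA.
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = test_ca
[ test_ca ]
new_certs_dir = $dir/certs
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    openssl req -x509 -new -nodes -config "$dir/ca.cnf" -days 1 \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
}

# sign_leaf DIR: issue a leaf with "openssl ca", then verify the chain.
sign_leaf() {
    dir=$1
    openssl req -new -nodes -config "$dir/ca.cnf" -subj "/CN=leaf.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -cert "$dir/root.crt" -keyfile "$dir/root.key" \
        -in "$dir/leaf.csr" -out "$dir/leaf.crt" 2>/dev/null &&
    openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null
}

# is_ca CERT: succeeds only if basicConstraints carries CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Source the file, then run `make_root "$(mktemp -d)"` followed by `sign_leaf` on the same directory; `is_ca` can be pointed at any PEM certificate to check whether it is marked as a CA before it is used for signing.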
Successfully merging this pull request may close these issues.

OpenSSL 3.2.1 breaks TLS related pytests