OCSP integrationv2 test with GnuTLS #3207
Conversation
|
Benchmark report |
|
Benchmark report |
|
Benchmark report |
|
Benchmark report |
| S2N_INTEG_TEST=1 \ | ||
| PATH="../../bin":$(LIBCRYPTO_ROOT)/bin:$(PATH) \ | ||
| PATH="$(S2N_ROOT)/bin":"$(S2N_ROOT)/test-deps/gnutls37/bin":"$(LIBCRYPTO_ROOT)/bin":$(PATH) \ |
There was a problem hiding this comment.
nice, relative paths are insidious
tests/integrationv2/providers.py
Outdated
| Signatures.RSA_SHA512: "SIGN-RSA-SHA512", | ||
|
|
||
| # GnuTLS only supports this signature in TLS 1.1 | ||
| # Signatures.RSA_SHA224: "SIGN-RSA-SHA224", |
There was a problem hiding this comment.
Maybe an overall summary comment here about where these came from?
There was a problem hiding this comment.
I added these comments because the other tests were using these signature algorithms. However, the v1 tests don't use them, so I just removed the comments for now: 5f221b0
| ) | ||
|
|
||
| if provider == GnuTLS: | ||
| # GnuTLS fails to validate the certificates. must run test in insecure mode. |
There was a problem hiding this comment.
Yeah, this seems weird, I don't know why Gnutls wouldn't be able to verify our certs. We probably need to at least know why this is the case.
There was a problem hiding this comment.
I get the following errors when running this without the insecure flag:
- issuer in verification was not found or insecure; trying against trust list
- Fatal error: Error in the certificate.
Could this be an issue with self signing? I switched the insecure flag with a --no-ca-verification flag: 10037a4. With this, the tests passed.
Openssl s_client has a setting that’s not enabled by default: -verify_return_error. From the docs:
Return verification errors instead of continuing. This will typically abort the handshake with a fatal error.
I added this flag, and the openssl client also aborted the handshake with the error: Verify return code: 19 (self signed certificate in certificate chain).
Could gnutls just be more strict than openssl by default?
There was a problem hiding this comment.
Okay gnutls not liking self-signed certs makes sense, I prefer the --no-ca-verification flag since it's more specific than 'insecure'.
| ) | ||
|
|
||
| if provider == GnuTLS: | ||
| # GnuTLS fails to validate the certificates. must run test in insecure mode. |
There was a problem hiding this comment.
Yeah, this seems weird, I don't know why Gnutls wouldn't be able to verify our certs. We probably need to at least know why this is the case.
kills the process when the kill marker is found in stdout or stderr
camshaft
force-pushed
the
gnutls-integv2
branch
from
efa04fe to
2c5e04b
Compare
Resolved issues:
resolves #2140
Description of changes:
Added tests to check that s2n clients accept OCSP responses from servers, and that clients accept OCSP responses from an s2n server. Adds a GnuTLS provider that's used in this test.
Additionally added GnutTLS to other existing tests:
Call-outs:
N/A
Testing:
Codebuild test: https://us-west-2.console.aws.amazon.com/codesuite/codebuild/024603541914/projects/SingleIntegrationV2/build/SingleIntegrationV2%3A1e2381bc-a68a-4256-8525-b581bd8757b0
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.