generate more certs, and more test coverage using them #24374
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Update of #10747, which was approved by @bnoordhuis and @mhdawson Tests pass locally, lets see what ci thinks: https://ci.nodejs.org/job/node-test-pull-request/18621/ |
|
Mostly passed, some problems with with windows-binary on vs2017... shouldn't be related, but I'm rebuilding. |
danbev
approved these changes
Nov 15, 2018
There was a single problematic Windows host on CI that I just took offline several minutes ago, so you may need to do one more rebuild to get to green. Sorry. |
|
Resume Build: https://ci.nodejs.org/job/node-test-pull-request/18641/ ✅ |
sam-github
force-pushed
the
generate-more-certs
branch
from
401cb33
to
7e5c877
Compare
bnoordhuis
approved these changes
Nov 15, 2018
fhinkel
approved these changes
Nov 16, 2018
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does.
sam-github
force-pushed
the
generate-more-certs
branch
from
7e5c877
to
dcfdfba
Compare
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10 All pem and pfx regenerated from scratch to test that the Makefile is actually working as intended.
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation).
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially.
sam-github
force-pushed
the
generate-more-certs
branch
from
dcfdfba
to
27af1b0
Compare
|
Regenerated certs after |
|
Landed in a569686...13a6798 |
sam-github
added a commit
that referenced
this pull request
Nov 17, 2018
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does. PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
sam-github
added a commit
that referenced
this pull request
Nov 17, 2018
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10 All pem and pfx regenerated from scratch to test that the Makefile is actually working as intended. PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
sam-github
added a commit
that referenced
this pull request
Nov 17, 2018
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation). PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
sam-github
added a commit
that referenced
this pull request
Nov 17, 2018
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially. PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
targos
pushed a commit
that referenced
this pull request
Nov 18, 2018
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does. PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
targos
pushed a commit
that referenced
this pull request
Nov 18, 2018
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10 All pem and pfx regenerated from scratch to test that the Makefile is actually working as intended. PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
targos
pushed a commit
that referenced
this pull request
Nov 18, 2018
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation). PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
This was referenced Dec 8, 2018
|
@sam-github do you think this is worth backporting to |
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 4, 2019
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does. Backport-PR-URL: nodejs#25501 PR-URL: nodejs#24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 4, 2019
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10 All pem and pfx regenerated from scratch to test that the Makefile is actually working as intended. Backport-PR-URL: nodejs#25501 PR-URL: nodejs#24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 4, 2019
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation). Backport-PR-URL: nodejs#25501 PR-URL: nodejs#24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 4, 2019
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially. Backport-PR-URL: nodejs#25501 PR-URL: nodejs#24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
BethGriggs
pushed a commit
that referenced
this pull request
Feb 5, 2019
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation). Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
BethGriggs
pushed a commit
that referenced
this pull request
Feb 5, 2019
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10 All pem and pfx regenerated from scratch to test that the Makefile is actually working as intended. Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
BethGriggs
pushed a commit
that referenced
this pull request
Feb 5, 2019
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does. Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
BethGriggs
pushed a commit
that referenced
this pull request
Feb 5, 2019
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially. Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Merged
rvagg
pushed a commit
that referenced
this pull request
Feb 28, 2019
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation). Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
rvagg
pushed a commit
that referenced
this pull request
Feb 28, 2019
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10 All pem and pfx regenerated from scratch to test that the Makefile is actually working as intended. Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
rvagg
pushed a commit
that referenced
this pull request
Feb 28, 2019
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does. Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
rvagg
pushed a commit
that referenced
this pull request
Feb 28, 2019
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially. Backport-PR-URL: #25501 PR-URL: #24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes