[v18.x backport] test: update TLS tests for OpenSSL 3.2 #55101
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Review requested:
|
nodejs-github-bot
added
c++
|
aduh95
force-pushed
the
openssl32-backports
branch
from
b14e997
to
6d97f00
Compare
For me, with |
|
https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/66/nodes=ubuntu2204_sharedlibs_openssl32_x64/ passed with the branch for this PR. (except for flaky |
github-actions
bot
removed
the
request-ci
|
In the end, there were no conflicts to solve (just a few lint errors to address). Should I close this PR and mark the other PRs with
lts-watch-v18.x
|
Report the version of OpenSSL that Node.js is running with instead of the version of OpenSSL that Node.js was compiled against. PR-URL: nodejs#53456 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Update the following TLS tests to account for error code changes in OpenSSL 3.2 and later. - `parallel/test-tls-empty-sni-context` - `parallel/test-tls-psk-circuit` PR-URL: nodejs#53384 Refs: nodejs#53382 Refs: openssl/openssl#19950 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Update `common.hasOpenSSL3*` to check against the run-time version of OpenSSL instead of the version of OpenSSL that Node.js was compiled against. Add a generalized `common.hasOpenSSL()` so we do not need to keep adding new checks for each new major/minor of OpenSSL. PR-URL: nodejs#53456 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Update tests to allow for a slight change to the TLS trace messages starting from OpenSSL 3.2. Refs: openssl/openssl@45aac10 PR-URL: nodejs#53229 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Use `asset.strictEqual()` and `asset.deepStrictEqual()` in `test/parallel/test-tls-set-sigalgs.js`. PR-URL: nodejs#54208 Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com> Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Refs: nodejs#53382 Refs: nodejs#53384 Same change as in 53384 where OpenSSL32 returns a slightly different error but for a different test. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54610 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Update `parallel/test-tls-set-sigalgs` to account for error code changes in OpenSSL 3.2 and later. PR-URL: nodejs#54612 Refs: nodejs#53384 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Refs: nodejs#44498 Refs: nodejs#53382 Key sizes were increased to 2048 in PR 44498 including the configuration file for the generation of ca2-cert.pem. However, it seems like updating ca2-cert.pem and related files themselves were missed as they were not updated in the PR and the ca2-cert.pem reported as being associated with a 1024 bit key. I believe that was the cause of some of the failures mentioned in nodejs#53382 as OpenSSL 3.2 increased the default security level from 1 to 2 and that would mean that certificates associated with keys of 1024 bits would no longer be accepted. This PR updates the key size for ca2-cert.pem. It was not necessary to change the config, only run the generation for the ca2-cert.pem and related files. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54599 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: nodejs#53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Create larter 3072 dh key needed for testing and adjust tests to use it for builds with OpenSSL32 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54739 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: nodejs#53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Adjust test to use larger 3072 key instead of 1024 when OpenSSL32 is present. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54903 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: nodejs#53382 Looks like test is forcing an error through bad data and the error code we get is different for OpenSSL32. Adjust test to cope with the variation across versions. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54909 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: nodejs#53382 OpenSSL32 returns different error text. Looking through the test it seems like the expected error text has been adjusted for different OpenSSL versions in the past and what the test is testing is not related to the error being returned. Update test to allow for error returned by OpenSSL32 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54926 Refs: nodejs#53382 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
fixes: nodejs#52097 PR-URL: nodejs#52340 Fixes: nodejs#52097 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Fixes: nodejs#53742 PR-URL: nodejs#53774 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Refs: nodejs#53382 This test fails on OpenSSL32 because it complains the key being used is too short. It seems to have been missed when the test suite was udpated to have a Makefile to generate key material as the keys are hard coded in the test as opposed to being read in from the fixtures/key directory. Update the test to use keys/certs from the fixtures directory and to remove newlines at the end of the key and cert to retain the inteded test. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54968 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
Refs: nodejs#53382 This test fails on OpenSSL32 because it complains the key being used is too short. Adjust the key sizes so that they will pass on OpenSSL32 in addition to other OpenSSL3 versions. Since the keys are not public key related I don't think the increase in key size will be too bad in terms of performance so I've just increased versus guarding for OpenSSL32 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54972 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Refs: nodejs#54968 Refs: nodejs#53382 Add additional asserts as suggestd by Richard in: nodejs#54968 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#54997 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Refs: nodejs#53382 The test failed as it was using AES128 which is not supported in OpenSSL32 due to default security level and because some error messages have changed. Adjusted to use AES256 where it made sense and not run tests on OpenSSL32 where test was specific to AES128. Adjust to use the expected error messages based on version. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#55016 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: nodejs#53382 OpenSSL32 does not support AES128 and DH 1024 to update test to use newer algorithms. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#55030 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
As per the original pull request that introduced the OpenSSL version check in `parallel/test-crypto-dh`: ``` Error message change is test-only and uses the right error message for versions >=3.0.12 in 3.0.x and >= 3.1.4 in 3.1.x series. ``` Fix the check so that: - The older message is expected for OpenSSL 3.1.0. - The newer message is expected for OpenSSL from 3.1.4 (e.g. 3.2.x). Refs: nodejs#50395 PR-URL: nodejs#53503 Refs: nodejs#53382 Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Refs: nodejs#53382 TLS spec seems to indicate there should should be a response sent when TLS handshake fails. See https://datatracker.ietf.org/doc/html/rfc8446#page-85 When compiled with OpenSSL32 we see the the following response '15 03 03 00 02 02 16' which decodes as a fatal (0x02) TLS error alert number 22 (0x16). which corresponds to TLS1_AD_RECORD_OVERFLOW which matches the error we see if NODE_DEBUG is turned on once you get through the define aliases. If there is a response from the server the test used to hang because the end event will not be emitted until after the response is consumed. This PR fixes the test so it consumes the response. Some earlier OpenSSL versions did not seem to send a response but the error handling seems to have been re-written/improved in OpenSSL32. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: nodejs#55089 Refs: nodejs#52482 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Jithil P Ponnan <jithil@outlook.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
richardlau
force-pushed
the
openssl32-backports
branch
from
6d97f00
to
ac3a390
Compare
I was flitting between just cherry-picking the commits across (due to no conflicts to solve) vs landing the backport PR (minor lint issues) -- in the end I decided to just cherry pick. This has had the side effect of merging this PR, as I'd pushed to this PR to rebase it to pick up 627d399 and since the commit hashes lined up GH decided this PR was merged. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We should add #55089 as well.EDIT: that's done!The only test that's still failing for me is
test-tls-multi-key(on v20.x and v18.x) with the following stack: