httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Failures in SSL tests in test suite
Date Sun, 13 Dec 2009 18:04:12 GMT
On 12.12.2009 18:26, Jeff Trawick wrote:
> On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem <rpluem@apache.org> wrote:
>> Apparently because of the fix in openssl for the TLS renegotiation issue the following
>> failed tests now pop up in our test suite (trunk and 2.2.x the same):
>>
>>
>> Failed Test       Stat Wstat Total Fail  List of Failed
>> -------------------------------------------------------------------------------
>> t/ssl/basicauth.t                3    2  2-3
>> t/ssl/env.t                     30   15  16-30
>> t/ssl/extlookup.t                2    2  1-2
>> t/ssl/fakeauth.t                 3    2  2-3
>> t/ssl/pr12355.t                 10   10  1-10
>> t/ssl/pr43738.t                  4    4  1-4
>> t/ssl/proxy.t                  172   10  3-7 116-120
>> t/ssl/require.t                  5    2  2 5
>> t/ssl/varlookup.t               72   72  1-72
>> t/ssl/verify.t                   3    1  2
>> 4 tests and 2 subtests skipped.
> 
> I picked up almost identical failures on 2.2.14 on OpenSolaris when
> moving to a dev build with 0.9.8l from a dev build with 0.9.8k.  At
> least a few of those testcases mention renegotiation.  As I also
> picked up another failure that didn't seem to be related, I'll try to
> find time to perform before/after testing with just the OpenSSL k->l
> change.
> 
> It would be helpful to end up with some skip-renegotiation option to
> skip such tests.
> 
> Also, when the permanent enable-legacy-renegotiation API is in a
> released OpenSSL version do we expect to provide access to it from the
> config as a means for the admin to confirm that whatever
> server-initiated renegotiation is configured should be allowed?

IMHO yes, because otherwise we block server-driven renegotiation completely
and would force some people to stick with old OpenSSL versions.
Better have them open this problem in a controlled manner than have them
sitting with old OpenSSL versions. Additionally, once we have Hartmut Keil's
patch in we are also safe against splitting attacks and thus have one
important attack vector less.

Regards

Rüdiger
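Two checks that follow from the discussion above, written as an added example; this is not code from the thread, from httpd's test suite or from OpenSSL. The first is the "skip-renegotiation" decision Jeff asks for, keyed on the OpenSSL release the server is built against; it assumes, as a fact outside the thread, that 0.9.8l refuses renegotiation outright while 0.9.8m and later implement the secure-renegotiation extension and the legacy-enable option discussed here. The second parses the "Secure Renegotiation IS supported" / "IS NOT supported" verdict line that `openssl s_client` prints from 0.9.8m on, so an admin who turns the legacy option on can confirm which peers actually need it. The function names and the sample s_client output are constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the thread, httpd or OpenSSL.

# openssl_reneg_mode VERSION: classify an OpenSSL release string.
#   insecure        pre-0.9.8l, renegotiation works but is the unpatched kind
#   disabled        0.9.8l, renegotiation refused outright (the failures above)
#   secure-capable  0.9.8m or later: secure renegotiation plus the legacy
#                   enable option (assumption stated in the lead-in)
openssl_reneg_mode() {
    case "$1" in
        0.9.8l*)                         echo disabled ;;
        0.9.[0-7]*|0.9.8|0.9.8[a-k]*)    echo insecure ;;
        *)                               echo secure-capable ;;
    esac
}

# skip_reneg_tests VERSION: succeed (exit 0) when the server-initiated
# renegotiation test cases cannot pass against this OpenSSL build.
skip_reneg_tests() {
    [ "$(openssl_reneg_mode "$1")" = disabled ]
}

# reneg_status: read `openssl s_client` output on stdin and print
#   secure   peer negotiated the secure-renegotiation extension
#   legacy   handshake completed without it (needs the legacy option)
#   unknown  no verdict line: s_client older than 0.9.8m, or no handshake
reneg_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo secure
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo legacy
    else
        echo unknown
    fi
}

# probe_server HOST PORT: live check; needs network access and an
# s_client new enough to print the verdict line. 'Q' closes the session.
probe_server() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" 2>/dev/null | reneg_status
}

# Constructed sample s_client output (not captured from a real server).
SAMPLE_SECURE='SSL-Session:
    Protocol  : TLSv1
Secure Renegotiation IS supported
---'
SAMPLE_LEGACY='SSL-Session:
    Protocol  : TLSv1
Secure Renegotiation IS NOT supported
---'

# Usage, e.g. from a test harness:
#   skip_reneg_tests "$(openssl version | awk '{print $2}')" && echo "skip t/ssl reneg tests"
#   probe_server www.example.org 443
```

The version check is deliberately coarse (a release-letter comparison), which is all a test-harness skip needs; the s_client parse is the check to run per peer before deciding whether the legacy enable option can be switched off again.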


