On 26/04/2020 10:36, Michael Osipov wrote:
> On 2020-04-24 at 18:30, Christopher Schultz wrote:

<snip/>

>> This comes down to algorithms which have been compiled-out of the
>> library, right? So we just need to automatically skip tests which
>> attempt to use those algorithms.

Not entirely. We are affected both by algorithms being removed and
algorithms being added.

>> Unfortunately, the whole point of the unit tests is to make sure we
>> haven't missed anything. In order to both remove unsupported
>> algorithms AND test whether the remaining algorithms are
>> properly-mapped, we need ANOTHER implementation of the mapping, or
>> something similar to cross-check the two.

I think I agree with this. If you mean that somewhere we would need to
maintain a list of algorithms that were supported by the vendor-modified
package then, yes, I agree. The tricky part being that we can't always
identify what is a vendor-modified package.

>> Somewhere, we have a /complete/ list of OpenSSL-specified names that
>> we support.

Ciphers is an enumeration of all the Ciphers OpenSSL supports or has
supported in the past. In TesterOpenSSL we modify that list to remove
Ciphers we know are not supported in the version we are testing.

>> That can easily be dumped somewhere and sorted
>> alphabetically. Then, "openssl ciphers 'ALL'" can be run, sorted, and
>> compared to the sorted list we have.

"ALL" does not return all supported ciphers. Sigh. You need to use
"ALL:eNULL".

>> Anything which isn't in the
>> "openssl ciphers 'ALL'" list can be removed from the list of cipher
>> suites we test.

The problem is, that is how we detected that the list of supported Cipher
suites has changed for a given OpenSSL branch (yes, it can change between
point releases).

>> AIUI, it's possible to individually-remove a cipher suite from the
>> unit tests if it's known to be missing on the platform. We just need
>> to make that process automated, right?
>
> Up to the point! That's exactly the route one should go.

We would need to clearly separate (from memory I don't recall how clear
the separation is right now):

- Tests that compare the ciphers we think a version of OpenSSL supports
  with the ciphers it reports it supports. These only need to run when
  testing with an unmodified OpenSSL from openssl.org.

- Tests that just need to know which ciphers OpenSSL supports and, as
  long as they have the correct list, will always pass.

Mark
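An added example (not Tomcat's TesterOpenSSL code and not from this thread) of the first kind of test Mark lists: parse the output of `openssl ciphers -v 'ALL:eNULL'`, diff it against the list we expect, and pick out the eNULL suites that plain 'ALL' hides. The function names, the expected list and the sample openssl output are this example's own.

```python
"""Cross-check the cipher suites we expect against what the OpenSSL under
test reports: the first kind of test Mark separates out above."""
import subprocess  # used only by query_openssl(), against a real build
# Constructed sample of `openssl ciphers -v 'ALL:eNULL'` output (not captured
# from a real build): name, protocol, Kx, Au, Enc, Mac on each line.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
"""
# Constructed stand-in for the Ciphers enumeration after TesterOpenSSL has
# removed the suites known to be absent from the version under test.
EXPECTED = ["AES128-SHA", "DES-CBC3-SHA",
            "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"]

def parse_cipher_list(output):
    """Map each cipher name in `openssl ciphers -v` output to its Enc= field."""
    suites = {}
    for line in output.splitlines():
        fields = line.split()
        if fields:
            enc = next((f[4:] for f in fields if f.startswith("Enc=")), "")
            suites[fields[0]] = enc
    return suites

def compare_cipher_lists(expected, reported):
    """Return (missing, unexpected), both sorted.
    missing:    in our list but not reported (compiled out by a vendor, or
                dropped in a later point release).
    unexpected: reported but not in our list (added, so the mapping needs
                updating). Either non-empty means list and library disagree."""
    expected, reported = set(expected), set(reported)
    return sorted(expected - reported), sorted(reported - expected)

def null_encryption_suites(suites):
    """Suites that plain 'ALL' omits; only 'ALL:eNULL' lists them."""
    return sorted(name for name, enc in suites.items() if enc == "None")

def query_openssl(openssl="openssl"):
    """Ask a real openssl binary (not run in the offline demo below)."""
    out = subprocess.run([openssl, "ciphers", "-v", "ALL:eNULL"],
                         capture_output=True, text=True, check=True).stdout
    return parse_cipher_list(out)

if __name__ == "__main__":
    reported = parse_cipher_list(SAMPLE_OPENSSL_OUTPUT)
    missing, unexpected = compare_cipher_lists(EXPECTED, reported)
    print("missing from openssl:", missing, "not in our list:", unexpected)
    print("eNULL suites, invisible to plain 'ALL':", null_encryption_suites(reported))
```

Swapping `parse_cipher_list(SAMPLE_OPENSSL_OUTPUT)` for `query_openssl()` turns the demo into the real comparison; a non-empty `missing` or `unexpected` list is exactly the signal that a branch's cipher list moved.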