On 28.02.2022 at 15:34, Christopher Schultz wrote:
Rainer,
On 2/25/22 23:22, Rainer Jung wrote:
I don't get any unit test failures. I set in build.properties:
test.apr.loc=/path/to/tcnative/lib
test.openssl.path=/path/to/openssl/bin/openssl
I have:
test.openssl.loc=/home/cschultz/projects/apache/apache-tomcat/openssl-1.1.1/target/bin/openssl
I have not set test.apr.loc and use the local system APR library. Here
are the effective versions, from my test build-test-suite report:
* OpenSSL: OpenSSL 1.1.1 11 Sep 2018
* APR: 1.6.5
My OpenSSL version is locally-compiled.
Here are the testcase failures:
Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestCipher
Testcase: testOpenSSLCipherAvailability took 0.008 sec
FAILED
Unavailable cipher suites: IDEA-CBC-SHA+SSLv3 expected:<0> but was:<1>
Same failures for NIO, NIO2, and APR (of course, since these tests are
not related to the connector-type).
Also this:
Testsuite:
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
Tests run: 85, Failures: 11, Errors: 0, Skipped: 0, Time elapsed: 0.564 sec
Error in cipher list
140089009423488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:../ssl/ssl_lib.c:2564:
Error in cipher list
140161019962496:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:../ssl/ssl_lib.c:2564:
[.. many times repeated...]
Testcase: testALL took 0.012 sec
FAILED
Expected 143 ciphers but got 141 for the specification 'ALL'
expected:<[SSL_RSA_WITH_IDEA_CBC_SHA, [... lots of additional cipher
suites ...]
I am missing the following two cipher suites:
SSL_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_IDEA_CBC_SHA
Is there a way to disable checking for the IDEA cipher suites or do I
need to customize my OpenSSL build to include them?
Class TesterOpenSSL.java contains the following snippet:
    String skipCiphers =
            System.getProperty("tomcat.test.openssl.unimplemented", "");
    if (!skipCiphers.isEmpty()) {
        String[] skip = skipCiphers.split(",");
        for (Cipher c : Cipher.values()) {
            for (String s : skip) {
                if (c.toString().contains(s)) {
                    unimplemented.add(c);
                }
            }
        }
    }
So it seems you can add your own "unimplemented" ciphers as a comma
separated list to the system property
"tomcat.test.openssl.unimplemented" when running the unit tests.
And build.xml contains
    <sysproperty key="tomcat.test.openssl.unimplemented"
                 value="${test.openssl.unimplemented}" />
so you can set the system property from the property
"test.openssl.unimplemented" in build.properties.
You might have to check which form the expected cipher names have.
Best regards,
Rainer
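
Added example (not part of the original thread and not Tomcat's own code): the filter quoted above from TesterOpenSSL.java, run against a small constructed stand-in for the Cipher enum to show which values of the property actually match. It assumes toString() returns the enum constant name; the class name UnimplementedFilterDemo, the four enum entries and the sample property values are made up for illustration.

```java
import java.util.EnumSet;
import java.util.Set;

public class UnimplementedFilterDemo {

    // Constructed stand-in for Tomcat's Cipher enum (assumption: toString()
    // is the constant name). The two IDEA names are the ones from the thread.
    enum Cipher {
        SSL_RSA_WITH_IDEA_CBC_SHA,
        TLS_RSA_WITH_IDEA_CBC_SHA,
        TLS_RSA_WITH_AES_128_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    }

    // Same matching logic as the quoted snippet: split on ',' and mark every
    // cipher whose name contains one of the tokens. No trimming is done.
    static Set<Cipher> unimplemented(String skipCiphers) {
        Set<Cipher> result = EnumSet.noneOf(Cipher.class);
        if (!skipCiphers.isEmpty()) {
            String[] skip = skipCiphers.split(",");
            for (Cipher c : Cipher.values()) {
                for (String s : skip) {
                    if (c.toString().contains(s)) {
                        result.add(c);
                    }
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        String[] candidates = {
            "IDEA",          // plain substring of the enum-style names
            "IDEA-CBC-SHA",  // OpenSSL-style name as printed by TestCipher
            " IDEA",         // leading space, as after "X, IDEA" in a list
            "IDEA,",         // trailing comma: split() drops the empty tail
            "IDEA,,SEED"     // empty middle token: contains("") is always true
        };
        for (String value : candidates) {
            System.out.println("'" + value + "' -> " + unimplemented(value));
        }
    }
}
```

With this stand-in, only a token that is a literal substring of the enum-style name selects the IDEA entries; the hyphenated OpenSSL form and a token with a leading space select nothing, and an empty token between two commas marks every cipher as unimplemented.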