Package: h2o / 2.2.5+dfsg2-3~bpo9+1

tests-force-TLSv1.2-on-s_client-invocations.patch Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
 
From 752caaf33bf5a752bf2926aa32a1f8851a023fbf Mon Sep 17 00:00:00 2001
From: Apollon Oikonomopoulos <apoikos@debian.org>
Date: Fri, 14 Sep 2018 16:44:34 +0300
Subject: [PATCH] Tests: force TLSv1.2 on s_client invocations

The tests are not ready (yet) to handle TLSv1.3 support in OpenSSL, so
make s_client use TLSv1.2 explicitly.

Note that we could pass -no_tls1_3 instead, but this would break with
older (pre-1.1.1) OpenSSL versions.
---
 t/40memcached-session-resumption.t | 2 +-
 t/40session-ticket.t               | 2 +-
 t/40ssl-cipher-suite.t             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/t/40memcached-session-resumption.t b/t/40memcached-session-resumption.t
index 129affbe..6774bece 100644
--- a/t/40memcached-session-resumption.t
+++ b/t/40memcached-session-resumption.t
@@ -47,7 +47,7 @@ hosts:
         file.dir: @{[ DOC_ROOT ]}
 EOT
             my $lines = do {
-                open my $fh, "-|", "openssl s_client -no_ticket $opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
+                open my $fh, "-|", "openssl s_client -tls1_2 -no_ticket $opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
                     or die "failed to open pipe:$!";
                 local $/;
                 <$fh>;
diff --git a/t/40session-ticket.t b/t/40session-ticket.t
index 2e5d5e4a..e712ef18 100644
--- a/t/40session-ticket.t
+++ b/t/40session-ticket.t
@@ -122,7 +122,7 @@ EOT
 sub test {
     my $lines = do {
         my $cmd_opts = (-e "$tempdir/session" ? "-sess_in $tempdir/session" : "") . " -sess_out $tempdir/session";
-        open my $fh, "-|", "openssl s_client $cmd_opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
+        open my $fh, "-|", "openssl s_client -tls1_2 $cmd_opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
             or die "failed to open pipe:$!";
         local $/;
         <$fh>;
diff --git a/t/40ssl-cipher-suite.t b/t/40ssl-cipher-suite.t
index bda71842..71bdcf53 100644
--- a/t/40ssl-cipher-suite.t
+++ b/t/40ssl-cipher-suite.t
@@ -32,7 +32,7 @@ my ($guard, $pid) = spawn_server(
 );
 
 # connect to the server with AES256-SHA as the first choice, and check that AES128-SHA was selected
-my $log = `openssl s_client -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`;
+my $log = `openssl s_client -tls1_2 -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`;
 like $log, qr/^\s*Cipher\s*:\s*AES128-SHA\s*$/m;
 
 done_testing;
-- 
2.18.0