Newsgroups: php.internals
Date: Thu, 23 Mar 2017 02:19:05 +0000
From: ab@php.net (Anatol Belski)
To: Jakub Zelenka, PHP internals list
Subject: OpenSSL 1.1 test keys

Hi Jakub,

While working on the OpenSSL 1.1 integration, I've stumbled over this issue with the sni server test ext/openssl/tests/sni_server.phpt, which fails with

    error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

I debugged through it and in the end it turns out that likely the test CA might not be compatible with the latest OpenSSL, at least with the vanilla build with the default options. I use the default OpenSSL build with static engines, as usual. It excludes quite some weak functionality, so I guess we've no actual bug. Please also see the checks I made with the console tool:

    C:\php-sdk\php71\vc14\x64\php-src
    $ openssl version
    OpenSSL 1.0.2k 26 Jan 2017

    C:\php-sdk\php71\vc14\x64\php-src
    $ openssl.exe verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
    ext\openssl\tests\sni_server_domain1.pem: OK

On master with OpenSSL 1.1, however, it seems the CA is invalid:

    C:\php-sdk\phpmaster\vc15\x64\php-src
    $ openssl version
    OpenSSL 1.1.0e 16 Feb 2017

    C:\php-sdk\phpmaster\vc15\x64\php-src
    $ openssl verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
    C = US, ST = SC, L = Myrtle Beach, O = php.tests subordinate, CN = php.tests.subordinate
    error 24 at 1 depth lookup: invalid CA certificate
    error ext\openssl\tests\sni_server_domain1.pem: verification failed

As mentioned, there's likely no bug, but I think it would not be bad to double-check this test. A fix for it could be to just produce other keys and a CA with stronger dependency. I currently added a skip to the aforementioned test in master, mainly as I'm about to switch AppVeyor to newer deps and vc15 and the test was producing failures all the time. Also not sure which OpenSSL version Travis runs currently, but I had this test failing on Linux with the vanilla OpenSSL 1.1 build as well.

Thanks

Anatol
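
Added example, not part of the original message and not taken from php-src: a constructed throwaway chain (root, subordinate, leaf) showing one condition under which a current OpenSSL command-line tool reports "invalid CA certificate" at depth 1, namely a subordinate whose basicConstraints is not CA:TRUE, and that regenerating it with CA:TRUE makes the same verify call pass. That this is the condition affecting sni_server_ca.pem is an assumption the message does not establish; all names and files below are made up.

```shell
#!/bin/sh
# Constructed chain for illustration only; nothing here comes from php-src.

# build_and_verify TRUE|FALSE
# Builds root -> subordinate -> leaf with the subordinate's basicConstraints
# CA flag set as given, verifies the leaf against a CAfile that holds the root
# and the subordinate, and prints OK, INVALID_CA or OTHER.
build_and_verify() {
    d=$(mktemp -d) || return 1
    cat > "$d/cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
[sub_ext]
basicConstraints = critical,CA:$1
EOF
    for n in root sub leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null
    done
    # Self-signed root that is a proper CA.
    openssl req -x509 -new -key "$d/root.key" -subj "/CN=constructed root" \
        -days 30 -config "$d/cnf" -extensions root_ext -out "$d/root.pem" 2>/dev/null
    # Subordinate signed by the root; its CA flag is the variable under test.
    openssl req -new -key "$d/sub.key" -subj "/CN=constructed subordinate" \
        -config "$d/cnf" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/cnf" -extensions sub_ext \
        -out "$d/sub.pem" 2>/dev/null
    # Leaf signed by the subordinate.
    openssl req -new -key "$d/leaf.key" -subj "/CN=constructed.leaf.test" \
        -config "$d/cnf" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/root.pem" "$d/sub.pem" > "$d/ca_bundle.pem"
    # A failed verify exits non-zero; keep going so the result can be classified.
    out=$(openssl verify -CAfile "$d/ca_bundle.pem" "$d/leaf.pem" 2>&1) || true
    rm -rf "$d"
    case "$out" in
        *"invalid CA certificate"*) echo INVALID_CA ;;
        *": OK"*)                   echo OK ;;
        *)                          echo OTHER ;;
    esac
}

echo "subordinate with CA:FALSE -> $(build_and_verify FALSE)"
echo "subordinate with CA:TRUE  -> $(build_and_verify TRUE)"
```

To check an existing certificate for the same property, `openssl x509 -in <file> -noout -text` lists its X509v3 Basic Constraints.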