Newsgroups: php.internals
Subject: Re: OpenSSL 1.1 test keys
From: bukka@php.net (Jakub Zelenka)
To: Anatol Belski
Cc: PHP internals list
Date: Thu, 23 Mar 2017 20:18:42 +0000

Hi Anatol

On Thu, Mar 23, 2017 at 2:19 AM, Anatol Belski wrote:

> Hi Jakub,
>
> While working on the OpenSSL 1.1 integration, I've stumbled over this
> issue with the sni server test ext/openssl/tests/sni_server.phpt which
> fails with
>
> error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed
>
> I debugged through it and in the end it turns out that likely the test CA
> might not be compatible with the latest OpenSSL, at least with the vanilla
> build with the default options. I use the default OpenSSL build with static
> engines, as usual. It excludes quite some weak functionality, so I guess
> we've no actual bug. Please also see the checks I made with the console
> tool
>
> C:\php-sdk\php71\vc14\x64\php-src
> $ openssl version
> OpenSSL 1.0.2k 26 Jan 2017
>
> C:\php-sdk\php71\vc14\x64\php-src
> $ openssl.exe verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
> ext\openssl\tests\sni_server_domain1.pem: OK
>
> On master with OpenSSL 1.1 however, it seems the CA is invalid
>
> C:\php-sdk\phpmaster\vc15\x64\php-src
> $ openssl version
> OpenSSL 1.1.0e 16 Feb 2017
>
> C:\php-sdk\phpmaster\vc15\x64\php-src
> $ openssl verify -CAfile ext\openssl\tests\sni_server_ca.pem ext\openssl\tests\sni_server_domain1.pem
> C = US, ST = SC, L = Myrtle Beach, O = php.tests subordinate, CN = php.tests.subordinate
> error 24 at 1 depth lookup: invalid CA certificate
> error ext\openssl\tests\sni_server_domain1.pem: verification failed
>
> As mentioned, there's likely no bug, but I think it wouldn't be bad to double
> check this test. A fix to it could be to just produce other keys and a CA
> with stronger dependency. I currently added a skip to the aforementioned
> test in master, mainly as I'm about to switch AppVeyor to newer deps and
> vc15 and the test was producing the failures all the time. Also not sure
> which OpenSSL version Travis runs currently, but I had this test failing on
> Linux with the vanilla OpenSSL 1.1 build as well.

Yep, I have been looking a little bit and it really seems that it is about the
CA cert and OpenSSL 1.1 is a bit more strict about verification of it. IIRC it
was failing on the extension part when I was quickly debugging it. When I check
the purpose using

$ openssl x509 -in sni_server_ca.pem -purpose

then it is visible that the cert is not a server CA, which it should probably
be, but I'm not sure if that's the reason. I think we will need to use a
different cert for that test. I have got it on my todo list so hopefully I will
add something more sensible that works soon unless you want to do it. Until
then the skip is fine ;)

Cheers

Jakub
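The two checks from this thread, reproduced end to end as an added example (not code from the php-src test suite or from either poster): it builds a self-signed CA that lacks CA extensions, which OpenSSL 1.1 and later reject with the same "invalid CA certificate" (error 24) verdict, and beside it a CA carrying basicConstraints and keyUsage that verifies. It assumes `openssl` (1.1 or 3.x) on PATH; every file name is made up and lives in a temp directory.

```shell
#!/usr/bin/env bash
# Added example, not code from the php-src thread. Reproduces the verdict
# Anatol saw ("invalid CA certificate", error 24) with a self-signed CA that
# lacks CA extensions, then builds a CA that OpenSSL 1.1+/3.x accepts.
# Assumes `openssl` is on PATH; every file name here is made up for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Deliberately unquoted below so it splits into separate req options.
EC_KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-signed CA. "bad" gets only a subjectKeyIdentifier, which makes it an
# X.509v3 certificate with neither basicConstraints nor keyUsage, so
# X509_check_ca() does not regard it as a CA (a v1 self-signed root would
# still be tolerated). "good" carries the two extensions a CA needs.
make_ca() {
  local kind="$1" ext="$WORK/$1.ext"
  if [ "$kind" = good ]; then
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$ext"
  else
    printf '%s\n' 'subjectKeyIdentifier=hash' > "$ext"
  fi
  openssl req -new $EC_KEY -subj "/O=php.tests/CN=php.tests $kind CA" \
    -keyout "$WORK/$kind.key" -out "$WORK/$kind.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$kind.csr" -signkey "$WORK/$kind.key" \
    -days 1 -extfile "$ext" -out "$WORK/$kind.pem" 2>/dev/null
}

# Leaf server certificate issued by that CA (the sni_server_domain1 role).
make_leaf() {
  openssl req -new $EC_KEY -subj "/CN=domain1.tests" \
    -keyout "$WORK/leaf_$1.key" -out "$WORK/leaf_$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf_$1.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf_$1.pem" 2>/dev/null
}

# The two checks from the thread: chain verification and the -purpose table.
verify_chain() {        # prints "<leaf>: OK" or the verify error text
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf_$1.pem" 2>&1 || true
}
server_ca_purpose() {   # prints Yes or No for the "SSL server CA" row
  openssl x509 -in "$WORK/$1.pem" -noout -purpose | sed -n 's/^SSL server CA : //p'
}

for kind in bad good; do
  make_ca "$kind"; make_leaf "$kind"
  echo "== $kind CA: SSL server CA = $(server_ca_purpose "$kind")"
  verify_chain "$kind"
done
```

The "bad" branch is the shape of failure the thread describes; regenerating the fixture with the "good" extensions is the fix Jakub's `-purpose` check points at.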