server icon indicating copy to clipboard operation
server copied to clipboard

Published 20 hours ago verified publisher icon MariaDB

Refine OpenSSL test names and allow more complete OpenSSL version coverage

Open DarrenZhang01 opened this issue 10 months ago • 2 comments

Description

  • Remove "6975" from the OpenSSL test and result file names. "6975" refers to https://jira.mariadb.org/browse/MDEV-6975 about implementing TLS support in general, which is not a bug report. In this case, this is a generic OpenSSL test set, so update the test file names for better clarification.
  • Remove the upper bound of the OpenSSL version check to allow the tests to also run with latest OpenSSL versions given that this is a generic set of OpenSSL tests.
  • Update the tests and result files such that they are compatible with new error messages for OpenSSL 3.2.0 and later versions ("https://github.com/openssl/openssl/commit/81b741f68984").
  • Update the configuration name from "tlsv10" to "sslv3" when SSL cipher used is "SSLv3".

How can this PR be tested?

by running the updated OpenSSL tests.

Basing the PR against the correct MariaDB version

  • [x] This is a bug fix and the PR is based against the earliest maintained branch in which the bug can be reproduced.

PR quality check

Copyright

All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.

DarrenZhang01 avatar Apr 15 '24 21:04 DarrenZhang01

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Apr 15 '24 21:04 CLAassistant

Secondly, this test is known buggy anyway (MDEV-16902).

Yes but nothing has been done for MDEV-16902 in since 2018. Fixing the test now is useful still, right?

Finally I'm not sure I'm comfortable still supporting SSLv3 ciphers as an option.

That can be dropped if you think that supporting older versions is not relevant anymore. The biggest fix here is however cleaning up a OpenSSL 1.1.0 -only test to something that has value and actually runs on any modern system.

As for the PR, it looks like the test was for 1.0.1d - 1.1.0, but now it is open for all current versions. Is that correct? I don't know the history of this test to know why 1.1.0 was the cut-off.

This was discovered while working on #3154. Commit messages and Jira descriptions from MDEV-6975 are thin and thus rewriting the test to something more sensible now is based on best guess. For sure it was stupid to have a test named openssl_6975 and MDEV-6975 is not a bug, but Jira to implement OpenSSL in general. Thus the test should probably test OpenSSL in general, right? If you think such a test is not needed, then the test should be deleted.

ottok avatar Apr 25 '24 05:04 ottok