Test ssl:pkcs11 fails with GnuTLS and enabled support for PKCS#11

Open: Arfrever opened this issue 3 years ago • 1 comment

Neon 0.32.2 + GnuTLS 3.7.3 + PaKChoiS 0.4 fails test ssl:pkcs11: (Gentoo GNU/Linux, x86_64)

uri-tests............. 15/15 passed 
util-tests............  9/ 9 passed 
string-tests.......... 31/32 SKIPPED - strhash_sha_512_256 (SHA-2-512/256 not supported)
string-tests.......... 31/32 passed (1 skipped) 
socket................  8/47 WARNING: reverse lookup for 127.0.0.1 got '...'
socket................ 47/47 passed (1 warning)
session...............  8/ 8 passed 
request............... 92/92 passed 
auth..................  9/21 SKIPPED - digest_sha512_256 (SHA-512/256 not supported)
auth.................. 20/21 passed (1 skipped) 
basic................. 11/11 passed 
stubs.................  1/ 1 passed 
redirect..............  6/ 6 passed 
socket-ssl............  9/48 WARNING: reverse lookup for 127.0.0.1 got '...'
socket-ssl............ 48/48 passed (1 warning)
ssl................... 13/63 WARNING: no friendly name given
ssl................... 62/63 server child failed (pkcs11): SSL accept failed: SSL error: Certificate is required.
ssl................... 62/63 FAIL - pkcs11 (line 277: HTTP error:
Could not read status line: connection was closed by server)
ssl................... 63/63 server child failed (pkcs11_dsa): SSL accept failed: SSL error: Certificate is required.
ssl................... 63/63 XFAIL - pkcs11_dsa (line 277: HTTP error:
Could not read status line: connection was closed by server)
ssl................... 62/63 passed, 1 failed (1 warning)
compress.............. 22/22 passed 
xml...................  5/ 5 passed 
xmlreq................  3/ 3 passed 
oldacl................  4/ 4 passed 
acl3744...............  4/ 4 passed 
props.................  7/ 7 passed 
lock.................. 16/16 passed 
make[1]: *** [Makefile:74: check] Error 1

When using GnuTLS 3.7.3 and support for PKCS#11 is disabled, then test ssl:pkcs11 and another test are skipped:

uri-tests............. 15/15 passed 
util-tests............  9/ 9 passed 
string-tests.......... 31/32 SKIPPED - strhash_sha_512_256 (SHA-2-512/256 not supported)
string-tests.......... 31/32 passed (1 skipped) 
socket................  8/47 WARNING: reverse lookup for 127.0.0.1 got '...'
socket................ 47/47 passed (1 warning)
session...............  8/ 8 passed 
request............... 92/92 passed 
auth..................  9/21 SKIPPED - digest_sha512_256 (SHA-512/256 not supported)
auth.................. 20/21 passed (1 skipped) 
basic................. 11/11 passed 
stubs.................  1/ 1 passed 
redirect..............  6/ 6 passed 
socket-ssl............  9/48 WARNING: reverse lookup for 127.0.0.1 got '...'
socket-ssl............ 48/48 passed (1 warning)
ssl................... 13/63 WARNING: no friendly name given
ssl................... 62/63 SKIPPED - pkcs11 (pakchois library required for PKCS#11 support)
ssl................... 63/63 SKIPPED - pkcs11_dsa (pakchois library required for PKCS#11 support)
ssl................... 61/63 passed (2 skipped) (1 warning)
compress.............. 22/22 passed 
xml...................  5/ 5 passed 
xmlreq................  3/ 3 passed 
oldacl................  4/ 4 passed 
acl3744...............  4/ 4 passed 
props.................  7/ 7 passed 
lock.................. 16/16 passed

When using OpenSSL 1.1.1m + PaKChoiS 0.4, then test ssl:pkcs11 passes:

uri-tests............. 15/15 passed 
util-tests............  9/ 9 passed 
string-tests.......... 32/32 passed 
socket................  8/47 WARNING: reverse lookup for 127.0.0.1 got '...'
socket................ 47/47 passed (1 warning)
session...............  8/ 8 passed 
request............... 92/92 passed 
auth.................. 21/21 passed 
basic................. 11/11 passed 
stubs.................  1/ 1 passed 
redirect..............  6/ 6 passed 
socket-ssl............  9/48 WARNING: reverse lookup for 127.0.0.1 got '...'
socket-ssl............ 22/48 SKIPPED - ssl_session_id (zero-length session ID, cannot test further)
socket-ssl............ 47/48 passed (1 skipped) (1 warning)
ssl................... 63/63 server child failed (pkcs11_dsa): SSL accept failed: SSL error: peer did not return a certificate
ssl................... 63/63 XFAIL - pkcs11_dsa (line 277: HTTP error:
Could not read status line (TLS client certificate was requested): SSL error: tlsv13 alert certificate required)
ssl................... 63/63 passed 
compress.............. 22/22 passed 
xml...................  5/ 5 passed 
xmlreq................  3/ 3 passed 
oldacl................  4/ 4 passed 
acl3744...............  4/ 4 passed 
props.................  7/ 7 passed 
lock.................. 16/16 passed

Arfrever, Feb 01 '22 10:02

I'm aware of this but haven't worked out how to fix it. I recommend using OpenSSL if you need the PKCS#11 API.

notroj, Jul 21 '22 10:07