Merge remote-tracking branch 'origin/topic/awelzel/4035-btest-openssl-sha1-certs'

* origin/topic/awelzel/4035-btest-openssl-sha1-certs: external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 btest/x509_verify: Drop OpenSSL 1.0 hack testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES
2025-10-02 14:48:21 +00:00 · 2025-02-04 09:52:29 +01:00 · 2025-02-04 09:52:29 +01:00 · 280e7acc6e
commit 280e7acc6e
parent 0290a73544 8b645243cb
10 changed files with 38 additions and 29 deletions
--- a/20
+++ b/20
@ -1,3 +1,23 @@
 7.2.0-dev.148 | 2025-02-04 09:52:29 +0100
  * external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 (Arne Welzel, Corelight)
    We already do something similar for OPENSSL_ENABLE_MD5_VERIFY=1
  * btest/x509_verify: Drop OpenSSL 1.0 hack (Arne Welzel, Corelight)
    We do not have a distro in CI anymore that ships OpenSSL 1.0,
    drop the hack.
  * GH-4035: testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES (Arne Welzel, Corelight)
    This reverts the call to update-crypto-policies in the Fedora 41 image
    and instead sets OPENSSL_ENABLE_SHA1_SIGNATURES in the individual tests.
    This allows RHEL 10 or Fedora 41 users to run the tests in question
    without needing to fiddle with system settings.
    Fixes #4035
 7.2.0-dev.144 | 2025-02-04 09:18:25 +0100
  * Add ZAM baseline for new scripts.base.protocols.quic.analyzer-confirmations btest (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.2.0-dev.144
+7.2.0-dev.148
--- a/ci/fedora-41/Dockerfile
+++ b/ci/fedora-41/Dockerfile
@ -2,7 +2,7 @@ FROM fedora:41
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20241115
+ENV DOCKERFILE_VERSION 20250203
 RUN dnf -y install \
    bison \
@ -33,7 +33,3 @@ RUN dnf -y install \
  && dnf clean all && rm -rf /var/cache/dnf
 RUN pip3 install websockets junit2html
 # Required to allow validation of certificates with SHA1 signatures
 # See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
 RUN update-crypto-policies --set FEDORA40
--- a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0
+++ b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0
--- a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
+++ b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
@ -1,8 +0,0 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 Validation result: certificate has expired
 Validation result: ok
 Resulting chain:
 Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
 Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
 Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
 Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
--- a/testing/btest/bifs/x509_verify.zeek
+++ b/testing/btest/bifs/x509_verify.zeek
@ -1,14 +1,7 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
-
+#
-# This is a hack: the results of OpenSSL 1.1's vs 1.0's
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT >out
-# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
+# @TEST-EXEC: btest-diff out
 # differ.  Word seems to be that OpenSSL 1.1's cert-chain-building
 # code is significantly different/rewritten so may be the reason...
 # @TEST-EXEC: cp .stdout stdout-openssl-1.0
 # @TEST-EXEC: cp .stdout stdout-openssl-1.1
 # @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0
@load base/protocols/ssl
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
 #
 # @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
 #
 # @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
 #
 # @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
 # @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@ -25,4 +25,6 @@ BUILD=%(testbase)s/../../../%(build_dir)s
 ZEEK_DNS_FAKE=1
 # Fedora/CentOS/RedHat have MD5 disabled for certificate verification and need setting an environment variable to permit it:
 OPENSSL_ENABLE_MD5_VERIFY=1
 # Fedora/RedHat have SHA1 disabled for certificate verification and need setting an environment variable to permit it:
 OPENSSL_ENABLE_SHA1_SIGNATURES=1
 UBSAN_OPTIONS=print_stacktrace=1