Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

btest/x509_verify: Drop OpenSSL 1.0 hack

Browse source 
We do not have a distro in CI anymore that ships OpenSSL 1.0,
drop the hack.
This commit is contained in:
Arne Welzel 2025-02-03 14:12:18 +01:00
parent bb2e20d353
commit ad370c0c37
3 changed files with 2 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

0
testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 → testing/btest/Baseline/bifs.x509_verify/out
View file

8
testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
View file

@ -1,8 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
Validation result: certificate has expired
Validation result: ok
Resulting chain:
Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

13
testing/btest/bifs/x509_verify.zeek
View file

@ -1,16 +1,7 @@
# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
#
# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
# This is a hack: the results of OpenSSL 1.1's vs 1.0's
# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
# differ. Word seems to be that OpenSSL 1.1's cert-chain-building
# code is significantly different/rewritten so may be the reason...
# @TEST-EXEC: cp .stdout stdout-openssl-1.0
# @TEST-EXEC: cp .stdout stdout-openssl-1.1
# @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0
# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT >out
# @TEST-EXEC: btest-diff out
@load base/protocols/ssl