Fix for OpenSSL 1.1 as suggested by jailletc36.

Fix success/failure checks for OpenSSL 1.1.1.

Handshake failures can also be signalled later during SSL_read(). In these cases SSL_connect seems to succeed and the alert will not become part of the internal response generated by

Reenable ocsp tests for old OpenSSL.

This should work with the fix in 1844309.

Disabling based on OpenSSL version in test framework also wasn't correct. Relevant would be the OpenSSL version of the binary called by the CGI script running in the server.

Missing semicolon (though works without...).
Add 'use Net::SSLeay' required by Net::SSLeay::OPENSSL_VERSION_NUMBER().
Disable OCSP test for OpenSSL < 1.0.2.

Long term one could try to fix the CGI script t/htdocs/modules/cgi/ Currently the script passes the OCSP request to openssl via "-reqin -" which is not supported in OpenSSL before 1.0.2.

The script could instead read the data, place it in a temp file and let OpenSSL use the temp

For now we simply disable the test for the old OpenSSL versions.

Revert r1832567, r1843476, r1843478

Restore jorton's detection from r1831398, and portably redirect stderr to capture and evaluate the available command list, from either stdout (1.1.0 and later) or stderr (1.0.2 and prior).

Better method... just check return status

Use this cli command

Only run OCSP test for >= 2.4.26.

Send stderr to bitbucket so we don't see:

"t/ssl/ocsp.t .. openssl:Error: 'list' is an invalid command."

Revert debugging.

Be a bit more verbose and report the whole subtest as skipped if OCSP support is not available, otherwise it's reported as three "oks".

Add basic OCSP client cert verification test using the "openssl ocsp" built-in toy OCSP responder.
