tests: add support for openssl3.0.

.travis.yml

@@ -63,9 +63,10 @@ env:
   jobs:
     #- NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.0l OPENSSL_PATCH_VER=1.1.0d
     #- NGINX_VERSION=1.25.1 OPENSSL_VER=1.1.0l OPENSSL_PATCH_VER=1.1.0d
-    - NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f
-    - NGINX_VERSION=1.27.1 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f USE_PCRE2=Y TEST_NGINX_TIMEOUT=5
-    - NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
+    #- NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f
+    #- NGINX_VERSION=1.27.1 OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f USE_PCRE2=Y TEST_NGINX_TIMEOUT=5
+    #- NGINX_VERSION=1.27.1 BORINGSSL=1 TEST_NGINX_USE_HTTP3=1 USE_PCRE2=Y TEST_NGINX_QUIC_IDLE_TIMEOUT=3
+    - NGINX_VERSION=1.27.1 OPENSSL_VER=3.0.15 OPENSSL_PATCH_VER=3.0.12 USE_PCRE2=Y TEST_NGINX_TIMEOUT=5
     #- NGINX_VERSION=1.25.1 OPENSSL_VER=1.1.1w TEST_NGINX_USE_HTTP2=1
 
 services:
@@ -82,8 +83,7 @@ install:
   - if [ ! -f download-cache/drizzle7-$DRIZZLE_VER.tar.gz ]; then wget -P download-cache https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/drizzle7-$DRIZZLE_VER.tar.gz; fi
   - if [ "$USE_PCRE2" != "Y" ] && [ ! -f download-cache/pcre-$PCRE_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre/${PCRE_VER}/pcre-${PCRE_VER}.tar.gz; fi
   - if [ "$USE_PCRE2" = "Y" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
-  - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
-  - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
+  - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git

t/129-ssl-socket.t

@@ -1155,7 +1155,7 @@ SSL reused session
         server_name         test.com;
         ssl_certificate     $TEST_NGINX_CERT_DIR/cert/test.crt;
         ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
-        ssl_protocols       TLSv1;
+        ssl_protocols       TLSv1.2;
 
         location / {
             content_by_lua_block {
@@ -1165,7 +1165,7 @@ SSL reused session
     }
 --- config
     server_tokens off;
-    lua_ssl_ciphers ECDHE-RSA-AES256-SHA;
+    lua_ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
 
     location /t {
         content_by_lua '
@@ -1229,7 +1229,7 @@ lua ssl free session: ([0-9A-F]+)
 $/
 --- error_log eval
 ['lua ssl server name: "test.com"',
-qr/SSL: TLSv\d(?:\.\d)?, cipher: "ECDHE-RSA-AES256-SHA (SSLv3|TLSv1)/]
+qr/SSL: TLSv\d(?:\.\d)?, cipher: "ECDHE-RSA-AES256-GCM-SHA384 (SSLv3|TLSv1\.2)/]
 --- no_error_log
 SSL reused session
 [error]
@@ -1245,7 +1245,7 @@ SSL reused session
         server_name         test.com;
         ssl_certificate     $TEST_NGINX_CERT_DIR/cert/test.crt;
         ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
-        ssl_protocols       TLSv1;
+        ssl_protocols       TLSv1.2;
 
         location / {
             content_by_lua_block {
@@ -1255,7 +1255,7 @@ SSL reused session
     }
 --- config
     server_tokens off;
-    lua_ssl_protocols TLSv1;
+    lua_ssl_protocols TLSv1.2;
 
     location /t {
         content_by_lua '
@@ -1319,7 +1319,7 @@ lua ssl free session: ([0-9A-F]+)
 $/
 --- error_log eval
 ['lua ssl server name: "test.com"',
-qr/SSL: TLSv1, cipher: "ECDHE-RSA-AES256-SHA (SSLv3|TLSv1)/]
+qr/SSL: TLSv1\.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1\.2/]
 --- no_error_log
 SSL reused session
 [error]
@@ -2614,10 +2614,10 @@ SSL reused session
 
 --- request
 GET /t
---- response_body
-connected: 1
-failed to do SSL handshake: 18: self signed certificate
-
+--- response_body eval
+qr/connected: 1
+failed to do SSL handshake: 18: self[- ]signed certificate
+/ms
 --- user_files eval
 ">>> test.key
 $::TestCertificateKey
@@ -2626,8 +2626,8 @@ $::TestCertificate"
 
 --- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/
 --- grep_error_log_out
---- error_log
-lua ssl certificate verify error: (18: self signed certificate)
+--- error_log eval
+qr/lua ssl certificate verify error: \(18: self[- ]signed certificate\)/
 --- no_error_log
 SSL reused session
 [alert]

t/140-ssl-c-api.t

@@ -954,8 +954,8 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 
 --- request
 GET /t
---- response_body
-FAILED:self signed certificate
+--- response_body eval
+qr/FAILED:self[- ]signed certificate/
 
 --- error_log
 client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com

t/143-ssl-session-fetch.t

@@ -1326,98 +1326,7 @@ close: 1 nil
 
 
 
-=== TEST 16: ssl_session_fetch_by_lua* always runs when using SSLv3 (SSLv3 does not support session tickets)
---- http_config
-    ssl_session_fetch_by_lua_block { print("ssl_session_fetch_by_lua* is running!") }
-    server {
-        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
-        server_name test.com;
-        ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt;
-        ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
-        ssl_protocols SSLv3;
-        server_tokens off;
-    }
---- config
-    server_tokens off;
-    lua_ssl_trusted_certificate $TEST_NGINX_CERT_DIR/cert/test.crt;
-    lua_ssl_protocols SSLv3;
-
-    location /t {
-        content_by_lua_block {
-            do
-                local sock = ngx.socket.tcp()
-
-                sock:settimeout(5000)
-
-                local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
-                if not ok then
-                    ngx.say("failed to connect: ", err)
-                    return
-                end
-
-                ngx.say("connected: ", ok)
-
-                local sess, err = sock:sslhandshake(package.loaded.session, "test.com", true)
-                if not sess then
-                    ngx.say("failed to do SSL handshake: ", err)
-                    return
-                end
-
-                ngx.say("ssl handshake: ", type(sess))
-
-                package.loaded.session = sess
-
-                local ok, err = sock:close()
-                ngx.say("close: ", ok, " ", err)
-            end  -- do
-            -- collectgarbage()
-        }
-    }
---- request
-GET /t
---- response_body
-connected: 1
-ssl handshake: cdata
-close: 1 nil
---- grep_error_log eval: qr/ssl_session_fetch_by_lua\(nginx\.conf:\d+\):.*?,|\bssl session fetch: connection reusable: \d+|\breusable connection: \d+/
---- grep_error_log_out eval
-# Since nginx version 1.17.9, nginx call ngx_reusable_connection(c, 0)
-# before call ssl callback function
-$Test::Nginx::Util::NginxVersion >= 1.017009 ?
-[
-qr/\A(?:reusable connection: [01]\n)+\z/s,
-qr/^reusable connection: 0
-ssl session fetch: connection reusable: 0
-ssl_session_fetch_by_lua\(nginx\.conf:\d+\):1: ssl_session_fetch_by_lua\* is running!,
-/m,
-qr/^reusable connection: 0
-ssl session fetch: connection reusable: 0
-ssl_session_fetch_by_lua\(nginx\.conf:\d+\):1: ssl_session_fetch_by_lua\* is running!,
-/m,
-]
-:
-[
-qr/\A(?:reusable connection: [01]\n)+\z/s,
-qr/^reusable connection: 1
-ssl session fetch: connection reusable: 1
-reusable connection: 0
-ssl_session_fetch_by_lua\(nginx\.conf:\d+\):1: ssl_session_fetch_by_lua\* is running!,
-/m,
-qr/^reusable connection: 1
-ssl session fetch: connection reusable: 1
-reusable connection: 0
-ssl_session_fetch_by_lua\(nginx\.conf:\d+\):1: ssl_session_fetch_by_lua\* is running!,
-/m,
-]
---- no_error_log
-[error]
-[alert]
-[emerg]
---- skip_eval: 6:$ENV{TEST_NGINX_USE_HTTP3}
-
-
-
-=== TEST 17: ssl_session_fetch_by_lua* can yield when reading early data
+=== TEST 16: ssl_session_fetch_by_lua* can yield when reading early data
 --- skip_openssl: 6: < 1.1.1
 --- http_config
     ssl_session_fetch_by_lua_block {
@@ -1494,7 +1403,7 @@ qr/elapsed in ssl_session_fetch_by_lua\*: 0\.(?:09|1[01])\d+,/,
 
 
 
-=== TEST 18: cosocket (UDP)
+=== TEST 17: cosocket (UDP)
 --- http_config
     ssl_session_fetch_by_lua_block {
         local sock = ngx.socket.udp()
@@ -1589,7 +1498,7 @@ close: 1 nil
 
 
 
-=== TEST 19: uthread (kill)
+=== TEST 18: uthread (kill)
 --- http_config
     ssl_session_fetch_by_lua_block {
         local function f()
@@ -1689,7 +1598,7 @@ uthread: failed to kill: already waited or killed
 
 
 
-=== TEST 20: uthread (wait)
+=== TEST 19: uthread (wait)
 --- http_config
     ssl_session_fetch_by_lua_block {
         local function f()