#
53555c84 |
| 15-Jan-2025 |
tb <tb@openbsd.org> |
Interop tests for openssl 3.3 and 3.4, retire 3.2, 1.1 (and 3.1 remnants)
OpenSSL 1.1 and 3.2 will be removed from the ports tree, so test the two remaining versions. Unfortunately, this requires a lot more manual massaging than there should be.
|
#
92a8db2f |
| 18-Aug-2024 |
tb <tb@openbsd.org> |
Drop OpenSSL 3.0 interop testing infrastructure
The openssl 3.0 port was removed nearly a year ago shortly after the 7.4 release.
|
#
691b8de7 |
| 18-Aug-2024 |
tb <tb@openbsd.org> |
Add support for openssl32 in interop test
|
#
689a9b7e |
| 03-Feb-2024 |
beck <beck@openbsd.org> |
Remove GOST and STREEBOG support from libssl.
This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful.
At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here.
This removes it from libssl in preparation for its removal from libcrypto with a future major bump
ok tb@
|
#
a21075fe |
| 30-Oct-2023 |
tb <tb@openbsd.org> |
Add support for OpenSSL 3.1 interop tests
Until OpenSSL 3.1 has replaced OpenSSL 3.0 on most architectures, run both tests. Installed packages of OpenSSL 3.0 will update automatically to 3.1, so regress runners should not need to do anything.
|
#
2c34d847 |
| 19-Apr-2023 |
tb <tb@openbsd.org> |
interop: work around extreme REGRESS_SKIP_SLOW slowness
A few years back beck introduced REGRESS_SKIP_SLOW dances with the idea that this should speed up the interop tests for us devs because this also checked interop between opensslX and opensslY, which we don't particularly care about. This never really worked. On a mac m1 mini the result is this:
REGRESS_SKIP_SLOW unset  9m56.69s real  3m42.24s user  3m00.70s system
REGRESS_SKIP_SLOW=yes  11m04.61s real  7m29.61s user  1m40.29s system
The problem is that REGRESS_SKIP_SLOW simply wasn't designed to handle the huge number of tests we have here. There are many nested .for loops resulting in several thousand tests. Each test has a name of length ~80. REGRESS_SKIP_SLOW concatenates them into a several hundred kilobytes long string in REGRESS_SKIP_TARGETS, iterates over all regress targets and tests with ".if ${REGRESS_SKIP_TARGETS:M${RT}}" if it should skip them. This means that during a regress run, make spends a lot of time linearly scanning a huge string.
I ran into this when I added OpenSSL 3.0 tests to the already existing 1.0.2 and 1.1 tests with the result that with REGRESS_SLOW_TARGETS set it took the better part of an hour while without it it took about 15 min.
The hack here is simply to avoid using REGRESS_SLOW_TARGETS here and handle the situation differently.
patch, REGRESS_SKIP_SLOW=yes 5m42.32s real 2m09.98s user 1m45.21s system
The real solution would be to fix this in bsd.regress.mk, which someone who understands make well is very welcome to do. For now, I'm happy with this.
Debugged with jsing a few months ago
|
#
562d56f4 |
| 01-Feb-2023 |
tb <tb@openbsd.org> |
Retire OpenSSL 1.0.2 interop
Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the interop tests anymore. anton's and bluhm's regress tests will switch to testing interoperability with OpenSSL 3.0.
|
#
416f6443 |
| 27-Jan-2023 |
tb <tb@openbsd.org> |
Add openssl 3.0 interop tests
The plan is to retire the 1.0.2 interop tests soon so as to be able to drop the dead and dangerous OpenSSL 1.0.2 port.
The cert part is extremely slow on arm64: the whole interop test on an m1 is about 10x slower (~45 min!) than on a modern amd64 laptop, so people running regress may want to wait a bit with adding OpenSSL 3 to their test boxes until this is sorted out.
|
#
dd9b82d8 |
| 05-Feb-2022 |
tb <tb@openbsd.org> |
Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_list
SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers. This wasn't a problem until now since the AEAD- ciphers were counted as distinct from TLS_ ciphers by the regress test, so they were never used in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests.
With the renaming, the TLSv1.3 ciphers are now considered as common ciphers, so they're tested. With openssl11 this results in
0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573:
The design of these tests doesn't allow easily adding a call to SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2) so skip the TLS_* ciphers for the time being.
|
#
b86b7d07 |
| 05-Feb-2022 |
tb <tb@openbsd.org> |
Mechanically adjust from AEAD- to TLS_ to adjust to the new cipher names.
|
#
b5d99089 |
| 17-Dec-2020 |
bluhm <bluhm@openbsd.org> |
Remove echo headlines.
|
#
4ce6b677 |
| 21-Sep-2020 |
beck <beck@openbsd.org> |
1) Move the interop tests to the end so we see tlsfuzzer first
2) Reorder the interop tests so the really slow "cert" test is at the end
3) Change the cert tests to use REGRESS_SLOW_TARGETS when testing combination of client and server that does not involve libressl. This way we can skip testing openssl to openssl11 when running these manually by setting REGRESS_SKIP_SLOW to "yet" in mk.conf
ok jsing@
|
#
909476f1 |
| 12-Sep-2020 |
bluhm <bluhm@openbsd.org> |
If CPU does not support AES-NI, LibreSSL TLS 1.3 client prefers chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
|
#
c38ae11d |
| 11-Sep-2020 |
bluhm <bluhm@openbsd.org> |
Enable cert and cipher interop tests. cert just works. cipher has been fixed to work with libressl TLS 1.3. Both libressl and openssl11 replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects that now. Currently GOST does not work with libressl and TLS 1.3 and is disabled.
|
#
a2421a14 |
| 28-Mar-2019 |
bluhm <bluhm@openbsd.org> |
Enable GOST cipher selection test after libssl has been fixed.
|
#
31520b76 |
| 21-Mar-2019 |
bluhm <bluhm@openbsd.org> |
Fix typo in usage and comment.
|
#
1f83e6f0 |
| 21-Feb-2019 |
bluhm <bluhm@openbsd.org> |
Test that all supported TLS ciphers actually work. Establish connections between client and server implemented with LibreSSL or OpenSSL with a fixed cipher on each side. Check the used cipher in the session print out.
|