aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
authorMagnus Henoch <[email protected]>2016-05-19 11:56:47 +0100
committerMagnus Henoch <[email protected]>2016-05-19 11:56:47 +0100
commitc3e06e575b06f25601fdc60f4142a0d6b9e6eb7a (patch)
tree04ac1ee2d6bc8340a1d9ef392e27f29221d9de3f /lib/ssl
parentb219dbd698c74cf3c904445d13bb3453be6e1ac8 (diff)
downloadotp-c3e06e575b06f25601fdc60f4142a0d6b9e6eb7a.tar.gz
otp-c3e06e575b06f25601fdc60f4142a0d6b9e6eb7a.tar.bz2
otp-c3e06e575b06f25601fdc60f4142a0d6b9e6eb7a.zip
Skip crl_hash_dir_expired test for LibreSSL
LibreSSL doesn't like it when we pass a negative number for the -crlhours argument. I'm not sure if there is another way to make it generate a CRL with expiry date in the past, so let's skip that test in this case.
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/test/make_certs.erl9
-rw-r--r--lib/ssl/test/ssl_crl_SUITE.erl2
2 files changed, 11 insertions, 0 deletions
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index ed1a6523ed..009bcd81ad 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -186,6 +186,15 @@ gencrl(Root, CA, C, CrlHours) ->
Env = [{"ROOTDIR", filename:absname(Root)}],
cmd(Cmd, Env).
+can_generate_expired_crls(C) ->
+ %% OpenSSL can generate CRLs with an expiration date in the past,
+ %% if we pass a negative number for -crlhours. However, LibreSSL
+ %% rejects this with the error "invalid argument -24: too small".
+ %% Let's check which one we have.
+ Cmd = [C#config.openssl_cmd, " ca -crlhours -24"],
+ Output = os:cmd(Cmd),
+ 0 =:= string:str(Output, "too small").
+
verify(Root, CA, User, C) ->
CAFile = filename:join([Root, User, "cacerts.pem"]),
CACRLFile = filename:join([Root, CA, "crl.pem"]),
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 27005682e9..06f9f4d5a7 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -353,6 +353,8 @@ crl_hash_dir_expired(Config) when is_list(Config) ->
%% Add "issuing distribution point", to ensure that verification
%% fails if there is no valid CRL.
CertsConfig = make_certs:make_config([{issuing_distribution_point, true}]),
+ make_certs:can_generate_expired_crls(CertsConfig)
+ orelse throw({skip, "cannot generate CRLs with expiry date in the past"}),
make_certs:intermediateCA(PrivDir, CA, "erlangCA", CertsConfig),
EndUser = "CRL-maybe-expired",
make_certs:enduser(PrivDir, CA, EndUser, CertsConfig),