diff options
author | Péter Dimitrov <[email protected]> | 2019-01-09 16:40:15 +0100 |
---|---|---|
committer | Péter Dimitrov <[email protected]> | 2019-01-09 16:40:15 +0100 |
commit | 348483658478645e12127e888fd53aed45ad750f (patch) | |
tree | 9453ef33a550f03eb2ba61b4d8dc8b28c91d17aa /lib/ssl | |
parent | f0ea49125815ec9197ffb6c74e20ebb5f10732d4 (diff) | |
download | otp-348483658478645e12127e888fd53aed45ad750f.tar.gz otp-348483658478645e12127e888fd53aed45ad750f.tar.bz2 otp-348483658478645e12127e888fd53aed45ad750f.zip |
ssl: Fix CRL suite with openssl-1.1.1a
Later versions of openssl do not support negative integers for
CRL due time (used for negative testing).
As a workaround this commit implements a function that can set
CRL due time in seconds and makes the testcase
'crl_hash_dir_expired' sleep for one second.
Change-Id: I2ef8b3c6ee545bd09170fa6027cb9ca38cfb42c0
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/test/make_certs.erl | 12 | ||||
-rw-r--r-- | lib/ssl/test/ssl_crl_SUITE.erl | 7 |
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl index 8fe7c54549..7f3371da9a 100644 --- a/lib/ssl/test/make_certs.erl +++ b/lib/ssl/test/make_certs.erl @@ -189,6 +189,18 @@ gencrl(Root, CA, C, CrlHours) -> Env = [{"ROOTDIR", filename:absname(Root)}], cmd(Cmd, Env). +%% This function sets the number of seconds until the next CRL is due. +gencrl_sec(Root, CA, C, CrlSecs) -> + CACnfFile = filename:join([Root, CA, "ca.cnf"]), + CACRLFile = filename:join([Root, CA, "crl.pem"]), + Cmd = [C#config.openssl_cmd, " ca" + " -gencrl ", + " -crlsec ", integer_to_list(CrlSecs), + " -out ", CACRLFile, + " -config ", CACnfFile], + Env = [{"ROOTDIR", filename:absname(Root)}], + cmd(Cmd, Env). + can_generate_expired_crls(C) -> %% OpenSSL can generate CRLs with an expiration date in the past, %% if we pass a negative number for -crlhours. However, LibreSSL diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl index 23c5eaf84d..c61039b5da 100644 --- a/lib/ssl/test/ssl_crl_SUITE.erl +++ b/lib/ssl/test/ssl_crl_SUITE.erl @@ -383,8 +383,11 @@ crl_hash_dir_expired(Config) when is_list(Config) -> {verify, verify_peer}], {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - %% First make a CRL that expired yesterday. - make_certs:gencrl(PrivDir, CA, CertsConfig, -24), + %% First make a CRL that will expire in one second. + make_certs:gencrl_sec(PrivDir, CA, CertsConfig, 1), + %% Sleep until the next CRL is due + ct:sleep({seconds, 1}), + CrlDir = filename:join(PrivDir, "crls"), populate_crl_hash_dir(PrivDir, CrlDir, [{CA, "1627b4b0"}], |