On Mon, Feb 13, 2023 at 09:44:03AM -0800, Jacob Champion wrote:
> LGTM too, thanks Michael! I tested against LibreSSL 3.5.3 to
> double-check the fallback.
Thanks for checking with this one; I don't have LibreSSL in my
environment, at least not now. Perhaps I should... So, I have spent a
couple of hours on that, and backpatched the fix down to 11. There
were different conflicts for each branch.
The new tests have been added in 15~, where the generation of the cert
and key files is more straightforward than ~14. Actually, make
sslfiles fails on these branches when using OpenSSL 1.1.1~. Perhaps
that may be worth addressing, but the existing tests pass anyway when
relying on X509_get_signature_info(), as much as they pass with older
versions of OpenSSL. I have done some manual checks with RSA-PSS
certs and keys to make sure that channel binding works correctly for
these versions (one can just reuse the ones generated on HEAD or
REL_15_STABLE in src/test/ssl/ for that).
--
Michael
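As an added illustration (not PostgreSQL's code and not from this thread): what X509_get_signature_info() has to do for an RSA-PSS certificate when the tls-server-end-point channel-binding digest is chosen, done by hand with a minimal DER walk. The OID tables, the stand-in certificate builder and the three signatureAlgorithm encodings are constructed for the demo; the SHA-1-to-SHA-256 remapping follows RFC 5929 and the default hashAlgorithm follows RFC 4055.

```python
import hashlib
# DER contents of the OIDs used below (RFC 4055, RFC 8017); only the algorithms needed here.
OID_RSASSA_PSS = bytes.fromhex("2a864886f70d01010a")                      # 1.2.840.113549.1.1.10
SIG_OID_TO_DIGEST = {bytes.fromhex("2a864886f70d010105"): "sha1",         # sha1WithRSAEncryption
                     bytes.fromhex("2a864886f70d01010b"): "sha256"}       # sha256WithRSAEncryption
HASH_OID_TO_DIGEST = {bytes.fromhex("2b0e03021a"): "sha1",                # id-sha1
                      bytes.fromhex("608648016503040201"): "sha256"}      # id-sha256

def der_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, contents, end). Lengths up to 2^16."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_digest(cert_der):
    """Digest named by signatureAlgorithm; for RSASSA-PSS it sits inside the parameters."""
    _, cert, _ = der_tlv(cert_der)      # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _, pos = der_tlv(cert)           # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    tag, oid, pos = der_tlv(alg_id)
    if oid != OID_RSASSA_PSS:
        return SIG_OID_TO_DIGEST[oid]   # PKCS#1 v1.5 OIDs name the digest directly
    # RSASSA-PSS-params ::= SEQUENCE { hashAlgorithm [0] AlgorithmIdentifier DEFAULT sha1, ... }
    _, params, _ = der_tlv(alg_id, pos)
    if not params:
        return "sha1"                   # empty parameters: hashAlgorithm takes its default
    tag, ctx0, _ = der_tlv(params)
    if tag != 0xA0:
        return "sha1"                   # hashAlgorithm absent but later fields present
    _, hash_alg, _ = der_tlv(ctx0)
    _, hash_oid, _ = der_tlv(hash_alg)
    return HASH_OID_TO_DIGEST[hash_oid]

def channel_binding_digest(cert_der):
    """RFC 5929 tls-server-end-point rule: MD5 and SHA-1 are replaced by SHA-256."""
    digest = signature_digest(cert_der)
    return "sha256" if digest in ("md5", "sha1") else digest

def tls_server_end_point(cert_der):
    """Channel-binding value: the whole DER certificate hashed with the chosen digest."""
    return hashlib.new(channel_binding_digest(cert_der), cert_der).digest()

def fake_cert(alg_id_der):
    """Constructed stand-in (not a real certificate): empty tbsCertificate and signature."""
    body = bytes.fromhex("3000") + alg_id_der + bytes.fromhex("030100")
    return bytes([0x30, len(body)]) + body
# Constructed signatureAlgorithm encodings: RSASSA-PSS/SHA-256, RSASSA-PSS with all defaults, sha1WithRSA.
PSS_SHA256 = bytes.fromhex("301e06092a864886f70d01010a3011a00f300d06096086480165030402010500")
PSS_DEFAULTS = bytes.fromhex("300d06092a864886f70d01010a3000")
RSA_SHA1 = bytes.fromhex("300d06092a864886f70d0101050500")
```

The all-defaults PSS case is the one that trips up a plain signature-OID lookup: the OID alone says nothing about the digest, so the parameters (or their defaults) must be consulted.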