author | Celeste <20312-Celeste@users.gitlab.alpinelinux.org> | 2024-04-23 03:04:33 +0000 |
---|---|---|
committer | Celeste <20312-Celeste@users.gitlab.alpinelinux.org> | 2024-04-23 03:33:59 +0000 |
commit | ca559d101dcd6032a2c4455652131111ccd42fa6 (patch) | |
tree | a49223a35f60b53aa8d089ef0451b57467230bde | |
parent | cc2f3e7cc9b46f7ac7a9695e83eb3572a1ebef4f (diff) |
-rw-r--r-- | main/nginx/APKBUILD | 2 | ||||
-rw-r--r-- | main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch | 113 |
2 files changed, 115 insertions, 0 deletions
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index d6240bc1499..bcb29b82663 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -86,6 +86,7 @@ subpackages="$pkgname-debug $pkgname-doc $pkgname-openrc $pkgname-vim::noarch"
 source="https://nginx.org/download/nginx-$pkgver.tar.gz
 CVE-2023-44487.patch
 $pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
+ nginx-tests~fix-openssl-3.2.0-compatibility.patch
 $pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
 nginx-dav-ext-module~pr-56.patch::https://github.com/arut/nginx-dav-ext-module/pull/56.patch
 nginx-dav-ext-module~pr-62.patch::https://github.com/arut/nginx-dav-ext-module/commit/bbf93f75ca58657fb0f8376b0898f854f13cef91.patch
@@ -498,6 +499,7 @@ sha512sums="
 1114e37de5664a8109c99cfb2faa1f42ff8ac63c932bcf3780d645e5ed32c0b2ac446f80305b4465994c8f9430604968e176ae464fd80f632d1cb2c8f6007ff3 nginx-1.24.0.tar.gz
 18b69643648119dfab45101bb9404be667aeb9d550aa3bc9706e63e7da1c2806106e9a6bbfb2d10bd57ef56b9b5b0b524059353ec30a51469b44641cb7dbd8a6 CVE-2023-44487.patch
 d882d7f79814bd5caf323099aef318a5f4c75c2eb81f13bbd9688fd5404f5a2e4dc653dbc23121f77cc5ccf59742f80fb34db38b8788030c54b376eb9a2065ff nginx-tests-22f45bf99a9e.tar.gz
+ba3512c78007b666b38abd5fd84537c9f3c98816e168022e70f4eca90a55c2c9f5425384b5e1d8ebbb646006810cf9c38d2eda4cabe2ea4cba50f7059c1dbc43 nginx-tests~fix-openssl-3.2.0-compatibility.patch
 1cec9a322c40aa2b4ec6eb5bea78d7442880b0cff3a41ad171a3dc3157a6990baec6c8b9eda99ee02a9e51c0b933f13ef17431079a5ff409aaf84b912c7f4df7 nginx-njs-0.8.3.tar.gz
 4c7a94aaebbb69599b0067e74f9f3db54ec383ca9499292fec5b875bb0b5859aa11dc14cef5664c94dd54aba231f31e85feacddc49f7622aa4d0fdb38709b6e1 nginx-dav-ext-module~pr-56.patch
 fdd66e433126e194a3ef22737993191a04fcc4c8caa044b27cb22bea0e7f16c8fdbc900553507d2bb541cdb82b542845a297db2a48c2460a38dd772d0ebfca9d nginx-dav-ext-module~pr-62.patch
diff --git a/main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch b/main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch
new file mode 100644
index 00000000000..495a8f496cd
--- /dev/null
+++ b/main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch
@@ -0,0 +1,113 @@
+Patch-Source: https://github.com/nginx/nginx-tests/commit/953461781bc0cd780bb5c4b3a3d727d7842e8d2e
+--
+From 953461781bc0cd780bb5c4b3a3d727d7842e8d2e Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Mon, 29 Jan 2024 00:34:16 +0300
+Subject: [PATCH] Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
+
+OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly
+asked not to. Such certificates, even self-signed ones, cannot be used to sign
+other certificates without CA:TRUE explicitly set in the basicConstraints
+extension. As a result, tests doing so are now failing.
+
+Fix is to provide basicConstraints with CA:TRUE for self-signed root
+certificates used in "openssl ca" calls.
+---
+ ssl.t | 3 +++
+ ssl_certificate_chain.t | 3 +++
+ ssl_crl.t | 3 +++
+ ssl_ocsp.t | 3 +++
+ ssl_stapling.t | 3 +++
+ ssl_verify_depth.t | 3 +++
+ 6 files changed, 18 insertions(+)
+
+diff --git a/ssl.t b/ssl.t
+index 13d3daef..6055e083 100644
+--- a/ssl.t
++++ b/ssl.t
+@@ -116,7 +116,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ my $d = $t->testdir();
+diff --git a/ssl_certificate_chain.t b/ssl_certificate_chain.t
+index 0fce9378..764933f1 100644
+--- a/ssl_certificate_chain.t
++++ b/ssl_certificate_chain.t
+@@ -71,7 +71,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_crl.t b/ssl_crl.t
+index 8dad2d70..caaeec58 100644
+--- a/ssl_crl.t
++++ b/ssl_crl.t
+@@ -79,7 +79,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_ocsp.t b/ssl_ocsp.t
+index 3bc9af40..db88fbec 100644
+--- a/ssl_ocsp.t
++++ b/ssl_ocsp.t
+@@ -116,7 +116,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_stapling.t b/ssl_stapling.t
+index 575c167c..bcb36309 100644
+--- a/ssl_stapling.t
++++ b/ssl_stapling.t
+@@ -125,7 +125,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t
+index 7f2f37b2..89c6668e 100644
+--- a/ssl_verify_depth.t
++++ b/ssl_verify_depth.t
+@@ -76,7 +76,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF); |
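Review bot: The added `x509_extensions = myca_extensions` line sits in the shared request section of `openssl.conf`, so `basicConstraints = critical,CA:TRUE` applies to every certificate self-signed from that config, not only the roots later used with `openssl ca`; the same three lines repeat in all six test files. The `openssl req` invocations are outside these hunks, so it cannot be confirmed here whether any leaf certificate is also produced with `-x509` from this file; if so, it becomes CA-capable with no `pathlen` limit, which is tolerable for throwaway test fixtures only. As this is an unmodified upstream backport, the code should stay byte-identical, but the patch header lacks a removal condition next to `Patch-Source:`, for example `Drop once _tests_hgrev includes upstream commit 953461781bc0cd780bb5c4b3a3d727d7842e8d2e`.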