authorCeleste <20312-Celeste@users.gitlab.alpinelinux.org>2024-04-23 03:04:33 +0000
committerCeleste <20312-Celeste@users.gitlab.alpinelinux.org>2024-04-23 03:33:59 +0000
commitca559d101dcd6032a2c4455652131111ccd42fa6 (patch)
treea49223a35f60b53aa8d089ef0451b57467230bde
parentcc2f3e7cc9b46f7ac7a9695e83eb3572a1ebef4f (diff)
main/nginx: fix tests compatibility with openssl 3.2.0HEADmaster
-rw-r--r--main/nginx/APKBUILD2
-rw-r--r--main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch113
2 files changed, 115 insertions, 0 deletions
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index d6240bc1499..bcb29b82663 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -86,6 +86,7 @@ subpackages="$pkgname-debug $pkgname-doc $pkgname-openrc $pkgname-vim::noarch"
source="https://nginx.org/download/nginx-$pkgver.tar.gz
CVE-2023-44487.patch
$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
+ nginx-tests~fix-openssl-3.2.0-compatibility.patch
$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
nginx-dav-ext-module~pr-56.patch::https://github.com/arut/nginx-dav-ext-module/pull/56.patch
nginx-dav-ext-module~pr-62.patch::https://github.com/arut/nginx-dav-ext-module/commit/bbf93f75ca58657fb0f8376b0898f854f13cef91.patch
@@ -498,6 +499,7 @@ sha512sums="
1114e37de5664a8109c99cfb2faa1f42ff8ac63c932bcf3780d645e5ed32c0b2ac446f80305b4465994c8f9430604968e176ae464fd80f632d1cb2c8f6007ff3 nginx-1.24.0.tar.gz
18b69643648119dfab45101bb9404be667aeb9d550aa3bc9706e63e7da1c2806106e9a6bbfb2d10bd57ef56b9b5b0b524059353ec30a51469b44641cb7dbd8a6 CVE-2023-44487.patch
d882d7f79814bd5caf323099aef318a5f4c75c2eb81f13bbd9688fd5404f5a2e4dc653dbc23121f77cc5ccf59742f80fb34db38b8788030c54b376eb9a2065ff nginx-tests-22f45bf99a9e.tar.gz
+ba3512c78007b666b38abd5fd84537c9f3c98816e168022e70f4eca90a55c2c9f5425384b5e1d8ebbb646006810cf9c38d2eda4cabe2ea4cba50f7059c1dbc43 nginx-tests~fix-openssl-3.2.0-compatibility.patch
1cec9a322c40aa2b4ec6eb5bea78d7442880b0cff3a41ad171a3dc3157a6990baec6c8b9eda99ee02a9e51c0b933f13ef17431079a5ff409aaf84b912c7f4df7 nginx-njs-0.8.3.tar.gz
4c7a94aaebbb69599b0067e74f9f3db54ec383ca9499292fec5b875bb0b5859aa11dc14cef5664c94dd54aba231f31e85feacddc49f7622aa4d0fdb38709b6e1 nginx-dav-ext-module~pr-56.patch
fdd66e433126e194a3ef22737993191a04fcc4c8caa044b27cb22bea0e7f16c8fdbc900553507d2bb541cdb82b542845a297db2a48c2460a38dd772d0ebfca9d nginx-dav-ext-module~pr-62.patch
diff --git a/main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch b/main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch
new file mode 100644
index 00000000000..495a8f496cd
--- /dev/null
+++ b/main/nginx/nginx-tests~fix-openssl-3.2.0-compatibility.patch
@@ -0,0 +1,113 @@
+Patch-Source: https://github.com/nginx/nginx-tests/commit/953461781bc0cd780bb5c4b3a3d727d7842e8d2e
+--
+From 953461781bc0cd780bb5c4b3a3d727d7842e8d2e Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Mon, 29 Jan 2024 00:34:16 +0300
+Subject: [PATCH] Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
+
+OpenSSL 3.2.0's "openssl" app generates X.509v3 certificates unless explicitly
+asked not to. Such certificates, even self-signed ones, cannot be used to sign
+other certificates without CA:TRUE explicitly set in the basicConstraints
+extension. As a result, tests doing so are now failing.
+
+Fix is to provide basicConstraints with CA:TRUE for self-signed root
+certificates used in "openssl ca" calls.
+---
+ ssl.t | 3 +++
+ ssl_certificate_chain.t | 3 +++
+ ssl_crl.t | 3 +++
+ ssl_ocsp.t | 3 +++
+ ssl_stapling.t | 3 +++
+ ssl_verify_depth.t | 3 +++
+ 6 files changed, 18 insertions(+)
+
+diff --git a/ssl.t b/ssl.t
+index 13d3daef..6055e083 100644
+--- a/ssl.t
++++ b/ssl.t
+@@ -116,7 +116,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ my $d = $t->testdir();
+diff --git a/ssl_certificate_chain.t b/ssl_certificate_chain.t
+index 0fce9378..764933f1 100644
+--- a/ssl_certificate_chain.t
++++ b/ssl_certificate_chain.t
+@@ -71,7 +71,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_crl.t b/ssl_crl.t
+index 8dad2d70..caaeec58 100644
+--- a/ssl_crl.t
++++ b/ssl_crl.t
+@@ -79,7 +79,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_ocsp.t b/ssl_ocsp.t
+index 3bc9af40..db88fbec 100644
+--- a/ssl_ocsp.t
++++ b/ssl_ocsp.t
+@@ -116,7 +116,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_stapling.t b/ssl_stapling.t
+index 575c167c..bcb36309 100644
+--- a/ssl_stapling.t
++++ b/ssl_stapling.t
+@@ -125,7 +125,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
+diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t
+index 7f2f37b2..89c6668e 100644
+--- a/ssl_verify_depth.t
++++ b/ssl_verify_depth.t
+@@ -76,7 +76,10 @@ $t->write_file('openssl.conf', <<EOF);
+ default_bits = 2048
+ encrypt_key = no
+ distinguished_name = req_distinguished_name
++x509_extensions = myca_extensions
+ [ req_distinguished_name ]
++[ myca_extensions ]
++basicConstraints = critical,CA:TRUE
+ EOF
+
+ $t->write_file('ca.conf', <<EOF);
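Review bot: The added `x509_extensions = myca_extensions` sits in what appears to be the `[ req ]` section of each test's `openssl.conf`, so every certificate produced by `openssl req -x509` with that config is marked `CA:TRUE`, not only the roots later passed to `openssl ca`. The same three lines repeat in all six test files (`ssl.t`, `ssl_certificate_chain.t`, `ssl_crl.t`, `ssl_ocsp.t`, `ssl_stapling.t`, `ssl_verify_depth.t`). The `req` calls are outside these hunks, so whether end-entity certificates are generated from the same config cannot be confirmed here; for throwaway test material this is acceptable. Because the patch is a verbatim upstream backport, I would leave its body untouched and document the carry in the header instead, for example `Test-only change; remove once $_tests_hgrev includes upstream 953461781bc0` after the `Patch-Source:` line. The extension sets no `pathlen` and no `keyUsage` is defined, so this snippet should not be reused as a template for a real CA configuration.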