mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 14:30:49 +02:00
Merge pull request #10646 from ColtonWilley/openwrt-ci-tls-reset
Docker/OpenWrt: accept exit 4 or 5 in negative TLS tests
This commit is contained in:
+23
-12
@@ -1,14 +1,20 @@
|
||||
#!/bin/sh
|
||||
|
||||
runCMD() { # usage: runCMD "<command>" "<retVal>"
|
||||
runCMD() { # usage: runCMD "<command>" "<retVal>[ <retVal> ...]"
|
||||
TMP_FILE=$(mktemp)
|
||||
eval $1 > $TMP_FILE 2>&1
|
||||
eval $1 > "$TMP_FILE" 2>&1
|
||||
RETVAL=$?
|
||||
if [ "$RETVAL" != "$2" ]; then
|
||||
echo "Command ($1) returned ${RETVAL}, but expected $2. Error output:"
|
||||
cat $TMP_FILE
|
||||
exit 1
|
||||
fi
|
||||
# Accept any code in the space-separated list "$2" (e.g. "4 5").
|
||||
case " $2 " in
|
||||
*" $RETVAL "*)
|
||||
rm -f "$TMP_FILE"
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
echo "Command ($1) returned ${RETVAL}, but expected one of: $2. Error output:"
|
||||
cat "$TMP_FILE"
|
||||
rm -f "$TMP_FILE"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Successful tests
|
||||
@@ -18,10 +24,15 @@ runCMD "ldd /lib/libustream-ssl.so" 0
|
||||
runCMD "sed '\/src\/gz openwrt_kmods https:\/\/downloads.openwrt.org\/releases\/21.02-SNAPSHOT\/targets\/x86\/64\/kmods\/5.4.238-1-5a722da41bc36de95a7195be6fce1b45/s//#&/' -i /etc/opkg/distfeeds.conf" 0
|
||||
runCMD "opkg update" 0
|
||||
runCMD "uclient-fetch 'https://letsencrypt.org'" 0
|
||||
# Negative tests
|
||||
runCMD "uclient-fetch --ca-certificate=/dev/null 'https://letsencrypt.org'" 5
|
||||
runCMD "uclient-fetch 'https://self-signed.badssl.com/'" 5
|
||||
runCMD "uclient-fetch 'https://untrusted-root.badssl.com/'" 5
|
||||
runCMD "uclient-fetch 'https://expired.badssl.com/'" 5
|
||||
# Negative tests: each must fail TLS verification, so a non-zero exit is expected.
|
||||
# BAND-AID: accept exit 4 OR 5. 5 = clean "invalid certificate"; 4 = "connection
|
||||
# reset prematurely". Since wolfSSL enabled ML-KEM by default the TLS ClientHello
|
||||
# grew (~1.8 KB) and some servers/load balancers intermittently RST it before the
|
||||
# cert is evaluated (seen with badssl.com, ~1 in 3) -> exit 4 on any of these.
|
||||
# TODO: proper fix (retry-on-reset, or a local bad-cert server).
|
||||
runCMD "uclient-fetch --ca-certificate=/dev/null 'https://letsencrypt.org'" "4 5"
|
||||
runCMD "uclient-fetch 'https://self-signed.badssl.com/'" "4 5"
|
||||
runCMD "uclient-fetch 'https://untrusted-root.badssl.com/'" "4 5"
|
||||
runCMD "uclient-fetch 'https://expired.badssl.com/'" "4 5"
|
||||
|
||||
echo "All tests passed."
|
||||
|
||||
Reference in New Issue
Block a user