Merge pull request #10758 from julek-wolfssl/fix-ocsp-stapling-tls13multi-wait-timeout

Bound waited example servers with timeout to fix flaky CI test hangs
Daniel Pouzzner
2026-07-03 00:43:55 -05:00
committed by GitHub
9 changed files with 94 additions and 31 deletions
+9 -2
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
@@ -99,7 +106,7 @@ run_test() {
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R "$ready_file" -p $crl_port \
timeout -s KILL 2m ./examples/server/server -R "$ready_file" -p $crl_port \
-c ${CERT_DIR}/server-revoked-cert.pem \
-k ${CERT_DIR}/server-revoked-key.pem &
server_pid=$!
@@ -176,7 +183,7 @@ run_hashdir_test() {
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R "$ready_file" -p $crl_port \
timeout -s KILL 2m ./examples/server/server -R "$ready_file" -p $crl_port \
-c ${CERT_DIR}/server-revoked-cert.pem \
-k ${CERT_DIR}/server-revoked-key.pem &
server_pid=$!
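Review bot: The fallback `timeout()` shim in the header hunk only recognises the separated forms `-s SIG` and `-k DUR`; any other spelling (`-sKILL`, `--signal=KILL`, `--foreground`) would be shifted away as if it were the duration, and the real duration would then be executed as the command. Every call site visible in this commit uses `-s KILL 2m`, so it works today, but the comment should state the contract, e.g. `# shim: accepts only "-s SIG" / "-k DUR" before DURATION; extend it before using other timeout(1) options`. The same one-line function is pasted into all nine test scripts; if they have a common file to source, defining it once there would keep the copies from drifting. On macOS hosts with Homebrew coreutils, `gtimeout` could be tried before falling back to unbounded execution.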
+8 -1
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
# dtlscid.test
# Copyright wolfSSL 2022-2024
@@ -54,7 +61,7 @@ test_cid () {
echo "Running test_cid"
SERVER_FILE=$(mktemp)
CLIENT_FILE=$(mktemp)
$WOLFSSL_ROOT/examples/server/server -v4 -u --cid $SCID 1> $SERVER_FILE &
timeout -s KILL 2m $WOLFSSL_ROOT/examples/server/server -v4 -u --cid $SCID 1> $SERVER_FILE &
SERVER_PID=$!
sleep 0.2
$WOLFSSL_ROOT/examples/client/client -v4 -u --cid $CCID 1> $CLIENT_FILE
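Review bot: `SERVER_PID=$!` now records the PID of the `timeout` wrapper (or, where the shim is used, of the backgrounded subshell running the function), not of the server itself. GNU timeout relays catchable signals such as TERM to its child, but a `kill -9` aimed at the wrapper cannot be relayed and the shim's subshell does not forward signals, so the server could outlive the test and keep its port bound; how `$SERVER_PID` is signalled later is outside this hunk. A comment at the assignment would make this explicit: `# SERVER_PID is the timeout wrapper, not the server; signal it with TERM, never KILL`. The same applies to `server_pid`, `server_pid5` and `wolf_pid` in the other scripts of this commit.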
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
# ocsp-stapling-with-wolfssl-responder.test
# Tests OCSP stapling using wolfSSL's own ocsp_responder example
# instead of the OpenSSL ocsp utility.
@@ -455,7 +462,7 @@ if [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS -------------------------"
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -468,7 +475,7 @@ if [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 2 SHOULD REVOKE -----------------------"
# client test against our own server - REVOKED CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server2-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server2-cert.pem \
-k certs/ocsp/server2-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -486,7 +493,7 @@ if [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 3 TLS13 SHOULD PASS -----------------"
# client test against our own server - GOOD CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -v 4 \
-R $ready_file5 -p $port5 &
server_pid5=$!
@@ -500,7 +507,7 @@ if [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 4 TLS13 MUST-STAPLE SHOULD PASS -----"
# client test against our own server, must staple - GOOD CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -v 4 \
-R $ready_file5 -p $port5 &
server_pid5=$!
@@ -514,7 +521,7 @@ if [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 5 TLS13 SHOULD REVOKE ---------------"
# client test against our own server - REVOKED CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server2-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server2-cert.pem \
-k certs/ocsp/server2-key.pem -v 4 \
-R $ready_file5 -p $port5 &
server_pid5=$!
@@ -533,7 +540,7 @@ if [ "$stapling_v1" == "yes" ]; then
if [[ "$dtls12" == "yes" ]]; then
printf '%s\n\n' "------------- TEST CASE DTLS12-1 SHOULD PASS ----------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file5 \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file5 \
-k certs/ocsp/server1-key.pem -u -v 3 \
-p $port5 &
server_pid5=$!
@@ -549,7 +556,7 @@ if [ "$stapling_v1" == "yes" ]; then
if [ "$dtls13" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE DTLS13-1 SHOULD PASS ----------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file5 \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem -R $ready_file5 \
-k certs/ocsp/server1-key.pem -u -v 4 \
-p $port5 &
server_pid5=$!
@@ -575,7 +582,7 @@ if [ "$stapling_v2" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE V2-1 SHOULD PASS ----------------------"
# client test against our own server - GOOD CERTS
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server3-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -588,7 +595,7 @@ if [ "$stapling_v2" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE V2-2 SHOULD PASS ----------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server3-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -602,7 +609,7 @@ if [ "$stapling_v2" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE V2-3 SHOULD REVOKE --------------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -616,7 +623,7 @@ if [ "$stapling_v2" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE V2-4 SHOULD REVOKE --------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 &
sleep 0.1
@@ -630,7 +637,7 @@ if [ "$stapling_v2" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE V2-5 SHOULD PASS ----------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -643,7 +650,7 @@ if [ "$stapling_v2" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE V2-6 SHOULD REVOKE --------------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $port5 &
server_pid5=$!
@@ -659,7 +666,7 @@ if [ "$stapling_v2" == "yes" ]; then
if [[ "$dtls12" == "yes" ]]; then
printf '%s\n\n' "------------- TEST CASE DTLS12-V2 SHOULD PASS ----------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server3-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 -u -v 3 &
server_pid5=$!
@@ -685,7 +692,7 @@ if [ "$tls13" == "yes" ] && [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE T13-1 SHOULD PASS --------------------"
# client test against our own server - GOOD CERTS
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server3-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 -v 4 &
server_pid5=$!
@@ -699,7 +706,7 @@ if [ "$tls13" == "yes" ] && [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE T13-2 SHOULD REVOKE ------------------"
# client test against our own server - REVOKED SERVER CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 -v 4 &
server_pid5=$!
@@ -714,7 +721,7 @@ if [ "$tls13" == "yes" ] && [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE T13-3 SHOULD REVOKE ------------------"
# client test against our own server - REVOKED INTERMEDIATE CERT
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server5-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server5-cert.pem \
-k certs/ocsp/server5-key.pem -R $ready_file5 \
-p $port5 -v 4 &
server_pid5=$!
@@ -730,7 +737,7 @@ if [ "$tls13" == "yes" ] && [ "$stapling_v1" == "yes" ]; then
if [ "$dtls13" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE DTLS13-V2 SHOULD PASS ----------------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server3-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server3-cert.pem \
-k certs/ocsp/server3-key.pem -R $ready_file5 \
-p $port5 -u -v 4 &
server_pid5=$!
@@ -743,7 +750,7 @@ if [ "$tls13" == "yes" ] && [ "$stapling_v1" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE DTLS13-V2-REVOKE SHOULD REVOKE -------"
remove_single_rF $ready_file5
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R $ready_file5 \
-p $port5 -v 4 &
server_pid5=$!
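Review bot: The bound `2m` is a literal repeated at every server launch in this file (and in the other eight scripts), so a slow runner — valgrind, sanitizers, emulation — that legitimately needs longer would have its server SIGKILLed, which would likely show up as an ordinary test failure with no hint that the timeout fired. Consider one overridable setting, for example `: "${SERVER_TIMEOUT:=2m}"` next to the shim and `timeout -s KILL "$SERVER_TIMEOUT" ./examples/server/server …` at the call sites (the variable name is only a suggestion). The new lines also leave `$ready_file5` and `$port5` unquoted here, while the equivalent launches in ocsp-stapling2.test quote them.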
+8 -1
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
# ocsp-stapling.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
@@ -290,7 +297,7 @@ port3=$(get_first_free_port $((port2 + 1)))
# test interop fail case
ready_file=$PWD/wolf_ocsp_readyF$$
printf '%s\n' "ready file: \"$ready_file\""
./examples/server/server -b -p "$port1" -o -R "$ready_file" &
timeout -s KILL 2m ./examples/server/server -b -p "$port1" -o -R "$ready_file" &
wolf_pid=$!
wait_for_readyFile "$ready_file" "$wolf_pid" "$port1"
if [ ! -f "$ready_file" ]; then
+9 -2
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
# ocsp-stapling2.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
@@ -447,7 +454,7 @@ RESULT=$?
printf '%s\n\n' "Test successfully REVOKED!"
printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server1-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R "$ready_file5" \
-p "$port5" -H loadSSL &
server_pid5=$!
@@ -462,7 +469,7 @@ fi
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R "$ready_file5" \
-p "$port5" -H loadSSL &
server_pid5=$!
+9 -2
@@ -1,5 +1,12 @@
#!/bin/bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
# ocsp-stapling_tls13multi.test
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
@@ -455,7 +462,7 @@ if [ "$tls13" == "yes" ]; then
printf '%s\n\n' "------------- TEST CASE 6 LOAD CERT IN SSL -------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server1-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server1-cert.pem \
-k certs/ocsp/server1-key.pem -R "$ready_file5" -v 4 \
-p "$port5" -H loadSSL &
server_pid5=$!
@@ -470,7 +477,7 @@ if [ "$tls13" == "yes" ]; then
printf '%s\n\n' "Test successful"
printf '%s\n\n' "------------- TEST CASE 7 SHOULD REVOKE ----------------------"
remove_single_rF "$ready_file5"
./examples/server/server -c certs/ocsp/server4-cert.pem \
timeout -s KILL 2m ./examples/server/server -c certs/ocsp/server4-cert.pem \
-k certs/ocsp/server4-key.pem -R "$ready_file5" \
-p "$port5" -H loadSSL -v 4 &
server_pid5=$!
+8 -1
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
#pkcallbacks.test
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
@@ -101,7 +108,7 @@ run_test() {
# starts the server on pk_port, -R generates ready file to be used as a
# mutex lock, -P does pkcallbacks. We capture the processid
# into the variable server_pid
./examples/server/server -P -R "$ready_file" -p $pk_port &
timeout -s KILL 2m ./examples/server/server -P -R "$ready_file" -p $pk_port &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
+8 -1
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
#resume.test
# if we can, isolate the network namespace to eliminate port collisions.
@@ -77,7 +84,7 @@ do_test() {
remove_ready_file
echo "./examples/server/server -r -R \"$ready_file\" -p $resume_port"
./examples/server/server -r -R "$ready_file" -p $resume_port &
timeout -s KILL 2m ./examples/server/server -r -R "$ready_file" -p $resume_port &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
+9 -2
@@ -1,5 +1,12 @@
#!/usr/bin/env bash
# timeout(1) is GNU coreutils and absent on macOS; where it's missing, run the
# command unbounded (the flaky hang this guards against is Linux-only CI).
if ! command -v timeout >/dev/null 2>&1; then
timeout() { while [ "${1:-}" = "-s" ] || [ "${1:-}" = "-k" ]; do shift 2; done; shift; "$@"; }
fi
# tls13.test
# Copyright wolfSSL 2016-2021
@@ -260,7 +267,7 @@ if [ "$early_data" = "yes" ]; then
echo -e "\n\nTLS v1.3 Early Data - session ticket"
port=0
(./examples/server/server -v 4 -r -0 -R "$ready_file" -p $port 2>&1 | \
(timeout -s KILL 2m ./examples/server/server -v 4 -r -0 -R "$ready_file" -p $port 2>&1 | \
tee "$server_out_file") &
server_pid=$!
create_port
@@ -308,7 +315,7 @@ if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
early_data_try_num=1
while :; do
(./examples/server/server -v 4 -s -0 -R "$ready_file" -p $port 2>&1 | \
(timeout -s KILL 2m ./examples/server/server -v 4 -s -0 -R "$ready_file" -p $port 2>&1 | \
tee "$server_out_file") &
server_pid=$!
create_port
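Review bot: In both early-data launches `timeout` sits inside `( … | tee "$server_out_file") &`, so the subshell's exit status is tee's, and a server killed at the two-minute mark is indistinguishable from one that exited cleanly. If the script later waits on `$server_pid` (not visible in these hunks), `(set -o pipefail; timeout -s KILL 2m ./examples/server/server … | tee "$server_out_file") &` would let timeout's 137 status through. That change also surfaces ordinary non-zero server exits, so the callers should be checked first. `-p $port` is also left unquoted on the new lines.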