File 3971-ssl-Avoid-OpenSSL-versions-that-will-not-interop-wit.patch of Package erlang
From c832926095334ed95c49ce9c36afdee77600d6f6 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 29 Mar 2023 13:53:46 +0200
Subject: [PATCH] ssl: Avoid OpenSSL versions that will not interop with
{dsa,sha}
These are versions that pass the normal interop tests but still do not work.
---
lib/ssl/test/openssl_client_cert_SUITE.erl | 4 +++-
lib/ssl/test/openssl_server_cert_SUITE.erl | 4 +++-
lib/ssl/test/ssl_test_lib.erl | 17 +++++++++++++++++
3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 6348f4d110..36b098bd49 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -280,7 +280,9 @@ init_per_group(Group, Config0) when Group == dsa ->
NVersion = ssl_test_lib:n_version(proplists:get_value(version, Config0)),
SigAlgs = ssl_test_lib:sig_algs(dsa, NVersion),
case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg)
- andalso (ssl_test_lib:openssl_dsa_suites() =/= []) of
+ andalso (ssl_test_lib:openssl_dsa_suites() =/= [])
+ andalso (ssl_test_lib:check_sane_openssl_dsa(Config0))
+ of
true ->
Config = ssl_test_lib:make_dsa_cert(Config0),
COpts = SigAlgs ++ proplists:get_value(client_dsa_opts, Config),
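Review bot: With `check_sane_openssl_dsa(Config0)` folded into the same `andalso` chain, a run against an excluded OpenSSL takes the same `false` branch as missing `dss`/`dh` support, so the skip reason will probably not say that the DSA group was dropped because of the OpenSSL version. The `false` branch lies outside the hunk (init_per_group starts before it and continues past it), so this is inferred. If the skip text is generic, a distinct reason such as `{skip, "OpenSSL version does not interop with {dsa,sha}"}` would keep the lost interop coverage visible in CI logs. The same applies to the `init_per_group(dsa = Group, Config0)` hunk in openssl_server_cert_SUITE.erl.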
diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl
index c4b09dbb37..03653ab0d6 100644
--- a/lib/ssl/test/openssl_server_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_server_cert_SUITE.erl
@@ -312,7 +312,9 @@ init_per_group(eddsa_1_3, Config0) ->
init_per_group(dsa = Group, Config0) ->
PKAlg = crypto:supports(public_keys),
case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) andalso
- (ssl_test_lib:openssl_dsa_suites() =/= []) of
+ (ssl_test_lib:openssl_dsa_suites() =/= [])
+ andalso (ssl_test_lib:check_sane_openssl_dsa(Config0))
+ of
true ->
Config = ssl_test_lib:make_dsa_cert(Config0),
COpts = proplists:get_value(client_dsa_opts, Config),
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index eda86fe936..2c8827effe 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -44,6 +44,7 @@
default_tls_version/1,
check_sane_openssl_renegotiate/2,
check_openssl_npn_support/1,
+ check_sane_openssl_dsa/1,
start_server/1,
start_server/2,
start_client/1,
@@ -3357,6 +3358,22 @@ check_sane_openssl_version(Version, Config) ->
false ->
false
end.
+
+
+%% If other DSA checks have passed also check the following
+check_sane_openssl_dsa(Config) ->
+ case not is_fips(openssl, Config) of
+ true ->
+ case proplists:get_value(openssl_version, Config) of
+ "OpenSSL 1.0." ++ _ ->
+ false;
+ _ ->
+ true
+ end;
+ false ->
+ false
+ end.
+
check_sane_openssl_renegotiate(Config, Version) when Version == 'tlsv1';
Version == 'tlsv1.1';
Version == 'tlsv1.2' ->
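Review bot: The catch-all `_ -> true` in `check_sane_openssl_dsa/1` also matches `undefined`, so a Config without an `openssl_version` entry is treated as a working OpenSSL and the DSA group runs; whether that key is always populated is not visible in this hunk. The comment above the function should say why the 1.0.x line is excluded and that a FIPS-mode OpenSSL returns false too, e.g. `%% OpenSSL 1.0.x passes the generic interop checks but does not interop with {dsa,sha}; FIPS-mode OpenSSL is rejected as well.` As a style point, the nested `case` on a boolean can be flattened to `not is_fips(openssl, Config) andalso not lists:prefix("OpenSSL 1.0.", Ver)`, with `Ver` bound via `proplists:get_value(openssl_version, Config, "")` so a missing key keeps its current result.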
--
2.35.3