Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

spike: test for pkcs12 #73

Draft
wants to merge 12 commits into
base: develop
Choose a base branch
from
Draft

spike: test for pkcs12 #73

wants to merge 12 commits into from

Conversation

filfreire
Copy link
Member

@filfreire filfreire commented Nov 26, 2024

Related to INS-4508

Trying to have a reproduction on the tests.

Investigation

image

Related to image above, maybe we are close ? The legacy related ciphers seem to be included now in the build when openssl is being built, but it doesn't seem to be useful for curl itself

  • MacOS and Windows both fail
  • MacOS Electron one doesn't fail because tests are skipped for that one
  • Electron+Windows test run - it's not possible to setup the NODE_OPTIONS flag required for the test express server - but if the test passes on the NodeJS + Windows build - it should be ok

Ideas to explore

  • Find where in the curl codebase the openssl calls to parse the certificate file happen, and see if there's extra work we need to do to include the built legacy openssl files
  • Try with a different .P12 file for the test server and client; the current on in this PR (example.p12) is using an old RC2 cipher, which limits what we can test on electron side since it requires the special NODE_OPTIONS flag; maybe modern ciphers work and we just concede the format working with modern versions

Suggestion

We should go with Option B and C of INS-4508

Even if we find a way to enable legacy and weak ciphers on openssl and make it work for libcurl - we are going down a path where we need to maintain curl-for-windows submodule - and on top of that - keep each submodule in that repository, like curl, openssl, brotli, .... up-to-date on Windows, just to have parity between curl version used for MacOS and Linux and the one used for Windows.

Not even curl supports this it seems, looking at curl/curl#8966 - so we should probably avoid going this route.

related research

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant