[erlang-patches] SSL Next Protocol Negotiation Patch

Ingela Anderton Andin ingela@REDACTED
Mon Dec 12 11:17:35 CET 2011


Hi!

Thank you for your contribution. We think it is interesting for
inclusion; we will take a closer look and come back to you with more
feedback (see also comments below).

Ben Murphy wrote:
> I have a branch that implements Next Protocol Negotiation for SSL
> (http://technotes.googlecode.com/git/nextprotoneg.html). The protocol
> is a requirement for SPDY which is an alternative to HTTP that Google is
> pushing.
>
> git fetch git://github.com/benmmurphy/otp.git ssl_npn
> https://github.com/benmmurphy/otp/compare/ssl_npn
> https://github.com/benmmurphy/otp/compare/ssl_npn.patch
>
> I ran the SSL tests against 'OpenSSL 0.9.8r 8 Feb 2011' and they all
> passed but my npn tests were skipped because that version does not
> support npn. When I ran my tests against 'OpenSSL SNAP-20111130' my
> npn tests ran fine but another test failed
> (erlang_server_openssl_client_no_wrap_sequence_number). 
Yes, apparently the behavior of openssl has changed and the test case
should be rewritten. Our corresponding test case for erlang client vs
erlang server will explicitly turn off the reuse_session capability in
the client. It is also possible to make the erlang-server reject the
suggested reuse of the session; maybe that will be the best way. The
reason we do not want to reuse sessions here is to make the test case
code simpler. As this is not related to your patch we will see to this.

> If I run
> master against that version of OpenSSL that test fails as well. It
> appears that OpenSSL client for that version will send the current
> session id as the suggested session id and this results in the session
> id not changing during renegotiation. Also, some of the openssl NPN
> tests will fail if they are run with a version of openssl that
> supports NPN and has a broken NPN renegotiation implementation. I
> think the 1.0.x series is like this. (change set where it was fixed in
> openssl: http://cvs.openssl.org/chngview?cn=21760)

The sane thing to do here is to skip the test cases for those
openssl-versions. It would not be the first time.

Regards Ingela Erlang/OTP team - Ericsson AB



