[Pkg-openssl-devel] Bug#1008056: buster-pu: package libnet-ssleay-perl/1.85-2.1

Adrian Bunk bunk at debian.org
Mon Mar 21 15:55:00 GMT 2022


On Mon, Mar 21, 2022 at 05:46:21PM +0200, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org at packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>, Debian OpenSSL Team <pkg-openssl-devel at alioth-lists.debian.net>
> 
>   * Backport upstream fix for test failures with OpenSSL 1.1.1n.
>     (Closes: #1008055)
> 
> The fix touches only tests and documentation:
>  b/lib/Net/SSLeay.pod                        |    4 -
>  b/t/data/test_CA1_2048.crt.pem              |   20 ++++++
>  b/t/data/test_CA1_2048.key.pem              |   28 ++++++++
>  b/t/data/testcert_key_2048.pem.e            |   30 +++++++++
>  b/t/data/testcert_wildcard_CA1_2048.crt.pem |   89 ++++++++++++++++++++++++++++
>  b/t/local/05_passwd_cb.t                    |    2
>  b/t/local/07_sslecho.t                      |   52 +++++++++-------
>  b/t/local/08_pipe.t                         |    6 -
>  b/t/local/36_verify.t                       |    8 +-
>  b/t/local/40_npn_support.t                  |    4 -
>  b/t/local/41_alpn_support.t                 |    4 -
>  b/t/local/42_info_callback.t                |    4 -
>  b/t/local/50_digest.t                       |   24 +------
>  b/t/local/61_threads-cb-crash.t             |    2
>  b/t/local/64_ticket_sharing.t               |    9 +-
>  t/data/cert.pem                             |   23 -------
>  t/data/key.pem                              |   15 ----
>  t/data/key.pem.e                            |   17 -----
>  18 files changed, 221 insertions(+), 120 deletions(-)

And here comes the missing attachment with the diff.

cu
Adrian

-------------- next part --------------
diff -Nru libnet-ssleay-perl-1.85/debian/changelog libnet-ssleay-perl-1.85/debian/changelog
--- libnet-ssleay-perl-1.85/debian/changelog	2018-09-02 23:19:51.000000000 +0300
+++ libnet-ssleay-perl-1.85/debian/changelog	2022-03-21 17:36:31.000000000 +0200
@@ -1,3 +1,11 @@
+libnet-ssleay-perl (1.85-2.1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport upstream fix for test failures with OpenSSL 1.1.1n.
+    (Closes: #1008055)
+
+ -- Adrian Bunk <bunk at debian.org>  Mon, 21 Mar 2022 17:36:31 +0200
+
 libnet-ssleay-perl (1.85-2) unstable; urgency=medium
 
   [ Damyan Ivanov ]
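Review bot: the new changelog entry does not say what the backport touches or which patch carries it. The cover mail states that the fix changes only tests and documentation, and the patch is upstream commit d7b8428e; putting both facts into the entry (for example by naming 0001-Use-2048-bit-RSA-keys-certificates-in-tests.patch) lets a release-team reviewer judge the risk from the changelog alone. The entry also ties the failures to OpenSSL 1.1.1n, while the upstream commit message only discusses security level 2 rejecting 1024-bit keys; one clause connecting the two would help.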
diff -Nru libnet-ssleay-perl-1.85/debian/patches/0001-Use-2048-bit-RSA-keys-certificates-in-tests.patch libnet-ssleay-perl-1.85/debian/patches/0001-Use-2048-bit-RSA-keys-certificates-in-tests.patch
--- libnet-ssleay-perl-1.85/debian/patches/0001-Use-2048-bit-RSA-keys-certificates-in-tests.patch	1970-01-01 02:00:00.000000000 +0200
+++ libnet-ssleay-perl-1.85/debian/patches/0001-Use-2048-bit-RSA-keys-certificates-in-tests.patch	2022-03-21 17:36:17.000000000 +0200
@@ -0,0 +1,714 @@
+From d7b8428e7810f5e1729a197a076df0226b509fab Mon Sep 17 00:00:00 2001
+From: Chris Novakovic <chris at chrisn.me.uk>
+Date: Wed, 1 May 2019 10:24:02 +0100
+Subject: Use 2048-bit RSA keys/certificates in tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The test suite makes heavy use of t/data/key.pem and t/data/cert.pem,
+which involves the use of 1024-bit RSA keys. Several Linux distributions
+now ship with an OpenSSL configuration file that sets the security level
+to 2 by default, which forbids the use of keys this short, causing tests
+that use them to fail.
+
+The test suite includes 2048-bit RSA keys and certificates
+(t/data/testcert_key_2048.pem and t/data/testcert_wildcard.crt.pem
+respectively), which are already in use in some (usually newer) tests.
+Retire the 1024-bit keys in favour of the 2048-bit keys:
+
+* Replace all remaining uses of t/data/key.pem in the test suite with
+  t/data/testcert_key_2048.pem.
+* Create t/data/testcert_key_2048.pem.e (testcert_key_2048.pem encrypted
+  with AES-256-CBC using the passphrase "secret") and replace all
+  remaining uses of t/data/key.pem.e in the test suite with
+  testcert_key_2048.pem.e.
+* Replace all remaining uses of t/data/cert.pem in the test suite with
+  t/data/testcert_wildcard.crt.pem.
+* Create 2048-bit CA key at t/data/test_CA1_2048.key.pem and
+  certificates at t/data/test_CA1_2048.crt.pem and
+  t/data/testcert_wildcard_CA1_2048.crt.pem, and use them in
+  t/local/07_sslecho.t and t/local/36_verify.t in place of the 1024-bit
+  CA keys/certificates. Thanks to Heikki Vatiainen for debugging and
+  fixing this.
+* Remove the digest check for t/data/cert.pem in t/local/50_digest.t
+  altogether: the same digests for t/data/binary-test.file are already
+  tested, and it's not clear what benefit another one provides.
+* In t/local/07_sslecho.t, don't make assumptions about the chain of
+  trust for the certificates being used; this breaks the tests when
+  keys/certificates other than the old 1024-bit ones are used. Thanks to
+  Heikki Vatiainen for debugging and fixing this.
+* Remove references to t/data/key.pem and t/data/cert.pem from the
+  Net::SSLeay documentation (they probably shouldn't have been there
+  anyway).
+* Remove the calls to Net::SSLeay::CTX_set_security_level(..., 1) from
+  all tests that used t/data/key.pem and t/data/cert.pem, since the new
+  key/certificate will work at security level 2, and no OS is currently
+  known to mandate a higher security level than this - setting the
+  security level in this way was a temporary fix for this problem, added
+  in commit d0ee5d91.
+
+This fixes RT#126270 and the remainder of RT#128025. Thanks to Petr
+Písař and Slaven Rezić for the reports.
+---
+ lib/Net/SSLeay.pod                        |  4 +-
+ t/data/cert.pem                           | 23 ------
+ t/data/key.pem                            | 15 ----
+ t/data/key.pem.e                          | 17 -----
+ t/data/test_CA1_2048.crt.pem              | 20 +++++
+ t/data/test_CA1_2048.key.pem              | 28 +++++++
+ t/data/testcert_key_2048.pem.e            | 30 ++++++++
+ t/data/testcert_wildcard_CA1_2048.crt.pem | 89 +++++++++++++++++++++++
+ t/local/05_passwd_cb.t                    |  2 +-
+ t/local/07_sslecho.t                      | 52 +++++++------
+ t/local/08_pipe.t                         |  6 +-
+ t/local/36_verify.t                       |  8 +-
+ t/local/40_npn_support.t                  |  4 +-
+ t/local/41_alpn_support.t                 |  4 +-
+ t/local/42_info_callback.t                |  4 +-
+ t/local/50_digest.t                       | 24 +-----
+ t/local/61_threads-cb-crash.t             |  2 +-
+ t/local/64_ticket_sharing.t               |  9 +--
+ 18 files changed, 221 insertions(+), 120 deletions(-)
+ delete mode 100644 t/data/cert.pem
+ delete mode 100644 t/data/key.pem
+ delete mode 100644 t/data/key.pem.e
+ create mode 100644 t/data/test_CA1_2048.crt.pem
+ create mode 100644 t/data/test_CA1_2048.key.pem
+ create mode 100644 t/data/testcert_key_2048.pem.e
+ create mode 100644 t/data/testcert_wildcard_CA1_2048.crt.pem
+
+diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod
+index be3d665..1219535 100644
+--- a/lib/Net/SSLeay.pod
++++ b/lib/Net/SSLeay.pod
+@@ -8063,7 +8063,7 @@ Simple approach for using NPN support looks like this:
+  Net::SSLeay::initialize();
+  my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+  Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+- Net::SSLeay::set_cert_and_key($ctx, "t/data/cert.pem", "t/data/key.pem");
++ Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
+  Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, ['spdy/2','http1.1']);
+  my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
+  
+@@ -8232,7 +8232,7 @@ With ALPN, the most basic implementation looks like this:
+  Net::SSLeay::initialize();
+  my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+  Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+- Net::SSLeay::set_cert_and_key($ctx, "t/data/cert.pem", "t/data/key.pem");
++ Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
+  Net::SSLeay::CTX_set_alpn_select_cb($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+  my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
+ 
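Review bot: the ALPN example still has an unterminated string in the unchanged context line `['http/1.1', 'http/2.0', 'spdy/3]`, so the documented snippet does not compile as Perl; since this hunk already edits the line above it, closing the quote on `'spdy/3'` here would be cheap. The new bare `"cert.pem", "key.pem"` arguments in both POD examples would also benefit from a short sentence saying they are placeholders for the reader's own certificate and key.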
+diff --git a/t/data/cert.pem b/t/data/cert.pem
+deleted file mode 100644
+index f9ebbf1..0000000
+--- a/t/data/cert.pem
++++ /dev/null
+@@ -1,23 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIID7DCCA1WgAwIBAgIJAMGt8vPHln6wMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD
+-VQQGEwJQTDEhMB8GA1UECBMYUGVvcGxlcyBSZXB1YmxpYyBvZiBQZXJsMQ4wDAYD
+-VQQHEwVOZXQ6OjEUMBIGA1UEChMLTmV0OjpTU0xlYXkxHzAdBgNVBAsTFk5ldDo6
+-U1NMZWF5IGRldmVsb3BlcnMxEjAQBgNVBAMTCTEyNy4wLjAuMTEeMBwGCSqGSIb3
+-DQEJARYPcmFmbEBkZWJpYW4ub3JnMB4XDTA2MDcxNDAyMjU0OFoXDTE2MDcxMTAy
+-MjU0OFowgasxCzAJBgNVBAYTAlBMMSEwHwYDVQQIExhQZW9wbGVzIFJlcHVibGlj
+-IG9mIFBlcmwxDjAMBgNVBAcTBU5ldDo6MRQwEgYDVQQKEwtOZXQ6OlNTTGVheTEf
+-MB0GA1UECxMWTmV0OjpTU0xlYXkgZGV2ZWxvcGVyczESMBAGA1UEAxMJMTI3LjAu
+-MC4xMR4wHAYJKoZIhvcNAQkBFg9yYWZsQGRlYmlhbi5vcmcwgZ8wDQYJKoZIhvcN
+-AQEBBQADgY0AMIGJAoGBALmepX0NR6d7PL576bH95Y4QYlMdbIB/AD8j1+Lb4t9s
+-xarNhUh1BeloaEktxIKhVIYW7F8NTQC852zULg9bJkKO9DOgr6AO6gBhu2+NCJsq
+-8oSUEDfAbUzbxdweMHzHjBrvNRaVyhHYebtok+/a+1rqACHRRjE06D2YLl3lW2uD
+-AgMBAAGjggEUMIIBEDAdBgNVHQ4EFgQUYL9/vBs4R9mn8bOgubigAZpN3KAwgeAG
+-A1UdIwSB2DCB1YAUYL9/vBs4R9mn8bOgubigAZpN3KChgbGkga4wgasxCzAJBgNV
+-BAYTAlBMMSEwHwYDVQQIExhQZW9wbGVzIFJlcHVibGljIG9mIFBlcmwxDjAMBgNV
+-BAcTBU5ldDo6MRQwEgYDVQQKEwtOZXQ6OlNTTGVheTEfMB0GA1UECxMWTmV0OjpT
+-U0xlYXkgZGV2ZWxvcGVyczESMBAGA1UEAxMJMTI3LjAuMC4xMR4wHAYJKoZIhvcN
+-AQkBFg9yYWZsQGRlYmlhbi5vcmeCCQDBrfLzx5Z+sDAMBgNVHRMEBTADAQH/MA0G
+-CSqGSIb3DQEBBQUAA4GBABBpVOWkoAuAdcYhd9FCbeXXluZ8eECV5x2tnCVl52F5
+-59M9r4C47Hacdx/B62YkrIo5i0Q7Ppjln+Iq4hdzoqAwnlqpm3hYs/W+BSh77P3b
+-3Tuzcp4K4nlidow/1/leUf9H/MJIbj0qS8ZNp6SvRt/D+PXl0TWKeQIgw3WkT+ea
+------END CERTIFICATE-----
+diff --git a/t/data/key.pem b/t/data/key.pem
+deleted file mode 100644
+index abc7faa..0000000
+--- a/t/data/key.pem
++++ /dev/null
+@@ -1,15 +0,0 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXQIBAAKBgQC5nqV9DUenezy+e+mx/eWOEGJTHWyAfwA/I9fi2+LfbMWqzYVI
+-dQXpaGhJLcSCoVSGFuxfDU0AvOds1C4PWyZCjvQzoK+gDuoAYbtvjQibKvKElBA3
+-wG1M28XcHjB8x4wa7zUWlcoR2Hm7aJPv2vta6gAh0UYxNOg9mC5d5VtrgwIDAQAB
+-AoGBAIl4hoW0BSJz8gv9R5nMOWvalIeL3iTYaj1Y9XWNdlwUedzC83gzOxqfecTg
+-wY4hn7DjX1ISTrpCLX97MVWsIwuY4ltmPykoPtVShZvpVF48H8CUqeY9q8zUybpI
+-w1MS010A4+mvIJjbOukerKiIIueCEo+WmVaM9wnke4R3CRyJAkEA9tnCKwgm+EON
+-LMWdM7ANTWzBbp1K51fgyceGPfTurakXfivz7xFKaXWQwICj1cyvgKoXPYqkb+8C
+-vOu/qLbMXQJBAMB/5g5SaBJEbHWKGhB5bmwmota+LgZtRiJcsABCqm3Bvm+qMG12
+-U+/22Nv0b49LJGuj/2ZiZFGrG3oNXmjKmV8CQCeACvEF2e6KKLIMYS5fMpG8IGvJ
+-4a2JQ2AmfFW3tuW1FBxNfjg4JRchB+u16gGRQlgtX5CqecurjF2cv8uIjMUCQHyp
+-FwnFUgIqb3Z61cA/c0P0jVW12UZuM5IDJjM0+PuVEUdtFml8zITE/dELbceFKPPQ
+-Q5BBPagpv+R9jdsdAM8CQQDwsZea0tdwI1QevKCu0qoR/+Uu3MtoiyC3GGYoXMFK
+-CS+3apsVr26N555UngM+gk18N1wpiBY5L/rlPd6XiQ47
+------END RSA PRIVATE KEY-----
+diff --git a/t/data/key.pem.e b/t/data/key.pem.e
+deleted file mode 100644
+index 04d8745..0000000
+--- a/t/data/key.pem.e
++++ /dev/null
+@@ -1,17 +0,0 @@
+------BEGIN ENCRYPTED PRIVATE KEY-----
+-MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFe4I0QEObHsCAggA
+-MBQGCCqGSIb3DQMHBAgHBvJrPU9U8wSCAoCkU4ujuUqqzCPpTCWMjdvohENVjF5p
+-bEt31lo+IP/eVCdJLd3sbQhmv0JjTAE2CGnYlapF28WS2ZCCZfSEkNyY4yI/1Cqa
+-VdHEJ+7QzVkDQJkYmgvXOFJbEXW7uY5TFsI4MFm1bXwAiU7ZXq1kQt3amMGKdUEG
+-uGNf1D3OH2RTRfdPZSZYI0WQjLbj4q2v1winMU4Kf0Y0LNNYEsiReFzyKAxwCZ0q
+-01aoNxga7cSWTnwzwXvzgev2rjx2t/0cxK/IrUyVAk97po7jYZ09ug8MRS7mXi0x
+-t9zsTK9GRKSazlUdJlHOn0QmC5deDBUmOdYWFSSsKGTTOZeBr29UtcdNzMPNVpOs
+-pHVUVZRBfLWUDeXSksTVhOAcf06NzkhTJ9mcKUqao++pTQgeKJke4/9QL+mqMDNL
+-4KKn0VQbAbaWupTYVLLG8V4WdSQOoCZQbD86Ss8mFX2oRoB9PBe4hbTrHkCdMuHm
+-XjfPAU8Z5ys+IQAcRbVAbOGPoFjGMEwFxl8bn1JTSWhbBDATdbyvstpmlTIsGuBH
+-7tRU68UFK8pIPCX9MNQkpdAq6Yzl3H05mKyoJqYrYnX9xlqOVhgkHv35RWkxfnyz
+-efnOMzAHn22h2hqCuxqLydyMSKlE0x9jDAgEChTKzwZCg0D461G3aj3b9MG7QvKz
+-+sOI5+28g+wpVuv+6DNFgizOlndyY6Y8+lU4k87UeL1Mc/lcZMB60hj4ZkEYoGyK
+-s0UHtqaq82XlZf3OL3aouQojGBw9DGo/1KWISuM1I3ZCxlqh1uEG3rMnaSTjI6Ao
+-yClYz274wOXPOhvfcoczs9++IXzltKzuFZeLJ0K+gsKTlk+eGhN0lzav
+------END ENCRYPTED PRIVATE KEY-----
+diff --git a/t/data/test_CA1_2048.crt.pem b/t/data/test_CA1_2048.crt.pem
+new file mode 100644
+index 0000000..60ff867
+--- /dev/null
++++ b/t/data/test_CA1_2048.crt.pem
+@@ -0,0 +1,20 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/t/data/test_CA1_2048.key.pem b/t/data/test_CA1_2048.key.pem
+new file mode 100644
+index 0000000..c0e7b86
+--- /dev/null
++++ b/t/data/test_CA1_2048.key.pem
+@@ -0,0 +1,28 @@
++-----BEGIN PRIVATE KEY-----
++MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNkyxfKyFBquVq
++YpoAPf9+CCkM+vbXpK03cnzXgShKr6DKobLCra1E4QdnZCQkQofeTlbJJA0oSpr3
++P7rJIV0I9xOG8yvCZbQrkdxeYiCNKvpEZqxenYsXd8vN3hRB4gl+wa9kEuambd3L
++UyBY8yU1B2LKCu+r1cN60Q9Ch+Fabcg+MLban/gbIt7nFRpBQHMCAZzKZj4q1j4P
++OpIzaieXSJoiKuy4B0VpsDF4C+LEJjBHDw4h9ujN+nYrB6tc9W+BeNESevTtz9Fa
++fB+l9LDEmbygHwgeXaPgedDxlNZQrYoqaLYQfqVl6bEEy/Rt/D4NKoK9eUMfqGqa
++F77e7li3AgMBAAECggEAbjUeLo7yrz+s6dGeec7C74/0Ye8Q8h5odjc8UlP9g7yP
++2NHDAbcWEr0IuRbogT/hkv4wbHiVTSph1Xcm7bijJbE/mLM4nGjlpA34M+krRkLq
++FE1uzvJqpNQmQGF0PrWtHXU8T8wKNuLjaqNPzh/brIgfH+2o+1gICgmVwrcRyuXl
++zAkAQPkFDabDwfy7c1JlJhA+LbZmUD6knuT/N4xpVly/D15i3CB8U8gGpuGvA8h8
++oUG107jJ/wN5WV7ILA8r01AbUOW1sT59bP6XtXtOrit40NVRJAeAeeUdxK/lTxeA
++mgpgHwefkXnsuOOGGro3qtbl+wX+iLs1EcUkVvSn4QKBgQDreN2ujEXJarjqK49q
++d4l4lQW2BlRUqIUkyylUGvdDP6ECExJAaaw2Lj+IAXS9nsr/0QwD7Qsrfg1y5pzq
++zj+YBI+rlZmyv8nklm8HfpGsVc7XwZbRSoL9IeRfgSQYGK6Rbo4usaWeTFJO6JFY
++ZzhUjMaX+tqdQUS+i4LCwRd1OQKBgQDffxPmrBqwR6qEh/1CqqWPcZB0XrKP8Ken
++mgF9EzhJ0lPkY+21+omwZ7lkPGYbw9MA8ObRrtyDVByxN2NSyga8b/S95a4LpDi8
++Oker+sWoxhjScnHf0XlcG2pTIRgVELdoLNgFZnTk0RhwNfZyAuL2vZANUBep2zqb
++gn4IKuOtbwKBgCCG8LB05gr9uA949vWxD4ddpo1PcITFRqcffVUF6JQcjQQ5WDMX
++pddSKiqCcPrknYwa93rvWrSmU/tESfbRiM1aC/Ka1sFvZtcxxKKXZE4XCFybfFbq
++4Q9QiDh9IVxGxI6IZBGlLoigaFpIHBPHJmvfimtiFqLUakecA/MdMz1ZAoGBANDR
++mhWPvkvwWfkEWnRcnt38nJyuEiZ9Exh8w2FKgPAwjWO6nlLGaLmi4EwwRrMwb0jU
++zMUjnTMzdq958dpbmpmb/U8kd063PK9ZwLeGUgIUPQL8HTujK8IMd3Z+WFLuUH8M
++TzYUeamFWFEXilESM1+Y1CwsJj/07rh33yvgbuQPAoGANM7ls/vt0i4qEhKBFZ/i
++kOhjnOruKPtWw/8Q3LYLIxlvAn8gJGnSADsGiENIoTwsYSoXRsYQ3X2vdzComeF4
++fI7uXB7pllosN5jeeTpReiOL+hF47j8R/kxqMOPn6VdfMrmlS26l6CF3gVJU2roR
++KcMQGzOuxPxshAH2bhdPR78=
++-----END PRIVATE KEY-----
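Review bot: `t/data/test_CA1_2048.key.pem` is added as an unencrypted `PRIVATE KEY` for the CA that signs the new test leaf, so anyone with the source can issue certificates under `C = US, O = Demo1, CN = CA1`. That is normal for a test fixture, but it should be stated next to the file (a short README in t/data, or a comment in the tests that load `test_CA1_2048.crt.pem`) that this CA is test-only and must never be added to a trust store, and it is worth confirming that nothing under t/data ends up in the binary package.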
+diff --git a/t/data/testcert_key_2048.pem.e b/t/data/testcert_key_2048.pem.e
+new file mode 100644
+index 0000000..271549e
+--- /dev/null
++++ b/t/data/testcert_key_2048.pem.e
+@@ -0,0 +1,30 @@
++-----BEGIN RSA PRIVATE KEY-----
++Proc-Type: 4,ENCRYPTED
++DEK-Info: AES-256-CBC,E28DC531E35ECB89F4E70551770E28DD
++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-----END RSA PRIVATE KEY-----
+diff --git a/t/data/testcert_wildcard_CA1_2048.crt.pem b/t/data/testcert_wildcard_CA1_2048.crt.pem
+new file mode 100644
+index 0000000..bd7f916
+--- /dev/null
++++ b/t/data/testcert_wildcard_CA1_2048.crt.pem
+@@ -0,0 +1,89 @@
++Certificate:
++    Data:
++        Version: 3 (0x2)
++        Serial Number: 137858712322 (0x2019050302)
++        Signature Algorithm: sha256WithRSAEncryption
++        Issuer: C = US, O = Demo1, CN = CA1
++        Validity
++            Not Before: May  2 21:25:06 2019 GMT
++            Not After : May  3 21:25:06 2034 GMT
++        Subject: C = US, ST = State, L = City, O = Company, OU = Unit, CN = *.example.com, emailAddress = wildcard at example.com
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                RSA Public-Key: (2048 bit)
++                Modulus:
++                    00:bd:5e:c6:d8:01:f5:cf:85:fe:eb:9b:60:dd:e8:
++                    8a:98:09:59:5a:71:fc:a2:ad:38:73:0a:cd:d9:5e:
++                    d5:6d:23:2e:01:4e:b0:c7:12:eb:8a:8e:08:80:9b:
++                    83:68:c0:b9:fd:b8:04:30:0b:15:fd:36:a9:a1:90:
++                    0a:30:8f:6d:5f:81:12:17:b7:90:1f:41:30:7a:85:
++                    29:07:69:56:ec:d3:58:9e:59:22:f6:38:20:0d:92:
++                    45:99:79:c4:1e:21:6a:53:1c:52:34:b1:d5:0c:4e:
++                    41:15:5a:41:93:75:13:e0:fd:01:8c:f8:e2:34:2d:
++                    70:9c:78:03:fb:26:a9:fe:c4:cb:5a:bc:1a:eb:9d:
++                    3f:7c:2e:3e:9a:2c:60:67:fe:49:6d:38:38:85:72:
++                    8d:ba:29:bb:cd:c9:98:67:a2:d6:e2:7c:11:07:99:
++                    89:37:2c:c3:c3:0e:54:fd:12:01:f8:9e:a0:1e:df:
++                    e9:8f:55:74:1a:2e:f6:1d:ce:57:a3:d5:65:be:af:
++                    f2:1a:8c:ea:42:e7:f8:ea:ab:45:10:e8:b2:1f:f7:
++                    af:64:8d:f5:b4:ca:86:24:d3:96:0b:83:f3:89:ff:
++                    3c:96:a7:56:25:59:2d:7c:e1:80:08:94:52:53:71:
++                    8a:d6:7e:2d:4e:5c:82:95:2f:a0:62:78:59:65:06:
++                    01:b7
++                Exponent: 65537 (0x10001)
++        X509v3 extensions:
++            X509v3 Basic Constraints: critical
++                CA:FALSE
++            X509v3 Extended Key Usage: 
++                TLS Web Server Authentication, TLS Web Client Authentication
++            X509v3 Certificate Policies: 
++                Policy: 1.2.4.5
++                Policy: 1.1.3.4
++
++            X509v3 Subject Alternative Name: 
++                DNS:*.example.com, email:wildcard at example.com, IP Address:10.20.30.40, IP Address:2001:DB8:148:100:0:0:0:31
++            X509v3 Subject Key Identifier: 
++                4B:42:86:BA:E2:BE:3D:40:0D:11:1D:66:E7:BE:94:39:B2:84:D3:06
++            X509v3 Authority Key Identifier: 
++                keyid:04:AA:D2:DA:BA:F8:27:37:1F:CC:D1:5D:E6:35:D6:1A:B0:FF:A3:9E
++
++    Signature Algorithm: sha256WithRSAEncryption
++         41:ac:0b:fc:0c:dc:8c:d7:85:3e:53:56:79:ce:c0:21:dc:0a:
++         d4:ac:f5:82:2e:fb:3e:b2:6c:3f:b7:dd:c4:7c:f8:03:d5:df:
++         4c:b0:38:b9:4d:85:5f:92:8e:ce:c4:b9:97:38:86:51:b4:4c:
++         46:5d:87:34:df:ae:c0:42:df:0c:dc:7b:16:19:08:88:70:2c:
++         27:e8:4c:b7:9b:0a:07:a9:ee:39:94:0d:a3:21:fe:e0:da:ff:
++         f6:67:cd:9d:fc:f8:a8:32:5b:14:c9:aa:b2:f6:17:1a:74:06:
++         f8:46:67:de:5d:b4:63:e7:31:c6:7e:89:af:67:cc:c2:2c:f8:
++         82:4a:a4:df:63:5d:e4:0f:22:d6:17:33:07:f6:9b:cb:82:23:
++         38:ad:9c:6f:f3:28:8b:90:62:26:a1:ab:41:bf:28:9b:8f:cf:
++         30:9f:ff:41:47:ad:f9:88:91:97:e7:de:5c:3f:61:90:65:b7:
++         29:15:e5:72:fb:41:37:d9:3c:d7:ed:a4:9e:63:66:70:c9:f9:
++         29:c6:63:da:87:cd:80:0f:a3:54:57:20:db:d8:10:6a:69:da:
++         e2:57:9e:24:1e:1a:36:0f:4b:a6:4f:8d:dc:4c:a4:8c:16:52:
++         a1:4d:71:9a:f8:f0:4d:9b:d9:7f:76:51:74:40:9d:68:21:0a:
++         09:2c:9f:1c
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
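Review bot: the leaf certificate has a fixed `Not After : May  3 21:25:06 2034 GMT`, so every test that verifies it against `test_CA1_2048.crt.pem` has a built-in expiry date. Recording how the certificate was generated (the CA key is in the tree, so it can be re-issued) would make the later refresh mechanical; the serial `0x2019050302` and the SHA-1 fingerprint hard-coded in t/local/07_sslecho.t will need to be updated together with it.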
+diff --git a/t/local/05_passwd_cb.t b/t/local/05_passwd_cb.t
+index ea317db..e9388d2 100644
+--- a/t/local/05_passwd_cb.t
++++ b/t/local/05_passwd_cb.t
+@@ -11,7 +11,7 @@ Net::SSLeay::load_error_strings();
+ Net::SSLeay::add_ssl_algorithms();
+ Net::SSLeay::OpenSSL_add_all_algorithms();
+ 
+-my $key_pem = File::Spec->catfile('t', 'data', 'key.pem.e');
++my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem.e');
+ my $key_password = 'secret';
+ my $cb_1_calls = 0;
+ my $cb_2_calls = 0;
+diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t
+index 99f2dba..c2b2ae2 100644
+--- a/t/local/07_sslecho.t
++++ b/t/local/07_sslecho.t
+@@ -13,7 +13,7 @@ BEGIN {
+   plan skip_all => "fork() not supported on $^O" unless $Config{d_fork};
+ }
+ 
+-plan tests => 79;
++plan tests => 81;
+ $SIG{'PIPE'} = 'IGNORE';
+ 
+ my $sock;
+@@ -25,12 +25,15 @@ my $dest_serv_params  = sockaddr_in($port, $dest_ip);
+ my $port_trials = 1000;
+ 
+ my $msg = 'ssleay-test';
+-my $cert_pem = File::Spec->catfile('t', 'data', 'cert.pem');
+-my $key_pem = File::Spec->catfile('t', 'data', 'key.pem');
++my $ca_cert_pem = File::Spec->catfile('t', 'data', 'test_CA1_2048.crt.pem');
++my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard_CA1_2048.crt.pem');
++my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ 
+ my $cert_name = (Net::SSLeay::SSLeay >= 0x0090700f) ?
+-                '/C=PL/ST=Peoples Republic of Perl/L=Net::/O=Net::SSLeay/OU=Net::SSLeay developers/CN=127.0.0.1/emailAddress=rafl at debian.org' :
+-                '/C=PL/ST=Peoples Republic of Perl/L=Net::/O=Net::SSLeay/OU=Net::SSLeay developers/CN=127.0.0.1/Email=rafl at debian.org';
++                '/C=US/ST=State/L=City/O=Company/OU=Unit/CN=*.example.com/emailAddress=wildcard at example.com' :
++                '/C=US/ST=State/L=City/O=Company/OU=Unit/CN=*.example.com/Email=wildcard at example.com';
++my $cert_issuer = '/C=US/O=Demo1/CN=CA1';
++my $cert_sha1_fp = '91:41:FD:7D:99:02:2E:70:91:53:EF:C6:F3:F8:9D:E2:CF:B0:5F:0C';
+ 
+ $ENV{RND_SEED} = '1234567890123456789012345678901234567890';
+ 
+@@ -59,7 +62,6 @@ Net::SSLeay::library_init();
+ 
+     my $ctx = Net::SSLeay::CTX_new();
+     ok($ctx, 'CTX_new');
+-    Net::SSLeay::CTX_set_security_level($ctx, 1) if exists &Net::SSLeay::CTX_set_security_level;
+     ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list');
+     my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+     ok($errs eq '', "set_cert_and_key: $errs");
+@@ -87,7 +89,6 @@ Net::SSLeay::library_init();
+ 
+             my $ssl = Net::SSLeay::new($ctx);
+             ok($ssl, 'new');
+-            Net::SSLeay::set_security_level($ssl, 1) if exists &Net::SSLeay::set_security_level;
+ 
+             ok(Net::SSLeay::set_fd($ssl, fileno($ns)), 'set_fd using fileno');
+             ok(Net::SSLeay::accept($ssl), 'accept');
+@@ -155,10 +156,8 @@ my @results;
+     my $verify_cb_2_called = 0;
+     my $verify_cb_3_called = 0;
+     {
+-        my $cert_dir = 't/data';
+-
+         my $ctx = Net::SSLeay::CTX_new();
+-        push @results, [ Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir), 'CTX_load_verify_locations' ];
++        push @results, [ Net::SSLeay::CTX_load_verify_locations($ctx, $ca_cert_pem, ''), 'CTX_load_verify_locations' ];
+         Net::SSLeay::CTX_set_verify($ctx, &Net::SSLeay::VERIFY_PEER, \&verify);
+ 
+         my $ctx2 = Net::SSLeay::CTX_new();
+@@ -264,13 +263,13 @@ my @results;
+ 
+     sub verify {
+         my ($ok, $x509_store_ctx) = @_;
+-	return 1 unless $ok; # openssl 1.0 calls us twice with ok = 0 then ok = 1
+ 
++        # Skip intermediate certs but propagate possible not ok condition
++        my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
++        return $ok unless $depth == 0;
+ 
+         $verify_cb_1_called++;
+ 
+-        push @results, [ $ok, 'verify cb' ];
+-
+         my $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
+         push @results, [ $cert, 'verify cb cert' ];
+ 
+@@ -284,31 +283,40 @@ my @results;
+ 
+ 	my $fingerprint =  Net::SSLeay::X509_get_fingerprint($cert, 'SHA-1');
+ 
+-        push @results, [ $issuer  eq $cert_name, 'cert issuer'  ];
++        push @results, [ $ok == 1, 'verify is ok' ];
++        push @results, [ $issuer eq $cert_issuer, 'cert issuer' ];
+         push @results, [ $subject eq $cert_name, 'cert subject' ];
+         push @results, [ substr($cn, length($cn) - 1, 1) ne "\0", 'tailing 0 character is not returned from get_text_by_NID' ];
+-        push @results, [ $fingerprint  eq '96:9F:25:FD:42:A7:FC:4D:8B:FF:14:76:7F:2E:07:AF:F6:A4:10:96', 'SHA-1 fingerprint'  ];
++        push @results, [ $fingerprint eq $cert_sha1_fp, 'SHA-1 fingerprint' ];
+ 
+         return 1;
+     }
+ 
+     sub verify2 {
+         my ($ok, $x509_store_ctx) = @_;
+-	return 1 unless $ok;# openssl 1.0 calls us twice with ok = 0 then ok = 1
++
++        # Skip intermediate certs but propagate possible not ok condition
++        my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
++        return $ok unless $depth == 0;
++
+         $verify_cb_2_called++;
+-        return 1;
++        push @results, [ $ok == 1, 'verify 2 is ok' ];
++        return $ok;
+     }
+ 
+     sub verify3 {
+         my ($ok, $x509_store_ctx) = @_;
+-	return 1 unless $ok;# openssl 1.0 calls us twice with ok = 0 then ok = 1
++
++        # Skip intermediate certs but propagate possible not ok condition
++        my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
++        return $ok unless $depth == 0;
++
+         $verify_cb_3_called++;
+-        return 1;
++        push @results, [ $ok == 1, 'verify 3 is ok' ];
++        return $ok;
+     }
+ 
+     sub verify4 {
+-        my ($ok, $x509_store_ctx) = @_;
+-	return 1 unless $ok;# openssl 1.0 calls us twice with ok = 0 then ok = 1
+         my ($cert_store, $userdata) = @_;
+         push @results, [$userdata == 1, 'CTX_set_cert_verify_callback'];
+         return $userdata;
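Review bot: `verify` is now inconsistent with `verify2` and `verify3` at depth 0. The two later callbacks end in `return $ok;`, but `verify` keeps the unchanged `return 1;` after recording `[ $ok == 1, 'verify is ok' ]`, so a failed leaf verification would be logged as a test failure while the handshake is still told to accept the certificate. If that is intentional (to let the remaining checks run), a comment should say so; otherwise return `$ok` there as well. The removed comment also said OpenSSL 1.0 calls the callback twice with ok = 0 then ok = 1; with the early `return 1 unless $ok` gone, it is worth stating whether that behaviour can still reach the depth-0 path and change the count behind `plan tests => 81`.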
+@@ -343,7 +351,7 @@ my @results;
+     );
+ 
+     push @results, [ $subject eq $cert_name, 'get_peer_certificate subject' ];
+-    push @results, [ $issuer  eq $cert_name, 'get_peer_certificate issuer'  ];
++    push @results, [ $issuer eq $cert_issuer, 'get_peer_certificate issuer' ];
+ 
+     my $data = 'a' x 1024 ** 2;
+     my $written = Net::SSLeay::ssl_write_all($ssl, \$data);
+diff --git a/t/local/08_pipe.t b/t/local/08_pipe.t
+index 8e6ee18..f34e8b2 100644
+--- a/t/local/08_pipe.t
++++ b/t/local/08_pipe.t
+@@ -20,8 +20,8 @@ Net::SSLeay::randomize();
+ Net::SSLeay::load_error_strings();
+ Net::SSLeay::OpenSSL_add_ssl_algorithms();
+ 
+-my $cert = File::Spec->catfile(qw( t data cert.pem ));
+-my $key  = File::Spec->catfile(qw( t data key.pem  ));
++my $cert = File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem');
++my $key  = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ 
+ my $how_much = 1024 ** 2;
+ 
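Review bot: `$cert` here is `testcert_wildcard.crt.pem`, not the new `testcert_wildcard_CA1_2048.crt.pem` that 07_sslecho.t and 36_verify.t switch to. The removed lines in 36_verify.t paired `testcert_wildcard.crt.pem` with `test_CA1.crt.pem`, which the commit message counts among the 1024-bit CA material being retired from those tests. The same applies to 40_npn_support.t, 41_alpn_support.t, 42_info_callback.t and 64_ticket_sharing.t. If these tests never verify the peer chain this is harmless, but a one-line comment saying so, or using the CA1_2048-issued leaf everywhere, would avoid a second round of failures when the old CA is rejected.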
+@@ -44,7 +44,6 @@ die unless defined $pid;
+ 
+ if ($pid == 0) {
+     my $ctx = Net::SSLeay::CTX_new();
+-    Net::SSLeay::CTX_set_security_level($ctx, 1) if exists &Net::SSLeay::CTX_set_security_level;
+     Net::SSLeay::set_server_cert_and_key($ctx, $cert, $key);
+ 
+     my $ssl = Net::SSLeay::new($ctx);
+@@ -69,7 +68,6 @@ if ($pid == 0) {
+ my @results;
+ {
+     my $ctx = Net::SSLeay::CTX_new();
+-    Net::SSLeay::CTX_set_security_level($ctx, 1) if exists &Net::SSLeay::CTX_set_security_level;
+     my $ssl = Net::SSLeay::new($ctx);
+ 
+     my $rc_handle = IO::Handle->new_from_fd( fileno($rc), 'r' );
+diff --git a/t/local/36_verify.t b/t/local/36_verify.t
+index a839eeb..23bc9b3 100644
+--- a/t/local/36_verify.t
++++ b/t/local/36_verify.t
+@@ -17,9 +17,10 @@ Net::SSLeay::add_ssl_algorithms();
+ Net::SSLeay::OpenSSL_add_all_algorithms();
+ 
+ # Our CA cert and a cert signed with it
+-my $ca_pem = File::Spec->catfile('t', 'data', 'test_CA1.crt.pem');
+-my $ca_dir =  File::Spec->catfile('t', 'data');
+-my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem');
++my $ca_pem = File::Spec->catfile('t', 'data', 'test_CA1_2048.crt.pem');
++#my $ca_dir =  File::Spec->catfile('t', 'data');
++my $ca_dir =  '';
++my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard_CA1_2048.crt.pem');
+ my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ 
+ my $pm;
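Review bot: the commented-out `#my $ca_dir =  File::Spec->catfile('t', 'data');` directly above `my $ca_dir =  '';` should be dropped rather than left as dead code. In its place, a comment explaining why the CA directory is now empty (so that only `test_CA1_2048.crt.pem` is trusted and nothing else in t/data is picked up) would document the intent; `$ca_dir` is still interpolated into the test name in `load_verify_locations($ca_pem $ca_dir)`, which will now print a trailing blank.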
+@@ -233,7 +234,6 @@ sub client {
+     {
+ 	$ctx = Net::SSLeay::CTX_new();
+ 	is(Net::SSLeay::CTX_load_verify_locations($ctx, $ca_pem, $ca_dir), 1, "load_verify_locations($ca_pem $ca_dir)");
+-	Net::SSLeay::CTX_set_security_level($ctx, 1) if exists &Net::SSLeay::CTX_set_security_level;
+ 
+ 	$cl = IO::Socket::INET->new($server_addr) or BAIL_OUT("failed to connect to server: $!");
+ 
+diff --git a/t/local/40_npn_support.t b/t/local/40_npn_support.t
+index ee4fdc1..8dc258c 100644
+--- a/t/local/40_npn_support.t
++++ b/t/local/40_npn_support.t
+@@ -25,8 +25,8 @@ my $ip = "\x7F\0\0\x01";
+ my $serv_params  = sockaddr_in($port, $ip);
+ 
+ my $msg = 'ssleay-npn-test';
+-my $cert_pem = File::Spec->catfile('t', 'data', 'cert.pem');
+-my $key_pem = File::Spec->catfile('t', 'data', 'key.pem');
++my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem');
++my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ my @results;
+ Net::SSLeay::initialize();
+ 
+diff --git a/t/local/41_alpn_support.t b/t/local/41_alpn_support.t
+index 2b9b374..c01f486 100644
+--- a/t/local/41_alpn_support.t
++++ b/t/local/41_alpn_support.t
+@@ -24,8 +24,8 @@ my $ip = "\x7F\0\0\x01";
+ my $serv_params  = sockaddr_in($port, $ip);
+ 
+ my $msg = 'ssleay-alpn-test';
+-my $cert_pem = File::Spec->catfile('t', 'data', 'cert.pem');
+-my $key_pem = File::Spec->catfile('t', 'data', 'key.pem');
++my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem');
++my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ my @results;
+ Net::SSLeay::initialize();
+ 
+diff --git a/t/local/42_info_callback.t b/t/local/42_info_callback.t
+index a9d2ea6..36ffdf3 100644
+--- a/t/local/42_info_callback.t
++++ b/t/local/42_info_callback.t
+@@ -25,8 +25,8 @@ Net::SSLeay::initialize();
+ 
+ {
+     # SSL server - just handle single connect and  shutdown connection
+-    my $cert_pem = File::Spec->catfile('t', 'data', 'cert.pem');
+-    my $key_pem = File::Spec->catfile('t', 'data', 'key.pem');
++    my $cert_pem = File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem');
++    my $key_pem = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ 
+     $server = IO::Socket::INET->new( LocalAddr => '127.0.0.1', Listen => 3)
+ 	or BAIL_OUT("failed to create server socket: $!");
+diff --git a/t/local/50_digest.t b/t/local/50_digest.t
+index c181837..f223c34 100644
+--- a/t/local/50_digest.t
++++ b/t/local/50_digest.t
+@@ -2,7 +2,7 @@
+ 
+ use strict;
+ use warnings;
+-use Test::More tests => 230;
++use Test::More tests => 203;
+ use File::Spec;
+ use Net::SSLeay;
+ 
+@@ -177,23 +177,8 @@ SKIP: {
+   isnt(scalar(keys %all_digests), 0, 'non-empty digest list');
+ }
+ 
+-my $file1 = File::Spec->catfile('t', 'data', 'cert.pem'); 
+-my $results1 = {
+-        md2       => '6d89cda9599a54d03652f9464e8b6e51',
+-        md4       => 'ada352f40f1ca64f4168a8aae7c1a281',
+-        md5       => 'e060f11c6afa9e1f59a8e7c873aa3423',
+-        mdc2      => 'e9ca1fd1cfccfb450b402a0dd446db28',
+-        ripemd160 => 'cbd50056558b01b5e9ec67901b518462b5393e5b',
+-        sha       => '79de0d0cc736d98b65f5d6b3ac89e65ca8d3b2a7',
+-        sha1      => '0267dd25bbd8930c537716d972dd9ba128846428',
+-        sha224    => '5b42d5a3b16a6cee821b03c41f0428b09b70695becb0aaafbc7d6419',
+-        sha256    => '764633a51af4ef374cabb1ea859cc324680cfeff694797e90562e19ffb71ab26',
+-        sha512    => '37e3a2e84aec822922c51d4d8d37bf003e1d85f55a4bf2fae2940a5aab5b32f7601c2a9cde5b9c6391aaa4ffef1e845f11d2f0b6a37a9b2f48fb7f6469f0a51c',
+-        whirlpool => 'b2dc90dbbc60e5e2dc28de3bdeab45fb2fa6d13d86ff14908130624a242e38ecc195b3b11a7ef137b77a24e9a0ba5be061ac1baa11892369286d613569199458',
+-};
+-
+-my $file2 = File::Spec->catfile('t', 'data', 'binary-test.file'); 
+-my $results2 = {
++my $file = File::Spec->catfile('t', 'data', 'binary-test.file'); 
++my $file_digests = {
+         md2       => '67ae6d821be6898101414c56b1fb4f46',
+         md4       => '480438696e7d9a6ab3ecc1e2a3419f78',
+         md5       => 'cc89b43c171818c347639fa5170aee16',
+@@ -310,6 +295,5 @@ SKIP: {
+   is(Net::SSLeay::EVP_MD_size(Net::SSLeay::EVP_sha1()), 20, 'EVP_MD_size sha1');
+ }
+ 
+-digest_file($file1, $results1, \%all_digests);
+-digest_file($file2, $results2, \%all_digests);
++digest_file($file, $file_digests, \%all_digests);
+ digest_strings(\%fps, \%all_digests);
+diff --git a/t/local/61_threads-cb-crash.t b/t/local/61_threads-cb-crash.t
+index 26469c0..c47298e 100644
+--- a/t/local/61_threads-cb-crash.t
++++ b/t/local/61_threads-cb-crash.t
+@@ -19,7 +19,7 @@ use File::Spec;
+ use Net::SSLeay;
+ 
+ my $start_time = time;
+-my $file = File::Spec->catfile('t', 'data', 'key.pem');
++my $file = File::Spec->catfile('t', 'data', 'testcert_key_2048.pem');
+ 
+ Net::SSLeay::randomize();
+ Net::SSLeay::load_error_strings();
+diff --git a/t/local/64_ticket_sharing.t b/t/local/64_ticket_sharing.t
+index 61590ed..43e54a5 100644
+--- a/t/local/64_ticket_sharing.t
++++ b/t/local/64_ticket_sharing.t
+@@ -27,8 +27,8 @@ my %TRANSFER;  # set in _handshake
+ 
+ my $client = _minSSL->new();
+ my $server = _minSSL->new( cert => [
+-    File::Spec->catfile('t','data','cert.pem'),
+-    File::Spec->catfile('t','data','key.pem')
++    File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem'),
++    File::Spec->catfile('t', 'data', 'testcert_key_2048.pem')
+ ]);
+ 
+ 
+@@ -48,8 +48,8 @@ is( _handshake($client,$server,$reuse),'reuse',"handshake again with reuse");
+ # should not be reused
+ # ----------------------------------------------
+ my $server2 = _minSSL->new( cert => [
+-    File::Spec->catfile('t','data','cert.pem'),
+-    File::Spec->catfile('t','data','key.pem')
++    File::Spec->catfile('t', 'data', 'testcert_wildcard.crt.pem'),
++    File::Spec->catfile('t', 'data', 'testcert_key_2048.pem')
+ ]);
+ is( _handshake($client,$server2,$reuse),'full',"handshake with server2 is full");
+ 
+@@ -178,7 +178,6 @@ sub _handshake {
+ 	my $ctx = Net::SSLeay::CTX_tlsv1_new();
+ 	Net::SSLeay::CTX_set_options($ctx,Net::SSLeay::OP_ALL());
+ 	Net::SSLeay::CTX_set_cipher_list($ctx,'AES128-SHA');
+-	Net::SSLeay::CTX_set_security_level($ctx, 1) if exists &Net::SSLeay::CTX_set_security_level;
+ 	my $id = 'client';
+ 	if ($args{cert}) {
+ 	    my ($cert,$key) = @{ delete $args{cert} };
+-- 
+2.20.1
+
diff -Nru libnet-ssleay-perl-1.85/debian/patches/series libnet-ssleay-perl-1.85/debian/patches/series
--- libnet-ssleay-perl-1.85/debian/patches/series	2018-08-30 07:31:59.000000000 +0300
+++ libnet-ssleay-perl-1.85/debian/patches/series	2022-03-21 17:36:29.000000000 +0200
@@ -9,3 +9,4 @@
 ok-result-is-no-error.patch
 set_num_tickets-min-version.patch
 debian-min-tls-ver.patch
+0001-Use-2048-bit-RSA-keys-certificates-in-tests.patch
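Review bot: the patch added to the series carries only the git format-patch header (From, Date, Subject) and no DEP-3 fields. Adding `Origin:` pointing at upstream commit d7b8428e7810f5e1729a197a076df0226b509fab and `Bug-Debian:` for #1008055 would make its provenance clear to the next uploader. The `0001-` prefix also differs from the naming of the existing entries such as `ok-result-is-no-error.patch`; a descriptive name without the format-patch sequence number would match the rest of the series.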

