> On 4 Mar 2021, at 01:03, Jacob Champion <pchamp...@vmware.com> wrote:
> Andrew pointed out elsewhere [1] that it's pretty difficult to add new > certificates to the test/ssl suite without blowing away the current > state and starting over. I needed new cases for the NSS backend work, > and ran into the same pain, so here is my attempt to improve the > situation. Thanks for working on this, I second the pain cited. I've just started to look at this, so only a few comments thus far. > The unused server-ss certificate has been removed entirely. Nice catch, this seems to have been unused since the original import of the SSL test suite. To cut down scope of the patch (even if only a small bit) I propose to apply this separately first, as per the attached. > - Serial number collisions are less likely, thanks to Andrew's idea to > use the current clock time as the initial serial number in a series. +my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`; +$serialno =~ s/^serial=//; +$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal Will that work on Windows? We don't currently require the openssl binary to be in PATH unless one wants to rebuild sslfiles (which it is quite likely to be but there should at least be errorhandling covering when it's not). > - I am making _heavy_ use of GNU Make-isms, which does not improve > long-term maintainability. GNU Make is already a requirement, I don't see this shifting the needle in any direction. -- Daniel Gustafsson https://vmware.com/
ssl-remove-server-ss.patch
Description: Binary data
