chore(ci): bump action versions

.github/workflows/luacheck.yml

@@ -21,8 +21,8 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
-      - uses: leafo/gh-actions-lua@v9
+        uses: actions/checkout@v4
+      - uses: leafo/gh-actions-lua@v10
       - uses: leafo/gh-actions-luarocks@v4
       - name: Lint rockspecs
         run: |

.github/workflows/unix_build.yml

@@ -17,17 +17,17 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
 
     strategy:
       fail-fast: false
       matrix:
         luaVersion: ["5.1", "5.2", "5.3", "5.4", "luajit-2.1.0-beta3"]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
-    - uses: leafo/gh-actions-lua@v8
+    - uses: leafo/gh-actions-lua@v10
       with:
         luaVersion: ${{ matrix.luaVersion }}
 

tests/certs/clientA.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
 
 copy clientAcert.pem + rootA.pem clientA.pem
 

tests/certs/clientA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out clientAcert.pem -days 365
 

tests/certs/clientB.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
 
 copy clientBcert.pem + rootB.pem clientB.pem
 

tests/certs/clientB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out clientBcert.pem -days 365
 

tests/certs/rootA.bat

@@ -1,7 +1,7 @@
 REM #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

tests/certs/rootA.sh

@@ -1,7 +1,6 @@
 #!/bin/sh
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
-
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

tests/certs/rootB.bat

@@ -1,7 +1,7 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

tests/certs/rootB.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

tests/certs/serverA.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
 
 copy serverAcert.pem + rootA.pem serverA.pem
 

tests/certs/serverA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
    -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
    -out serverAcert.pem -days 365
 

tests/certs/serverB.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
 
 copy serverBcert.pem + rootB.pem serverB.pem
 

tests/certs/serverB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
    -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
    -out serverBcert.pem -days 365
 

tests/httpredirect.lua

@@ -35,13 +35,13 @@ local done = false
 
 copas.addthread(function()
   local _, code, headers = doreq("https://goo.gl/UBCUc5")  -- https --> https redirect
-  assert(tonumber(code)==200)
-  assert(headers.location == "https://github.com/brunoos/luasec")
+  assert(tonumber(code)==200, "unexpected status code: "..tostring(code))
+  assert(headers.location == "https://github.com/lunarmodules/luasec", "unexpected location header: "..tostring(headers.location))
   print("https -> https redirect OK!")
   copas.addthread(function()
     local _, code, headers = doreq("http://goo.gl/UBCUc5")  -- http --> https redirect
-    assert(tonumber(code)==200)
-    assert(headers.location == "https://github.com/brunoos/luasec")
+    assert(tonumber(code)==200, "unexpected status code: "..tostring(code))
+    assert(headers.location == "https://github.com/lunarmodules/luasec", "unexpected location header: "..tostring(headers.location))
     print("http  -> https redirect OK!")
     copas.addthread(function()
       --local result, code, headers, status = doreq("http://goo.gl/tBfqNu")  -- http --> http redirect
@@ -63,7 +63,7 @@ copas.addthread(function()
       -- execute test request
       local _, code, headers = doreq("http://localhost:9876/")  -- http --> http redirect
       copas.removeserver(server)  -- immediately close server again
-      assert(tonumber(code)==200)
+      assert(tonumber(code)==200, "unexpected status code: "..tostring(code))
       assert(headers.location == "http://www.httpvshttps.com")
       print("http  -> http  redirect OK!")
       copas.addthread(function()
@@ -73,7 +73,7 @@ copas.addthread(function()
         copas.addthread(function()
           redirect = "all"
           local _, code, headers = doreq("https://bit.ly/3vmhXhW")  -- https --> http security test case
-          assert(tonumber(code)==200)
+          assert(tonumber(code)==200, "unexpected status code: "..tostring(code))
           assert(headers.location == "http://www.httpvshttps.com/")
           print("https -> http  redirect, while allowed OK!")
           done = true

tests/largetransfer.lua

@@ -97,22 +97,22 @@ runtest()   -- run test using regular connection (s/cparams == nil)
 -- set ssl parameters and do it again
 sparams = {
    mode = "server",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "tests/certs/serverAkey.pem",
    certificate = "tests/certs/serverA.pem",
    cafile = "tests/certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
-}
+   options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
+  }
 cparams = {
    mode = "client",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "tests/certs/clientAkey.pem",
    certificate = "tests/certs/clientA.pem",
    cafile = "tests/certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
-}
+   options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
+  }
 done = 0
 start = socket.gettime()
 runtest()

tests/removeserver.lua

@@ -9,19 +9,31 @@ local wskt = socket.bind("*", 0)
 local whost, wport = wskt:getsockname()
 wport = tonumber(wport)
 
+-- set up a timeout to not hang on failure
+local timeout_timer = copas.timer.new {
+  delay = 10,
+  callback = function()
+      print("timeout!")
+      os.exit(1)
+  end
+}
+
+local connection_handler = function(cskt)
+  print(tostring(cskt).." ("..type(cskt)..") received a connection")
+  local data, _, partial = cskt:receive()
+  if partial and not data then
+     data = partial
+  end
+  print("triggered", data)
+  copas.removeserver(wskt, true)
+end
+
 local function wait_for_trigger()
-   copas.addserver(wskt, function(cskt)
-      local data, _, partial = cskt:receive()
-      if partial and not data then
-         data = partial
-      end
-      print("triggered", data)
-      copas.removeserver(wskt, true)
-   end)
+   copas.addserver(wskt, copas.handler(connection_handler), "my_TCP_server")
 end
 
 local function trigger_it(n)
-   local cskt = socket.tcp()
+   local cskt = copas.wrap(socket.tcp())
    local ok = cskt:connect(whost, wport)
    if ok then
       cskt:send("hi "..n)
@@ -35,6 +47,7 @@ copas.addthread(function()
       trigger_it(i)
       copas.pause(0.1)
    end
+   timeout_timer:cancel()
 end)
 
 copas.loop()

tests/tls-sni.lua

@@ -16,12 +16,12 @@ end
 local server_params = {
   wrap = {
     mode = "server",
-    protocol = "tlsv1",
+    protocol = "any",
     key = "tests/certs/serverAkey.pem",
     certificate = "tests/certs/serverA.pem",
     cafile = "tests/certs/rootA.pem",
     verify = {"peer", "fail_if_no_peer_cert"},
-    options = {"all", "no_sslv2"},
+    options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
   },
   sni = {
     strict = true, -- only allow connection 'myhost.com'
@@ -33,12 +33,12 @@ server_params.sni.names["myhost.com"] = ssl.newcontext(server_params.wrap)
 local client_params = {
   wrap = {
     mode = "client",
-    protocol = "tlsv1",
+    protocol = "any",
     key = "tests/certs/clientAkey.pem",
     certificate = "tests/certs/clientA.pem",
     cafile = "tests/certs/rootA.pem",
     verify = {"peer", "fail_if_no_peer_cert"},
-    options = {"all", "no_sslv2"},
+    options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
   },
   sni = {
     names = "" -- will be added in test below
@@ -63,7 +63,7 @@ local function echoHandler(skt)
       return -- close this client connection, after stopping the server
 
     end
-    skt:send(data)
+    skt:send(data.."\n")
   end
 end
 
@@ -92,12 +92,16 @@ copas.addthread(function()
   local skt = copas.wrap(socket.tcp(), client_params)
   local success, ok = pcall(skt.connect, skt, "localhost", port)
   if not (success and ok) then
-    print "expected connection to be completed"
+    print("expected connection to be completed", success, ok)
     os.exit(1)
   end
 
+  assert(skt:send("hello world\n"))
+  assert(skt:receive() == "hello world")
   print "succesfully completed test"
-  os.exit(0)
+
+  -- send exit signal to server
+  skt:send("exit\n")
 end)
 
 -- no ugly errors please, comment out when debugging