openssl: adjust tests for OpenSSL 1.1.0

This fixes `make test-all TESTS=openssl` with OpenSSL master. * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress' and 'serialNumber'. A recent change in OpenSSL made OBJ_create() reject an already existing OID. They were needed to run tests with OpenSSL 0.9.6 which is now unsupported. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25 [ruby-core:75225] [Feature #12324] * test/openssl/test_ssl_session.rb (test_server_session): Duplicate SSL::Session before re-adding to the session store. OpenSSL 1.1.0 starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session(). https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75 * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519 is new in OpenSSL 1.1.0 but this is for key agreement and not for signing. * test/openssl/test_pair.rb, test/openssl/test_ssl.rb, test/openssl/utils.rb: Set security level to 0 when using aNULL cipher suites. * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates. * test/openssl/test_engine.rb: Run each test in separate process. We can no longer cleanup engines explicitly as ENGINE_cleanup() was removed. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743 * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the RDoc for Engine.cleanup. * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS, DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed. * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb, test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't test unsupported hash functions. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2016-06-07 12:20:46 +00:00 · 2016-06-07 12:20:46 +00:00 · b257af8859
--- a/40
+++ b/40
@ -1,3 +1,43 @@
 Tue Jun  7 21:20:38 2016  Kazuki Yamaguchi  <k@rhe.jp>
 	* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
 	  and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
 	  reject an already existing OID. They were needed to run tests with
 	  OpenSSL 0.9.6 which is now unsupported.
 	  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
 	  [ruby-core:75225] [Feature #12324]
 	* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
 	  SSL::Session before re-adding to the session store. OpenSSL 1.1.0
 	  starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
 	  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
 	* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
 	  is new in OpenSSL 1.1.0 but this is for key agreement and not for
 	  signing.
 	* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
 	  test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
 	  suites.
 	* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
 	* test/openssl/test_engine.rb: Run each test in separate process.
 	  We can no longer cleanup engines explicitly as ENGINE_cleanup() was
 	  removed.
 	  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
 	* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
 	  RDoc for Engine.cleanup.
 	* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
 	  DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
 	* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
 	  test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
 	  test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
 	  test unsupported hash functions.
 Tue Jun  7 17:49:52 2016  Martin Duerst  <duerst@it.aoyama.ac.jp>
 	* test/ruby/enc/test_case_comprehensive: Change test for encodings
--- a/ext/openssl/lib/openssl/digest.rb
+++ b/ext/openssl/lib/openssl/digest.rb
@ -15,7 +15,10 @@
 module OpenSSL
  class Digest
-    alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
+    alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1)
    if OPENSSL_VERSION_NUMBER < 0x10100000
      alg += %w(DSS DSS1 SHA)
    end
    if OPENSSL_VERSION_NUMBER > 0x00908000
      alg += %w(SHA224 SHA256 SHA384 SHA512)
    end
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@ -160,6 +160,8 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
 * It is only necessary to run cleanup when engines are loaded via
 * OpenSSL::Engine.load. However, running cleanup before exit is recommended.
 *
 * Note that this is needed and works only in OpenSSL < 1.1.0.
 *
 * See also, https://www.openssl.org/docs/crypto/engine.html
 */
 static VALUE
--- a/test/openssl/test_digest.rb
+++ b/test/openssl/test_digest.rb
@ -59,9 +59,9 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
  end
  def test_digest_constants
-    algs = %w(DSS1 MD4 MD5 RIPEMD160 SHA1)
+    algs = %w(MD4 MD5 RIPEMD160 SHA1)
-    if !libressl?  || !version_since([2,3])
+    if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000
-      algs += %w(SHA)
+      algs += %w(DSS1 SHA)
    end
    if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
      algs += %w(SHA224 SHA256 SHA384 SHA512)
--- a/test/openssl/test_engine.rb
+++ b/test/openssl/test_engine.rb
@ -3,46 +3,52 @@ require_relative 'utils'
 class OpenSSL::TestEngine < OpenSSL::TestCase
  def teardown
    super
    OpenSSL::Engine.cleanup # [ruby-core:40669]
    assert_equal(0, OpenSSL::Engine.engines.size)
  end
  def test_engines_free # [ruby-dev:44173]
    with_openssl <<-'end;'
      OpenSSL::Engine.load("openssl")
      OpenSSL::Engine.engines
      OpenSSL::Engine.engines
    end;
  end
  def test_openssl_engine_builtin
    with_openssl <<-'end;'
      engine = OpenSSL::Engine.load("openssl")
      assert_equal(true, engine)
      assert_equal(1, OpenSSL::Engine.engines.size)
    end;
  end
  def test_openssl_engine_by_id_string
    with_openssl <<-'end;'
      engine = get_engine
      assert_not_nil(engine)
      assert_equal(1, OpenSSL::Engine.engines.size)
    end;
  end
  def test_openssl_engine_id_name_inspect
    with_openssl <<-'end;'
      engine = get_engine
      assert_equal("openssl", engine.id)
      assert_not_nil(engine.name)
      assert_not_nil(engine.inspect)
    end;
  end
  def test_openssl_engine_digest_sha1
    with_openssl <<-'end;'
      engine = get_engine
      digest = engine.digest("SHA1")
      assert_not_nil(digest)
      data = "test"
      assert_equal(OpenSSL::Digest::SHA1.digest(data), digest.digest(data))
    end;
  end
  def test_openssl_engine_cipher_rc4
    with_openssl <<-'end;'
      begin
        engine = get_engine
        algo = "RC4" #AES is not supported by openssl Engine (<=1.0.0e)
        data = "a" * 1000
@ -59,9 +65,21 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
          err_back.close
        end
      end
    end;
  end
  private
  # this is required because OpenSSL::Engine methods change global state
  def with_openssl(code)
    assert_separately(["-ropenssl"], <<~"end;")
      require #{__FILE__.dump}
      include OpenSSL::TestEngine::Utils
      #{code}
    end;
  end
  module Utils
    def get_engine
      OpenSSL::Engine.by_id("openssl")
    end
@ -72,6 +90,6 @@ class OpenSSL::TestEngine < OpenSSL::TestCase
      cipher.key = key
      cipher.update(data) + cipher.final
    end
  end
-end if defined?(OpenSSL::TestUtils)
+end if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::Engine)
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@ -12,6 +12,7 @@ module OpenSSL::SSLPairM
    port = 0
    ctx = OpenSSL::SSL::SSLContext.new()
    ctx.ciphers = "ADH"
    ctx.security_level = 0
    ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
    tcps = create_tcp_server(host, port)
    ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
@ -22,6 +23,7 @@ module OpenSSL::SSLPairM
    host = "127.0.0.1"
    ctx = OpenSSL::SSL::SSLContext.new()
    ctx.ciphers = "ADH"
    ctx.security_level = 0
    s = create_tcp_client(host, port)
    ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
    ssl.connect
@ -324,6 +326,7 @@ module OpenSSL::TestPairM
  def test_connect_works_when_setting_dh_callback_to_nil
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "DH"
    ctx2.security_level = 0
    ctx2.tmp_dh_callback = nil
    sock1, sock2 = tcp_pair
    s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
@ -331,6 +334,7 @@ module OpenSSL::TestPairM
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    ctx1.tmp_dh_callback = nil
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    t = Thread.new { s1.connect }
@ -350,12 +354,14 @@ module OpenSSL::TestPairM
  def test_connect_without_setting_dh_callback
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "DH"
    ctx2.security_level = 0
    sock1, sock2 = tcp_pair
    s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
    accepted = s2.accept_nonblock(exception: false)
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    t = Thread.new { s1.connect }
@ -378,6 +384,8 @@ module OpenSSL::TestPairM
        called = false
        ctx2 = OpenSSL::SSL::SSLContext.new
        ctx2.ciphers = "ECDH"
        # OpenSSL 1.1.0 doesn't have tmp_ecdh_callback so this shouldn't be required
        ctx2.security_level = 0
        ctx2.tmp_ecdh_callback = ->(*args) {
          called = true
          OpenSSL::PKey::EC.new "prime256v1"
@ -388,6 +396,7 @@ module OpenSSL::TestPairM
        s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
        ctx1 = OpenSSL::SSL::SSLContext.new
        ctx1.ciphers = "ECDH"
        ctx1.security_level = 0
        s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
        th = Thread.new do
@ -426,11 +435,13 @@ module OpenSSL::TestPairM
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "ECDH"
    ctx1.ecdh_curves = "P-384:P-521"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "ECDH"
    ctx2.ecdh_curves = "P-256:P-384"
    ctx2.security_level = 0
    s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
    th = Thread.new { s1.accept }
@ -451,6 +462,7 @@ module OpenSSL::TestPairM
  def test_connect_accept_nonblock_no_exception
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "ADH"
    ctx2.security_level = 0
    ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
    sock1, sock2 = tcp_pair
@ -461,6 +473,7 @@ module OpenSSL::TestPairM
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "ADH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    th = Thread.new do
      rets = []
@ -499,6 +512,7 @@ module OpenSSL::TestPairM
  def test_connect_accept_nonblock
    ctx = OpenSSL::SSL::SSLContext.new()
    ctx.ciphers = "ADH"
    ctx.security_level = 0
    ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
    sock1, sock2 = tcp_pair
@ -522,6 +536,7 @@ module OpenSSL::TestPairM
    sleep 0.1
    ctx = OpenSSL::SSL::SSLContext.new()
    ctx.ciphers = "ADH"
    ctx.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
    begin
      sleep 0.2
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@ -39,7 +39,7 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
  def test_sign_verify
    check_sign_verify(OpenSSL::Digest::DSS1.new)
-  end
+  end if defined?(OpenSSL::Digest::DSS1)
 if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000)
  def test_sign_verify_sha1
@ -53,8 +53,8 @@ end
  def test_digest_state_irrelevant_verify
    key = OpenSSL::TestUtils::TEST_KEY_DSA256
-    digest1 = OpenSSL::Digest::DSS1.new
+    digest1 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
-    digest2 = OpenSSL::Digest::DSS1.new
+    digest2 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
    data = 'Sign me!'
    sig = key.sign(digest1, data)
    digest1.reset
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@ -12,12 +12,14 @@ class OpenSSL::TestEC < OpenSSL::TestCase
    @keys = []
    OpenSSL::PKey::EC.builtin_curves.each do |curve, comment|
      next if curve.start_with?("Oakley") # Oakley curves are not suitable for ECDSA
      group = OpenSSL::PKey::EC::Group.new(curve)
      key = OpenSSL::PKey::EC.new(group)
      key.generate_key!
      # Oakley curves and X25519 are not suitable for signing
      next if ["Oakley", "X25519"].any? { |n| curve.start_with?(n) }
      @groups << group
      @keys << key
    end
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@ -405,7 +405,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
      ciphers = ctx.ciphers
      ciphers_versions = ciphers.collect{|_, v, _, _| v }
      ciphers_names = ciphers.collect{|v, _, _, _| v }
-      assert(ciphers_names.all?{|v| /ADH/ !~ v })
+      assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
      assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
      ssl.sync_close = true
@ -424,6 +424,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
      ctx = OpenSSL::SSL::SSLContext.new
      ctx.ciphers = "aNULL"
      ctx.security_level = 0
      server_connect(port, ctx) { |ssl|
        msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
          "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
@ -687,6 +688,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx3 = OpenSSL::SSL::SSLContext.new
    ctx3.ciphers = "DH"
    ctx3.security_level = 0
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "DH"
@ -698,6 +700,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    s1.hostname = hostname
@ -720,6 +723,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "DH"
    ctx2.security_level = 0
    ctx2.servername_cb = lambda { |args| Object.new }
    sock1, sock2 = socketpair
@ -728,6 +732,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    s1.hostname = hostname
@ -752,6 +757,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx3 = OpenSSL::SSL::SSLContext.new
    ctx3.ciphers = "DH"
    ctx3.security_level = 0
    assert_not_predicate ctx3, :frozen?
    ctx2 = OpenSSL::SSL::SSLContext.new
@ -764,6 +770,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    s1.hostname = hostname
@ -785,6 +792,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "DH"
    ctx2.security_level = 0
    ctx2.servername_cb = lambda { |args| nil }
    sock1, sock2 = socketpair
@ -793,6 +801,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    s1.hostname = hostname
@ -815,6 +824,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx2 = OpenSSL::SSL::SSLContext.new
    ctx2.ciphers = "DH"
    ctx2.security_level = 0
    ctx2.servername_cb = lambda do |args|
      cb_socket     = args[0]
      lambda_called = args[1]
@ -827,6 +837,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    ctx1 = OpenSSL::SSL::SSLContext.new
    ctx1.ciphers = "DH"
    ctx1.security_level = 0
    s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
    s1.hostname = hostname
@ -1171,6 +1182,7 @@ end
    # test it doesn't cause a segmentation fault
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.ciphers = "aNULL"
    ctx.security_level = 0
    sock1, sock2 = socketpair
    ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@ -211,25 +211,25 @@ __EOS__
        assert_equal(stats[:cache_misses], 0)
        assert(ssl.session_reused?)
        ctx.session_remove(session)
-        saved_session = session
+        saved_session = session.to_der
      when 2
        assert_equal(stats[:cache_num], 1)
        assert_equal(stats[:cache_hits], 1)
        assert_equal(stats[:cache_misses], 1)
        assert(!ssl.session_reused?)
-        ctx.session_add(saved_session)
+        ctx.session_add(OpenSSL::SSL::Session.new(saved_session))
      when 3
        assert_equal(stats[:cache_num], 2)
        assert_equal(stats[:cache_hits], 2)
        assert_equal(stats[:cache_misses], 1)
        assert(ssl.session_reused?)
-        ctx.flush_sessions(Time.now + 5000)
+        ctx.flush_sessions(Time.now + 10000)
      when 4
        assert_equal(stats[:cache_num], 1)
        assert_equal(stats[:cache_hits], 2)
        assert_equal(stats[:cache_misses], 2)
        assert(!ssl.session_reused?)
-        ctx.session_add(saved_session)
+        ctx.session_add(OpenSSL::SSL::Session.new(saved_session))
      end
      connections += 1
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@ -168,7 +168,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
    cert.subject = @ee1
    assert_equal(false, cert.verify(@rsa2048))
  rescue OpenSSL::X509::CertificateError
-  end
+  end if defined?(OpenSSL::Digest::DSS1)
  def test_sign_and_verify_dsa_md5
    assert_raise(OpenSSL::X509::CertificateError){
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@ -5,11 +5,6 @@ require_relative 'utils'
 if defined?(OpenSSL::TestUtils)
 class OpenSSL::TestX509Name < OpenSSL::TestCase
  OpenSSL::ASN1::ObjectId.register(
    "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
  OpenSSL::ASN1::ObjectId.register(
    "2.5.4.5", "serialNumber", "serialNumber")
  def setup
    @obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING)
    @obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@ -140,7 +140,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
    assert_equal(false, req.verify(@rsa1024))
  rescue OpenSSL::X509::RequestError
    skip
-  end
+  end if defined?(OpenSSL::Digest::DSS1)
  def test_sign_and_verify_dsa_md5
    assert_raise(OpenSSL::X509::RequestError){
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@ -82,6 +82,21 @@ AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
 S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
 Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
 55jreJD3Se3slps=
 -----END DSA PRIVATE KEY-----
  _end_of_pem_
  TEST_KEY_DSA1024 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
 -----BEGIN DSA PRIVATE KEY-----
 MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n
 D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa
 /pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz
 4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx
 OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg
 YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w
 DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4
 IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2
 jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2
 CVArsEzlPUCbohPvZnE=
 -----END DSA PRIVATE KEY-----
  _end_of_pem_
@ -196,7 +211,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
    def setup
      @ca_key  = OpenSSL::TestUtils::TEST_KEY_RSA2048
      @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
-      @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA256
+      @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA1024
      @ca  = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
      @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
      @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
@ -277,6 +292,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
        store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
        ctx = OpenSSL::SSL::SSLContext.new
        ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
        ctx.security_level = 0 if use_anon_cipher
        ctx.cert_store = store
        #ctx.extra_chain_cert = [ ca_cert ]
        ctx.cert = @svr_cert