Adding debian version 2.4.59-1~deb10u1.debian/2.4.59-1_deb10u1debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 114 insertions, 17 deletions

diff --git a/debian/perl-framework/t/ssl/ocsp.t b/debian/perl-framework/t/ssl/ocsp.t
index 9e0d776..8ec8505 100644
--- a/debian/perl-framework/t/ssl/ocsp.t
+++ b/debian/perl-framework/t/ssl/ocsp.t
@@ -30,24 +30,35 @@ my $r;
 
 sok {
     $r = GET $url, cert => undef;
-    my $message = $r->message() || '';
+    my $message = $r->content() || '';
     my $warning = $r->header('Client-Warning') || '';
+    print "warning: $warning\n";
+    print "message: $message";
+    print "response:\n";
     print $r->as_string;
     $r->code == 500 && $warning =~ 'Internal response' &&
-        $message =~ /alert handshake failure|read failed/;
+        $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
 };
 
 sok {
     $r = GET $url, cert => 'client_ok';
+    my $warning = $r->header('Client-Warning') || '';
+    my $message = $r->content() || '';
+    print "warning: $warning\n";
+    print "message: $message";
+    print "response:\n";
     print $r->as_string;
     $r->code == 200;
 };
 
 sok {
     $r = GET $url, cert => 'client_revoked';
-    my $message = $r->message() || '';
+    my $message = $r->content() || '';
     my $warning = $r->header('Client-Warning') || '';
+    print "warning: $warning\n";
+    print "message: $message";
+    print "response:\n";
     print $r->as_string;
     $r->code == 500 && $warning =~ 'Internal response' &&
-        $message =~ /alert certificate revoked|read failed/;
+        $message =~ /alert certificate revoked|read failed|closed connection without sending any data/;
 };
diff --git a/debian/perl-framework/t/ssl/pha.t b/debian/perl-framework/t/ssl/pha.t
new file mode 100644
index 0000000..2e2a763
--- /dev/null
+++ b/debian/perl-framework/t/ssl/pha.t
@@ -0,0 +1,47 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+use IO::Socket::SSL;
+
+# This is the equivalent of pr12355.t for TLSv1.3.
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::user_agent_keepalive(1);
+
+my $r = GET "/";
+
+if (!$r->is_success) {
+    print "1..0 # skip: TLSv1.3 not supported";
+    exit 0;
+}
+
+if (!defined &IO::Socket::SSL::can_pha || !IO::Socket::SSL::can_pha()) {
+    print "1..0 # skip: PHA not supported by IO::Socket::SSL < 2.061";
+    exit 0;
+}
+
+plan tests => 4, need_min_apache_version("2.4.47");
+
+$r = GET("/verify/", cert => undef);
+ok t_cmp($r->code, 403, "access must be denied without client certificate");
+
+# SSLRenegBufferSize 10 for this location which should mean a 413
+# error.
+$r = POST("/require/small/perl_echo.pl", content => 'y'x101,
+          cert => 'client_ok');
+ok t_cmp($r->code, 413, "PHA reneg body buffer size restriction works");
+
+# Reset to use a new connection.
+Apache::TestRequest::user_agent(reset => 1);
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+
+$r = POST("/verify/modules/cgi/perl_echo.pl", content => 'x'x10000,
+          cert => 'client_ok');
+
+ok t_cmp($r->code, 200, "PHA works with POST body");
+ok t_cmp($r->content, $r->request->content, "request body matches response");
diff --git a/debian/perl-framework/t/ssl/pr12355.t b/debian/perl-framework/t/ssl/pr12355.t
index 51be00f..8444b3f 100644
--- a/debian/perl-framework/t/ssl/pr12355.t
+++ b/debian/perl-framework/t/ssl/pr12355.t
@@ -7,11 +7,26 @@ use Apache::TestUtil;
 
 plan tests => 10, need 'ssl', need_min_apache_version('2.0');
 
-Apache::TestRequest::user_agent( ssl_opts => { SSL_cipher_list => 'ALL'});
-Apache::TestRequest::user_agent_keepalive(1);
+my $r;
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
 Apache::TestRequest::scheme('https');
 
-my $r;
+$r = GET "/";
+my $tls13_works = $r->is_success;
+
+# Forget the above user agent settings, start fresh
+Apache::TestRequest::user_agent(reset => 1);
+
+# If TLS 1.3 worked, downgrade to TLS 1.2, otherwise use what works.
+if ($tls13_works) {
+    t_debug "Downgrading to TLSv12";
+    Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL', SSL_version => 'TLSv12'});
+} else {
+    Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL'});
+}
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
 
 # Send a series of POST requests with varying size request bodies.
 # Alternate between the location which requires a AES128-SHA ciphersuite
diff --git a/debian/perl-framework/t/ssl/pr43738.t b/debian/perl-framework/t/ssl/pr43738.t
index 0814a39..6bf9ccf 100644
--- a/debian/perl-framework/t/ssl/pr43738.t
+++ b/debian/perl-framework/t/ssl/pr43738.t
@@ -9,11 +9,26 @@ plan tests => 4,
     need 'ssl', need_module('actions'),
     need_min_apache_version('2.2.7');
 
-Apache::TestRequest::user_agent( ssl_opts => { SSL_cipher_list => 'ALL'});
-Apache::TestRequest::user_agent_keepalive(1);
+my $r;
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
 Apache::TestRequest::scheme('https');
 
-my $r;
+$r = GET "/";
+my $tls13_works = $r->is_success;
+
+# Forget the above user agent settings, start fresh
+Apache::TestRequest::user_agent(reset => 1);
+
+# If TLS 1.3 worked, downgrade to TLS 1.2, otherwise use what works.
+if ($tls13_works) {
+    t_debug "Downgrading to TLSv12";
+    Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL', SSL_version => 'TLSv12'});
+} else {
+    Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL'});
+}
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
 
 # Variation of the PR 12355 test which breaks per PR 43738.
 
diff --git a/debian/perl-framework/t/ssl/proxy.t b/debian/perl-framework/t/ssl/proxy.t
index bbeddb6..bec84b4 100644
--- a/debian/perl-framework/t/ssl/proxy.t
+++ b/debian/perl-framework/t/ssl/proxy.t
@@ -7,14 +7,18 @@ use Apache::TestUtil;
 use Apache::TestCommon ();
 
 my %frontend = (
-    proxy_http_https  => 'http',
-    proxy_https_https => 'https',
-    proxy_https_http  => 'https',
+    proxy_http_https                => 'http',
+    proxy_https_https               => 'https',
+    proxy_https_http                => 'https',
+    proxy_http_https_proxy_section  => 'http',
+    proxy_https_https_proxy_section => 'https',
 );
 my %backend = (
-    proxy_http_https  => 'https',
-    proxy_https_https => 'https',
-    proxy_https_http  => 'http',
+    proxy_http_https                => 'https',
+    proxy_https_https               => 'https',
+    proxy_https_http                => 'http',
+    proxy_http_https_proxy_section  => 'https',
+    proxy_https_https_proxy_section => 'https',
 );
 
 my $num_modules = scalar keys %frontend;
diff --git a/debian/perl-framework/t/ssl/varlookup.t b/debian/perl-framework/t/ssl/varlookup.t
index 126d442..e00a143 100644
--- a/debian/perl-framework/t/ssl/varlookup.t
+++ b/debian/perl-framework/t/ssl/varlookup.t
@@ -103,6 +103,10 @@ if (not have_min_apache_version('2.4.32')) {
     @vars = grep(!/_RAW/, @vars);
 }
 
+if (not have_min_apache_version('2.5.1')) {
+    @vars = grep(!/_B64CERT/, @vars);
+}
+
 plan tests => scalar (@vars), need need_lwp, need_module('test_ssl');
 
 for my $key (@vars) {
@@ -254,7 +258,8 @@ SSL_CLIENT_A_KEY             'rsaEncryption'
 SSL_SERVER_A_KEY             qr(^[rd]saEncryption$)
 SSL_CLIENT_CERT              qr(^-----BEGIN CERTIFICATE-----)
 SSL_SERVER_CERT              qr(^-----BEGIN CERTIFICATE-----)
-#SSL_CLIENT_CERT_CHAINn
+SSL_CLIENT_B64CERT           qr(^[a-zA-Z0-9+/]{64,}={0,2}$)
+SSL_SERVER_B64CERT           qr(^[a-zA-Z0-9+/]{64,}={0,2}$)
 SSL_CLIENT_VERIFY            'SUCCESS'
 SSL_VERSION_LIBRARY
 SSL_VERSION_INTERFACE