Diffstat (limited to 'debian/perl-framework/t/ssl')
-rw-r--r--debian/perl-framework/t/ssl/ocsp.t19
-rw-r--r--debian/perl-framework/t/ssl/pha.t47
-rw-r--r--debian/perl-framework/t/ssl/pr12355.t21
-rw-r--r--debian/perl-framework/t/ssl/pr43738.t21
-rw-r--r--debian/perl-framework/t/ssl/proxy.t16
-rw-r--r--debian/perl-framework/t/ssl/varlookup.t7
6 files changed, 114 insertions, 17 deletions
diff --git a/debian/perl-framework/t/ssl/ocsp.t b/debian/perl-framework/t/ssl/ocsp.t
index 9e0d776..8ec8505 100644
--- a/debian/perl-framework/t/ssl/ocsp.t
+++ b/debian/perl-framework/t/ssl/ocsp.t
@@ -30,24 +30,35 @@ my $r;
sok {
$r = GET $url, cert => undef;
- my $message = $r->message() || '';
+ my $message = $r->content() || '';
my $warning = $r->header('Client-Warning') || '';
+ print "warning: $warning\n";
+ print "message: $message";
+ print "response:\n";
print $r->as_string;
$r->code == 500 && $warning =~ 'Internal response' &&
- $message =~ /alert handshake failure|read failed/;
+ $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
};
sok {
$r = GET $url, cert => 'client_ok';
+ my $warning = $r->header('Client-Warning') || '';
+ my $message = $r->content() || '';
+ print "warning: $warning\n";
+ print "message: $message";
+ print "response:\n";
print $r->as_string;
$r->code == 200;
};
sok {
$r = GET $url, cert => 'client_revoked';
- my $message = $r->message() || '';
+ my $message = $r->content() || '';
my $warning = $r->header('Client-Warning') || '';
+ print "warning: $warning\n";
+ print "message: $message";
+ print "response:\n";
print $r->as_string;
$r->code == 500 && $warning =~ 'Internal response' &&
- $message =~ /alert certificate revoked|read failed/;
+ $message =~ /alert certificate revoked|read failed|closed connection without sending any data/;
};
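Review bot: The `client_revoked` case at the end of this hunk now accepts `closed connection without sending any data`, the same alternative added to the no-certificate case, on top of the existing `read failed`. With those generic alternatives the assertion passes whenever the server drops the connection for any reason, so it no longer shows that the OCSP check is what rejected the revoked certificate. If some client library versions really do hide the alert text, a comment above the pattern should say which ones, so the loosening can be removed later. Separately, the added `print "message: $message";` has no trailing newline, so `response:` can land on the same output line; `print "message: $message\n";` avoids that.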
diff --git a/debian/perl-framework/t/ssl/pha.t b/debian/perl-framework/t/ssl/pha.t
new file mode 100644
index 0000000..2e2a763
--- /dev/null
+++ b/debian/perl-framework/t/ssl/pha.t
@@ -0,0 +1,47 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+use IO::Socket::SSL;
+
+# This is the equivalent of pr12355.t for TLSv1.3.
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::user_agent_keepalive(1);
+
+my $r = GET "/";
+
+if (!$r->is_success) {
+ print "1..0 # skip: TLSv1.3 not supported";
+ exit 0;
+}
+
+if (!defined &IO::Socket::SSL::can_pha || !IO::Socket::SSL::can_pha()) {
+ print "1..0 # skip: PHA not supported by IO::Socket::SSL < 2.061";
+ exit 0;
+}
+
+plan tests => 4, need_min_apache_version("2.4.47");
+
+$r = GET("/verify/", cert => undef);
+ok t_cmp($r->code, 403, "access must be denied without client certificate");
+
+# SSLRenegBufferSize 10 for this location which should mean a 413
+# error.
+$r = POST("/require/small/perl_echo.pl", content => 'y'x101,
+ cert => 'client_ok');
+ok t_cmp($r->code, 413, "PHA reneg body buffer size restriction works");
+
+# Reset to use a new connection.
+Apache::TestRequest::user_agent(reset => 1);
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+
+$r = POST("/verify/modules/cgi/perl_echo.pl", content => 'x'x10000,
+ cert => 'client_ok');
+
+ok t_cmp($r->code, 200, "PHA works with POST body");
+ok t_cmp($r->content, $r->request->content, "request body matches response");
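Review bot: The first skip treats any failed `GET "/"` as "TLSv1.3 not supported", so a server that is down or a broken TLS 1.3 configuration silently skips the client-certificate checks below instead of failing. Putting the reason in the skip line would make that visible in the test log: `print "1..0 # skip: TLSv1.3 request failed: " . $r->status_line . "\n";`. Both skip lines also lack a trailing newline. A one-line comment above the `/verify/` request would help, saying that the 403 is expected because no client certificate is offered. That reading comes from the test message, since the server configuration for that location is not part of this diff.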
diff --git a/debian/perl-framework/t/ssl/pr12355.t b/debian/perl-framework/t/ssl/pr12355.t
index 51be00f..8444b3f 100644
--- a/debian/perl-framework/t/ssl/pr12355.t
+++ b/debian/perl-framework/t/ssl/pr12355.t
@@ -7,11 +7,26 @@ use Apache::TestUtil;
plan tests => 10, need 'ssl', need_min_apache_version('2.0');
-Apache::TestRequest::user_agent( ssl_opts => { SSL_cipher_list => 'ALL'});
-Apache::TestRequest::user_agent_keepalive(1);
+my $r;
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
Apache::TestRequest::scheme('https');
-my $r;
+$r = GET "/";
+my $tls13_works = $r->is_success;
+
+# Forget the above user agent settings, start fresh
+Apache::TestRequest::user_agent(reset => 1);
+
+# If TLS 1.3 worked, downgrade to TLS 1.2, otherwise use what works.
+if ($tls13_works) {
+ t_debug "Downgrading to TLSv12";
+ Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL', SSL_version => 'TLSv12'});
+} else {
+ Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL'});
+}
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
# Send a series of POST requests with varying size request bodies.
# Alternate between the location which requires a AES128-SHA ciphersuite
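Review bot: `$tls13_works` comes from `$r->is_success` on the probe request, so any probe failure is read as "no TLS 1.3", and the `else` branch then leaves `SSL_version` unset. If the probe failed for some other reason, the client may still negotiate TLS 1.3 and the renegotiation tests would run on the protocol they are meant to be downgraded from. The same block is added verbatim in pr43738.t, so a shared helper would keep the two copies from drifting. The comment could also state why the downgrade is needed, e.g. `# TLS 1.3 has no renegotiation; pha.t covers the TLS 1.3 case`.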
diff --git a/debian/perl-framework/t/ssl/pr43738.t b/debian/perl-framework/t/ssl/pr43738.t
index 0814a39..6bf9ccf 100644
--- a/debian/perl-framework/t/ssl/pr43738.t
+++ b/debian/perl-framework/t/ssl/pr43738.t
@@ -9,11 +9,26 @@ plan tests => 4,
need 'ssl', need_module('actions'),
need_min_apache_version('2.2.7');
-Apache::TestRequest::user_agent( ssl_opts => { SSL_cipher_list => 'ALL'});
-Apache::TestRequest::user_agent_keepalive(1);
+my $r;
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
Apache::TestRequest::scheme('https');
-my $r;
+$r = GET "/";
+my $tls13_works = $r->is_success;
+
+# Forget the above user agent settings, start fresh
+Apache::TestRequest::user_agent(reset => 1);
+
+# If TLS 1.3 worked, downgrade to TLS 1.2, otherwise use what works.
+if ($tls13_works) {
+ t_debug "Downgrading to TLSv12";
+ Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL', SSL_version => 'TLSv12'});
+} else {
+ Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL'});
+}
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
# Variation of the PR 12355 test which breaks per PR 43738.
diff --git a/debian/perl-framework/t/ssl/proxy.t b/debian/perl-framework/t/ssl/proxy.t
index bbeddb6..bec84b4 100644
--- a/debian/perl-framework/t/ssl/proxy.t
+++ b/debian/perl-framework/t/ssl/proxy.t
@@ -7,14 +7,18 @@ use Apache::TestUtil;
use Apache::TestCommon ();
my %frontend = (
- proxy_http_https => 'http',
- proxy_https_https => 'https',
- proxy_https_http => 'https',
+ proxy_http_https => 'http',
+ proxy_https_https => 'https',
+ proxy_https_http => 'https',
+ proxy_http_https_proxy_section => 'http',
+ proxy_https_https_proxy_section => 'https',
);
my %backend = (
- proxy_http_https => 'https',
- proxy_https_https => 'https',
- proxy_https_http => 'http',
+ proxy_http_https => 'https',
+ proxy_https_https => 'https',
+ proxy_https_http => 'http',
+ proxy_http_https_proxy_section => 'https',
+ proxy_https_https_proxy_section => 'https',
);
my $num_modules = scalar keys %frontend;
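Review bot: `%frontend` and `%backend` must carry exactly the same keys, and this hunk adds each new `*_proxy_section` entry twice while `$num_modules` is counted from `%frontend` alone. A key missing from `%backend` would presumably show up only as an undefined scheme later in the file, which is outside the hunk. A single table would remove the duplication, for example `proxy_http_https_proxy_section => [ 'http', 'https' ],` with the frontend scheme first and the backend scheme second.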
diff --git a/debian/perl-framework/t/ssl/varlookup.t b/debian/perl-framework/t/ssl/varlookup.t
index 126d442..e00a143 100644
--- a/debian/perl-framework/t/ssl/varlookup.t
+++ b/debian/perl-framework/t/ssl/varlookup.t
@@ -103,6 +103,10 @@ if (not have_min_apache_version('2.4.32')) {
@vars = grep(!/_RAW/, @vars);
}
+if (not have_min_apache_version('2.5.1')) {
+ @vars = grep(!/_B64CERT/, @vars);
+}
+
plan tests => scalar (@vars), need need_lwp, need_module('test_ssl');
for my $key (@vars) {
@@ -254,7 +258,8 @@ SSL_CLIENT_A_KEY 'rsaEncryption'
SSL_SERVER_A_KEY qr(^[rd]saEncryption$)
SSL_CLIENT_CERT qr(^-----BEGIN CERTIFICATE-----)
SSL_SERVER_CERT qr(^-----BEGIN CERTIFICATE-----)
-#SSL_CLIENT_CERT_CHAINn
+SSL_CLIENT_B64CERT qr(^[a-zA-Z0-9+/]{64,}={0,2}$)
+SSL_SERVER_B64CERT qr(^[a-zA-Z0-9+/]{64,}={0,2}$)
SSL_CLIENT_VERIFY 'SUCCESS'
SSL_VERSION_LIBRARY
SSL_VERSION_INTERFACE
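Review bot: The two new `_B64CERT` patterns end in `$`, which in Perl also matches before a trailing newline, and they check only that the value uses the base64 alphabet. If the patterns are applied as written, `\z` makes the single-line requirement strict: `qr(^[a-zA-Z0-9+/]{64,}={0,2}\z)`. Nothing ties the value to the certificate that `SSL_CLIENT_CERT` returns, so a wrong but well-formed blob would pass. The hunk also drops the `#SSL_CLIENT_CERT_CHAINn` placeholder instead of adding the new lines beside it; if that variable is still untested, the marker is worth keeping.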