Diffstat (limited to 'debian/perl-framework/t/ssl')
-rw-r--r-- | debian/perl-framework/t/ssl/ocsp.t | 19 | ||||
-rw-r--r-- | debian/perl-framework/t/ssl/pha.t | 47 | ||||
-rw-r--r-- | debian/perl-framework/t/ssl/pr12355.t | 21 | ||||
-rw-r--r-- | debian/perl-framework/t/ssl/pr43738.t | 21 | ||||
-rw-r--r-- | debian/perl-framework/t/ssl/proxy.t | 16 | ||||
-rw-r--r-- | debian/perl-framework/t/ssl/varlookup.t | 7 |
6 files changed, 114 insertions, 17 deletions
diff --git a/debian/perl-framework/t/ssl/ocsp.t b/debian/perl-framework/t/ssl/ocsp.t index 9e0d776..8ec8505 100644 --- a/debian/perl-framework/t/ssl/ocsp.t +++ b/debian/perl-framework/t/ssl/ocsp.t @@ -30,24 +30,35 @@ my $r; sok { $r = GET $url, cert => undef; - my $message = $r->message() || ''; + my $message = $r->content() || ''; my $warning = $r->header('Client-Warning') || ''; + print "warning: $warning\n"; + print "message: $message"; + print "response:\n"; print $r->as_string; $r->code == 500 && $warning =~ 'Internal response' && - $message =~ /alert handshake failure|read failed/; + $message =~ /alert handshake failure|read failed|closed connection without sending any data/; }; sok { $r = GET $url, cert => 'client_ok'; + my $warning = $r->header('Client-Warning') || ''; + my $message = $r->content() || ''; + print "warning: $warning\n"; + print "message: $message"; + print "response:\n"; print $r->as_string; $r->code == 200; }; sok { $r = GET $url, cert => 'client_revoked'; - my $message = $r->message() || ''; + my $message = $r->content() || ''; my $warning = $r->header('Client-Warning') || ''; + print "warning: $warning\n"; + print "message: $message"; + print "response:\n"; print $r->as_string; $r->code == 500 && $warning =~ 'Internal response' && - $message =~ /alert certificate revoked|read failed/; + $message =~ /alert certificate revoked|read failed|closed connection without sending any data/; }; diff --git a/debian/perl-framework/t/ssl/pha.t b/debian/perl-framework/t/ssl/pha.t new file mode 100644 index 0000000..2e2a763 --- /dev/null +++ b/debian/perl-framework/t/ssl/pha.t 
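Review bot: In the `client_revoked` block the widened pattern `/alert certificate revoked|read failed|closed connection without sending any data/` no longer distinguishes a revocation rejection from any other dropped connection, and two of its three alternatives are shared with the `cert => undef` case. As written, the test passes if the server closes the connection for an unrelated reason, so it does not by itself show that the OCSP check is what refused the certificate. If the looser alternatives are needed because the client does not always see the alert text (presumably so with newer TLS versions, worth confirming), say so in a comment above the match, e.g. `# client may only see a closed connection; the alert text is not guaranteed`, and consider pairing it with a server-side check of the rejection reason. The added `print "message: $message";` also lacks a trailing newline, so it runs into the `response:` line.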
@@ -0,0 +1,47 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+use IO::Socket::SSL;
+
+# This is the equivalent of pr12355.t for TLSv1.3.
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::user_agent_keepalive(1);
+
+my $r = GET "/";
+
+if (!$r->is_success) {
+ print "1..0 # skip: TLSv1.3 not supported";
+ exit 0;
+}
+
+if (!defined &IO::Socket::SSL::can_pha || !IO::Socket::SSL::can_pha()) {
+ print "1..0 # skip: PHA not supported by IO::Socket::SSL < 2.061";
+ exit 0;
+}
+
+plan tests => 4, need_min_apache_version("2.4.47");
+
+$r = GET("/verify/", cert => undef);
+ok t_cmp($r->code, 403, "access must be denied without client certificate");
+
+# SSLRenegBufferSize 10 for this location which should mean a 413
+# error.
+$r = POST("/require/small/perl_echo.pl", content => 'y'x101,
+ cert => 'client_ok');
+ok t_cmp($r->code, 413, "PHA reneg body buffer size restriction works");
+
+# Reset to use a new connection.
+Apache::TestRequest::user_agent(reset => 1);
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+
+$r = POST("/verify/modules/cgi/perl_echo.pl", content => 'x'x10000,
+ cert => 'client_ok');
+
+ok t_cmp($r->code, 200, "PHA works with POST body");
+ok t_cmp($r->content, $r->request->content, "request body matches response");
diff --git a/debian/perl-framework/t/ssl/pr12355.t b/debian/perl-framework/t/ssl/pr12355.t
index 51be00f..8444b3f 100644
--- a/debian/perl-framework/t/ssl/pr12355.t
+++ b/debian/perl-framework/t/ssl/pr12355.t
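Review bot: The probe at the top of pha.t treats any failed `GET "/"` as "TLSv1.3 not supported" and exits with a skip, so a server-side regression that breaks TLS 1.3 handshakes would appear as a skipped file rather than as a failure of the 403/413/200 checks below. Put the actual failure in the skip line so it is visible in the run log, e.g. `print "1..0 # skip: TLSv1.3 request failed: " . $r->status_line . "\n";`. Both skip lines are also missing the trailing newline. Unlike pr12355.t, the plan line carries no `need 'ssl'`; if the probe is meant to cover that, a one-line comment saying so would help.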
@@ -7,11 +7,26 @@ use Apache::TestUtil; plan tests => 10, need 'ssl', need_min_apache_version('2.0'); -Apache::TestRequest::user_agent( ssl_opts => { SSL_cipher_list => 'ALL'}); -Apache::TestRequest::user_agent_keepalive(1); +my $r; + +Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'}); Apache::TestRequest::scheme('https'); -my $r; +$r = GET "/"; +my $tls13_works = $r->is_success; + +# Forget the above user agent settings, start fresh +Apache::TestRequest::user_agent(reset => 1); + +# If TLS 1.3 worked, downgrade to TLS 1.2, otherwise use what works. +if ($tls13_works) { + t_debug "Downgrading to TLSv12"; + Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL', SSL_version => 'TLSv12'}); +} else { + Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL'}); +} +Apache::TestRequest::user_agent_keepalive(1); +Apache::TestRequest::scheme('https'); # Send a series of POST requests with varying size request bodies. # Alternate between the location which requires a AES128-SHA ciphersuite diff --git a/debian/perl-framework/t/ssl/pr43738.t b/debian/perl-framework/t/ssl/pr43738.t index 0814a39..6bf9ccf 100644 --- a/debian/perl-framework/t/ssl/pr43738.t +++ b/debian/perl-framework/t/ssl/pr43738.t 
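Review bot: The `else` branch leaves `SSL_version` unset, so when the TLSv1.3 probe fails for a reason other than missing protocol support the renegotiation tests may still negotiate TLS 1.3 and fail in a confusing way, and nothing records which branch ran. Add a debug line there, e.g. `t_debug "TLSv1.3 probe failed: " . $r->status_line . "; SSL_version left unset";`. The same probe-and-downgrade block is added verbatim to pr43738.t, so the point applies there too, and the two copies would be easier to keep in step as one shared helper. `SSL_cipher_list => 'ALL'` is carried over from the old code; a short comment that it is deliberate for this test harness would discourage copying it into non-test client code.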
@@ -9,11 +9,26 @@ plan tests => 4, need 'ssl', need_module('actions'), need_min_apache_version('2.2.7'); -Apache::TestRequest::user_agent( ssl_opts => { SSL_cipher_list => 'ALL'}); -Apache::TestRequest::user_agent_keepalive(1); +my $r; + +Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'}); Apache::TestRequest::scheme('https'); -my $r; +$r = GET "/"; +my $tls13_works = $r->is_success; + +# Forget the above user agent settings, start fresh +Apache::TestRequest::user_agent(reset => 1); + +# If TLS 1.3 worked, downgrade to TLS 1.2, otherwise use what works. +if ($tls13_works) { + t_debug "Downgrading to TLSv12"; + Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL', SSL_version => 'TLSv12'}); +} else { + Apache::TestRequest::user_agent(ssl_opts => {SSL_cipher_list => 'ALL'}); +} +Apache::TestRequest::user_agent_keepalive(1); +Apache::TestRequest::scheme('https'); # Variation of the PR 12355 test which breaks per PR 43738. diff --git a/debian/perl-framework/t/ssl/proxy.t b/debian/perl-framework/t/ssl/proxy.t index bbeddb6..bec84b4 100644 --- a/debian/perl-framework/t/ssl/proxy.t +++ b/debian/perl-framework/t/ssl/proxy.t @@ -7,14 +7,18 @@ use Apache::TestUtil; use Apache::TestCommon (); my %frontend = ( - proxy_http_https => 'http', - proxy_https_https => 'https', - proxy_https_http => 'https', + proxy_http_https => 'http', + proxy_https_https => 'https', + proxy_https_http => 'https', + proxy_http_https_proxy_section => 'http', + proxy_https_https_proxy_section => 'https', ); my %backend = ( - proxy_http_https => 'https', - proxy_https_https => 'https', - proxy_https_http => 'http', + proxy_http_https => 'https', + proxy_https_https => 'https', + proxy_https_http => 'http', + proxy_http_https_proxy_section => 'https', + proxy_https_https_proxy_section => 'https', ); my $num_modules = scalar keys %frontend; diff --git a/debian/perl-framework/t/ssl/varlookup.t b/debian/perl-framework/t/ssl/varlookup.t index 126d442..e00a143 100644 
--- a/debian/perl-framework/t/ssl/varlookup.t +++ b/debian/perl-framework/t/ssl/varlookup.t @@ -103,6 +103,10 @@ if (not have_min_apache_version('2.4.32')) { @vars = grep(!/_RAW/, @vars); } +if (not have_min_apache_version('2.5.1')) { + @vars = grep(!/_B64CERT/, @vars); +} + plan tests => scalar (@vars), need need_lwp, need_module('test_ssl'); for my $key (@vars) { @@ -254,7 +258,8 @@ SSL_CLIENT_A_KEY 'rsaEncryption' SSL_SERVER_A_KEY qr(^[rd]saEncryption$) SSL_CLIENT_CERT qr(^-----BEGIN CERTIFICATE-----) SSL_SERVER_CERT qr(^-----BEGIN CERTIFICATE-----) -#SSL_CLIENT_CERT_CHAINn +SSL_CLIENT_B64CERT qr(^[a-zA-Z0-9+/]{64,}={0,2}$) +SSL_SERVER_B64CERT qr(^[a-zA-Z0-9+/]{64,}={0,2}$) SSL_CLIENT_VERIFY 'SUCCESS' SSL_VERSION_LIBRARY SSL_VERSION_INTERFACE |
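Review bot: The two new expectations `qr(^[a-zA-Z0-9+/]{64,}={0,2}$)` only check that the value looks like base64: `$` also matches before a trailing newline, and nothing ties the value to the certificate actually presented. Anchoring with `\A`/`\z`, as in `qr(\A[a-zA-Z0-9+/]{64,}={0,2}\z)`, rejects a value carrying a stray line break, which matters if the variable is later placed in a header (an assumption about its use, not shown here). A stronger check would compare it with the body of `SSL_CLIENT_CERT` once the PEM armour and newlines are stripped; the code that consumes this table is outside the hunk, so that may need a small special case there. The first hunk's `2.5.1` gate also means these two lines are never exercised against a 2.4.x server.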