summaryrefslogtreecommitdiffstats
path: root/test/modules/tls
diff options
context:
space:
mode:
Diffstat (limited to 'test/modules/tls')
-rw-r--r--test/modules/tls/conf.py11
-rw-r--r--test/modules/tls/conftest.py6
-rw-r--r--test/modules/tls/env.py5
-rw-r--r--test/modules/tls/test_02_conf.py12
-rw-r--r--test/modules/tls/test_03_sni.py18
-rw-r--r--test/modules/tls/test_06_ciphers.py21
-rw-r--r--test/modules/tls/test_08_vars.py21
-rw-r--r--test/modules/tls/test_14_proxy_ssl.py49
-rw-r--r--test/modules/tls/test_15_proxy_tls.py10
-rw-r--r--test/modules/tls/test_16_proxy_mixed.py3
-rw-r--r--test/modules/tls/test_17_proxy_machine_cert.py3
11 files changed, 131 insertions, 28 deletions
diff --git a/test/modules/tls/conf.py b/test/modules/tls/conf.py
index ddeb91f..b34f746 100644
--- a/test/modules/tls/conf.py
+++ b/test/modules/tls/conf.py
@@ -13,7 +13,10 @@ class TlsTestConf(HttpdConf):
def start_tls_vhost(self, domains: List[str], port=None, ssl_module=None):
if ssl_module is None:
- ssl_module = 'mod_tls'
+ if not self.env.has_shared_module("tls"):
+ ssl_module = "mod_ssl"
+ else:
+ ssl_module = 'mod_tls'
super().start_vhost(domains=domains, port=port, doc_root=f"htdocs/{domains[0]}", ssl_module=ssl_module)
def end_tls_vhost(self):
@@ -39,8 +42,12 @@ class TlsTestConf(HttpdConf):
f" MDCertificateKeyFile {pkey_file}",
])
self.add("</MDomain>")
+ if self.env.has_shared_module("tls"):
+ ssl_module= "mod_tls"
+ else:
+ ssl_module= "mod_ssl"
super().add_vhost(domains=[domain], port=port, doc_root=f"htdocs/{domain}",
- with_ssl=True, with_certificates=False, ssl_module='mod_tls')
+ with_ssl=True, with_certificates=False, ssl_module=ssl_module)
def add_md_base(self, domain: str):
self.add([
diff --git a/test/modules/tls/conftest.py b/test/modules/tls/conftest.py
index cde4be6..c7cb858 100644
--- a/test/modules/tls/conftest.py
+++ b/test/modules/tls/conftest.py
@@ -31,9 +31,3 @@ def env(pytestconfig) -> TlsTestEnv:
env.apache_access_log_clear()
env.httpd_error_log.clear_log()
return env
-
-
-@pytest.fixture(autouse=True, scope="package")
-def _session_scope(env):
- yield
- assert env.apache_stop() == 0
diff --git a/test/modules/tls/env.py b/test/modules/tls/env.py
index 0e457bf..6afc472 100644
--- a/test/modules/tls/env.py
+++ b/test/modules/tls/env.py
@@ -129,7 +129,10 @@ class TlsTestEnv(HttpdTestEnv):
]),
CertificateSpec(name="user1", client=True, single_file=True),
])
- self.add_httpd_log_modules(['tls'])
+ if not HttpdTestEnv.has_shared_module("tls"):
+ self.add_httpd_log_modules(['ssl'])
+ else:
+ self.add_httpd_log_modules(['tls'])
def setup_httpd(self, setup: TlsTestSetup = None):
diff --git a/test/modules/tls/test_02_conf.py b/test/modules/tls/test_02_conf.py
index 4d6aa60..88be80c 100644
--- a/test/modules/tls/test_02_conf.py
+++ b/test/modules/tls/test_02_conf.py
@@ -64,9 +64,15 @@ class TestConf:
])
def test_tls_02_conf_cert_listen_valid(self, env, listen: str):
conf = TlsTestConf(env=env)
- conf.add("TLSEngine {listen}".format(listen=listen))
- conf.install()
- assert env.apache_restart() == 0
+ if not env.has_shared_module("tls"):
+ # Without cert/key openssl will complain
+ conf.add("SSLEngine on");
+ conf.install()
+ assert env.apache_restart() == 1
+ else:
+ conf.add("TLSEngine {listen}".format(listen=listen))
+ conf.install()
+ assert env.apache_restart() == 0
def test_tls_02_conf_cert_listen_cert(self, env):
domain = env.domain_a
diff --git a/test/modules/tls/test_03_sni.py b/test/modules/tls/test_03_sni.py
index cf421c0..cbd142a 100644
--- a/test/modules/tls/test_03_sni.py
+++ b/test/modules/tls/test_03_sni.py
@@ -34,6 +34,12 @@ class TestSni:
domain_unknown = "unknown.test"
r = env.tls_get(domain_unknown, "/index.json")
assert r.exit_code != 0
+ #
+ env.httpd_error_log.ignore_recent(
+ lognos = [
+ "AH10353" # cannot decrypt peer's message
+ ]
+ )
def test_tls_03_sni_request_other_same_config(self, env):
# do we see the first vhost response for another domain with different certs?
@@ -44,6 +50,12 @@ class TestSni:
assert r.exit_code == 0
assert r.json is None
assert r.response['status'] == 421
+ #
+ env.httpd_error_log.ignore_recent(
+ lognos = [
+ "AH10345" # Connection host selected via SNI and request have incompatible TLS configurations
+ ]
+ )
def test_tls_03_sni_request_other_other_honor(self, env):
# do we see the first vhost response for an unknown domain?
@@ -60,6 +72,12 @@ class TestSni:
# request denied
assert r.exit_code == 0
assert r.json is None
+ #
+ env.httpd_error_log.ignore_recent(
+ lognos = [
+ "AH10345" # Connection host selected via SNI and request have incompatible TLS configurations
+ ]
+ )
@pytest.mark.skip('openssl behaviour changed on ventura, unreliable')
def test_tls_03_sni_bad_hostname(self, env):
diff --git a/test/modules/tls/test_06_ciphers.py b/test/modules/tls/test_06_ciphers.py
index 2e60bdd..4bedd69 100644
--- a/test/modules/tls/test_06_ciphers.py
+++ b/test/modules/tls/test_06_ciphers.py
@@ -176,16 +176,21 @@ class TestCiphers:
def test_tls_06_ciphers_pref_unsupported(self, env):
# a warning on preferring a known, but not supported cipher
- env.httpd_error_log.ignore_recent()
conf = TlsTestConf(env=env, extras={
env.domain_b: "TLSCiphersPrefer TLS_NULL_WITH_NULL_NULL"
})
conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b])
conf.install()
- assert env.apache_restart() == 0
- (errors, warnings) = env.httpd_error_log.get_recent_count()
- assert errors == 0
- assert warnings == 2 # once on dry run, once on start
+ if not conf.env.has_shared_module("tls"):
+ assert env.apache_restart() != 0
+ else:
+ assert env.apache_restart() == 0
+ #
+ env.httpd_error_log.ignore_recent(
+ lognos = [
+ "AH10319" # Server has TLSCiphersPrefer configured that are not supported by rustls
+ ]
+ )
def test_tls_06_ciphers_supp_unknown(self, env):
conf = TlsTestConf(env=env, extras={
@@ -197,13 +202,11 @@ class TestCiphers:
def test_tls_06_ciphers_supp_unsupported(self, env):
# no warnings on suppressing known, but not supported ciphers
- env.httpd_error_log.ignore_recent()
conf = TlsTestConf(env=env, extras={
env.domain_b: "TLSCiphersSuppress TLS_NULL_WITH_NULL_NULL"
})
conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b])
conf.install()
+ if not conf.env.has_shared_module("tls"):
+ return
assert env.apache_restart() == 0
- (errors, warnings) = env.httpd_error_log.get_recent_count()
- assert errors == 0
- assert warnings == 0
diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
index a8df99a..0e3ee74 100644
--- a/test/modules/tls/test_08_vars.py
+++ b/test/modules/tls/test_08_vars.py
@@ -23,7 +23,10 @@ class TestVars:
def test_tls_08_vars_root(self, env):
# in domain_b root, the StdEnvVars is switch on
exp_proto = "TLSv1.2"
- exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+ if env.has_shared_module("tls"):
+ exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+ else:
+ exp_cipher = "ECDHE-ECDSA-AES256-GCM-SHA384"
options = [ '--tls-max', '1.2']
r = env.tls_get(env.domain_b, "/vars.py", options=options)
assert r.exit_code == 0, r.stderr
@@ -47,7 +50,12 @@ class TestVars:
def test_tls_08_vars_const(self, env, name: str, value: str):
r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
- assert r.json == {name: value}, r.stdout
+ if env.has_shared_module("tls"):
+ assert r.json == {name: value}, r.stdout
+ else:
+ if name == "SSL_SECURE_RENEG":
+ value = "true"
+ assert r.json == {name: value}, r.stdout
@pytest.mark.parametrize("name, pattern", [
("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
@@ -57,4 +65,11 @@ class TestVars:
r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert name in r.json
- assert re.match(pattern, r.json[name]), r.json
+ if env.has_shared_module("tls"):
+ assert re.match(pattern, r.json[name]), r.json
+ else:
+ if name == "SSL_VERSION_INTERFACE":
+ pattern = r'mod_ssl/\d+\.\d+\.\d+'
+ else:
+ pattern = r'OpenSSL/\d+\.\d+\.\d+'
+ assert re.match(pattern, r.json[name]), r.json
diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
index cefcbf6..87e04c2 100644
--- a/test/modules/tls/test_14_proxy_ssl.py
+++ b/test/modules/tls/test_14_proxy_ssl.py
@@ -2,6 +2,7 @@ import re
import pytest
from .conf import TlsTestConf
+from pyhttpd.env import HttpdTestEnv
class TestProxySSL:
@@ -9,6 +10,12 @@ class TestProxySSL:
@pytest.fixture(autouse=True, scope='class')
def _class_scope(self, env):
# add vhosts a+b and a ssl proxy from a to b
+ if not HttpdTestEnv.has_shared_module("tls"):
+ myoptions="SSLOptions +StdEnvVars"
+ myssl="mod_ssl"
+ else:
+ myoptions="TLSOptions +StdEnvVars"
+ myssl="mod_tls"
conf = TlsTestConf(env=env, extras={
'base': [
"LogLevel proxy:trace1 proxy_http:trace1 ssl:trace1 proxy_http2:trace1",
@@ -33,10 +40,10 @@ class TestProxySSL:
f'ProxyPass /proxy-ssl/ https://127.0.0.1:{env.https_port}/',
f'ProxyPass /proxy-local/ https://localhost:{env.https_port}/',
f'ProxyPass /proxy-h2-ssl/ h2://127.0.0.1:{env.https_port}/',
- "TLSOptions +StdEnvVars",
+ myoptions,
],
})
- conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b])
+ conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b], ssl_module=myssl)
conf.install()
assert env.apache_restart() == 0
@@ -48,6 +55,13 @@ class TestProxySSL:
# does not work, since SSLProxy* not configured
data = env.tls_get_json(env.domain_b, "/proxy-local/index.json")
assert data is None
+ #
+ env.httpd_error_log.ignore_recent(
+ lognos = [
+ "AH01961", # failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
+ "AH00961" # failed to enable ssl support (mod_proxy)
+ ]
+ )
def test_tls_14_proxy_ssl_h2_get(self, env):
r = env.tls_get(env.domain_b, "/proxy-h2-ssl/index.json")
@@ -62,7 +76,24 @@ class TestProxySSL:
("SSL_CIPHER_EXPORT", "false"),
("SSL_CLIENT_VERIFY", "NONE"),
])
+ def test_tls_14_proxy_tsl_vars_const(self, env, name: str, value: str):
+ if not HttpdTestEnv.has_shared_module("tls"):
+ return
+ r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")
+ assert r.exit_code == 0, r.stderr
+ assert r.json == {name: value}, r.stdout
+
+ @pytest.mark.parametrize("name, value", [
+ ("SERVER_NAME", "b.mod-tls.test"),
+ ("SSL_SESSION_RESUMED", "Initial"),
+ ("SSL_SECURE_RENEG", "true"),
+ ("SSL_COMPRESS_METHOD", "NULL"),
+ ("SSL_CIPHER_EXPORT", "false"),
+ ("SSL_CLIENT_VERIFY", "NONE"),
+ ])
def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
+ if HttpdTestEnv.has_shared_module("tls"):
+ return
r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
@@ -71,7 +102,21 @@ class TestProxySSL:
("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
])
+ def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
+ if not HttpdTestEnv.has_shared_module("tls"):
+ return
+ r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")
+ assert r.exit_code == 0, r.stderr
+ assert name in r.json
+ assert re.match(pattern, r.json[name]), r.json
+
+ @pytest.mark.parametrize("name, pattern", [
+ ("SSL_VERSION_INTERFACE", r'mod_ssl/\d+\.\d+\.\d+'),
+ ("SSL_VERSION_LIBRARY", r'OpenSSL/\d+\.\d+\.\d+'),
+ ])
def test_tls_14_proxy_ssl_vars_match(self, env, name: str, pattern: str):
+ if HttpdTestEnv.has_shared_module("tls"):
+ return
r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert name in r.json
diff --git a/test/modules/tls/test_15_proxy_tls.py b/test/modules/tls/test_15_proxy_tls.py
index f2f670d..e7eb103 100644
--- a/test/modules/tls/test_15_proxy_tls.py
+++ b/test/modules/tls/test_15_proxy_tls.py
@@ -1,10 +1,11 @@
-import re
from datetime import timedelta
import pytest
from .conf import TlsTestConf
+from pyhttpd.env import HttpdTestEnv
+@pytest.mark.skipif(condition=not HttpdTestEnv.has_shared_module("tls"), reason="no mod_tls available")
class TestProxyTLS:
@@ -53,6 +54,13 @@ class TestProxyTLS:
# does not work, since SSLProxy* not configured
data = env.tls_get_json(env.domain_b, "/proxy-local/index.json")
assert data is None
+ #
+ env.httpd_error_log.ignore_recent(
+ lognos = [
+ "AH01961", # failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
+ "AH00961" # failed to enable ssl support (mod_proxy)
+ ]
+ )
def test_tls_15_proxy_tls_h2_get(self, env):
r = env.tls_get(env.domain_b, "/proxy-h2-tls/index.json")
diff --git a/test/modules/tls/test_16_proxy_mixed.py b/test/modules/tls/test_16_proxy_mixed.py
index ca08236..88b351f 100644
--- a/test/modules/tls/test_16_proxy_mixed.py
+++ b/test/modules/tls/test_16_proxy_mixed.py
@@ -3,6 +3,9 @@ import time
import pytest
from .conf import TlsTestConf
+from pyhttpd.env import HttpdTestEnv
+
+@pytest.mark.skipif(condition=not HttpdTestEnv.has_shared_module("tls"), reason="no mod_tls available")
class TestProxyMixed:
diff --git a/test/modules/tls/test_17_proxy_machine_cert.py b/test/modules/tls/test_17_proxy_machine_cert.py
index 7b5ef44..a5410d6 100644
--- a/test/modules/tls/test_17_proxy_machine_cert.py
+++ b/test/modules/tls/test_17_proxy_machine_cert.py
@@ -3,8 +3,9 @@ import os
import pytest
from .conf import TlsTestConf
+from pyhttpd.env import HttpdTestEnv
-
+@pytest.mark.skipif(condition=not HttpdTestEnv.has_shared_module("tls"), reason="no mod_tls available")
class TestProxyMachineCert:
@pytest.fixture(autouse=True, scope='class')