From 3204e211a1e248154ff95b90b6a7e29cfa92069c Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 5 Aug 2024 12:00:10 +0200 Subject: Adding upstream version 2.4.62. Signed-off-by: Daniel Baumann --- test/modules/tls/conf.py | 11 ++++-- test/modules/tls/conftest.py | 6 ---- test/modules/tls/env.py | 5 ++- test/modules/tls/test_02_conf.py | 12 +++++-- test/modules/tls/test_03_sni.py | 18 ++++++++++ test/modules/tls/test_06_ciphers.py | 21 ++++++----- test/modules/tls/test_08_vars.py | 21 +++++++++-- test/modules/tls/test_14_proxy_ssl.py | 49 ++++++++++++++++++++++++-- test/modules/tls/test_15_proxy_tls.py | 10 +++++- test/modules/tls/test_16_proxy_mixed.py | 3 ++ test/modules/tls/test_17_proxy_machine_cert.py | 3 +- 11 files changed, 131 insertions(+), 28 deletions(-) (limited to 'test/modules/tls') diff --git a/test/modules/tls/conf.py b/test/modules/tls/conf.py index ddeb91f..b34f746 100644 --- a/test/modules/tls/conf.py +++ b/test/modules/tls/conf.py @@ -13,7 +13,10 @@ class TlsTestConf(HttpdConf): def start_tls_vhost(self, domains: List[str], port=None, ssl_module=None): if ssl_module is None: - ssl_module = 'mod_tls' + if not self.env.has_shared_module("tls"): + ssl_module = "mod_ssl" + else: + ssl_module = 'mod_tls' super().start_vhost(domains=domains, port=port, doc_root=f"htdocs/{domains[0]}", ssl_module=ssl_module) def end_tls_vhost(self): @@ -39,8 +42,12 @@ class TlsTestConf(HttpdConf): f" MDCertificateKeyFile {pkey_file}", ]) self.add("") + if self.env.has_shared_module("tls"): + ssl_module= "mod_tls" + else: + ssl_module= "mod_ssl" super().add_vhost(domains=[domain], port=port, doc_root=f"htdocs/{domain}", - with_ssl=True, with_certificates=False, ssl_module='mod_tls') + with_ssl=True, with_certificates=False, ssl_module=ssl_module) def add_md_base(self, domain: str): self.add([ diff --git a/test/modules/tls/conftest.py b/test/modules/tls/conftest.py index cde4be6..c7cb858 100644 --- a/test/modules/tls/conftest.py +++ b/test/modules/tls/conftest.py @@ -31,9 +31,3 @@ def env(pytestconfig) -> TlsTestEnv: env.apache_access_log_clear() env.httpd_error_log.clear_log() return env - - -@pytest.fixture(autouse=True, scope="package") -def _session_scope(env): - yield - assert env.apache_stop() == 0 diff --git a/test/modules/tls/env.py b/test/modules/tls/env.py index 0e457bf..6afc472 100644 --- a/test/modules/tls/env.py +++ b/test/modules/tls/env.py @@ -129,7 +129,10 @@ class TlsTestEnv(HttpdTestEnv): ]), CertificateSpec(name="user1", client=True, single_file=True), ]) - self.add_httpd_log_modules(['tls']) + if not HttpdTestEnv.has_shared_module("tls"): + self.add_httpd_log_modules(['ssl']) + else: + self.add_httpd_log_modules(['tls']) def setup_httpd(self, setup: TlsTestSetup = None): diff --git a/test/modules/tls/test_02_conf.py b/test/modules/tls/test_02_conf.py index 4d6aa60..88be80c 100644 --- a/test/modules/tls/test_02_conf.py +++ b/test/modules/tls/test_02_conf.py @@ -64,9 +64,15 @@ class TestConf: ]) def test_tls_02_conf_cert_listen_valid(self, env, listen: str): conf = TlsTestConf(env=env) - conf.add("TLSEngine {listen}".format(listen=listen)) - conf.install() - assert env.apache_restart() == 0 + if not env.has_shared_module("tls"): + # Without cert/key openssl will complain + conf.add("SSLEngine on"); + conf.install() + assert env.apache_restart() == 1 + else: + conf.add("TLSEngine {listen}".format(listen=listen)) + conf.install() + assert env.apache_restart() == 0 def test_tls_02_conf_cert_listen_cert(self, env): domain = env.domain_a diff --git a/test/modules/tls/test_03_sni.py b/test/modules/tls/test_03_sni.py index cf421c0..cbd142a 100644 --- a/test/modules/tls/test_03_sni.py +++ b/test/modules/tls/test_03_sni.py @@ -34,6 +34,12 @@ class TestSni: domain_unknown = "unknown.test" r = env.tls_get(domain_unknown, "/index.json") assert r.exit_code != 0 + # + env.httpd_error_log.ignore_recent( + lognos = [ + "AH10353" # cannot decrypt peer's message + ] + ) def test_tls_03_sni_request_other_same_config(self, env): # do we see the first vhost response for another domain with different certs? @@ -44,6 +50,12 @@ class TestSni: assert r.exit_code == 0 assert r.json is None assert r.response['status'] == 421 + # + env.httpd_error_log.ignore_recent( + lognos = [ + "AH10345" # Connection host selected via SNI and request have incompatible TLS configurations + ] + ) def test_tls_03_sni_request_other_other_honor(self, env): # do we see the first vhost response for an unknown domain? @@ -60,6 +72,12 @@ class TestSni: # request denied assert r.exit_code == 0 assert r.json is None + # + env.httpd_error_log.ignore_recent( + lognos = [ + "AH10345" # Connection host selected via SNI and request have incompatible TLS configurations + ] + ) @pytest.mark.skip('openssl behaviour changed on ventura, unreliable') def test_tls_03_sni_bad_hostname(self, env): diff --git a/test/modules/tls/test_06_ciphers.py b/test/modules/tls/test_06_ciphers.py index 2e60bdd..4bedd69 100644 --- a/test/modules/tls/test_06_ciphers.py +++ b/test/modules/tls/test_06_ciphers.py @@ -176,16 +176,21 @@ class TestCiphers: def test_tls_06_ciphers_pref_unsupported(self, env): # a warning on preferring a known, but not supported cipher - env.httpd_error_log.ignore_recent() conf = TlsTestConf(env=env, extras={ env.domain_b: "TLSCiphersPrefer TLS_NULL_WITH_NULL_NULL" }) conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b]) conf.install() - assert env.apache_restart() == 0 - (errors, warnings) = env.httpd_error_log.get_recent_count() - assert errors == 0 - assert warnings == 2 # once on dry run, once on start + if not conf.env.has_shared_module("tls"): + assert env.apache_restart() != 0 + else: + assert env.apache_restart() == 0 + # + env.httpd_error_log.ignore_recent( + lognos = [ + "AH10319" # Server has TLSCiphersPrefer configured that are not supported by rustls + ] + ) def test_tls_06_ciphers_supp_unknown(self, env): conf = TlsTestConf(env=env, extras={ @@ -197,13 +202,11 @@ class TestCiphers: def test_tls_06_ciphers_supp_unsupported(self, env): # no warnings on suppressing known, but not supported ciphers - env.httpd_error_log.ignore_recent() conf = TlsTestConf(env=env, extras={ env.domain_b: "TLSCiphersSuppress TLS_NULL_WITH_NULL_NULL" }) conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b]) conf.install() + if not conf.env.has_shared_module("tls"): + return assert env.apache_restart() == 0 - (errors, warnings) = env.httpd_error_log.get_recent_count() - assert errors == 0 - assert warnings == 0 diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py index a8df99a..0e3ee74 100644 --- a/test/modules/tls/test_08_vars.py +++ b/test/modules/tls/test_08_vars.py @@ -23,7 +23,10 @@ class TestVars: def test_tls_08_vars_root(self, env): # in domain_b root, the StdEnvVars is switch on exp_proto = "TLSv1.2" - exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + if env.has_shared_module("tls"): + exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + else: + exp_cipher = "ECDHE-ECDSA-AES256-GCM-SHA384" options = [ '--tls-max', '1.2'] r = env.tls_get(env.domain_b, "/vars.py", options=options) assert r.exit_code == 0, r.stderr @@ -47,7 +50,12 @@ class TestVars: def test_tls_08_vars_const(self, env, name: str, value: str): r = env.tls_get(env.domain_b, f"/vars.py?name={name}") assert r.exit_code == 0, r.stderr - assert r.json == {name: value}, r.stdout + if env.has_shared_module("tls"): + assert r.json == {name: value}, r.stdout + else: + if name == "SSL_SECURE_RENEG": + value = "true" + assert r.json == {name: value}, r.stdout @pytest.mark.parametrize("name, pattern", [ ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'), @@ -57,4 +65,11 @@ class TestVars: r = env.tls_get(env.domain_b, f"/vars.py?name={name}") assert r.exit_code == 0, r.stderr assert name in r.json - assert re.match(pattern, r.json[name]), r.json + if env.has_shared_module("tls"): + assert re.match(pattern, r.json[name]), r.json + else: + if name == "SSL_VERSION_INTERFACE": + pattern = r'mod_ssl/\d+\.\d+\.\d+' + else: + pattern = r'OpenSSL/\d+\.\d+\.\d+' + assert re.match(pattern, r.json[name]), r.json diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py index cefcbf6..87e04c2 100644 --- a/test/modules/tls/test_14_proxy_ssl.py +++ b/test/modules/tls/test_14_proxy_ssl.py @@ -2,6 +2,7 @@ import re import pytest from .conf import TlsTestConf +from pyhttpd.env import HttpdTestEnv class TestProxySSL: @@ -9,6 +10,12 @@ class TestProxySSL: @pytest.fixture(autouse=True, scope='class') def _class_scope(self, env): # add vhosts a+b and a ssl proxy from a to b + if not HttpdTestEnv.has_shared_module("tls"): + myoptions="SSLOptions +StdEnvVars" + myssl="mod_ssl" + else: + myoptions="TLSOptions +StdEnvVars" + myssl="mod_tls" conf = TlsTestConf(env=env, extras={ 'base': [ "LogLevel proxy:trace1 proxy_http:trace1 ssl:trace1 proxy_http2:trace1", @@ -33,10 +40,10 @@ class TestProxySSL: f'ProxyPass /proxy-ssl/ https://127.0.0.1:{env.https_port}/', f'ProxyPass /proxy-local/ https://localhost:{env.https_port}/', f'ProxyPass /proxy-h2-ssl/ h2://127.0.0.1:{env.https_port}/', - "TLSOptions +StdEnvVars", + myoptions, ], }) - conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b]) + conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b], ssl_module=myssl) conf.install() assert env.apache_restart() == 0 @@ -48,6 +55,13 @@ class TestProxySSL: # does not work, since SSLProxy* not configured data = env.tls_get_json(env.domain_b, "/proxy-local/index.json") assert data is None + # + env.httpd_error_log.ignore_recent( + lognos = [ + "AH01961", # failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine] + "AH00961" # failed to enable ssl support (mod_proxy) + ] + ) def test_tls_14_proxy_ssl_h2_get(self, env): r = env.tls_get(env.domain_b, "/proxy-h2-ssl/index.json") @@ -62,7 +76,24 @@ class TestProxySSL: ("SSL_CIPHER_EXPORT", "false"), ("SSL_CLIENT_VERIFY", "NONE"), ]) + def test_tls_14_proxy_tsl_vars_const(self, env, name: str, value: str): + if not HttpdTestEnv.has_shared_module("tls"): + return + r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}") + assert r.exit_code == 0, r.stderr + assert r.json == {name: value}, r.stdout + + @pytest.mark.parametrize("name, value", [ + ("SERVER_NAME", "b.mod-tls.test"), + ("SSL_SESSION_RESUMED", "Initial"), + ("SSL_SECURE_RENEG", "true"), + ("SSL_COMPRESS_METHOD", "NULL"), + ("SSL_CIPHER_EXPORT", "false"), + ("SSL_CLIENT_VERIFY", "NONE"), + ]) def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str): + if HttpdTestEnv.has_shared_module("tls"): + return r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}") assert r.exit_code == 0, r.stderr assert r.json == {name: value}, r.stdout @@ -71,7 +102,21 @@ class TestProxySSL: ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'), ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'), ]) + def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str): + if not HttpdTestEnv.has_shared_module("tls"): + return + r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}") + assert r.exit_code == 0, r.stderr + assert name in r.json + assert re.match(pattern, r.json[name]), r.json + + @pytest.mark.parametrize("name, pattern", [ + ("SSL_VERSION_INTERFACE", r'mod_ssl/\d+\.\d+\.\d+'), + ("SSL_VERSION_LIBRARY", r'OpenSSL/\d+\.\d+\.\d+'), + ]) def test_tls_14_proxy_ssl_vars_match(self, env, name: str, pattern: str): + if HttpdTestEnv.has_shared_module("tls"): + return r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}") assert r.exit_code == 0, r.stderr assert name in r.json diff --git a/test/modules/tls/test_15_proxy_tls.py b/test/modules/tls/test_15_proxy_tls.py index f2f670d..e7eb103 100644 --- a/test/modules/tls/test_15_proxy_tls.py +++ b/test/modules/tls/test_15_proxy_tls.py @@ -1,10 +1,11 @@ -import re from datetime import timedelta import pytest from .conf import TlsTestConf +from pyhttpd.env import HttpdTestEnv +@pytest.mark.skipif(condition=not HttpdTestEnv.has_shared_module("tls"), reason="no mod_tls available") class TestProxyTLS: @@ -53,6 +54,13 @@ class TestProxyTLS: # does not work, since SSLProxy* not configured data = env.tls_get_json(env.domain_b, "/proxy-local/index.json") assert data is None + # + env.httpd_error_log.ignore_recent( + lognos = [ + "AH01961", # failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine] + "AH00961" # failed to enable ssl support (mod_proxy) + ] + ) def test_tls_15_proxy_tls_h2_get(self, env): r = env.tls_get(env.domain_b, "/proxy-h2-tls/index.json") diff --git a/test/modules/tls/test_16_proxy_mixed.py b/test/modules/tls/test_16_proxy_mixed.py index ca08236..88b351f 100644 --- a/test/modules/tls/test_16_proxy_mixed.py +++ b/test/modules/tls/test_16_proxy_mixed.py @@ -3,6 +3,9 @@ import time import pytest from .conf import TlsTestConf +from pyhttpd.env import HttpdTestEnv + +@pytest.mark.skipif(condition=not HttpdTestEnv.has_shared_module("tls"), reason="no mod_tls available") class TestProxyMixed: diff --git a/test/modules/tls/test_17_proxy_machine_cert.py b/test/modules/tls/test_17_proxy_machine_cert.py index 7b5ef44..a5410d6 100644 --- a/test/modules/tls/test_17_proxy_machine_cert.py +++ b/test/modules/tls/test_17_proxy_machine_cert.py @@ -3,8 +3,9 @@ import os import pytest from .conf import TlsTestConf +from pyhttpd.env import HttpdTestEnv - +@pytest.mark.skipif(condition=not HttpdTestEnv.has_shared_module("tls"), reason="no mod_tls available") class TestProxyMachineCert: @pytest.fixture(autouse=True, scope='class') -- cgit v1.2.3