1 files changed, 47 insertions, 0 deletions

diff --git a/debian/perl-framework/t/ssl/pha.t b/debian/perl-framework/t/ssl/pha.t
new file mode 100644
index 0000000..2e2a763
--- /dev/null
+++ b/debian/perl-framework/t/ssl/pha.t
@@ -0,0 +1,47 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestRequest;
+use Apache::TestUtil;
+use IO::Socket::SSL;
+
+# This is the equivalent of pr12355.t for TLSv1.3.
+
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::user_agent_keepalive(1);
+
+my $r = GET "/";
+
+if (!$r->is_success) {
+    print "1..0 # skip: TLSv1.3 not supported";
+    exit 0;
+}
+
+if (!defined &IO::Socket::SSL::can_pha || !IO::Socket::SSL::can_pha()) {
+    print "1..0 # skip: PHA not supported by IO::Socket::SSL < 2.061";
+    exit 0;
+}
+
+plan tests => 4, need_min_apache_version("2.4.47");
+
+$r = GET("/verify/", cert => undef);
+ok t_cmp($r->code, 403, "access must be denied without client certificate");
+
+# SSLRenegBufferSize 10 for this location which should mean a 413
+# error.
+$r = POST("/require/small/perl_echo.pl", content => 'y'x101,
+          cert => 'client_ok');
+ok t_cmp($r->code, 413, "PHA reneg body buffer size restriction works");
+
+# Reset to use a new connection.
+Apache::TestRequest::user_agent(reset => 1);
+Apache::TestRequest::user_agent(ssl_opts => {SSL_version => 'TLSv13'});
+Apache::TestRequest::scheme('https');
+
+$r = POST("/verify/modules/cgi/perl_echo.pl", content => 'x'x10000,
+          cert => 'client_ok');
+
+ok t_cmp($r->code, 200, "PHA works with POST body");
+ok t_cmp($r->content, $r->request->content, "request body matches response");