Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2018/10/19 09:01:23 UTC

Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
> Author: rjung
> Date: Fri Oct 19 07:25:55 2018
> New Revision: 1844309
> 
> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
> Log:
> Do not use STDIN / STDOUT as -reqin and -respout
> for "openssl ocsp", since that is supported only
> in OpenSSL 1.0.2 and above.
> 
> Instead use temporary files.

This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600

tempnam() from File::Temp is not exported and takes two arguments, are 
you testing with a different version?

       Compatibility functions:

         $unopened_file = File::Temp::tempnam( $dir, $pfx );

I would be happy to restrict this test to running with recent versions 
of OpenSSL if it requires excessive hacks to make working with older 
ones.

A simpler/safer test for the OpenSSL versions would be

Index: t/ssl/ocsp.t
===================================================================
--- t/ssl/ocsp.t	(revision 1844314)
+++ t/ssl/ocsp.t	(working copy)
@@ -20,9 +20,12 @@
 # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
 # support in earlier versions without messing around with stderr
 my $openssl = Apache::TestSSLCA::openssl();
+my $version = Apache::TestSSLCA::version();
+my $min_version = "1.0.2";
+
 if (!have_min_apache_version('2.4.26')
-    or `$openssl list -commands 2>&1` !~ /ocsp/) {
-    print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
+    or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
+    print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
     exit 0;
 }
 
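Review bot: The new "or" clause in the if condition replaces the "`$openssl list -commands 2>&1` !~ /ocsp/" probe instead of adding to it, so an OpenSSL at or above $min_version that lacks the ocsp command passes this gate and the test runs rather than skipping. Suggest keeping the probe as a further "or" condition alongside the normalize_vstring() comparison. The context comment at the top of the hunk still reads "Requires OpenSSL 1.1" while $min_version is "1.0.2"; update it to match.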



Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Oct 19, 2018 at 11:39:27AM +0200, Rainer Jung wrote:
> Concerning your simpler approach: it is OK if we give up supporting 0.9.8
> but we should probably keep the "or `$openssl list -commands 2>&1` !~
> /ocsp/" part of the test.

OK good point, let's leave it as-is.  r1844320 works for me, thanks!

Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

Posted by Rainer Jung <ra...@kippdata.de>.
On 19.10.2018 at 11:01, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
> 
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
> 
> tempnam() from File::Temp is not exported and takes two arguments, are
> you testing with a different version?

Sorry, tempnam => tmpnam. Committed in r1844320. It at least works here. 
Would you be able to recheck?

>         Compatibility functions:
> 
>           $unopened_file = File::Temp::tempnam( $dir, $pfx );
> 
> I would be happy to restrict this test to running with recent versions
> of OpenSSL if it requires excessive hacks to make working with older
> ones.
> 
> A simpler/safer test for the OpenSSL versions would be
> 
> Index: t/ssl/ocsp.t
> ===================================================================
> --- t/ssl/ocsp.t	(revision 1844314)
> +++ t/ssl/ocsp.t	(working copy)
> @@ -20,9 +20,12 @@
>   # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
>   # support in earlier versions without messing around with stderr
>   my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
>   if (!have_min_apache_version('2.4.26')
> -    or `$openssl list -commands 2>&1` !~ /ocsp/) {
> -    print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> +    or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
> +    print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
>       exit 0;
>   }

The problem here is that what broke the test originally was not the 
wrong OpenSSL version but instead relying on a feature of it (allowing 
-reqin and -respout to point to STDIN and STDOUT respectively). That's 
why I would prefer fixing the test. At least here in my environment it 
now works also with OpenSSL 0.9.8.

Not sure if the change I applied (using temporary files for input and 
output) should already be rated as "excessive hacks". I agree, it makes 
a simple script roughly twice the size, but some of the new lines are 
because of checking the result of the system() call (we had a 
fire-and-forget exec() before).

Concerning your simpler approach: it is OK if we give up supporting 
0.9.8 but we should probably keep the "or `$openssl list -commands 2>&1` 
!~ /ocsp/" part of the test.

Regards,

Rainer
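
The temporary-file approach described in this message, sketched as an added example; it is not the code committed in r1844309 or r1844320. The CA file paths and the OPENSSL environment variable are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the committed ocsp.pl.PL. The CA file paths below are
# placeholders (assumptions); substitute the test CA's real files.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $openssl = $ENV{OPENSSL} || 'openssl';   # assumed way to locate the binary
my %ca = (                                  # placeholder paths
    index => '/path/to/ca/index.txt',
    cert  => '/path/to/ca/cacert.pem',
    key   => '/path/to/ca/cakey.pem',
);

# tempfile() creates and opens each file atomically and returns handle + name,
# so no other process can claim the name between choosing it and opening it.
my ($req_fh,  $req_file)  = tempfile('ocsp-req-XXXXXX',  TMPDIR => 1, UNLINK => 1);
my ($resp_fh, $resp_file) = tempfile('ocsp-resp-XXXXXX', TMPDIR => 1, UNLINK => 1);

# Copy the DER-encoded OCSP request body from the CGI's STDIN into the file.
binmode STDIN;
binmode $req_fh;
my $len = $ENV{CONTENT_LENGTH} || 0;
my $got = read(STDIN, my $request, $len);
fail("short read of request body") unless defined $got && $got == $len;
print {$req_fh} $request;
close $req_fh or fail("cannot write $req_file: $!");

# List-form system() bypasses the shell; check the status instead of exec()ing.
my @cmd = ($openssl, 'ocsp', '-index', $ca{index}, '-CA', $ca{cert},
           '-rsigner', $ca{cert}, '-rkey', $ca{key},
           '-reqin', $req_file, '-respout', $resp_file);
system(@cmd) == 0 or fail("openssl ocsp failed, status " . ($? >> 8));

# Return the response that openssl wrote to the (already open) output file.
binmode $resp_fh;
my $response = do { local $/; <$resp_fh> };
fail("empty OCSP response") unless defined $response && length $response;

binmode STDOUT;
print "Content-Type: application/ocsp-response\r\n\r\n", $response;

sub fail {
    my ($msg) = @_;
    print STDERR "ocsp.pl: $msg\n";
    print "Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}
```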

Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

Posted by Ruediger Pluem <rp...@apache.org>.

On 10/19/2018 11:01 AM, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
> 
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
> 
> tempnam() from File::Temp is not exported and takes two arguments, are 
> you testing with a different version?
> 
>        Compatibility functions:
> 
>          $unopened_file = File::Temp::tempnam( $dir, $pfx );
> 
> I would be happy to restrict this test to running with recent versions 
> of OpenSSL if it requires excessive hacks to make working with older 
> ones.
> 
> A simpler/safer test for the OpenSSL versions would be
> 
> Index: t/ssl/ocsp.t
> ===================================================================
> --- t/ssl/ocsp.t	(revision 1844314)
> +++ t/ssl/ocsp.t	(working copy)
> @@ -20,9 +20,12 @@
>  # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
>  # support in earlier versions without messing around with stderr
>  my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
>  if (!have_min_apache_version('2.4.26')
> -    or `$openssl list -commands 2>&1` !~ /ocsp/) {
> -    print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> +    or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
> +    print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";

How would we know in this case that this recent OpenSSL version was built with ocsp support?

Regards

Rüdiger