Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2018/10/19 09:01:23 UTC
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
> Author: rjung
> Date: Fri Oct 19 07:25:55 2018
> New Revision: 1844309
>
> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
> Log:
> Do not use STDIN / STDOUT as -reqin and -respout
> for "openssl ocsp", since that is supported only
> in OpenSSL 1.0.2 and above.
>
> Instead use temporary files.
This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
tempnam() from File::Temp is not exported and takes two arguments, are
you testing with a different version?
Compatibility functions:
$unopened_file = File::Temp::tempnam( $dir, $pfx );
I would be happy to restrict this test to running with recent versions
of OpenSSL if it requires excessive hacks to make it work with older
ones.
A simpler/safer test for the OpenSSL versions would be
Index: t/ssl/ocsp.t
===================================================================
--- t/ssl/ocsp.t (revision 1844314)
+++ t/ssl/ocsp.t (working copy)
@@ -20,9 +20,12 @@
# Requires OpenSSL 1.1, can't find a simple way to test for OCSP
# support in earlier versions without messing around with stderr
my $openssl = Apache::TestSSLCA::openssl();
+my $version = Apache::TestSSLCA::version();
+my $min_version = "1.0.2";
+
if (!have_min_apache_version('2.4.26')
- or `$openssl list -commands 2>&1` !~ /ocsp/) {
- print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
+ or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
+ print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
exit 0;
}
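Review bot: The rewritten condition drops the capability probe. The removed line checked the output of `$openssl list -commands` for `ocsp`, while the added line only compares version strings, so an OpenSSL at or above $min_version that lacks the ocsp command would run the test and fail instead of skipping. Consider keeping the probe as an additional `or` clause next to the version comparison.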
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Oct 19, 2018 at 11:39:27AM +0200, Rainer Jung wrote:
> Concerning your simpler approach: it is OK if we give up supporting 0.9.8
> but we should probably keep the "or `$openssl list -commands 2>&1` !~
> /ocsp/" part of the test.
OK good point, let's leave it as-is. r1844320 works for me, thanks!
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Rainer Jung <ra...@kippdata.de>.
On 19.10.2018 at 11:01, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
>
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
>
> tempnam() from File::Temp is not exported and takes two arguments, are
> you testing with a different version?
Sorry, tempnam => tmpnam. Committed in r1844320. It at least works here.
Would you be able to recheck?
> Compatibility functions:
>
> $unopened_file = File::Temp::tempnam( $dir, $pfx );
>
> I would be happy to restrict this test to running with recent versions
> of OpenSSL if it requires excessive hacks to make it work with older
> ones.
>
> A simpler/safer test for the OpenSSL versions would be
>
> Index: t/ssl/ocsp.t
> ===================================================================
> --- t/ssl/ocsp.t (revision 1844314)
> +++ t/ssl/ocsp.t (working copy)
> @@ -20,9 +20,12 @@
> # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
> # support in earlier versions without messing around with stderr
> my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
> if (!have_min_apache_version('2.4.26')
> - or `$openssl list -commands 2>&1` !~ /ocsp/) {
> - print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> + or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
> + print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
> exit 0;
> }
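Review bot: The unchanged comment at the top of the hunk still reads "Requires OpenSSL 1.1" while the added `$min_version` is "1.0.2". Update the comment so the documented requirement matches the value the condition actually enforces.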
The problem here is that what broke the test originally was not the
wrong OpenSSL version but instead relying on a feature of it (allowing
-reqin and -respout to point to STDIN and STDOUT respectively). That's
why I would prefer fixing the test. At least here in my environment it
now also works with OpenSSL 0.9.8.
Not sure if the change I applied (using temporary files for input and
output) should already be rated as "excessive hacks". I agree, it makes
a simple script roughly twice the size, but some of the new lines are
because of checking the result of the system() call (we had a
fire-and-forget exec() before).
Concerning your simpler approach: it is OK if we give up supporting
0.9.8 but we should probably keep the "or `$openssl list -commands 2>&1`
!~ /ocsp/" part of the test.
Regards,
Rainer
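The temporary-file approach discussed above, as an added example that is not part of the thread and is not the code committed in r1844309 or r1844320. It uses File::Temp->new, which creates and opens each file in one step, instead of tmpnam(), which in scalar context returns only an unopened name with no guarantee that the name stays unused. The CA directory, the file names under it and the OPENSSL environment variable are hypothetical placeholders.

```perl
#!/usr/bin/perl
# Added example: CGI wrapper around "openssl ocsp" using temporary files
# for -reqin / -respout. Paths under $ca_dir are hypothetical placeholders.
use strict;
use warnings;
use File::Temp ();

my $openssl = $ENV{OPENSSL} || 'openssl';   # assumption: binary name or env override
my $ca_dir  = '/path/to/test-ca';           # hypothetical CA directory

sub fail {
    my ($msg) = @_;
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}

# Each object is created and opened atomically (exclusive create, mode 0600)
# and the file is unlinked when the object is destroyed.
my $req  = File::Temp->new(SUFFIX => '.req');
my $resp = File::Temp->new(SUFFIX => '.resp');

# Copy the DER-encoded OCSP request from the CGI body into the request file.
binmode STDIN;
binmode $req;
my $len  = $ENV{CONTENT_LENGTH} || 0;
my $body = '';
my $got  = read(STDIN, $body, $len);
fail('missing or short request body')
    unless $len > 0 && defined $got && $got == $len;
print {$req} $body;
close $req or fail("cannot write request: $!");

# List-form system() avoids the shell; the exit status is checked,
# unlike a fire-and-forget exec().
my $rc = system($openssl, 'ocsp',
    '-index',   "$ca_dir/index.txt",
    '-CA',      "$ca_dir/ca.crt",
    '-rsigner', "$ca_dir/ocsp.crt",
    '-rkey',    "$ca_dir/ocsp.key",
    '-reqin',   $req->filename,
    '-respout', $resp->filename);
fail("openssl ocsp failed, status $rc") if $rc != 0;

open my $in, '<:raw', $resp->filename or fail("cannot read response: $!");
my $der = do { local $/; <$in> };
close $in;

binmode STDOUT;
print "Content-Type: application/ocsp-response\r\n\r\n", $der;
```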
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Ruediger Pluem <rp...@apache.org>.
On 10/19/2018 11:01 AM, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
>
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
>
> tempnam() from File::Temp is not exported and takes two arguments, are
> you testing with a different version?
>
> Compatibility functions:
>
> $unopened_file = File::Temp::tempnam( $dir, $pfx );
>
> I would be happy to restrict this test to running with recent versions
> of OpenSSL if it requires excessive hacks to make it work with older
> ones.
>
> A simpler/safer test for the OpenSSL versions would be
>
> Index: t/ssl/ocsp.t
> ===================================================================
> --- t/ssl/ocsp.t (revision 1844314)
> +++ t/ssl/ocsp.t (working copy)
> @@ -20,9 +20,12 @@
> # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
> # support in earlier versions without messing around with stderr
> my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
> if (!have_min_apache_version('2.4.26')
> - or `$openssl list -commands 2>&1` !~ /ocsp/) {
> - print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> + or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
> + print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
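Review bot: The added skip message always reports the OpenSSL version, but the same branch is also taken when `have_min_apache_version('2.4.26')` fails, in which case the message points at the wrong cause. Consider splitting the two conditions so each one prints its own skip reason.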
How would we know in this case that this recent OpenSSL version was built with ocsp support?
Regards
Rüdiger