You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/10/21 11:46:16 UTC
t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
Am 18.10.2018 um 14:23 schrieb Stefan Eissing:
>> Am 18.10.2018 um 14:12 schrieb Rainer Jung <ra...@kippdata.de>:
>>
>> - t/modules/http2.t fails when the server is build using OpenSSL 0.9.8zh with the "Bad plan. You planned 52 tests..." message indicating, that h2 using TLS does not work. It happens on all platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>
>> I don't know whether that is expected for old OpenSSL, so can not judge on criticality.
>
> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support TLSv1.2 and is therefore unusable with h2. The test suite seems to be unprepared for this scenario. I will remove it after the next release. It is not worth fixing in its current form.
I added a check agains the test suite OpenSSL version in r1844483.
I have an aditional check for the server version available.
Unfortunately I didn't find a really easy way, so here's a small module
that one can query (c-modules/test_ssl_version/mod_test_ssl_version.c),
mostly a shortened form of mod_test_ssl.c:
==== SNIP =====
#define HTTPD_TEST_REQUIRE_APACHE 2
#if CONFIG_FOR_HTTPD_TEST
<IfModule @ssl_module@>
<Location /test_ssl_version_lookup>
SetHandler test-ssl-version-lookup
</Location>
</IfModule>
#endif
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "http_log.h"
#include "ap_config.h"
#include "apr_optional.h"
#if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h if
using >= 2.1.0 */
#include "mod_ssl.h"
#else
/* For use of < 2.0.x, inline the declaration: */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
(apr_pool_t *, server_rec *,
conn_rec *, request_rec *,
char *));
#endif
static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
static void import_ssl_var_lookup(void)
{
var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
}
static int test_ssl_version_lookup(request_rec *r)
{
char *value;
if (strcmp(r->handler, "test-ssl-version-lookup")) {
return DECLINED;
}
if (r->method_number != M_GET) {
return DECLINED;
}
if (!var_lookup) {
ap_rputs("ssl_var_lookup is not available", r);
return OK;
}
value = var_lookup(r->pool, r->server,
r->connection, r, "SSL_VERSION_LIBRARY");
if (value && *value) {
ap_rputs(value, r);
}
else {
ap_rputs("NULL", r);
}
return OK;
}
static void test_ssl_version_register_hooks(apr_pool_t *p)
{
ap_hook_handler(test_ssl_version_lookup, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
NULL, NULL, APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
STANDARD20_MODULE_STUFF,
NULL, /* create per-dir config structures */
NULL, /* merge per-dir config structures */
NULL, /* create per-server config structures */
NULL, /* merge per-server config structures */
NULL, /* table of config file commands */
test_ssl_version_register_hooks /* register hooks
*/
};
==== SNIP =====
and the necessary addition to http2.t to use the module:
Index: t/modules/http2.t
===================================================================
--- t/modules/http2.t (revision 1844483)
+++ t/modules/http2.t (working copy)
@@ -25,6 +25,16 @@
my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
if ($openssl_version < 0x10000000) {
$tls_modern = 0;
+} else {
+ Apache::TestRequest::scheme("https");
+ my $url = '/test_ssl_version_lookup';
+ my $r = GET("$url");
+ $openssl_version = $r->content;
+ print STDOUT "OpenSSL version '$openssl_version'\n";
+ # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
+ if ($openssl_version =~ /\/0\./) {
+ $tls_modern = 0;
+ }
}
Apache::TestRequest::module("http2");
What do people think? Should I apply it?
Regards,
Rainer
Re: t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
Posted by Stefan Eissing <st...@greenbytes.de>.
Thanks a lot!
> Am 22.10.2018 um 14:06 schrieb Rainer Jung <ra...@kippdata.de>:
>
> This seems to work nicely, committed in r1844546. Tests with old OpenSSL either in client or server result in TLSv1 and disable h2 tests. TLS test requests that result in TLSv1_2 or TLSv1_3 enable h2 tests.
>
> Regards,
>
> Rainer
>
> Am 22.10.2018 um 12:37 schrieb Rainer Jung:
>> I wonder whether it would be easier to check whether a TLS connection uses TLS 1.2 or later and disable the h2 test if not.
>> Nevertheless the module for checking the server version might be useful, but here I guess checking the TLS version is more appropriate.
>> But that might mean, that the test runs with OpenSSL 0.9.8zh in the client. At least I see some TLSv1.2 reuests during the test suite run even when using 0.9.8zh in the client. It ever happens with that version in the server.
>> Will look into it.
>> Regards,
>> Rainer
>> Am 21.10.2018 um 14:28 schrieb Daniel Ruggeri:
>>>
>>> On 10/21/2018 6:46 AM, Rainer Jung wrote:
>>>> Am 18.10.2018 um 14:23 schrieb Stefan Eissing:
>>>>>> Am 18.10.2018 um 14:12 schrieb Rainer Jung <ra...@kippdata.de>:
>>>>>>
>>>>>> - t/modules/http2.t fails when the server is build using OpenSSL
>>>>>> 0.9.8zh with the "Bad plan. You planned 52 tests..." message
>>>>>> indicating, that h2 using TLS does not work. It happens on all
>>>>>> platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>>>>>
>>>>>> I don't know whether that is expected for old OpenSSL, so can not
>>>>>> judge on criticality.
>>>>>
>>>>> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
>>>>> TLSv1.2 and is therefore unusable with h2. The test suite seems to be
>>>>> unprepared for this scenario. I will remove it after the next
>>>>> release. It is not worth fixing in its current form.
>>>>
>>>> I added a check agains the test suite OpenSSL version in r1844483.
>>>>
>>>> I have an aditional check for the server version available.
>>>> Unfortunately I didn't find a really easy way, so here's a small
>>>> module that one can query
>>>> (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
>>>> shortened form of mod_test_ssl.c:
>>>>
>>>> ==== SNIP =====
>>>> #define HTTPD_TEST_REQUIRE_APACHE 2
>>>>
>>>> #if CONFIG_FOR_HTTPD_TEST
>>>>
>>>> <IfModule @ssl_module@>
>>>> <Location /test_ssl_version_lookup>
>>>> SetHandler test-ssl-version-lookup
>>>> </Location>
>>>> </IfModule>
>>>>
>>>> #endif
>>>>
>>>> #include "httpd.h"
>>>> #include "http_config.h"
>>>> #include "http_protocol.h"
>>>> #include "http_log.h"
>>>> #include "ap_config.h"
>>>> #include "apr_optional.h"
>>>>
>>>> #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h
>>>> if using >= 2.1.0 */
>>>>
>>>> #include "mod_ssl.h"
>>>>
>>>> #else
>>>> /* For use of < 2.0.x, inline the declaration: */
>>>>
>>>> APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
>>>> (apr_pool_t *, server_rec *,
>>>> conn_rec *, request_rec *,
>>>> char *));
>>>>
>>>> #endif
>>>>
>>>> static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
>>>>
>>>> static void import_ssl_var_lookup(void)
>>>> {
>>>> var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
>>>> }
>>>>
>>>> static int test_ssl_version_lookup(request_rec *r)
>>>> {
>>>> char *value;
>>>>
>>>> if (strcmp(r->handler, "test-ssl-version-lookup")) {
>>>> return DECLINED;
>>>> }
>>>>
>>>> if (r->method_number != M_GET) {
>>>> return DECLINED;
>>>> }
>>>>
>>>> if (!var_lookup) {
>>>> ap_rputs("ssl_var_lookup is not available", r);
>>>> return OK;
>>>> }
>>>>
>>>> value = var_lookup(r->pool, r->server,
>>>> r->connection, r, "SSL_VERSION_LIBRARY");
>>>>
>>>> if (value && *value) {
>>>> ap_rputs(value, r);
>>>> }
>>>> else {
>>>> ap_rputs("NULL", r);
>>>> }
>>>>
>>>> return OK;
>>>> }
>>>>
>>>> static void test_ssl_version_register_hooks(apr_pool_t *p)
>>>> {
>>>> ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
>>>> APR_HOOK_MIDDLE);
>>>> ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
>>>> NULL, NULL, APR_HOOK_MIDDLE);
>>>> }
>>>>
>>>> module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
>>>> STANDARD20_MODULE_STUFF,
>>>> NULL, /* create per-dir config structures */
>>>> NULL, /* merge per-dir config structures */
>>>> NULL, /* create per-server config structures */
>>>> NULL, /* merge per-server config structures */
>>>> NULL, /* table of config file commands */
>>>> test_ssl_version_register_hooks /* register hooks */
>>>> };
>>>> ==== SNIP =====
>>>>
>>>> and the necessary addition to http2.t to use the module:
>>>>
>>>> Index: t/modules/http2.t
>>>> ===================================================================
>>>> --- t/modules/http2.t (revision 1844483)
>>>> +++ t/modules/http2.t (working copy)
>>>> @@ -25,6 +25,16 @@
>>>> my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
>>>> if ($openssl_version < 0x10000000) {
>>>> $tls_modern = 0;
>>>> +} else {
>>>> + Apache::TestRequest::scheme("https");
>>>> + my $url = '/test_ssl_version_lookup';
>>>> + my $r = GET("$url");
>>>> + $openssl_version = $r->content;
>>>> + print STDOUT "OpenSSL version '$openssl_version'\n";
>>>> + # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
>>>> + if ($openssl_version =~ /\/0\./) {
>>>> + $tls_modern = 0;
>>>> + }
>>>> }
>>>>
>>>> Apache::TestRequest::module("http2");
>>>>
>>>> What do people think? Should I apply it?
>>>>
>>>> Regards,
>>>>
>>>> Rainer
>>>
>>> +1
Re: t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
Posted by Rainer Jung <ra...@kippdata.de>.
This seems to work nicely, committed in r1844546. Tests with old OpenSSL
either in client or server result in TLSv1 and disable h2 tests. TLS
test requests that result in TLSv1_2 or TLSv1_3 enable h2 tests.
Regards,
Rainer
Am 22.10.2018 um 12:37 schrieb Rainer Jung:
> I wonder whether it would be easier to check whether a TLS connection
> uses TLS 1.2 or later and disable the h2 test if not.
>
> Nevertheless the module for checking the server version might be useful,
> but here I guess checking the TLS version is more appropriate.
>
> But that might mean, that the test runs with OpenSSL 0.9.8zh in the
> client. At least I see some TLSv1.2 reuests during the test suite run
> even when using 0.9.8zh in the client. It ever happens with that version
> in the server.
>
> Will look into it.
>
> Regards,
>
> Rainer
>
> Am 21.10.2018 um 14:28 schrieb Daniel Ruggeri:
>>
>> On 10/21/2018 6:46 AM, Rainer Jung wrote:
>>> Am 18.10.2018 um 14:23 schrieb Stefan Eissing:
>>>>> Am 18.10.2018 um 14:12 schrieb Rainer Jung <ra...@kippdata.de>:
>>>>>
>>>>> - t/modules/http2.t fails when the server is build using OpenSSL
>>>>> 0.9.8zh with the "Bad plan. You planned 52 tests..." message
>>>>> indicating, that h2 using TLS does not work. It happens on all
>>>>> platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>>>>
>>>>> I don't know whether that is expected for old OpenSSL, so can not
>>>>> judge on criticality.
>>>>
>>>> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
>>>> TLSv1.2 and is therefore unusable with h2. The test suite seems to be
>>>> unprepared for this scenario. I will remove it after the next
>>>> release. It is not worth fixing in its current form.
>>>
>>> I added a check agains the test suite OpenSSL version in r1844483.
>>>
>>> I have an aditional check for the server version available.
>>> Unfortunately I didn't find a really easy way, so here's a small
>>> module that one can query
>>> (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
>>> shortened form of mod_test_ssl.c:
>>>
>>> ==== SNIP =====
>>> #define HTTPD_TEST_REQUIRE_APACHE 2
>>>
>>> #if CONFIG_FOR_HTTPD_TEST
>>>
>>> <IfModule @ssl_module@>
>>> <Location /test_ssl_version_lookup>
>>> SetHandler test-ssl-version-lookup
>>> </Location>
>>> </IfModule>
>>>
>>> #endif
>>>
>>> #include "httpd.h"
>>> #include "http_config.h"
>>> #include "http_protocol.h"
>>> #include "http_log.h"
>>> #include "ap_config.h"
>>> #include "apr_optional.h"
>>>
>>> #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h
>>> if using >= 2.1.0 */
>>>
>>> #include "mod_ssl.h"
>>>
>>> #else
>>> /* For use of < 2.0.x, inline the declaration: */
>>>
>>> APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
>>> (apr_pool_t *, server_rec *,
>>> conn_rec *, request_rec *,
>>> char *));
>>>
>>> #endif
>>>
>>> static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
>>>
>>> static void import_ssl_var_lookup(void)
>>> {
>>> var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
>>> }
>>>
>>> static int test_ssl_version_lookup(request_rec *r)
>>> {
>>> char *value;
>>>
>>> if (strcmp(r->handler, "test-ssl-version-lookup")) {
>>> return DECLINED;
>>> }
>>>
>>> if (r->method_number != M_GET) {
>>> return DECLINED;
>>> }
>>>
>>> if (!var_lookup) {
>>> ap_rputs("ssl_var_lookup is not available", r);
>>> return OK;
>>> }
>>>
>>> value = var_lookup(r->pool, r->server,
>>> r->connection, r, "SSL_VERSION_LIBRARY");
>>>
>>> if (value && *value) {
>>> ap_rputs(value, r);
>>> }
>>> else {
>>> ap_rputs("NULL", r);
>>> }
>>>
>>> return OK;
>>> }
>>>
>>> static void test_ssl_version_register_hooks(apr_pool_t *p)
>>> {
>>> ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
>>> APR_HOOK_MIDDLE);
>>> ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
>>> NULL, NULL, APR_HOOK_MIDDLE);
>>> }
>>>
>>> module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
>>> STANDARD20_MODULE_STUFF,
>>> NULL, /* create per-dir config structures */
>>> NULL, /* merge per-dir config structures */
>>> NULL, /* create per-server config structures */
>>> NULL, /* merge per-server config structures */
>>> NULL, /* table of config file commands */
>>> test_ssl_version_register_hooks /* register hooks */
>>> };
>>> ==== SNIP =====
>>>
>>> and the necessary addition to http2.t to use the module:
>>>
>>> Index: t/modules/http2.t
>>> ===================================================================
>>> --- t/modules/http2.t (revision 1844483)
>>> +++ t/modules/http2.t (working copy)
>>> @@ -25,6 +25,16 @@
>>> my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
>>> if ($openssl_version < 0x10000000) {
>>> $tls_modern = 0;
>>> +} else {
>>> + Apache::TestRequest::scheme("https");
>>> + my $url = '/test_ssl_version_lookup';
>>> + my $r = GET("$url");
>>> + $openssl_version = $r->content;
>>> + print STDOUT "OpenSSL version '$openssl_version'\n";
>>> + # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
>>> + if ($openssl_version =~ /\/0\./) {
>>> + $tls_modern = 0;
>>> + }
>>> }
>>>
>>> Apache::TestRequest::module("http2");
>>>
>>> What do people think? Should I apply it?
>>>
>>> Regards,
>>>
>>> Rainer
>>
>> +1
Re: t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
Posted by Rainer Jung <ra...@kippdata.de>.
I wonder whether it would be easier to check whether a TLS connection
uses TLS 1.2 or later and disable the h2 test if not.
Nevertheless the module for checking the server version might be useful,
but here I guess checking the TLS version is more appropriate.
But that might mean, that the test runs with OpenSSL 0.9.8zh in the
client. At least I see some TLSv1.2 reuests during the test suite run
even when using 0.9.8zh in the client. It ever happens with that version
in the server.
Will look into it.
Regards,
Rainer
Am 21.10.2018 um 14:28 schrieb Daniel Ruggeri:
>
> On 10/21/2018 6:46 AM, Rainer Jung wrote:
>> Am 18.10.2018 um 14:23 schrieb Stefan Eissing:
>>>> Am 18.10.2018 um 14:12 schrieb Rainer Jung <ra...@kippdata.de>:
>>>>
>>>> - t/modules/http2.t fails when the server is build using OpenSSL
>>>> 0.9.8zh with the "Bad plan. You planned 52 tests..." message
>>>> indicating, that h2 using TLS does not work. It happens on all
>>>> platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>>>
>>>> I don't know whether that is expected for old OpenSSL, so can not
>>>> judge on criticality.
>>>
>>> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
>>> TLSv1.2 and is therefore unusable with h2. The test suite seems to be
>>> unprepared for this scenario. I will remove it after the next
>>> release. It is not worth fixing in its current form.
>>
>> I added a check agains the test suite OpenSSL version in r1844483.
>>
>> I have an aditional check for the server version available.
>> Unfortunately I didn't find a really easy way, so here's a small
>> module that one can query
>> (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
>> shortened form of mod_test_ssl.c:
>>
>> ==== SNIP =====
>> #define HTTPD_TEST_REQUIRE_APACHE 2
>>
>> #if CONFIG_FOR_HTTPD_TEST
>>
>> <IfModule @ssl_module@>
>> <Location /test_ssl_version_lookup>
>> SetHandler test-ssl-version-lookup
>> </Location>
>> </IfModule>
>>
>> #endif
>>
>> #include "httpd.h"
>> #include "http_config.h"
>> #include "http_protocol.h"
>> #include "http_log.h"
>> #include "ap_config.h"
>> #include "apr_optional.h"
>>
>> #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h
>> if using >= 2.1.0 */
>>
>> #include "mod_ssl.h"
>>
>> #else
>> /* For use of < 2.0.x, inline the declaration: */
>>
>> APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
>> (apr_pool_t *, server_rec *,
>> conn_rec *, request_rec *,
>> char *));
>>
>> #endif
>>
>> static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
>>
>> static void import_ssl_var_lookup(void)
>> {
>> var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
>> }
>>
>> static int test_ssl_version_lookup(request_rec *r)
>> {
>> char *value;
>>
>> if (strcmp(r->handler, "test-ssl-version-lookup")) {
>> return DECLINED;
>> }
>>
>> if (r->method_number != M_GET) {
>> return DECLINED;
>> }
>>
>> if (!var_lookup) {
>> ap_rputs("ssl_var_lookup is not available", r);
>> return OK;
>> }
>>
>> value = var_lookup(r->pool, r->server,
>> r->connection, r, "SSL_VERSION_LIBRARY");
>>
>> if (value && *value) {
>> ap_rputs(value, r);
>> }
>> else {
>> ap_rputs("NULL", r);
>> }
>>
>> return OK;
>> }
>>
>> static void test_ssl_version_register_hooks(apr_pool_t *p)
>> {
>> ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
>> APR_HOOK_MIDDLE);
>> ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
>> NULL, NULL, APR_HOOK_MIDDLE);
>> }
>>
>> module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
>> STANDARD20_MODULE_STUFF,
>> NULL, /* create per-dir config structures */
>> NULL, /* merge per-dir config structures */
>> NULL, /* create per-server config structures */
>> NULL, /* merge per-server config structures */
>> NULL, /* table of config file commands */
>> test_ssl_version_register_hooks /* register hooks */
>> };
>> ==== SNIP =====
>>
>> and the necessary addition to http2.t to use the module:
>>
>> Index: t/modules/http2.t
>> ===================================================================
>> --- t/modules/http2.t (revision 1844483)
>> +++ t/modules/http2.t (working copy)
>> @@ -25,6 +25,16 @@
>> my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
>> if ($openssl_version < 0x10000000) {
>> $tls_modern = 0;
>> +} else {
>> + Apache::TestRequest::scheme("https");
>> + my $url = '/test_ssl_version_lookup';
>> + my $r = GET("$url");
>> + $openssl_version = $r->content;
>> + print STDOUT "OpenSSL version '$openssl_version'\n";
>> + # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
>> + if ($openssl_version =~ /\/0\./) {
>> + $tls_modern = 0;
>> + }
>> }
>>
>> Apache::TestRequest::module("http2");
>>
>> What do people think? Should I apply it?
>>
>> Regards,
>>
>> Rainer
>
> +1
Re: t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
Posted by Daniel Ruggeri <dr...@primary.net>.
On 10/21/2018 6:46 AM, Rainer Jung wrote:
> Am 18.10.2018 um 14:23 schrieb Stefan Eissing:
>>> Am 18.10.2018 um 14:12 schrieb Rainer Jung <ra...@kippdata.de>:
>>>
>>> - t/modules/http2.t fails when the server is build using OpenSSL
>>> 0.9.8zh with the "Bad plan. You planned 52 tests..." message
>>> indicating, that h2 using TLS does not work. It happens on all
>>> platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>>
>>> I don't know whether that is expected for old OpenSSL, so can not
>>> judge on criticality.
>>
>> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
>> TLSv1.2 and is therefore unusable with h2. The test suite seems to be
>> unprepared for this scenario. I will remove it after the next
>> release. It is not worth fixing in its current form.
>
> I added a check agains the test suite OpenSSL version in r1844483.
>
> I have an aditional check for the server version available.
> Unfortunately I didn't find a really easy way, so here's a small
> module that one can query
> (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
> shortened form of mod_test_ssl.c:
>
> ==== SNIP =====
> #define HTTPD_TEST_REQUIRE_APACHE 2
>
> #if CONFIG_FOR_HTTPD_TEST
>
> <IfModule @ssl_module@>
> <Location /test_ssl_version_lookup>
> SetHandler test-ssl-version-lookup
> </Location>
> </IfModule>
>
> #endif
>
> #include "httpd.h"
> #include "http_config.h"
> #include "http_protocol.h"
> #include "http_log.h"
> #include "ap_config.h"
> #include "apr_optional.h"
>
> #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h
> if using >= 2.1.0 */
>
> #include "mod_ssl.h"
>
> #else
> /* For use of < 2.0.x, inline the declaration: */
>
> APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
> (apr_pool_t *, server_rec *,
> conn_rec *, request_rec *,
> char *));
>
> #endif
>
> static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
>
> static void import_ssl_var_lookup(void)
> {
> var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
> }
>
> static int test_ssl_version_lookup(request_rec *r)
> {
> char *value;
>
> if (strcmp(r->handler, "test-ssl-version-lookup")) {
> return DECLINED;
> }
>
> if (r->method_number != M_GET) {
> return DECLINED;
> }
>
> if (!var_lookup) {
> ap_rputs("ssl_var_lookup is not available", r);
> return OK;
> }
>
> value = var_lookup(r->pool, r->server,
> r->connection, r, "SSL_VERSION_LIBRARY");
>
> if (value && *value) {
> ap_rputs(value, r);
> }
> else {
> ap_rputs("NULL", r);
> }
>
> return OK;
> }
>
> static void test_ssl_version_register_hooks(apr_pool_t *p)
> {
> ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
> APR_HOOK_MIDDLE);
> ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
> NULL, NULL, APR_HOOK_MIDDLE);
> }
>
> module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
> STANDARD20_MODULE_STUFF,
> NULL, /* create per-dir config structures */
> NULL, /* merge per-dir config structures */
> NULL, /* create per-server config structures */
> NULL, /* merge per-server config structures */
> NULL, /* table of config file commands */
> test_ssl_version_register_hooks /* register hooks */
> };
> ==== SNIP =====
>
> and the necessary addition to http2.t to use the module:
>
> Index: t/modules/http2.t
> ===================================================================
> --- t/modules/http2.t (revision 1844483)
> +++ t/modules/http2.t (working copy)
> @@ -25,6 +25,16 @@
> my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
> if ($openssl_version < 0x10000000) {
> $tls_modern = 0;
> +} else {
> + Apache::TestRequest::scheme("https");
> + my $url = '/test_ssl_version_lookup';
> + my $r = GET("$url");
> + $openssl_version = $r->content;
> + print STDOUT "OpenSSL version '$openssl_version'\n";
> + # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
> + if ($openssl_version =~ /\/0\./) {
> + $tls_modern = 0;
> + }
> }
>
> Apache::TestRequest::module("http2");
>
> What do people think? Should I apply it?
>
> Regards,
>
> Rainer
+1
--
Daniel Ruggeri