Posted to test-cvs@httpd.apache.org by jo...@apache.org on 2005/08/30 17:41:14 UTC

svn commit: r264798 - in /httpd/test/trunk/perl-framework/t: conf/ssl/ssl.conf.in security/CAN-2005-2700.t

Author: jorton
Date: Tue Aug 30 08:41:09 2005
New Revision: 264798

URL: http://svn.apache.org/viewcvs?rev=264798&view=rev
Log:
Add test for new mod_ssl issue, CAN-2005-2700.

Added:
    httpd/test/trunk/perl-framework/t/security/CAN-2005-2700.t
Modified:
    httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in

Modified: httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in
URL: http://svn.apache.org/viewcvs/httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in?rev=264798&r1=264797&r2=264798&view=diff
==============================================================================
--- httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in (original)
+++ httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in Tue Aug 30 08:41:09 2005
@@ -1,4 +1,4 @@
-#test config derived from httpd-2.0/docs/conf/ssl-std.conf
+#test config derived from httpd-2.0/docs/conf/ssl-std.conf -*- text -*-
 
 <IfModule @ssl_module@>
     #base config that can be used by any SSL enabled VirtualHosts
@@ -138,4 +138,22 @@
         </IfModule>
 
     </VirtualHost>
+
+    # An SSL vhost which does optional ccert checks at vhost level, to
+    # check for CVE CAN-2005-2700.
+      
+    <VirtualHost ssl_optional_cc>
+        SSLEngine on
+        
+        SSLVerifyClient optional
+
+        Alias /require/any        @DocumentRoot@
+        Alias /require/none       @DocumentRoot@
+
+        <Location /require/any>
+            SSLVerifyClient require
+            SSLVerifyDepth  10
+        </Location>
+    </VirtualHost>
+
 </IfModule>
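Review bot: The comment above `<VirtualHost ssl_optional_cc>` names the CVE but not the property the vhost exists to exercise, and `/require/none` has no `<Location>` block, so it runs under the vhost-level `SSLVerifyClient optional` rather than `none` as its path suggests. I would expand the comment along the lines of `# /require/none inherits the vhost-level "optional" (no ccert needed); /require/any overrides it with "require" and must refuse clients that present no certificate.` That would keep a later editor from changing the vhost default to `none`, which would presumably stop the test from covering the optional-to-require case.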

Added: httpd/test/trunk/perl-framework/t/security/CAN-2005-2700.t
URL: http://svn.apache.org/viewcvs/httpd/test/trunk/perl-framework/t/security/CAN-2005-2700.t?rev=264798&view=auto
==============================================================================
--- httpd/test/trunk/perl-framework/t/security/CAN-2005-2700.t (added)
+++ httpd/test/trunk/perl-framework/t/security/CAN-2005-2700.t Tue Aug 30 08:41:09 2005
@@ -0,0 +1,24 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, [$vars->{ssl_module_name}, qw(LWP::Protocol::https)];
+
+Apache::TestRequest::user_agent_keepalive(0);
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::module('ssl_optional_cc');
+
+my $r;
+
+$r = GET "/require/none/";
+
+ok t_cmp($r->code, 200, "access permitted without ccert");
+
+$r = GET "/require/any/";
+
+ok !t_cmp($r->code, 200, "access *not* permitted without ccert");
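Review bot: The second assertion, `ok !t_cmp($r->code, 200, "access *not* permitted without ccert")`, passes on any non-200 status, so a 404 from a broken Alias or a client-side failure reported by LWP would count as "access denied" and the test could pass without exercising the per-location check. Pin the denial to the status the server is expected to return, for example `ok t_cmp($r->code, 403, "access *not* permitted without ccert");` (403 is an assumption here; confirm it against a patched server). Negating t_cmp also makes its debug output show an expected value of 200 for a case that must not be 200, which is confusing when reading a failure log. There is also no positive control showing that /require/any returns 200 when a client certificate is presented; another test may cover that, but it is not visible in this commit.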