You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2018/10/19 07:25:55 UTC
svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Author: rjung
Date: Fri Oct 19 07:25:55 2018
New Revision: 1844309
URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
Log:
Do not use STDIN / STDOUT as -reqin and -respout
for "openssl ocsp", since that is supported only
in OpenSSL 1.0.2 and above.
Instead use temporary files.
Modified:
httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Modified: httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
URL: http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL?rev=1844309&r1=1844308&r2=1844309&view=diff
==============================================================================
--- httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL (original)
+++ httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL Fri Oct 19 07:25:55 2018
@@ -1,3 +1,5 @@
+use File::Temp qw/:POSIX/;
+
my $caroot = $ENV{SSL_CA_ROOT};
if (! -d $caroot) {
@@ -5,23 +7,72 @@ if (! -d $caroot) {
Status: 500 Internal Server Error
Content-Type: text/plain
-Cannot find CA root at "$ENV{SSL_CA_ROOT}";
+Cannot find CA root at "$ENV{SSL_CA_ROOT}"
EOT
- ;
- print STDERR "SSL_CA_ROOT env var not set or can't find CA root.\n";
- exit(1);
+ ;
+ print STDERR "SSL_CA_ROOT env var not set or can't find CA root.\n";
+ exit(1);
}
chdir($caroot);
-
+
+my $filein = tempnam();
+my $fileout = tempnam();
+
+# Enable slurp mode (read all lines at once)
+local $/;
+
+# Copy STDIN to $filein, which will be used as input for openssl
+open(IN, '>', "$filein") or die "Could not open file '$filein' for write: $!";
+binmode IN;
+print IN <STDIN>;
+close(IN);
+
+my $cmd = 'openssl ocsp -CA certs/ca.crt'.
+ ' -index index.txt'.
+ ' -rsigner certs/server.crt'.
+ ' -rkey keys/server.pem'.
+ ' -reqin ' . $filein .
+ ' -respout ' . $fileout;
+system($cmd);
+
+# Check system result
+my $err = '';
+if ($? == -1) {
+ my $err = "failed to execute '$cmd': $!\n";
+}
+elsif ($? & 127) {
+ my $err = sprintf("child '$cmd' died with signal %d, %s coredump\n",
+ ($? & 127), ($? & 128) ? 'with' : 'without');
+}
+else {
+ my $rc = $? >> 8;
+ my $err = "child '$cmd' exited with value $rc\n" if $rc;
+}
+
+unlink($filein);
+
+if ($err ne '') {
+ print <<EOT
+Status: 500 Internal Server Error
+Content-Type: text/plain
+
+$err
+EOT
+ ;
+ print STDERR $err;
+ exit(1);
+}
+
print <<EOT
Content-Type: application/ocsp-response
EOT
;
-exec("openssl ocsp -CA certs/ca.crt ".
- "-index index.txt ".
- "-rsigner certs/server.crt ".
- "-rkey keys/server.pem ".
- "-reqin - -respout -");
+# Copy openssl result from $fileout to STDOUT
+open(OUT, '<', "$fileout") or die "Could not open file '$fileout' for read: $!";
+binmode OUT;
+print <OUT>;
+close(OUT);
+unlink($fileout);
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Oct 19, 2018 at 11:39:27AM +0200, Rainer Jung wrote:
> Concerning your simpler approach: it is OK if we give up supporting 0.9.8
> but we should probably keep the "or `$openssl list -commands 2>&1` !~
> /ocsp/" part of the test.
OK good point, let's leave it as-is. r1844320 works for me, thanks!
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Rainer Jung <ra...@kippdata.de>.
Am 19.10.2018 um 11:01 schrieb Joe Orton:
> On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
>
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
>
> tempnam() from File::Temp is not exported and takes two arguments, are
> you testing with a different version?
Sorry, tempnam => tmpnam. Committed in r1844320. It at least works here.
Would you be able to recheck?
> Compatibility functions:
>
> $unopened_file = File::Temp::tempnam( $dir, $pfx );
>
> I would be happy to restrict this test to running with recent versions
> of OpenSSL if it requires excessive hacks to make working with older
> ones.
>
> A simpler/safer test for the OpenSSL versions would be
>
> Index: t/ssl/ocsp.t
> ===================================================================
> --- t/ssl/ocsp.t (revision 1844314)
> +++ t/ssl/ocsp.t (working copy)
> @@ -20,9 +20,12 @@
> # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
> # support in earlier versions without messing around with stderr
> my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
> if (!have_min_apache_version('2.4.26')
> - or `$openssl list -commands 2>&1` !~ /ocsp/) {
> - print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> + or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
> + print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
> exit 0;
> }
The problem here is, that what broke the test originally was not the
wrong OpenSSL version but instead relying on a feature of it (allowing
-reqin and -respout to point to STDIN resp. STDOUT). That's why I would
prefer fixing the test. At least here in my environment it now works
also with OpenSSL 0.9.8.
Not sure, if the change I applied (using temporary files for input and
output) should already be rated as "excessive hacks". I agree, it makes
a simple script roughly twice the size, but some of the new lines are
because of checking the result of the system() call (we had a fire and
forget exec() before).
Concerning your simpler approach: it is OK if we give up supporting
0.9.8 but we should probably keep the "or `$openssl list -commands 2>&1`
!~ /ocsp/" part of the test.
Regards,
Rainer
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Ruediger Pluem <rp...@apache.org>.
On 10/19/2018 11:01 AM, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
>
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
>
> tempnam() from File::Temp is not exported and takes two arguments, are
> you testing with a different version?
>
> Compatibility functions:
>
> $unopened_file = File::Temp::tempnam( $dir, $pfx );
>
> I would be happy to restrict this test to running with recent versions
> of OpenSSL if it requires excessive hacks to make working with older
> ones.
>
> A simpler/safer test for the OpenSSL versions would be
>
> Index: t/ssl/ocsp.t
> ===================================================================
> --- t/ssl/ocsp.t (revision 1844314)
> +++ t/ssl/ocsp.t (working copy)
> @@ -20,9 +20,12 @@
> # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
> # support in earlier versions without messing around with stderr
> my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
> if (!have_min_apache_version('2.4.26')
> - or `$openssl list -commands 2>&1` !~ /ocsp/) {
> - print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> + or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
> + print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
How would we know in this case that this recent Openssl version was build with ocsp support?
Regards
RĂ¼diger
Re: svn commit: r1844309 -
/httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@apache.org wrote:
> Author: rjung
> Date: Fri Oct 19 07:25:55 2018
> New Revision: 1844309
>
> URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
> Log:
> Do not use STDIN / STDOUT as -reqin and -respout
> for "openssl ocsp", since that is supported only
> in OpenSSL 1.0.2 and above.
>
> Instead use temporary files.
This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
tempnam() from File::Temp is not exported and takes two arguments, are
you testing with a different version?
Compatibility functions:
$unopened_file = File::Temp::tempnam( $dir, $pfx );
I would be happy to restrict this test to running with recent versions
of OpenSSL if it requires excessive hacks to make working with older
ones.
A simpler/safer test for the OpenSSL versions would be
Index: t/ssl/ocsp.t
===================================================================
--- t/ssl/ocsp.t (revision 1844314)
+++ t/ssl/ocsp.t (working copy)
@@ -20,9 +20,12 @@
# Requires OpenSSL 1.1, can't find a simple way to test for OCSP
# support in earlier versions without messing around with stderr
my $openssl = Apache::TestSSLCA::openssl();
+my $version = Apache::TestSSLCA::version();
+my $min_version = "1.0.2";
+
if (!have_min_apache_version('2.4.26')
- or `$openssl list -commands 2>&1` !~ /ocsp/) {
- print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
+ or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
+ print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
exit 0;
}