Posted to test-commits@perl.apache.org by jo...@apache.org on 2018/10/10 12:15:47 UTC

svn commit: r1843435 - in /perl/Apache-Test/trunk/lib/Apache: TestConfig.pm TestSSLCA.pm

Author: jorton
Date: Wed Oct 10 12:15:46 2018
New Revision: 1843435

URL: http://svn.apache.org/viewvc?rev=1843435&view=rev
Log:
Expose -sslproto flag and try to hack around OpenSSL 1.1.1 PHA mess
so mod_ssl tests aren't entirely broken under TLSv1.3.

Modified:
    perl/Apache-Test/trunk/lib/Apache/TestConfig.pm
    perl/Apache-Test/trunk/lib/Apache/TestSSLCA.pm

Modified: perl/Apache-Test/trunk/lib/Apache/TestConfig.pm
URL: http://svn.apache.org/viewvc/perl/Apache-Test/trunk/lib/Apache/TestConfig.pm?rev=1843435&r1=1843434&r2=1843435&view=diff
==============================================================================
--- perl/Apache-Test/trunk/lib/Apache/TestConfig.pm (original)
+++ perl/Apache-Test/trunk/lib/Apache/TestConfig.pm Wed Oct 10 12:15:46 2018
@@ -86,6 +86,7 @@ use vars qw(%Usage);
    proxyssl_url    => 'url for testing ProxyPass / https (default is localhost)',
    sslca           => 'location of SSL CA (default is $t_conf/ssl/ca)',
    sslcaorg        => 'SSL CA organization to use for tests (default is asf)',
+   sslproto        => 'SSL/TLS protocol version(s) to test',
    libmodperl      => 'path to mod_perl\'s .so (full or relative to LIBEXECDIR)',
    defines         => 'values to add as -D defines (for example, "VAR1 VAR2")',
    (map { $_ . '_module_name', "$_ module name"} qw(cgi ssl thread access auth php)),
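Review bot: The new `sslproto` usage string gives neither the default nor the expected value syntax, while the neighbouring `sslca` and `sslcaorg` entries both state their defaults. Judging by the `"all -TLSv1.3"` value set in TestSSLCA.pm, the option presumably takes an SSLProtocol-style list, which is worth confirming and stating. Something like `sslproto => 'SSL/TLS protocol version(s) to test (default is all, minus TLSv1.3 when PHA is unavailable)',` would show users that the default can narrow the tested protocol set.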
@@ -296,6 +297,16 @@ sub new {
     $vars->{t_conf}       ||= catfile $vars->{serverroot}, 'conf';
     $vars->{sslca}        ||= catfile $vars->{t_conf}, 'ssl', 'ca';
     $vars->{sslcaorg}     ||= 'asf';
+
+    if (!defined($vars->{sslproto})) {
+        require Apache::TestSSLCA;
+
+        $vars->{sslproto} = Apache::TestSSLCA::sslproto();
+    }
+    else {
+        $vars->{sslproto} = 'all';
+    }
+
     $vars->{t_logs}       ||= catfile $vars->{serverroot}, 'logs';
     $vars->{t_conf_file}  ||= catfile $vars->{t_conf},   'httpd.conf';
     $vars->{t_pid_file}   ||= catfile $vars->{t_logs},   'httpd.pid';
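Review bot: The `else` branch added here replaces any caller-supplied `sslproto` with `'all'`, so the newly exposed `-sslproto` flag has no effect. A run that explicitly asks for a restricted protocol set is silently widened back to every version, TLSv1.3 included, which also bypasses the PHA workaround computed in TestSSLCA.pm. Only the undefined case needs handling, so the `else { $vars->{sslproto} = 'all'; }` block should be dropped and the `if (!defined($vars->{sslproto})) { ... }` part kept as is. `new` begins and ends outside this hunk.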

Modified: perl/Apache-Test/trunk/lib/Apache/TestSSLCA.pm
URL: http://svn.apache.org/viewvc/perl/Apache-Test/trunk/lib/Apache/TestSSLCA.pm?rev=1843435&r1=1843434&r2=1843435&view=diff
==============================================================================
--- perl/Apache-Test/trunk/lib/Apache/TestSSLCA.pm (original)
+++ perl/Apache-Test/trunk/lib/Apache/TestSSLCA.pm Wed Oct 10 12:15:46 2018
@@ -70,6 +70,20 @@ if (Apache::Test::normalize_vstring($ver
     $san_msupn = $san_dnssrv = "";
 }
 
+my $sslproto = "all";
+
+if (Apache::Test::normalize_vstring($version) >= 
+    Apache::Test::normalize_vstring("1.1.1")
+    && !defined(&Net::SSLeay::CTX_set_post_handshake_auth)) {
+    # OpenSSL 1.1.1 disables PHA by default client-side in TLSv1.3 but
+    # most clients are not updated to enable it (at time of writing).
+    # Many mod_ssl tests require working PHA, so disable v1.3 unless
+    # using an updated Net::SSLeay. This is strictly insufficient
+    # since an updated IO::Socket::SSL is also needed; to be
+    # continued.  Ref: https://github.com/openssl/openssl/issues/6933
+    $sslproto = "all -TLSv1.3";
+}
+
 my $ca_dn = {
     asf => {
         C  => 'US',
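Review bot: The `defined(&Net::SSLeay::CTX_set_post_handshake_auth)` probe can only see the function if Net::SSLeay is already loaded, and no `require Net::SSLeay` is visible in this hunk. If nothing earlier in the file loads it, the condition is always true on OpenSSL >= 1.1.1 and TLSv1.3 is dropped even with an updated Net::SSLeay. Loading it defensively before the `if`, e.g. `eval { require Net::SSLeay };`, would make the probe meaningful. Because the fallback quietly removes TLSv1.3 from test coverage, a one-line notice when `$sslproto` becomes `"all -TLSv1.3"` would tell readers of the results that those paths were not exercised.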
@@ -570,5 +584,9 @@ sub email_field {
     return $email_field;
 }
 
+sub sslproto {
+    return $sslproto;
+}
+
 1;
 __END__