source: mod_gnutls/test/ @ a08b25e

Last change on this file since a08b25e was a08b25e, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Test suite: Listen on IPv6 and IPv4 loopback by default

Distributions handle host names for loopback addresses and their
resolution differently, which caused trouble with the previous
defaults of TEST_HOST=localhost and TEST_IP=[::1]. While they work
fine on Debian, tests on Ubuntu failed apparently randomly because
connections to localhost sometimes used, and setting
TEST_IP= would sometimes be hit by the opposite effect.

The best solution seems to be to let the test servers listen on both
IPv4 and IPv6 loopback addresses ( and [::1]): "localhost"
should always resolve to at least one of them, so we don't have to
care about the details. Apache handles the transport layer anyway, so
this change will not hide bugs in mod_gnutls itself.

Listening on both addresses is achieved by treating TEST_IP as a list
of addresses to listen on, changing the default to "[::1]",
and building a config file containing "Listen" directives for the test
servers from that. With this change there is no need to export TEST_IP
to the test environment any more.

Users who want to set their own TEST_IP can do so as before, but
should note that IPv6 addresses must be enclosed in square brackets.

  • Property mode set to 100644
File size: 5.8 KB
# Automake input for the mod_gnutls test suite. SUBDIRS descends into
# tests/, dist_check_SCRIPTS lists the per-test-case driver scripts
# (distributed, but only used by "make check"), and TESTS hands the same
# list to the Automake test harness.
# Judging by the script names, the list contains negative cases
# (*_fail, *_wrong_cert, *_crl_revoke, *_mismatched_priorities) alongside
# the positive ones; a test that must fail the handshake needs to stay
# in this list for the suite to keep checking the rejection path.
[33af2b7]1SUBDIRS = tests
3dist_check_SCRIPTS = test-00_basic.bash \
[c51e33a]4        test-01_serverwide_priorities.bash \
5        test-02_cache_in_vhost.bash \
6        test-03_cachetimeout_in_vhost.bash \
7        test-04_basic_nosni.bash \
8        test-05_mismatched-priorities.bash \
9        test-06_verify_sni_a.bash \
10        test-07_verify_sni_b.bash \
11        test-08_verify_no_sni_fallback_to_first_vhost.bash \
12        test-09_verify_no_sni_fails_with_wrong_order.bash \
13        test-10_basic_client_verification.bash \
14        test-11_basic_client_verification_fail.bash \
15        test-12_cgi_variables.bash \
16        test-13_cgi_variables_no_client_cert.bash \
[65c18ce]17        test-14_basic_openpgp.bash
[33af2b7]19dist_check_SCRIPTS += test-15_basic_msva.bash
[33af2b7]21dist_check_SCRIPTS += test-16_view-status.bash \
[eea8a16]22        test-17_cgi_vars_large_cert.bash \
[6e6a4e4]23        test-18_client_verification_wrong_cert.bash \
[ed82a6a]24        test-19_TLS_reverse_proxy.bash \
25        test-20_TLS_reverse_proxy_client_auth.bash \
[907ae8f]26        test-21_TLS_reverse_proxy_wrong_cert.bash \
[f030883]27        test-22_TLS_reverse_proxy_crl_revoke.bash \
[3f00958]28        test-23_TLS_reverse_proxy_mismatched_priorities.bash \
29        test-24_pkcs11_cert.bash
[33af2b7]31TESTS = $(dist_check_SCRIPTS)
# Key and certificate file lists for the test identities. Each list is
# built with a substitution reference: $(identities:=/x509.pem) appends
# "/x509.pem" to every word of "identities".
# x509_keys are X.509 private keys (the CLEANFILES comment further down
# says so); the secret.pgp / secring.gpg names suggest PGP secret keys
# as well. All of it is generated for the test identities and belongs
# in the build tree only, never in a real deployment.
[9a4d250]33# Identities in the miniature CA, server, and client environment for
34# the test suite
35identities = server authority client imposter rogueca
36# Append strings after ":=" to each identity to generate a list of
37# necessary files
38pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
39        $(identities:=/secret.pgp)
40x509_keys = $(identities:=/secret.key)
41x509_certs = $(identities:=/x509.pem)
42x509_tokens = $(x509_certs) $(x509_keys)
43tokens = $(x509_tokens) $(pgp_tokens)
# NOTE(review): the include path below is cut off in this listing; the
# name of the included file cannot be recovered from here.
[fc8e463b]45include $(srcdir)/
[39bd695]47# Test cases trying to create keys and certificates in parallel causes
48# race conditions. Ensure that all keys and certificates are generated
49# before tests get to run.
51# NOTE: Once the support files have been generated, test cases can be
52# run with multiple jobs, but real parallelization would require
53# dynamic port assignments. At the moment, lock files ensure that only
54# one Apache instance (possibly plus a proxy back end instance) is
55# running at any time, so test cases actually have to wait for each
56# other - just not in any particular order.
# check_DATA files are built by "make check" before the test scripts
# are started, which is what keeps key and certificate generation out
# of the (possibly parallel) test phase.
[9a4d250]57check_DATA = $(tokens) server/crl.pem
# Clean-up lists. Automake removes MOSTLYCLEANFILES on "make mostlyclean"
# and CLEANFILES on "make clean" (which also performs mostlyclean).
# The entries containing "*" are shell globs: they are expanded when the
# clean recipe runs, relative to the build directory.
# Private keys are only in CLEANFILES, so "mostlyclean" leaves the key
# pairs in place and only discards what can be re-derived from them.
[98ab9db]59MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem
[90a31a4]61cert_templates = \
62 rogueca.template
63generated_templates = authority.template client.template \
64        imposter.template server.template
[9a4d250]66# Delete X.509 private keys on full clean. Note that unless you need
67# to generate fresh keys, the "mostlyclean" target should be
68# sufficient (see below).
69CLEANFILES = $(x509_keys)
[90a31a4]71# Delete X.509 certificates and generated templates on "mostlyclean"
72# target. Certificates can be rebuilt without generating new key
73# pairs, and regenerating them makes it possible to change identities
74# (e.g. host names) without wasting entropy on new keys (which would
75# happen after "clean").
[9a4d250]76MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
[6ce02e2]79# Delete PGP keyrings on "mostlyclean" target. They are created from
80# the X.509 private keys and certificates with an expiration time of
81# one day, so regenerating them is both fast and frequently
82# necessary.
[9a4d250]83MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
84# GnuPG random pool, no need to regenerate on every build
85CLEANFILES += authority/random_seed
# NOTE(review): the assignment announced by the next comment is not
# visible in this listing.
[9a4d250]87# Delete lock files for test servers on "mostlyclean" target.
# Build the GnuPG trust database used by the MSVA test case, in its own
# GnuPG home directory (created with mode 0700). The recipe:
#   1. imports the first prerequisite (authority/minimal.pgp),
#   2. reads the fingerprint (field 10 of the "fpr:" record) from the
#      keyring in GNUPGHOME=authority and imports it as ownertrust
#      level 6, which GnuPG treats as ultimate trust,
#   3. imports client/cert.pgp,
#   4. writes a gpg.conf naming a keyserver under the reserved
#      ".example" TLD, presumably so that the tests can never trigger a
#      real keyserver lookup.
# The ultimate-trust assignment is what makes the test authority a
# trust root for this keyring; it must stay confined to $(msva_home).
# NOTE(review): step 2 assumes the authority keyring yields exactly one
# "fpr:" line; with more than one, only the last line would receive the
# ":6:" suffix - TODO confirm. $(dir $@) is also passed to the shell
# unquoted.
90# rule to build MSVA trust database
92msva_home = msva.gnupghome
93check_DATA += $(msva_home)/trustdb.gpg client.uid
94MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
95$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
96        mkdir -p -m 0700 $(dir $@)
97        GNUPGHOME=$(dir $@) gpg --import < $<
98        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
99        GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
100        printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
# server/softhsm.db is required before the tests run and removed on
# "mostlyclean"; the rule that creates it is not visible in this listing.
[349fd6e]103# SoftHSM files
[3f00958]104check_DATA += server/softhsm.db
[9a4d250]105MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
# Scratch directories for the tests, plus their removal on clean.
# NOTE(review): listing lines 110, 114 and 119 are missing here. The
# mkdir recipe presumably belongs to a "make-test-dirs:" rule, the rmdir
# lines to a clean hook, and "if USE_MSVA" presumably has a matching
# "endif" - confirm against the repository.
# rmdir (rather than rm -r) only removes directories that are already
# empty; both the leading "-" and the "|| true" make a failure there
# non-fatal.
108check_DATA += make-test-dirs
109extra_dirs = logs cache outputs
111        mkdir -p $(extra_dirs)
112.PHONY: make-test-dirs
115        -rmdir $(identities) || true
116        -rmdir $(extra_dirs) || true
117if USE_MSVA
118        -rmdir $(msva_home) || true
[9a4d250]121# Apache configuration and data files
[af7da2d]122apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
# NOTE(review): the bare "*" in EXTRA_DIST looks like a glob that lost
# its suffix in this listing; as written it would match every file in
# the directory, generated key material included - confirm against the
# repository.
124EXTRA_DIST = $(apache_data) $(cert_templates) * proxy_backend.bash \
[fc8e463b]125        runtests server-crl.template server-softhsm.conf softhsm.bash
[34e5dc7]127# Lockfile for the main Apache process
128test_lockfile = ./test.lock
[50eab8e]129# Maximum wait time in seconds for flock to aquire instance lock files
130lock_wait = 30
# The "?=" assignments below only apply when the variable is not already
# set, so the ports and timings can be overridden from the environment
# or the make command line.
[34e5dc7]132# port for the main Apache server
133TEST_PORT ?= 9932
134# port for MSVA in test cases that use it
135MSVA_PORT ?= 9933
[a61edfd]136# maximum time to wait for MSVA startup (milliseconds)
137TEST_MSVA_MAX_WAIT ?= 10000
138# wait loop time for MSVA startup (milliseconds)
139TEST_MSVA_WAIT ?= 400
# NOTE(review): the assignment described by the next comment is not
# visible in this listing (presumably TEST_QUERY_DELAY, which
# AM_TESTS_ENVIRONMENT exports).
[34e5dc7]140# seconds for the HTTP request to be sent and responded to
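# Environment handed to every test script. The value is a single shell
# fragment ("export A=...; export B=...;") that the Automake test
# harness runs before each test.
#
# Every value is double-quoted, including APACHE2 and AP_LIBEXECDIR, so
# that a path containing whitespace or shell metacharacters stays one
# word instead of being split or interpreted by the shell.
#
# BACKEND_HOST reuses TEST_HOST, so the proxy back end is addressed by
# the same host name as the main test server. Per the commit message,
# TEST_IP is deliberately not exported: the "Listen" directives are
# generated from it instead.
#
# NOTE(review): the assignments of TEST_HOST and TEST_QUERY_DELAY are
# not in the visible part of this file - confirm where they are set.
AM_TESTS_ENVIRONMENT = export APACHE2="$(APACHE2)"; \
	export AP_LIBEXECDIR="$(AP_LIBEXECDIR)"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export TEST_LOCK_WAIT="$(lock_wait)"; \
	export TEST_HOST="$(TEST_HOST)"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
	export BACKEND_HOST="$(TEST_HOST)";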
# NOTE(review): the rule header that owns the recipe line below (listing
# line 159) is not visible here.
# The target-specific "export" puts the whole AM_TESTS_ENVIRONMENT
# string into the recipe's environment as TEST_ENV. "$${TEST_ENV}"
# reaches the shell as "${TEST_ENV}", so the shell prints the string
# verbatim instead of executing the export statements in it.
155# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
156# you want to manually run an Apache instance with Valgrind using the
157# same configuration as a test case.
158show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
160        @echo "$${TEST_ENV}"