Changes in / [63468af:02c8e54] in mod_gnutls


Files:
23 added
13 deleted
53 edited

  • CHANGELOG

    r63468af r02c8e54  
    22- Handle Unclean Shutdowns
    33- make session cache use generic apache caches
    4 
    5 ** Version 0.7.4 (2016-04-13)
    6 - Support SoftHSM 2 for PKCS #11 testing
    7 - Increase verbosity of test logs
    8 
    9 ** Version 0.7.3 (2016-01-12)
    10 - Update test suite for compatibility with GnuTLS 3.4, which has
    11   stricter key usage checks and priorities than 3.3.
    12 - Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
    13   set (mod_status sets it for requests with the "auto" parameter, e.g.
    14   https://localhost/server-status?auto).
    15 - Register "ssl_is_https" function so the special mod_rewrite variable
    16   %{HTTPS} works correctly with mod_gnutls. The new test case for this
    17   requires Wget or curl. Fixes Debian bug #514005.
    18 - Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
    19   default (other addresses configurable), which should fix failures
    20   due to localhost randomly resolving to either on some distributions.
    21 - Isolate tests using network namespaces, if possible. This avoids
    22   port conflicts with other test cases (so they can run in parallel)
    23   and host services.
    24 - Support for local Apache drop-in config files in the test suite
    25   (e.g. to load additional modules needed on Fedora).
    26 - Try to use markdown to build HTML documentation if pandoc is not
    27   available.
    28 - Disable use of flock if it is unavailable or does not support
    29   timeouts (the latter caused the build to fail on Debian Hurd).
    30 - New test: Disable TLS 1.0 (regression test for Debian bug #754960).
    314
    325** Version 0.7.2 (2015-11-21)
  • configure.ac

    r63468af r02c8e54  
    11dnl
    2 AC_INIT(mod_gnutls, 0.7.4)
     2AC_INIT(mod_gnutls, 0.7.2)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    6060AC_MSG_RESULT($use_srp)
    6161
    62 dnl Optionally disable flock
    63 AC_ARG_ENABLE(flock,
    64         AS_HELP_STRING([--disable-flock], [Disable use of flock during tests \
    65         (some exotic architectures don't support it)]),
    66         [use_flock=$enableval], [use_flock=yes])
    67 # Check if flock is available and supports --timeout
    68 AC_PATH_PROG([FLOCK], [flock], [no])
    69 AS_IF([test "${FLOCK}" != "no"],
    70       [
    71         AC_MSG_CHECKING([whether ${FLOCK} supports --timeout])
    72         lockfile="$(mktemp)"
    73         AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
    74               [flock_works="yes"], [flock_works="no"])
    75         rm "${lockfile}"
    76         AC_MSG_RESULT([$flock_works])
    77       ],
    78       [flock_works="no"])
    79 # disable flock if requested by user or it doesn't support timeout
    80 AM_CONDITIONAL([DISABLE_FLOCK],
    81                [test "$enable_flock" = "no" || test "$flock_works" = "no"])
    82 
    83 dnl Enable test namespaces? Default is "yes".
    84 AC_ARG_ENABLE(test-namespaces,
    85         AS_HELP_STRING([--disable-test-namespaces], [Disable use of network \
    86         namespaces to run tests in parallel (some architectures might not \
    87         support it)]),
    88         [use_netns=$enableval], [use_netns=yes])
    89 
    90 # Check if "unshare" is available and has permission to create network
    91 # and user namespaces
    92 AC_PATH_PROG([UNSHARE], [unshare], [no])
    93 AS_IF([test "${UNSHARE}" != "no"],
    94       [
    95         AC_MSG_CHECKING([for permission to create network and user namespaces])
    96         AS_IF([${UNSHARE} --net -r /bin/sh -c \
    97                 "ip link set up lo && ip addr show" >&AS_MESSAGE_LOG_FD 2>&1],
    98               [unshare_works="yes"], [unshare_works="no"])
    99         AC_MSG_RESULT([$unshare_works])
    100       ],
    101       [unshare_works="no"])
    102 # decide whether to enable network namespaces
    103 AS_IF([test "$enable_test_namespaces" != "no" \
    104             && test "$unshare_works" = "yes"],
    105       [use_netns="yes"], [use_netns="no"])
    106 AM_CONDITIONAL([ENABLE_NETNS], [test "$use_netns" != "no"])
    107 # Adjust Apache configuration for tests accordingly: Use pthread mutex
    108 # and test specific PID files if using namespaces, defaults otherwise.
    109 AS_IF([test "$use_netns" = "yes"],
    110       [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
    111       [MUTEX_TYPE="default"; PID_AFFIX=""])
    112 AC_SUBST(MUTEX_TYPE)
    113 AC_SUBST(PID_AFFIX)
    114 AM_SUBST_NOTMAKE(MUTEX_TYPE)
    115 AM_SUBST_NOTMAKE(PID_AFFIX)
    116 
    11762AC_ARG_ENABLE(msva,
    11863       AS_HELP_STRING([--enable-msva],
     
    14893                build_doc="html only"
    14994        fi
    150 else
    151         AC_PATH_PROG([MARKDOWN], [markdown], [no])
    152         if test "$MARKDOWN" != "no"; then
    153                 build_doc="html stub"
    154         fi
    15595fi
    15696AM_CONDITIONAL([USE_PANDOC], [test "$PANDOC" != "no"])
    15797AM_CONDITIONAL([USE_PDFLATEX], [test "$PANDOC" != "no" && \
    15898                               test "$PDFLATEX" != "no"])
    159 AM_CONDITIONAL([USE_MARKDOWN], [test -n "$MARKDOWN" && \
    160                                test "$MARKDOWN" != "no"])
    16199
    162100# Check for Apache binary
     
    167105fi
    168106
    169 AC_PATH_PROGS([HTTP_CLI], [curl wget], [no])
    170 
    171107MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
    172108MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
    173 
    174 AC_PATH_PROGS([SOFTHSM], [softhsm2-util softhsm], [no])
    175 if test "${SOFTHSM}" != "no"; then
    176         softhsm_version=$(${SOFTHSM} --version)
    177         AS_VERSION_COMPARE([$(${SOFTHSM} --version)], [2.0.0],
    178                            [AC_SUBST(SOFTHSM_MAJOR_VERSION, [1])],
    179                            [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])],
    180                            [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])])
    181 fi
    182 AM_CONDITIONAL([HAVE_SOFTHSM], [test "${SOFTHSM}" != "no"])
    183 AM_CONDITIONAL([HAVE_SOFTHSM1], [test "${SOFTHSM_MAJOR_VERSION}" = "1"])
    184 AM_CONDITIONAL([HAVE_SOFTHSM2], [test "${SOFTHSM_MAJOR_VERSION}" = "2"])
    185109
    186110AC_SUBST(MODULE_CFLAGS)
     
    189113# assign default values to TEST_HOST and TEST_IP if necessary
    190114: ${TEST_HOST:="localhost"}
    191 : ${TEST_IP:="[[::1]] 127.0.0.1"}
     115: ${TEST_IP:="[::1]"}
    192116AC_ARG_VAR([TEST_HOST], [Host name to use for server instances started by \
    193                         "make check", must resolve to addresses in TEST_IP. \
    194                         The default is "localhost".])
    195 AC_ARG_VAR([TEST_IP], [List of IP addresses to use for server instances \
    196                       started by "make check". The default is \
    197                       "[::1] 127.0.0.1". Note that IPv6 addresses must be \
    198                       enclosed in square brackets.])
    199 AM_SUBST_NOTMAKE(TEST_IP)
    200 
    201 dnl Allow user to set SoftHSM PKCS #11 module
    202 AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
    203                           use. By default the test suite will search common \
    204                           library paths.])
    205 
    206 dnl Build list of "Listen" statements for Apache
    207 LISTEN_LIST="# Listen addresses for the test servers"
    208 for i in ${TEST_IP}; do
    209         LISTEN_LIST="${LISTEN_LIST}
    210 Listen ${i}:\${TEST_PORT}"
    211 done
    212 dnl HTTP ports, only active if TEST_HTTP_PORT is defined
    213 LISTEN_LIST="${LISTEN_LIST}
    214 <IfDefine TEST_HTTP_PORT>"
    215 for i in ${TEST_IP}; do
    216         LISTEN_LIST="${LISTEN_LIST}
    217         Listen ${i}:\${TEST_HTTP_PORT}"
    218 done
    219 LISTEN_LIST="${LISTEN_LIST}
    220 </IfDefine>"
    221 AC_SUBST(LISTEN_LIST)
    222 AM_SUBST_NOTMAKE(LISTEN_LIST)
     117                        "make check", must resolve to TEST_IP. The default \
     118                        is "localhost".])
     119AC_ARG_VAR([TEST_IP], [IP address to use for server instances started by \
     120                      "make check". The default is the IPv6 loopback address \
     121                      [::1].])
    223122
    224123AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
    225                         doc/Makefile include/mod_gnutls.h \
    226                         test/proxy_backend.conf \
    227                         test/apache-conf/listen.conf \
    228                         test/apache-conf/netns.conf])
     124                          doc/Makefile include/mod_gnutls.h])
    229125AC_OUTPUT
    230126
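Review bot: The new default `: ${TEST_IP:="[::1]"}` sits in configure.ac, where m4 treats `[` and `]` as quote characters, so the generated configure script most likely ends up assigning `::1` without brackets; test/base_apache.conf then expands that into `Listen ::1:${TEST_PORT}`, which is not the bracketed form Apache requires for an IPv6 address in Listen. The `[::1]` inside the TEST_IP help string is probably affected the same way. Use a doubled pair or the quadrigraphs: `: ${TEST_IP:="[[::1]]"}` in the shell default and `@<:@::1@:>@` in the AC_ARG_VAR text. Separately, this revision no longer locates `flock` at configure time, yet test/runtests and test/proxy_backend.bash invoke a bare `flock -w` unconditionally, so a host without it (or without timeout support) fails every test with no configure-time diagnostic; an `AC_PATH_PROG([FLOCK], [flock], [no])` with a clear `AC_MSG_ERROR` or a conditional would surface that early.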
  • doc/Makefile.am

    r63468af r02c8e54  
    33if USE_PANDOC
    44html_DATA = mod_gnutls_manual.html
     5endif
     6# pandoc needs pdflatex for PDF output, so USE_PDFLATEX will only be
     7# enabled if USE_PANDOC is, too.
    58if USE_PDFLATEX
    6 # pandoc && pdflatex
    79pdf_DATA = mod_gnutls_manual.pdf
    810endif
    9 else
    10 if USE_MARKDOWN
    11 # !pandoc && markdown
    12 html_DATA = mod_gnutls_manual.html
    13 endif
    14 endif
    15 
    1611MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
    1712
    18 # pdf_DATA will be empty if pandoc isn't available
    1913$(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
    20 if USE_PANDOC
    2114        $(PANDOC) --toc --standalone -f markdown -o $@ $<
    22 else
    23 if USE_MARKDOWN
    24         $(MARKDOWN) $< > $@
    25 endif
    26 endif
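Review bot: The rule `$(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn` now runs `$(PANDOC)` outside any Automake conditional and relies on both DATA variables being empty when pandoc is absent, which is what keeps the rule inert; the comment that stated this assumption is dropped in the same change. Restore it above the rule, e.g. `# html_DATA and pdf_DATA are both empty without pandoc, so this rule only fires when $(PANDOC) exists.` so the next person who adds a non-pandoc HTML target knows the recipe must be guarded.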
  • doc/mod_gnutls_manual.mdwn

    r63468af r02c8e54  
    3131:   Provides a list of all available configure options.
    3232
    33 It is recommended to run `make check` before installation. If your
    34 system doesn't have a loopback device with IPv6 and IPv4 support or
    35 `localhost` does not resolve to at least one of `[::1]` and
    36 `127.0.0.1`, you may have to set the `TEST_HOST` or `TEST_IP`
     33It is recommended to run `make check` before installation. If
     34`localhost` does not resolve to the IPv6 loopback address `[::1]` on
     35your system, you may have to set the `TEST_HOST` or `TEST_IP`
    3736environment variables when running `./configure` to make the test
    3837suite work correctly.
  • src/gnutls_hooks.c

    r63468af r02c8e54  
    44 *  Copyright 2011 Dash Shendy
    55 *  Copyright 2013-2014 Daniel Kahn Gillmor
    6  *  Copyright 2015-2016 Thomas Klute
     6 *  Copyright 2015 Thomas Klute
    77 *
    88 *  Licensed under the Apache License, Version 2.0 (the "License");
     
    16551655#endif /* ENABLE_MSVA */
    16561656
    1657 
    1658 
    1659 /*
    1660  * This hook writes the mod_gnutls status message for a mod_status
    1661  * report. According to the comments in mod_status.h, the "flags"
    1662  * parameter is a bitwise OR of the AP_STATUS_ flags.
    1663  *
    1664  * Note that this implementation gives flags explicitly requesting a
    1665  * simple response priority, e.g. if AP_STATUS_SHORT is set, flags
    1666  * requesting an HTML report will be ignored. As of Apache 2.4.10, the
    1667  * following flags were defined in mod_status.h:
    1668  *
    1669  * AP_STATUS_SHORT (short, non-HTML report requested)
    1670  * AP_STATUS_NOTABLE (HTML report without tables)
    1671  * AP_STATUS_EXTENDED (detailed report)
    1672  */
    1673 static int mgs_status_hook(request_rec *r, int flags)
     1657static int mgs_status_hook(request_rec *r, int flags __attribute__((unused)))
    16741658{
     1659    mgs_srvconf_rec *sc;
     1660
    16751661    if (r == NULL)
    16761662        return OK;
    16771663
    1678     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    1679         ap_get_module_config(r->server->module_config, &gnutls_module);
     1664    sc = (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, &gnutls_module);
    16801665
    16811666    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    16821667
    1683     if (flags & AP_STATUS_SHORT)
    1684     {
    1685         ap_rprintf(r, "Using GnuTLS version: %s\n", gnutls_check_version(NULL));
    1686         ap_rputs("Built against GnuTLS version: " GNUTLS_VERSION "\n", r);
    1687     }
    1688     else
    1689     {
    1690         ap_rputs("<hr>\n", r);
    1691         ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
    1692 
    1693         ap_rprintf(r, "<dt>Using GnuTLS version:</dt><dd>%s</dd>\n",
    1694                    gnutls_check_version(NULL));
    1695         ap_rputs("<dt>Built against GnuTLS version:</dt><dd>"
    1696                  GNUTLS_VERSION "</dd>\n", r);
    1697         ap_rprintf(r, "<dt>Using TLS:</dt><dd>%s</dd>\n",
    1698                    (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
    1699     }
    1700 
    1701     if (sc->enabled != GNUTLS_ENABLED_FALSE)
    1702     {
    1703         mgs_handle_t* ctxt =
    1704             ap_get_module_config(r->connection->conn_config, &gnutls_module);
    1705         if (ctxt && ctxt->session != NULL)
    1706         {
    1707             char* s_info = gnutls_session_get_desc(ctxt->session);
    1708             if (s_info)
    1709             {
    1710                 if (flags & AP_STATUS_SHORT)
    1711                     ap_rprintf(r, "Current TLS session: %s\n", s_info);
    1712                 else
    1713                     ap_rprintf(r, "<dt>Current TLS session:</dt><dd>%s</dd>\n",
    1714                                s_info);
    1715                 gnutls_free(s_info);
     1668    ap_rputs("<hr>\n", r);
     1669    ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
     1670
     1671    ap_rprintf(r, "<dt>GnuTLS version:</dt><dd>%s</dd>\n", gnutls_check_version(NULL));
     1672    ap_rputs("<dt>Built against:</dt><dd>" GNUTLS_VERSION "</dd>\n", r);
     1673    ap_rprintf(r, "<dt>using TLS:</dt><dd>%s</dd>\n", (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
     1674    if (sc->enabled != GNUTLS_ENABLED_FALSE) {
     1675        mgs_handle_t* ctxt;
     1676        ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
     1677        if (ctxt && ctxt->session != NULL) {
     1678#if GNUTLS_VERSION_MAJOR < 3
     1679            ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n",
     1680                gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
     1681                gnutls_cipher_get(ctxt->session),
     1682                gnutls_mac_get(ctxt->session)));
     1683#else
     1684            char* z = NULL;
     1685            z = gnutls_session_get_desc(ctxt->session);
     1686            if (z) {
     1687                ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n", z);
     1688                gnutls_free(z);
    17161689            }
    1717         }
    1718     }
    1719 
    1720     if (!(flags & AP_STATUS_SHORT))
    1721         ap_rputs("</dl>\n", r);
    1722 
     1690#endif
     1691        }
     1692    }
     1693
     1694    ap_rputs("</dl>\n", r);
    17231695    return OK;
    17241696}
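Review bot: `mgs_status_hook` now ignores `flags` (marked `__attribute__((unused))`) and always writes HTML, so a mod_status request that sets AP_STATUS_SHORT (the `?auto` form, meant for machine parsing) receives `<hr>`, `<h2>` and `<dl>` markup inside what its consumers treat as plain `key: value` text. The hook should branch on `flags & AP_STATUS_SHORT`: emit plain lines such as `Using GnuTLS version: %s\n` and the session description without markup when it is set, and keep the current `<dl>` block otherwise, with the closing `</dl>` likewise skipped for short reports; the `unused` attribute on `flags` then goes away. Note that `sc` from `ap_get_module_config` is dereferenced without a NULL check on both the `enabled` reads, which is presumably safe because the server config is always allocated, but it is worth a one-line comment. The function is complete within this section.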
  • src/mod_gnutls.c

    r63468af r02c8e54  
    6969    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    7070    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
    71 
    72     /* mod_rewrite calls this function to detect HTTPS */
    73     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
    74 }
    75 
    76 
    77 
    78 /*
    79  * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
    80  * value means that HTTPS is in use.
    81  */
     71}
     72
    8273int ssl_is_https(conn_rec *c)
    8374{
    8475    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    8576        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    86     mgs_handle_t *ctxt = (mgs_handle_t *)
    87         ap_get_module_config(c->conn_config, &gnutls_module);
    88 
    89     if(sc->enabled == GNUTLS_ENABLED_FALSE
    90        || ctxt == NULL
    91        || ctxt->enabled == GNUTLS_ENABLED_FALSE)
    92     {
     77    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
    9378        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
    9479        return 0;
     
    9782    return 1;
    9883}
    99 
    100 
    10184
    10285int ssl_engine_disable(conn_rec *c)
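Review bot: `ssl_is_https` is defined but no longer registered as an optional function: the new side of the registration hook ends directly after `APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);`, so a consumer that retrieves `ssl_is_https` by name at startup (mod_rewrite does this to fill `%{HTTPS}`) gets NULL and treats every connection as plain HTTP. Add `APR_REGISTER_OPTIONAL_FN(ssl_is_https);` before that closing brace, with the comment `/* mod_rewrite calls this function to detect HTTPS */`. The check itself reads `sc->non_ssl_request` from the server config and compares against bare `0`/`1`; if that field is per-server rather than per-connection, as its location in `mgs_srvconf_rec` suggests, it cannot say whether this particular `conn_rec` negotiated TLS, and the per-connection `mgs_handle_t` in `c->conn_config` (with `GNUTLS_ENABLED_FALSE` rather than literals) is the reliable source. The registration hook starts before this section, and two lines of `ssl_is_https`'s body are collapsed between the `return 0;` and `return 1;` context.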
  • test/Makefile.am

    r63468af r02c8e54  
    2727        test-22_TLS_reverse_proxy_crl_revoke.bash \
    2828        test-23_TLS_reverse_proxy_mismatched_priorities.bash \
    29         test-24_pkcs11_cert.bash \
    30         test-25_Disable_TLS_1.0.bash \
    31         test-26_redirect_HTTP_to_HTTPS.bash
     29        test-24_pkcs11_cert.bash
    3230
    3331TESTS = $(dist_check_SCRIPTS)
     
    3533# Identities in the miniature CA, server, and client environment for
    3634# the test suite
    37 shared_identities = server authority client imposter rogueca
    38 pgp_identities = $(shared_identities)
    39 x509_only_identities = rogueclient
    40 x509_identities = $(shared_identities) $(x509_only_identities)
    41 identities = $(shared_identities) $(x509_only_identities)
     35identities = server authority client imposter rogueca
    4236# Append strings after ":=" to each identity to generate a list of
    4337# necessary files
    44 pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
    45         $(pgp_identities:=/secret.pgp)
    46 x509_keys = $(x509_identities:=/secret.key)
    47 x509_certs = $(x509_identities:=/x509.pem)
     38pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
     39        $(identities:=/secret.pgp)
     40x509_keys = $(identities:=/secret.key)
     41x509_certs = $(identities:=/x509.pem)
    4842x509_tokens = $(x509_certs) $(x509_keys)
    4943tokens = $(x509_tokens) $(pgp_tokens)
    50 
    51 if !DISABLE_FLOCK
    52 # flock command for write access to the authority keyring
    53 GPG_FLOCK = @FLOCK@ authority/lock
    54 endif
    5544
    5645include $(srcdir)/test_ca.mk
     
    7160
    7261cert_templates = authority.template.in client.template.in \
    73         imposter.template.in rogueca.template rogueclient.template.in \
    74         server.template.in
     62        imposter.template.in rogueca.template server.template.in
    7563generated_templates = authority.template client.template \
    76         imposter.template rogueclient.template server.template
     64        imposter.template server.template
    7765
    7866# Delete X.509 private keys on full clean. Note that unless you need
     
    8472# target. Certificates can be rebuilt without generating new key
    8573# pairs, and regenerating them makes it possible to change identities
    86 # (e.g. host names) without wasting time on new keys (which would
     74# (e.g. host names) without wasting entropy on new keys (which would
    8775# happen after "clean").
    8876MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
     
    113101endif
    114102
     103# SoftHSM files
     104check_DATA += server/softhsm.db
     105MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
    115106
    116 # SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
    117 # hence has to be treated slightly differently.
    118 SOFTHSM_TOKEN = server/softhsm.db
    119 SOFTHSM2_TOKEN = server/softhsm2.db
    120 
    121 # Tokens should be cleaned whether or not the matching SoftHSM version
    122 # was detected on the last ./configure run.
    123 MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
    124 # included in mostlyclean-local below
    125 clean-softhsm2-db:
    126         -rm -rf $(SOFTHSM2_TOKEN)
    127 
    128 if HAVE_SOFTHSM1
    129 check_DATA += $(SOFTHSM_TOKEN)
    130 endif HAVE_SOFTHSM1
    131 
    132 if HAVE_SOFTHSM2
    133 check_DATA += $(SOFTHSM2_TOKEN)
    134 endif HAVE_SOFTHSM2
    135107
    136108check_DATA += make-test-dirs
     
    138110make-test-dirs:
    139111        mkdir -p $(extra_dirs)
    140 
    141 .PHONY: make-test-dirs clean-softhsm2-db
    142 
    143 mostlyclean-local: clean-softhsm2-db
     112.PHONY: make-test-dirs
    144113
    145114clean-local:
     
    153122apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
    154123
    155 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
    156         proxy_backend.bash runtests server-crl.template softhsm.bash
     124EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
     125        runtests server-crl.template server-softhsm.conf softhsm.bash
    157126
    158127# Lockfile for the main Apache process
    159128test_lockfile = ./test.lock
    160 # Lockfile for the proxy backend Apache process (if any)
    161 backend_lockfile = ./backend.lock
    162 # Maximum wait time in seconds for flock to aquire instance lock
    163 # files, or Apache to remove its PID file
     129# Maximum wait time in seconds for flock to aquire instance lock files
    164130lock_wait = 30
    165131
     
    175141TEST_QUERY_DELAY ?= 30
    176142
    177 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
    178         export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
     143AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
     144        export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
     145        export TEST_LOCK="$(test_lockfile)"; \
    179146        export TEST_LOCK_WAIT="$(lock_wait)"; \
    180         export TEST_HOST="@TEST_HOST@"; \
     147        export TEST_HOST="$(TEST_HOST)"; \
     148        export TEST_IP="$(TEST_IP)"; \
    181149        export TEST_PORT="$(TEST_PORT)"; \
    182150        export MSVA_PORT="$(MSVA_PORT)"; \
     
    184152        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
    185153        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
    186         export BACKEND_HOST="@TEST_HOST@"; \
    187         export HTTP_CLI="@HTTP_CLI@";
    188 
    189 if HAVE_SOFTHSM
    190 AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
    191         export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
    192         export SOFTHSM_LIB="@SOFTHSM_LIB@"
    193 endif
    194 
    195 if ENABLE_NETNS
    196 AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
    197         export USE_TEST_NAMESPACE=1;
    198 endif
    199 # Without flock tests must not run in parallel. Otherwise set lock files.
    200 if DISABLE_FLOCK
    201 .NOTPARALLEL:
    202 else
    203 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
    204         export TEST_LOCK="$(test_lockfile)"; \
    205         export BACKEND_LOCK="$(backend_lockfile)";
    206 endif
     154        export BACKEND_HOST="$(TEST_HOST)"; \
     155        export BACKEND_IP="$(TEST_IP)";
    207156
    208157# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
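Review bot: `check_DATA += server/softhsm.db` is now unconditional, so every `make check` depends on producing a SoftHSM token even on hosts without SoftHSM; the rule that builds it is not in this section, so unless it degrades gracefully the suite fails before a single test runs, and configure.ac in this revision does not probe for SoftHSM at all. Guard the addition with an Automake conditional set from configure, e.g. `if HAVE_SOFTHSM` / `check_DATA += server/softhsm.db` / `endif`, so the pkcs11 test is skipped rather than the whole suite breaking. Minor: the new comment reads `flock to aquire instance lock files`; `acquire`.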
  • test/README

    r63468af r02c8e54  
    1212=================
    1313
    14 From the top level of the source, or from test/ (where this README is),
     14from the top level of the source, or from test/ (where this README is),
    1515just run:
    1616
    17   make check
     17 make check
    1818
    19 from test/. You can also run specific test cases by passing their
    20 script names to make in the TESTS variable:
     19from test/ you can also run specific tests by passing their script
     20names to make in the TESTS variable:
    2121
    22   TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
     22 TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
    2323
    2424This should be handy when you're just trying to experiment with a new
    2525test and don't want to wait for the full test suite to run.
    2626
    27 The default configuration assumes that a loopback device with IPv4 and
    28 IPv6 support is available (TEST_IP="[::1] 127.0.0.1") and that
    29 TEST_HOST="localhost" resolves to at least one of these addresses. If
    30 this does not apply to your system, you can pass different values to
    31 ./configure, e.g. to use IPv4 only:
     27The default configuration assumes that an IPv6 loopback device is
     28available (TEST_IP=[::1]) and that TEST_HOST="localhost" resolves to
     29the IPv6 loopback address [::1]. If this does not apply to your
     30system, you can pass different values to ./configure, e.g. to use IPv4
     31instead:
    3232
    3333  TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
    34 
    35 If tests fail due to expired certificates or PGP signatures, run
    36 
    37   make mostlyclean
    38 
    39 to delete them and create fresh ones on the next test run. You could
    40 also use "make clean", but in that case the keys will be deleted as
    41 well and have to be recreated, too, which takes more time.
    4234
    4335
     
    4941The simplest way to add a test is (from test/):
    5042
    51   ./newtest
     43 ./newtest
    5244
    5345This will prompt you for a simple name for the test and then copy a
     
    6052==============
    6153
    62 Each test consists of a script in test/ and a directory in
    63 test/tests/, which the test suite uses to spin up an isolated Apache
    64 instance or two (for proxy tests) and try to connect to it with
    65 gnutls-cli and make a simple HTTP 1.1 or 1.0 request.
     54Each test consists of a directory in test/tests/, which will cause the
     55test suite to spin up an isolated apache instance and try to connect
     56to it with gnutls-cli and make a simple HTTP 1.1 request.
    6657
    67 Test directories usually contain the following files:
     58By default, these tests are expected to succeed, by having
    6859
    69  * apache.conf -- Apache configuration to be used
     60In each directory, you can put the following files:
    7061
    71  * gnutls-cli.args -- the arguments to pass to gnutls-cli
     62 * apache.conf --  the apache configuration to be used
     63
     64 * gnutls-cli.args --  the arguments to pass to gnutls-cli
    7265
    7366 * input -- the full HTTP request (including the final blank line)
    7467
    75  * backend.conf [optional] -- Apache configuration for the proxy
    76    backend server, if any
    77 
    7868 * output [optional] -- the lines of this file will be checked against
    7969   the same number of lines at the end of the output produced by the
    80    gnutls-cli process. "Date" and "Server" headers are filtered from
    81    the response because they are expected to change between runs
    82    (date) or builds (server version).
     70   gnutls-cli process.
    8371
    8472 * fail.server [optional] -- if this file exists, it means we expect
     
    9179   should result in a failed file retrieval.
    9280
    93 The "runtests" script is used to start one Apache instance and send a
    94 request based on the files described above. Note that some tests take
    95 additional steps, e.g. starting another server to act as proxy
    96 backend, and at least one does not use "runtests" at all.
    97 
    98 By default (if "unshare" is available and has the permissions required
    99 to create network and user namespaces), each test case is run inside
    100 its own network namespace. This avoids address and port conflicts with
    101 other tests as well has the host system.
    102 
    103 When writing your own tests, make sure to call netns_reexec (defined
    104 in common.bash) if you need to start any network services outside of
    105 runtests (which will create the namespace if it doesn't exist
    106 already). However, some architectures might not support namespaces, so
    107 traditional locking (using flock) and serial execution are still
    108 supported.
    109 
    11081
    11182Robustness and Tuning
    11283=====================
    11384
    114 Here are some things that you might want to tune about the tests based
    115 on your expected setup (along with the variables that can be passed to
    116 "make check" to adjust them):
     85These tests aren't nearly as robust as i'd like them to be, but they
     86work for the moment and they're better than no tests at all.
    11787
    118  * They need a functioning loopback device.
     88Here are some things that you might want to tune based on your
     89expected setup (along with the variables that can be passed to "make
     90check" to adjust them):
    11991
    120  * They expect (by default) to have port 9932 [TEST_PORT] available
    121    and open for connections on the addresses listed in TEST_IP.
     92 * they need a functioning loopback device.
    12293
    123  * Depending on the compile time configuration of the Apache binary
    124    installed on your system you may need to load additional Apache
    125    modules. The recommended way to do this is to drop a configuration
    126    file into the test/apache-conf/ directory. Patches to detect such
    127    situations and automatically configure the tests accordingly are
    128    welcome.
     94 * they expect (by default) the TEST_IP to have port 9932
     95   open. [TEST_PORT]
    12996
    130  * If a machine is particularly slow or under heavy load, it's
     97 * if a machine is particularly slow or under heavy load, it's
    13198   possible that these tests will fail for timing
    132    reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
     99   reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
    133100   and responded to)]
    134 
    135 The first two of these issues are avoided when the tests are isolated
    136 using network namespaces, which is the default (see "Implementation"
    137 above). The ./configure script tries to detect if namespaces can be
    138 used (some Linux distributions disable them for unprivileged
    139 users). If this detection returns a false positive or you do not want
    140 to use namespace isolation for some other reason, you can run
    141 configure with the --disable-test-namespaces option.
    142101
    143102In some situations you may want to see the exact environment as
     
    145104instance with Valgrind using the same configuration as a test
    146105case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.
    147 
    148 If you are building on an exotic architecture which does not support
    149 flock (or timeouts using flock -w), ./configure should detect that and
    150 disable locking, or you can disable it manually by passing
    151 "--disable-flock" to ./configure. This will force serial execution of
    152 tests, including environment setup.
  • test/base_apache.conf

    r63468af r02c8e54  
    55ErrorLog logs/${TEST_NAME}.error.log
    66HostnameLookups Off
     7PidFile apache2.pid
    78KeepAlive Off
    89LogLevel debug
     
    1314TypesConfig ${srcdir}/mime.types
    1415
    15 Include         apache-conf/*.conf
     16Listen ${TEST_IP}:${TEST_PORT}
    1617
    1718DocumentRoot ${srcdir}/data
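--- a/test/proxy_backend.bash
+++ b/test/proxy_backend.bash
@@ -2,5 +2,4 @@
 
 set -e
-. ${srcdir}/common.bash
 
 if [ -z "${BACKEND_HOST}" ]; then
@@ -13,5 +12,5 @@
     export BACKEND_PORT="9934"
 fi
-: ${BACKEND_PID:="backend.pid"}
+: ${BACKEND_LOCK:="backend.lock"}
 : ${srcdir:="."}
 : ${APACHE2:="apache2"}
@@ -25,4 +24,8 @@
     lockfile="${4}"
 
+    if [ -n "${lockfile}" ]; then
+        flock_cmd="flock -w ${TEST_LOCK_WAIT} ${lockfile}"
+    fi
+
     TEST_NAME="$(basename "${dir}")"
     (
@@ -33,15 +36,4 @@
         case $action in
             start)
-                if [ -n "${USE_TEST_NAMESPACE}" ]; then
-                    echo "Using namespaces to isolate tests, no need for" \
-                         "locking."
-                    flock_cmd=""
-                elif [ -n "${lockfile}" ]; then
-                    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
-                else
-                    echo "Locking disabled, using wait based on proxy PID file."
-                    wait_pid_gone "${BACKEND_PID}"
-                    flock_cmd=""
-                fi
                 ${flock_cmd} \
                     ${APACHE2} -f "$(realpath ${testdir}/${conf})" -k start || return 1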
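Review bot: `flock_cmd` on the added lines 26–28 is neither declared `local` nor reset when `lockfile` is empty, so a value left over in the environment or from an earlier call of this function is reused silently; add `local flock_cmd=""` before the `if`. The command is also built as a whitespace-split string and expanded unquoted at `${flock_cmd} \`, so a lock path containing spaces breaks the invocation; an array, `flock_cmd=(flock -w "${TEST_LOCK_WAIT}" "${lockfile}")` used as `"${flock_cmd[@]}"`, avoids that. The function containing these lines starts before the hunk.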
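--- a/test/runtests
+++ b/test/runtests
@@ -6,6 +6,4 @@
 
 set -e
-. ${srcdir}/common.bash
-netns_reexec ${@}
 
 testid="${1##t-}"
@@ -19,6 +17,6 @@
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
-                 MSVA_PORT; do
+for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+                 MSVA_PORT TEST_LOCK; do
     if [ ! -v "$v" ]; then
         printf "You need to set the %s environment variable\n" "$v" >&2
@@ -152,16 +150,6 @@
 fi
 
-TEST_PID="apache2.pid"
 # configure locking for the Apache process
-if [ -n "${USE_TEST_NAMESPACE}" ]; then
-    echo "Using namespaces to isolate tests, no need for locking."
-    flock_cmd=""
-elif [ -n "${TEST_LOCK}" ]; then
-    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
-else
-    echo "Locking disabled, using wait based on Apache PID file."
-    wait_pid_gone "${TEST_PID}"
-    flock_cmd=""
-fi
+flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
 
 t="$(realpath ${testid})"
@@ -201,5 +189,5 @@
            run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
        gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
-       | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
+                  >"$output";
 then
     if [ -e ${t}/fail* ]; then
@@ -218,5 +206,5 @@
 
 if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" >&2
+    diff_output_filter_headers "${t}/output" "$output" "-q"
 fi
 if [ -n "${USE_MSVA}" ]; then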
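Review bot: `flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"` on the new line 153 aborts under `set -e` with a bare realpath error when `TEST_LOCK` is set but empty, because the loop above only checks `-v` (variable exists) and never that the value is non-empty; add `if [ -z "${TEST_LOCK}" ]; then printf "TEST_LOCK must not be empty\n" >&2; exit 1; fi` before it and quote the expansion as `"$(realpath "${TEST_LOCK}")"`. The line also hard-requires a `flock` binary that supports `-w` in PATH with no fallback, which deserves a comment next to it so a failure on an exotic platform is understood. On line 191 the `>"$output"` redirect is fine for the `if`, since the pipeline status is that of gnutls-cli, but client output is no longer echoed to the test log; if that is intentional, say so in a comment.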
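--- a/test/softhsm.bash
+++ b/test/softhsm.bash
@@ -17,5 +17,5 @@
     local label="${3}"
 
-    p11tool --provider=${SOFTHSM_LIB} --login --write --label "${label}" \
+    p11tool --provider=${softhsm_lib} --login --write --label "${label}" \
             --load-privkey "${keyfile}" "${token}"
 }
@@ -28,5 +28,5 @@
     local label="${3}"
 
-    p11tool --provider=${SOFTHSM_LIB} --login --write --no-mark-private \
+    p11tool --provider=${softhsm_lib} --login --write --no-mark-private \
             --label "${label}" --load-certificate "${certfile}" "${token}"
 }
@@ -36,5 +36,5 @@
 {
     local label="${1}"
-    p11tool --provider=${SOFTHSM_LIB} --list-tokens | \
+    p11tool --provider=${softhsm_lib} --list-tokens | \
         grep -o -P "(?<=URL:\s)(.*token=${label}.*)$"
 }
@@ -44,5 +44,5 @@
 function get_object_url
 {
-    p11tool --provider=${SOFTHSM_LIB} --list-all --login "${1}" | \
+    p11tool --provider=${softhsm_lib} --list-all --login "${1}" | \
         grep -o -P "(?<=URL:\s)(.*object=${2}.*)$"
 }
@@ -65,51 +65,5 @@
 
 # try to find SoftHSM
-softhsm="$(basename ${SOFTHSM})"
-
-if [ "${softhsm}" = "softhsm" ]; then
-    softhsm_libname="libsofthsm.so"
-    # fail if SOFTHSM_CONF is not set
-    if [ -z "${SOFTHSM_CONF}" ]; then
-        echo "ERROR: SOFTHSM_CONF not set!" 1>&2
-        exit 1
-    else
-        export SOFTHSM_CONF
-    fi
-    echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
-elif [ "${softhsm}" = "softhsm2-util" ]; then
-    softhsm_libname="libsofthsm2.so"
-    # fail if SOFTHSM2_CONF is not set
-    if [ -z "${SOFTHSM2_CONF}" ]; then
-        echo "ERROR: SOFTHSM2_CONF not set!" 1>&2
-        exit 1
-    else
-        export SOFTHSM2_CONF
-    fi
-else
-    # no SoftHSM
-    echo "No SoftHSM!" >&2
-    exit 77
-fi
-
-if [ -z "${SOFTHSM_LIB}" ]; then
-    # Try to find the libsofthsm[2] module in some common locations.
-    softhsm_searchpath=(/usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm)
-    for i in ${softhsm_searchpath[@]} ""; do
-        SOFTHSM_LIB="${i}/${softhsm_libname}"
-        echo "checking ${SOFTHSM_LIB} ..."
-        if [ -f "${SOFTHSM_LIB}" ]; then
-            echo "found!"
-            export SOFTHSM_LIB
-            break;
-        fi
-    done
-else
-    echo "using ${SOFTHSM_LIB} (set by user)"
-fi
-
-if [ ! -f "${SOFTHSM_LIB}" ]; then
-    echo "${softhsm_libname} not found!" >&2
-    exit 77
-fi
+softhsm="$(which softhsm)"
 
 case "${1}" in
@@ -134,4 +88,20 @@
 set -e
 
+# Guess location of libsofthsm based on softhsm binary. The path
+# matches SoftHSM upstream, but this might fail if someone changes the
+# libdir or bindir of the SoftHSM installation independently of its
+# general prefix.
+softhsm_prefix="$(realpath $(dirname ${softhsm})/..)"
+softhsm_lib="${softhsm_prefix}/lib/softhsm/libsofthsm.so"
+
+# fail if SOFTHSM_CONF is not set
+if [ -z "${SOFTHSM_CONF}" ]; then
+    echo "ERROR: SOFTHSM_CONF not set!" 1>&2
+    exit 1
+else
+    export SOFTHSM_CONF
+fi
+echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
+
 # variables for token configuration
 token_label="mod_gnutls-test"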
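Review bot: `softhsm="$(which softhsm)"` on the new line 67 runs before `set -e` takes effect on line 88, so when the binary is not installed the variable is silently empty; `dirname ""` then yields `.`, `softhsm_prefix` becomes the parent of the working directory and `softhsm_lib` points at a module that does not exist, and the failure would presumably only surface later as an opaque p11tool error. Add right after line 67 `if [ -z "${softhsm}" ]; then echo "softhsm not found" >&2; exit 77; fi`, and after line 95 `if [ ! -f "${softhsm_lib}" ]; then echo "${softhsm_lib} not found" >&2; exit 77; fi`, so the test is skipped with a clear reason instead of failing. The `--provider=${softhsm_lib}` arguments on lines 19, 30, 38 and 46 and `$(dirname ${softhsm})` on line 94 are unquoted, so an installation prefix containing whitespace splits them; quote each expansion.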
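--- a/test/test-19_TLS_reverse_proxy.bash
+++ b/test/test-19_TLS_reverse_proxy.bash
@@ -3,6 +3,4 @@
 set -e
 : ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
 
 testdir="${srcdir}/tests/19_TLS_reverse_proxy"
@@ -11,5 +9,5 @@
 function stop_backend
 {
-    backend_apache "${testdir}" "backend.conf" stop
+    backend_apache "${dir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"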
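Review bot: `backend_apache "${dir}" "backend.conf" stop` in stop_backend reads `dir`, which this script never sets; the start call on the next line passes `${testdir}`. It can only work if `backend_apache` leaks a non-local `dir` into the caller's scope during the start call, which is fragile and, the moment the helper uses `local` or runs in a subshell, would issue the stop with an empty directory name. Use `backend_apache "${testdir}" "backend.conf" stop`. The same line appears in test-20, test-21, test-22 and test-23 and needs the same change.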
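--- a/test/test-20_TLS_reverse_proxy_client_auth.bash
+++ b/test/test-20_TLS_reverse_proxy_client_auth.bash
@@ -3,6 +3,4 @@
 set -e
 : ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
 
 testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
@@ -11,5 +9,5 @@
 function stop_backend
 {
-    backend_apache "${testdir}" "backend.conf" stop
+    backend_apache "${dir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"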
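--- a/test/test-21_TLS_reverse_proxy_wrong_cert.bash
+++ b/test/test-21_TLS_reverse_proxy_wrong_cert.bash
@@ -3,6 +3,4 @@
 set -e
 : ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
 
 testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
@@ -11,5 +9,5 @@
 function stop_backend
 {
-    backend_apache "${testdir}" "backend.conf" stop
+    backend_apache "${dir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"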
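--- a/test/test-22_TLS_reverse_proxy_crl_revoke.bash
+++ b/test/test-22_TLS_reverse_proxy_crl_revoke.bash
@@ -3,6 +3,4 @@
 set -e
 : ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
 
 testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
@@ -11,5 +9,5 @@
 function stop_backend
 {
-    backend_apache "${testdir}" "backend.conf" stop
+    backend_apache "${dir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"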
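--- a/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
+++ b/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
@@ -3,6 +3,4 @@
 set -e
 : ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
 
 testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
@@ -16,5 +14,5 @@
 function stop_backend
 {
-    backend_apache "${testdir}" "backend.conf" stop
+    backend_apache "${dir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"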
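--- a/test/test-24_pkcs11_cert.bash
+++ b/test/test-24_pkcs11_cert.bash
@@ -3,7 +3,7 @@
 testdir="$(dirname ${0})/tests/24_pkcs11_cert"
 
-# The Apache/SoftHSM configuration mixes up directories, so generate
-# config files with absolute paths to the token database from a
-# template. Generating them on every run avoids problems if the source
+# The Apache/SoftHSM configuration mixes up directories, so generate a
+# config file with an absolute path to the token database from a
+# template. Generating it on every run avoids problems if the source
 # tree was moved.
 tmp_softhsm_conf="$(mktemp mod_gnutls_test-XXXXXX.conf)"
@@ -14,17 +14,8 @@
 trap cleanup_tmpconf EXIT
 
-if [ "${SOFTHSM_MAJOR_VERSION}" = "1" ]; then
-    cat - >"${tmp_softhsm_conf}" <<EOF
-0:$(realpath $(pwd))/server/softhsm.db
-EOF
-    export SOFTHSM_CONF="${tmp_softhsm_conf}"
-elif [ "${SOFTHSM_MAJOR_VERSION}" = "2" ]; then
-    cat - >"${tmp_softhsm_conf}" <<EOF
-objectstore.backend = file
-directories.tokendir = $(realpath $(pwd))/server/softhsm2.db
-EOF
-    export SOFTHSM2_CONF="${tmp_softhsm_conf}"
-fi
-
+sed "s,__DIR__,$(realpath $(pwd))," \
+    "${testdir}/softhsm.conf.in" \
+    >"${tmp_softhsm_conf}"
+export SOFTHSM_CONF="${tmp_softhsm_conf}"
 echo "Generated temporary SoftHSM config ${tmp_softhsm_conf}:"
 cat "${tmp_softhsm_conf}"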
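Review bot: `sed "s,__DIR__,$(realpath $(pwd)),"` on the new line 16 produces a broken or wrong config whenever the absolute build path contains a comma (it terminates the substitution early) or an `&` (sed replaces it with the matched text), and `$(pwd)` is expanded unquoted. No single delimiter choice makes an arbitrary path safe, so reject the unsafe cases up front, e.g. `case "$(realpath "$(pwd)")" in *[,\&]*) echo "build path contains characters unsafe for sed" >&2; exit 1;; esac`, and add a comment above the sed call stating that restriction.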
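--- a/test/test_ca.mk
+++ b/test/test_ca.mk
@@ -35,6 +35,6 @@
 # conditions with parallel make. Locking avoids this problem.
 %/cert.pgp: %/minimal.pgp authority/gpg.conf
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority flock authority/lock gpg --import $<
+        GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
         GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
 
@@ -48,29 +48,9 @@
         certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
 
-# normal case: certificates signed by test CA
 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
         certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
 
-# error case: certificates signed by rogue CA
-rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
-        certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
-
-%/softhsm.conf: %/secret.key
-        echo "0:$(dir $@)softhsm.db" > $@
-
-%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
-        SOFTHSM="$(SOFTHSM)" \
-        SOFTHSM_CONF="$(dir $@)softhsm.conf" \
-        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
-
-%/softhsm2.conf: %/secret.key
-        echo "objectstore.backend = file" > $@
-        echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@
-
-%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
-        mkdir -p $@
-        SOFTHSM="$(SOFTHSM)" \
-        SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
-        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
+%/softhsm.db: %/x509.pem %/secret.key
+        SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
 
 # Generate CRL revoking a certain certificate. Currently used to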
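Review bot: the new `%/softhsm.db` rule on line 53 reads `$(srcdir)/$(*)-softhsm.conf` in its recipe but does not list that file as a prerequisite, so make neither reports a missing config at dependency resolution nor re-initialises the token when the config changes; write it as `%/softhsm.db: %/x509.pem %/secret.key $(srcdir)/%-softhsm.conf`. The `flock authority/lock` calls on lines 37–38 create a scratch file inside the `authority` directory that nothing here cleans up; a comment on line 36, `# authority/lock is a scratch file created by flock`, would tell the next reader it is safe to ignore.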
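--- a/test/tests/00_basic/apache.conf
+++ b/test/tests/00_basic/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On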
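--- a/test/tests/01_serverwide_priorities/apache.conf
+++ b/test/tests/01_serverwide_priorities/apache.conf
@@ -5,5 +5,5 @@
 GnuTLSPriorities NORMAL
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On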
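--- a/test/tests/02_cache_in_vhost/apache.conf
+++ b/test/tests/02_cache_in_vhost/apache.conf
@@ -1,5 +1,5 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCache dbm cache/gnutls_cache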
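--- a/test/tests/03_cachetimeout_in_vhost/apache.conf
+++ b/test/tests/03_cachetimeout_in_vhost/apache.conf
@@ -1,5 +1,5 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCacheTimeout 200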
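--- a/test/tests/04_basic_nosni/apache.conf
+++ b/test/tests/04_basic_nosni/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On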
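--- a/test/tests/05_mismatched-priorities/apache.conf
+++ b/test/tests/05_mismatched-priorities/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On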
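--- a/test/tests/06_verify_sni_a/apache.conf
+++ b/test/tests/06_verify_sni_a/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost _default_:${TEST_PORT}
+NameVirtualHost ${TEST_IP}:${TEST_PORT}
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13,5 +13,5 @@
 </VirtualHost>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On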
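--- a/test/tests/07_verify_sni_b/apache.conf
+++ b/test/tests/07_verify_sni_b/apache.conf
@@ -3,9 +3,9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost _default_:${TEST_PORT}
+NameVirtualHost ${TEST_IP}:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15,5 +15,5 @@
 </VirtualHost>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On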
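--- a/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
+++ b/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost _default_:${TEST_PORT}
+NameVirtualHost ${TEST_IP}:${TEST_PORT}
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13,5 +13,5 @@
 </VirtualHost>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On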
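--- a/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
+++ b/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
@@ -3,9 +3,9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost _default_:${TEST_PORT}
+NameVirtualHost ${TEST_IP}:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15,5 +15,5 @@
 </VirtualHost>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On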
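--- a/test/tests/10_basic_client_verification/apache.conf
+++ b/test/tests/10_basic_client_verification/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On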
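--- a/test/tests/11_basic_client_verification_fail/apache.conf
+++ b/test/tests/11_basic_client_verification_fail/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On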
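--- a/test/tests/12_cgi_variables/apache.conf
+++ b/test/tests/12_cgi_variables/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On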
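--- a/test/tests/13_cgi_variables_no_client_cert/apache.conf
+++ b/test/tests/13_cgi_variables_no_client_cert/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On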
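--- a/test/tests/14_basic_openpgp/apache.conf
+++ b/test/tests/14_basic_openpgp/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On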
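--- a/test/tests/15_basic_msva/apache.conf
+++ b/test/tests/15_basic_msva/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On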
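--- a/test/tests/16_view-status/apache.conf
+++ b/test/tests/16_view-status/apache.conf
@@ -9,5 +9,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On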
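--- a/test/tests/16_view-status/gnutls-cli.args
+++ b/test/tests/16_view-status/gnutls-cli.args
@@ -1,2 +1,2 @@
 --x509cafile=authority/x509.pem
---priority=NONE:+VERS-TLS1.2:+AES-128-CBC:+SHA256:+RSA:+COMP-NULL:+SIGN-RSA-SHA256
+--priority=NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL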
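Review bot: `--priority=NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL` pins the mod_status check to TLS 1.0 with SHA-1 and a CBC suite, and the expected output in 16_view-status/output encodes exactly that `(TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)` string; on a GnuTLS build or server priority that disables TLS 1.0 or SHA-1 the handshake fails and the test reports a spurious failure about the status page rather than about the protocol. Since the test is about the report format, not the protocol version, pinning a TLS 1.2 suite and updating the output file to match would keep it meaningful on hardened builds, and a comment in apache.conf stating which suite the output file expects would make the coupling visible.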
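--- a/test/tests/16_view-status/output
+++ b/test/tests/16_view-status/output
@@ -1,4 +1,4 @@
-<dt>Using TLS:</dt><dd>yes</dd>
-<dt>Current TLS session:</dt><dd>(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)</dd>
+<dt>using TLS:</dt><dd>yes</dd>
+<dt>This TLS Session:</dt><dd>(TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)</dd>
 </dl>
 </body></html>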
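--- a/test/tests/17_cgi_vars_large_cert/apache.conf
+++ b/test/tests/17_cgi_vars_large_cert/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On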
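--- a/test/tests/18_client_verification_wrong_cert/apache.conf
+++ b/test/tests/18_client_verification_wrong_cert/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On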
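--- a/test/tests/18_client_verification_wrong_cert/gnutls-cli.args
+++ b/test/tests/18_client_verification_wrong_cert/gnutls-cli.args
@@ -1,4 +1,4 @@
---x509certfile=rogueclient/x509.pem
---x509keyfile=rogueclient/secret.key
+--x509certfile=rogueca/x509.pem
+--x509keyfile=rogueca/secret.key
 --x509cafile=authority/x509.pem
 --priority=NORMAL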
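Review bot: `--x509certfile=rogueca/x509.pem` together with `--x509keyfile=rogueca/secret.key` presents the rogue CA's own certificate as the client certificate; if that certificate carries CA key usage rather than client-authentication usage, the server may reject it for key-usage reasons before it evaluates trust at all, so the test can pass without exercising the untrusted-issuer path its name promises. A leaf certificate issued by the rogue CA would make the rejection reason unambiguous; if the CA certificate is used on purpose, a comment in the test's apache.conf explaining which failure is expected would keep the intent clear.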
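--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On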
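--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -1,8 +1,11 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${srcdir}/base_apache.conf
+
+CustomLog logs/${TEST_NAME}.backend.access.log combined
+ErrorLog logs/${TEST_NAME}.backend.error.log
+PidFile backend.pid
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${BACKEND_PORT}>
+<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On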
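Review bot: the `CustomLog`/`ErrorLog`/`PidFile backend.pid` lines added on lines 3–5 are repeated verbatim in the backend.conf of tests 20, 21, 22 and 23; they override the `ErrorLog` and `PidFile apache2.pid` that base_apache.conf (included on line 1) already sets, which works only because the later directive wins, and a reader of one file cannot see that. A one-line comment above the three lines, `# backend instance: own logs and PID file so it can run beside the front-end server`, or moving them back into a shared include, would make the intent explicit; the note applies to all five files.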
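--- a/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On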
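--- a/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
@@ -1,8 +1,11 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${srcdir}/base_apache.conf
+
+CustomLog logs/${TEST_NAME}.backend.access.log combined
+ErrorLog logs/${TEST_NAME}.backend.error.log
+PidFile backend.pid
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${BACKEND_PORT}>
+<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On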
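--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On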
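--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
@@ -1,8 +1,11 @@
 Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+
+CustomLog logs/${TEST_NAME}.backend.access.log combined
+ErrorLog logs/${TEST_NAME}.backend.error.log
+PidFile backend.pid
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${BACKEND_PORT}>
+<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On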
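--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On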
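--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
@@ -1,8 +1,11 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${srcdir}/base_apache.conf
+
+CustomLog logs/${TEST_NAME}.backend.access.log combined
+ErrorLog logs/${TEST_NAME}.backend.error.log
+PidFile backend.pid
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${BACKEND_PORT}>
+<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On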
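--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On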
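--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
@@ -1,8 +1,11 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${srcdir}/base_apache.conf
+
+CustomLog logs/${TEST_NAME}.backend.access.log combined
+ErrorLog logs/${TEST_NAME}.backend.error.log
+PidFile backend.pid
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost _default_:${BACKEND_PORT}>
+<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On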
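--- a/test/tests/24_pkcs11_cert/apache.conf
+++ b/test/tests/24_pkcs11_cert/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-GnuTLSP11Module ${SOFTHSM_LIB}
+GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
 
-<VirtualHost _default_:${TEST_PORT}>
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On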
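Review bot: `GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so` hard-codes the PKCS #11 module path, while softhsm.bash in this changeset derives the module from the softhsm binary's prefix; on a system where the two differ (a lib64 or multiarch layout, or a non-/usr prefix) the token is initialised through one module and Apache loads another or none, so the test fails with a module-load error instead of checking the certificate. Take the path from the environment, `GnuTLSP11Module ${SOFTHSM_LIB}`, and have the test driver export the value the helper computed, so both sides use the same library.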
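--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -24,5 +24,3 @@
         22_TLS_reverse_proxy_crl_revoke/apache.conf 22_TLS_reverse_proxy_crl_revoke/backend.conf 22_TLS_reverse_proxy_crl_revoke/gnutls-cli.args 22_TLS_reverse_proxy_crl_revoke/input 22_TLS_reverse_proxy_crl_revoke/output \
         23_TLS_reverse_proxy_mismatched_priorities/apache.conf 23_TLS_reverse_proxy_mismatched_priorities/backend.conf 23_TLS_reverse_proxy_mismatched_priorities/gnutls-cli.args 23_TLS_reverse_proxy_mismatched_priorities/input 23_TLS_reverse_proxy_mismatched_priorities/output \
-        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
-        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
-        26_redirect_HTTP_to_HTTPS/apache.conf
+        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output 24_pkcs11_cert/softhsm.conf.in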