Changeset 63468af in mod_gnutls


Timestamp:
Apr 16, 2016, 11:14:26 AM (4 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, upstream
Children:
b586b27, ce12806
Parents:
02c8e54 (diff), c6cfe6e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Imported Upstream version 0.7.4

Files:
13 added
23 deleted
53 edited

  • CHANGELOG

    r02c8e54 r63468af  
    22- Handle Unclean Shutdowns
    33- make session cache use generic apache caches
     4
     5** Version 0.7.4 (2016-04-13)
     6- Support SoftHSM 2 for PKCS #11 testing
     7- Increase verbosity of test logs
     8
     9** Version 0.7.3 (2016-01-12)
     10- Update test suite for compatibility with GnuTLS 3.4, which has
     11  stricter key usage checks and priorities than 3.3.
     12- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
     13  set (mod_status sets it for requests with the "auto" parameter, e.g.
     14  https://localhost/server-status?auto).
     15- Register "ssl_is_https" function so the special mod_rewrite variable
     16  %{HTTPS} works correctly with mod_gnutls. The new test case for this
     17  requires Wget or curl. Fixes Debian bug #514005.
     18- Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
     19  default (other addresses configurable), which should fix failures
     20  due to localhost randomly resolving to either on some distributions.
     21- Isolate tests using network namespaces, if possible. This avoids
     22  port conflicts with other test cases (so they can run in parallel)
     23  and host services.
     24- Support for local Apache drop-in config files in the test suite
     25  (e.g. to load additional modules needed on Fedora).
     26- Try to use markdown to build HTML documentation if pandoc is not
     27  available.
     28- Disable use of flock if it is unavailable or does not support
     29  timeouts (the latter caused the build to fail on Debian Hurd).
     30- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
    431
    532** Version 0.7.2 (2015-11-21)
  • configure.ac

    r02c8e54 r63468af  
    11dnl
    2 AC_INIT(mod_gnutls, 0.7.2)
     2AC_INIT(mod_gnutls, 0.7.4)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    5959AC_MSG_CHECKING([whether to enable SRP functionality])
    6060AC_MSG_RESULT($use_srp)
     61
     62dnl Optionally disable flock
     63AC_ARG_ENABLE(flock,
     64        AS_HELP_STRING([--disable-flock], [Disable use of flock during tests \
     65        (some exotic architectures don't support it)]),
     66        [use_flock=$enableval], [use_flock=yes])
     67# Check if flock is available and supports --timeout
     68AC_PATH_PROG([FLOCK], [flock], [no])
     69AS_IF([test "${FLOCK}" != "no"],
     70      [
     71        AC_MSG_CHECKING([whether ${FLOCK} supports --timeout])
     72        lockfile="$(mktemp)"
     73        AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
     74              [flock_works="yes"], [flock_works="no"])
     75        rm "${lockfile}"
     76        AC_MSG_RESULT([$flock_works])
     77      ],
     78      [flock_works="no"])
     79# disable flock if requested by user or it doesn't support timeout
     80AM_CONDITIONAL([DISABLE_FLOCK],
     81               [test "$enable_flock" = "no" || test "$flock_works" = "no"])
     82
     83dnl Enable test namespaces? Default is "yes".
     84AC_ARG_ENABLE(test-namespaces,
     85        AS_HELP_STRING([--disable-test-namespaces], [Disable use of network \
     86        namespaces to run tests in parallel (some architectures might not \
     87        support it)]),
     88        [use_netns=$enableval], [use_netns=yes])
     89
     90# Check if "unshare" is available and has permission to create network
     91# and user namespaces
     92AC_PATH_PROG([UNSHARE], [unshare], [no])
     93AS_IF([test "${UNSHARE}" != "no"],
     94      [
     95        AC_MSG_CHECKING([for permission to create network and user namespaces])
     96        AS_IF([${UNSHARE} --net -r /bin/sh -c \
     97                "ip link set up lo && ip addr show" >&AS_MESSAGE_LOG_FD 2>&1],
     98              [unshare_works="yes"], [unshare_works="no"])
     99        AC_MSG_RESULT([$unshare_works])
     100      ],
     101      [unshare_works="no"])
     102# decide whether to enable network namespaces
     103AS_IF([test "$enable_test_namespaces" != "no" \
     104            && test "$unshare_works" = "yes"],
     105      [use_netns="yes"], [use_netns="no"])
     106AM_CONDITIONAL([ENABLE_NETNS], [test "$use_netns" != "no"])
     107# Adjust Apache configuration for tests accordingly: Use pthread mutex
     108# and test specific PID files if using namespaces, defaults otherwise.
     109AS_IF([test "$use_netns" = "yes"],
     110      [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
     111      [MUTEX_TYPE="default"; PID_AFFIX=""])
     112AC_SUBST(MUTEX_TYPE)
     113AC_SUBST(PID_AFFIX)
     114AM_SUBST_NOTMAKE(MUTEX_TYPE)
     115AM_SUBST_NOTMAKE(PID_AFFIX)
    61116
    62117AC_ARG_ENABLE(msva,
     
    93148                build_doc="html only"
    94149        fi
     150else
     151        AC_PATH_PROG([MARKDOWN], [markdown], [no])
     152        if test "$MARKDOWN" != "no"; then
     153                build_doc="html stub"
     154        fi
    95155fi
    96156AM_CONDITIONAL([USE_PANDOC], [test "$PANDOC" != "no"])
    97157AM_CONDITIONAL([USE_PDFLATEX], [test "$PANDOC" != "no" && \
    98158                               test "$PDFLATEX" != "no"])
     159AM_CONDITIONAL([USE_MARKDOWN], [test -n "$MARKDOWN" && \
     160                               test "$MARKDOWN" != "no"])
    99161
    100162# Check for Apache binary
     
    105167fi
    106168
     169AC_PATH_PROGS([HTTP_CLI], [curl wget], [no])
     170
    107171MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
    108172MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
    109173
     174AC_PATH_PROGS([SOFTHSM], [softhsm2-util softhsm], [no])
     175if test "${SOFTHSM}" != "no"; then
     176        softhsm_version=$(${SOFTHSM} --version)
     177        AS_VERSION_COMPARE([$(${SOFTHSM} --version)], [2.0.0],
     178                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [1])],
     179                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])],
     180                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])])
     181fi
     182AM_CONDITIONAL([HAVE_SOFTHSM], [test "${SOFTHSM}" != "no"])
     183AM_CONDITIONAL([HAVE_SOFTHSM1], [test "${SOFTHSM_MAJOR_VERSION}" = "1"])
     184AM_CONDITIONAL([HAVE_SOFTHSM2], [test "${SOFTHSM_MAJOR_VERSION}" = "2"])
     185
    110186AC_SUBST(MODULE_CFLAGS)
    111187AC_SUBST(MODULE_LIBS)
     
    113189# assign default values to TEST_HOST and TEST_IP if necessary
    114190: ${TEST_HOST:="localhost"}
    115 : ${TEST_IP:="[::1]"}
     191: ${TEST_IP:="[[::1]] 127.0.0.1"}
    116192AC_ARG_VAR([TEST_HOST], [Host name to use for server instances started by \
    117                         "make check", must resolve to TEST_IP. The default \
    118                         is "localhost".])
    119 AC_ARG_VAR([TEST_IP], [IP address to use for server instances started by \
    120                       "make check". The default is the IPv6 loopback address \
    121                       [::1].])
     193                        "make check", must resolve to addresses in TEST_IP. \
     194                        The default is "localhost".])
     195AC_ARG_VAR([TEST_IP], [List of IP addresses to use for server instances \
     196                      started by "make check". The default is \
     197                      "[::1] 127.0.0.1". Note that IPv6 addresses must be \
     198                      enclosed in square brackets.])
     199AM_SUBST_NOTMAKE(TEST_IP)
     200
     201dnl Allow user to set SoftHSM PKCS #11 module
     202AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
     203                          use. By default the test suite will search common \
     204                          library paths.])
     205
     206dnl Build list of "Listen" statements for Apache
     207LISTEN_LIST="# Listen addresses for the test servers"
     208for i in ${TEST_IP}; do
     209        LISTEN_LIST="${LISTEN_LIST}
     210Listen ${i}:\${TEST_PORT}"
     211done
     212dnl HTTP ports, only active if TEST_HTTP_PORT is defined
     213LISTEN_LIST="${LISTEN_LIST}
     214<IfDefine TEST_HTTP_PORT>"
     215for i in ${TEST_IP}; do
     216        LISTEN_LIST="${LISTEN_LIST}
     217        Listen ${i}:\${TEST_HTTP_PORT}"
     218done
     219LISTEN_LIST="${LISTEN_LIST}
     220</IfDefine>"
     221AC_SUBST(LISTEN_LIST)
     222AM_SUBST_NOTMAKE(LISTEN_LIST)
    122223
    123224AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
    124                           doc/Makefile include/mod_gnutls.h])
     225                        doc/Makefile include/mod_gnutls.h \
     226                        test/proxy_backend.conf \
     227                        test/apache-conf/listen.conf \
     228                        test/apache-conf/netns.conf])
    125229AC_OUTPUT
    126230
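Review bot: `softhsm_version=$(${SOFTHSM} --version)` in the new SoftHSM block is assigned but never read; the `AS_VERSION_COMPARE` on the next line runs `$(${SOFTHSM} --version)` a second time, so the tool is executed twice and the variable is dead. Use it instead: `AS_VERSION_COMPARE([${softhsm_version}], [2.0.0],`. The same pattern appears in the two new options: `use_flock=$enableval` is set but the `DISABLE_FLOCK` conditional tests `$enable_flock`, and `use_netns=$enableval` is overwritten by the later `AS_IF` before anything reads it, so either drop the unused assignments or test the variables the options actually set. Note also that `AC_ARG_VAR([SOFTHSM_LIB], ...)` accepts an arbitrary absolute path that the test suite later loads as a PKCS #11 module; that is expected for a build-time knob, but the help text could say it is only used by `make check`.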
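--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -3,12 +3,24 @@
 if USE_PANDOC
 html_DATA = mod_gnutls_manual.html
-endif
-# pandoc needs pdflatex for PDF output, so USE_PDFLATEX will only be
-# enabled if USE_PANDOC is, too.
 if USE_PDFLATEX
+# pandoc && pdflatex
 pdf_DATA = mod_gnutls_manual.pdf
 endif
+else
+if USE_MARKDOWN
+# !pandoc && markdown
+html_DATA = mod_gnutls_manual.html
+endif
+endif
+
 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
 
+# pdf_DATA will be empty if pandoc isn't available
 $(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
+if USE_PANDOC
         $(PANDOC) --toc --standalone -f markdown -o $@ $<
+else
+if USE_MARKDOWN
+        $(MARKDOWN) $< > $@
+endif
+endif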
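Review bot: The new markdown recipe `$(MARKDOWN) $< > $@` creates and truncates the target before the converter runs, so if `$(MARKDOWN)` fails make is left with an empty or partial `mod_gnutls_manual.html` whose timestamp marks it up to date on the next run. Writing to a temporary name and renaming only on success avoids that: `$(MARKDOWN) $< > $@.tmp && mv $@.tmp $@`. The comment `# pdf_DATA will be empty if pandoc isn't available` could also say that both `html_DATA` and `pdf_DATA` are empty when neither converter is found, so the manual is then simply not built.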
  • doc/mod_gnutls_manual.mdwn

    r02c8e54 r63468af  
    3131:   Provides a list of all available configure options.
    3232
    33 It is recommended to run `make check` before installation. If
    34 `localhost` does not resolve to the IPv6 loopback address `[::1]` on
    35 your system, you may have to set the `TEST_HOST` or `TEST_IP`
     33It is recommended to run `make check` before installation. If your
     34system doesn't have a loopback device with IPv6 and IPv4 support or
     35`localhost` does not resolve to at least one of `[::1]` and
     36`127.0.0.1`, you may have to set the `TEST_HOST` or `TEST_IP`
    3637environment variables when running `./configure` to make the test
    3738suite work correctly.
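--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -4,5 +4,5 @@
  *  Copyright 2011 Dash Shendy
  *  Copyright 2013-2014 Daniel Kahn Gillmor
- *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -1655,42 +1655,70 @@
 #endif /* ENABLE_MSVA */
 
-static int mgs_status_hook(request_rec *r, int flags __attribute__((unused)))
+
+
+/*
+ * This hook writes the mod_gnutls status message for a mod_status
+ * report. According to the comments in mod_status.h, the "flags"
+ * parameter is a bitwise OR of the AP_STATUS_ flags.
+ *
+ * Note that this implementation gives flags explicitly requesting a
+ * simple response priority, e.g. if AP_STATUS_SHORT is set, flags
+ * requesting an HTML report will be ignored. As of Apache 2.4.10, the
+ * following flags were defined in mod_status.h:
+ *
+ * AP_STATUS_SHORT (short, non-HTML report requested)
+ * AP_STATUS_NOTABLE (HTML report without tables)
+ * AP_STATUS_EXTENDED (detailed report)
+ */
+static int mgs_status_hook(request_rec *r, int flags)
 {
-    mgs_srvconf_rec *sc;
-
     if (r == NULL)
         return OK;
 
-    sc = (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, &gnutls_module);
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(r->server->module_config, &gnutls_module);
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
-    ap_rputs("<hr>\n", r);
-    ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
-
-    ap_rprintf(r, "<dt>GnuTLS version:</dt><dd>%s</dd>\n", gnutls_check_version(NULL));
-    ap_rputs("<dt>Built against:</dt><dd>" GNUTLS_VERSION "</dd>\n", r);
-    ap_rprintf(r, "<dt>using TLS:</dt><dd>%s</dd>\n", (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
-    if (sc->enabled != GNUTLS_ENABLED_FALSE) {
-        mgs_handle_t* ctxt;
-        ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
-        if (ctxt && ctxt->session != NULL) {
-#if GNUTLS_VERSION_MAJOR < 3
-            ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n",
-                gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
-                gnutls_cipher_get(ctxt->session),
-                gnutls_mac_get(ctxt->session)));
-#else
-            char* z = NULL;
-            z = gnutls_session_get_desc(ctxt->session);
-            if (z) {
-                ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n", z);
-                gnutls_free(z);
+    if (flags & AP_STATUS_SHORT)
+    {
+        ap_rprintf(r, "Using GnuTLS version: %s\n", gnutls_check_version(NULL));
+        ap_rputs("Built against GnuTLS version: " GNUTLS_VERSION "\n", r);
+    }
+    else
+    {
+        ap_rputs("<hr>\n", r);
+        ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
+
+        ap_rprintf(r, "<dt>Using GnuTLS version:</dt><dd>%s</dd>\n",
+                   gnutls_check_version(NULL));
+        ap_rputs("<dt>Built against GnuTLS version:</dt><dd>"
+                 GNUTLS_VERSION "</dd>\n", r);
+        ap_rprintf(r, "<dt>Using TLS:</dt><dd>%s</dd>\n",
+                   (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
+    }
+
+    if (sc->enabled != GNUTLS_ENABLED_FALSE)
+    {
+        mgs_handle_t* ctxt =
+            ap_get_module_config(r->connection->conn_config, &gnutls_module);
+        if (ctxt && ctxt->session != NULL)
+        {
+            char* s_info = gnutls_session_get_desc(ctxt->session);
+            if (s_info)
+            {
+                if (flags & AP_STATUS_SHORT)
+                    ap_rprintf(r, "Current TLS session: %s\n", s_info);
+                else
+                    ap_rprintf(r, "<dt>Current TLS session:</dt><dd>%s</dd>\n",
+                               s_info);
+                gnutls_free(s_info);
             }
-#endif
-        }
-    }
-
-    ap_rputs("</dl>\n", r);
+        }
+    }
+
+    if (!(flags & AP_STATUS_SHORT))
+        ap_rputs("</dl>\n", r);
+
     return OK;
 }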
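Review bot: `flags & AP_STATUS_SHORT` is evaluated three times in mgs_status_hook, and the `<dl>` opened in the HTML branch is closed by a separate test at the end, so the shape of the report is spread over three places; computing `const int short_report = flags & AP_STATUS_SHORT;` once and branching on it would make the pairing of the opening and closing tags obvious. Dropping the `GNUTLS_VERSION_MAJOR < 3` fallback makes `gnutls_session_get_desc` a hard requirement, so configure's GnuTLS version check should require a release that provides it if it does not already (that check is not visible here). The strings written into the HTML report (`gnutls_check_version(NULL)` and `s_info`) come from the library rather than from the client and are emitted unescaped; passing `s_info` through `ap_escape_html` would keep the HTML branch safe against any future change in what that description contains. As in the old code, `sc` is used without a NULL check after `ap_get_module_config`.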
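--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -69,11 +69,26 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-}
-
+
+    /* mod_rewrite calls this function to detect HTTPS */
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+}
+
+
+
+/*
+ * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
+ * value means that HTTPS is in use.
+ */
 int ssl_is_https(conn_rec *c)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if(sc->enabled == GNUTLS_ENABLED_FALSE
+       || ctxt == NULL
+       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
+    {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
         return 0;
@@ -82,4 +97,6 @@
     return 1;
 }
+
+
 
 int ssl_engine_disable(conn_rec *c)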
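Review bot: The rewritten ssl_is_https no longer consults `sc->non_ssl_request` and instead relies on `ctxt->enabled` being cleared for a plain-HTTP request that arrives on a TLS port; since mod_rewrite's `%{HTTPS}` now drives redirect rules (test-26), a stale `ctxt->enabled` would either report a plaintext connection as HTTPS or send a TLS client into a redirect loop, so this should be confirmed against the code path that sets `non_ssl_request` (not visible in this hunk). Until that is confirmed, a comment on the condition such as `/* ctxt->enabled is expected to be cleared when a plain HTTP request is seen on a TLS port -- verify */` would record the assumption for the next reader. The `(mgs_handle_t *)` cast on the `ap_get_module_config` result is unnecessary in C, where `void *` converts implicitly; the existing `sc` line carries the same redundant cast.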
  • test/Makefile.am

    r02c8e54 r63468af  
    2727        test-22_TLS_reverse_proxy_crl_revoke.bash \
    2828        test-23_TLS_reverse_proxy_mismatched_priorities.bash \
    29         test-24_pkcs11_cert.bash
     29        test-24_pkcs11_cert.bash \
     30        test-25_Disable_TLS_1.0.bash \
     31        test-26_redirect_HTTP_to_HTTPS.bash
    3032
    3133TESTS = $(dist_check_SCRIPTS)
     
    3335# Identities in the miniature CA, server, and client environment for
    3436# the test suite
    35 identities = server authority client imposter rogueca
     37shared_identities = server authority client imposter rogueca
     38pgp_identities = $(shared_identities)
     39x509_only_identities = rogueclient
     40x509_identities = $(shared_identities) $(x509_only_identities)
     41identities = $(shared_identities) $(x509_only_identities)
    3642# Append strings after ":=" to each identity to generate a list of
    3743# necessary files
    38 pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
    39         $(identities:=/secret.pgp)
    40 x509_keys = $(identities:=/secret.key)
    41 x509_certs = $(identities:=/x509.pem)
     44pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
     45        $(pgp_identities:=/secret.pgp)
     46x509_keys = $(x509_identities:=/secret.key)
     47x509_certs = $(x509_identities:=/x509.pem)
    4248x509_tokens = $(x509_certs) $(x509_keys)
    4349tokens = $(x509_tokens) $(pgp_tokens)
     50
     51if !DISABLE_FLOCK
     52# flock command for write access to the authority keyring
     53GPG_FLOCK = @FLOCK@ authority/lock
     54endif
    4455
    4556include $(srcdir)/test_ca.mk
     
    6071
    6172cert_templates = authority.template.in client.template.in \
    62         imposter.template.in rogueca.template server.template.in
     73        imposter.template.in rogueca.template rogueclient.template.in \
     74        server.template.in
    6375generated_templates = authority.template client.template \
    64         imposter.template server.template
     76        imposter.template rogueclient.template server.template
    6577
    6678# Delete X.509 private keys on full clean. Note that unless you need
     
    7284# target. Certificates can be rebuilt without generating new key
    7385# pairs, and regenerating them makes it possible to change identities
    74 # (e.g. host names) without wasting entropy on new keys (which would
     86# (e.g. host names) without wasting time on new keys (which would
    7587# happen after "clean").
    7688MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
     
    101113endif
    102114
    103 # SoftHSM files
    104 check_DATA += server/softhsm.db
    105 MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
    106 
     115
     116# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
     117# hence has to be treated slightly differently.
     118SOFTHSM_TOKEN = server/softhsm.db
     119SOFTHSM2_TOKEN = server/softhsm2.db
     120
     121# Tokens should be cleaned whether or not the matching SoftHSM version
     122# was detected on the last ./configure run.
     123MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
     124# included in mostlyclean-local below
     125clean-softhsm2-db:
     126        -rm -rf $(SOFTHSM2_TOKEN)
     127
     128if HAVE_SOFTHSM1
     129check_DATA += $(SOFTHSM_TOKEN)
     130endif HAVE_SOFTHSM1
     131
     132if HAVE_SOFTHSM2
     133check_DATA += $(SOFTHSM2_TOKEN)
     134endif HAVE_SOFTHSM2
    107135
    108136check_DATA += make-test-dirs
     
    110138make-test-dirs:
    111139        mkdir -p $(extra_dirs)
    112 .PHONY: make-test-dirs
     140
     141.PHONY: make-test-dirs clean-softhsm2-db
     142
     143mostlyclean-local: clean-softhsm2-db
    113144
    114145clean-local:
     
    122153apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
    123154
    124 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
    125         runtests server-crl.template server-softhsm.conf softhsm.bash
     155EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
     156        proxy_backend.bash runtests server-crl.template softhsm.bash
    126157
    127158# Lockfile for the main Apache process
    128159test_lockfile = ./test.lock
    129 # Maximum wait time in seconds for flock to aquire instance lock files
     160# Lockfile for the proxy backend Apache process (if any)
     161backend_lockfile = ./backend.lock
     162# Maximum wait time in seconds for flock to aquire instance lock
     163# files, or Apache to remove its PID file
    130164lock_wait = 30
    131165
     
    141175TEST_QUERY_DELAY ?= 30
    142176
    143 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
    144         export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
    145         export TEST_LOCK="$(test_lockfile)"; \
     177AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
     178        export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
    146179        export TEST_LOCK_WAIT="$(lock_wait)"; \
    147         export TEST_HOST="$(TEST_HOST)"; \
    148         export TEST_IP="$(TEST_IP)"; \
     180        export TEST_HOST="@TEST_HOST@"; \
    149181        export TEST_PORT="$(TEST_PORT)"; \
    150182        export MSVA_PORT="$(MSVA_PORT)"; \
     
    152184        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
    153185        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
    154         export BACKEND_HOST="$(TEST_HOST)"; \
    155         export BACKEND_IP="$(TEST_IP)";
     186        export BACKEND_HOST="@TEST_HOST@"; \
     187        export HTTP_CLI="@HTTP_CLI@";
     188
     189if HAVE_SOFTHSM
     190AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
     191        export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
     192        export SOFTHSM_LIB="@SOFTHSM_LIB@"
     193endif
     194
     195if ENABLE_NETNS
     196AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
     197        export USE_TEST_NAMESPACE=1;
     198endif
     199# Without flock tests must not run in parallel. Otherwise set lock files.
     200if DISABLE_FLOCK
     201.NOTPARALLEL:
     202else
     203AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
     204        export TEST_LOCK="$(test_lockfile)"; \
     205        export BACKEND_LOCK="$(backend_lockfile)";
     206endif
    156207
    157208# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
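Review bot: In the `HAVE_SOFTHSM` block, `export SOFTHSM_LIB="@SOFTHSM_LIB@"` is the only export added to `AM_TESTS_ENVIRONMENT` that does not end with `;`, so whatever is appended next in the concatenated value becomes an argument of that `export` -- the `ENABLE_NETNS` or flock fragment when one is present, and otherwise the test driver command that follows the environment, which would break `make check` for a SoftHSM build with both namespaces and flock disabled. Terminate it like the others: `export SOFTHSM_LIB="@SOFTHSM_LIB@";`. The comment above `lock_wait` misspells acquire (`aquire`). In `clean-softhsm2-db` the leading `-` on `-rm -rf $(SOFTHSM2_TOKEN)` is not needed, as `rm -rf` already succeeds on a missing path, and it hides a real failure such as a permission problem.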
  • test/README

    r02c8e54 r63468af  
    1212=================
    1313
    14 from the top level of the source, or from test/ (where this README is),
     14From the top level of the source, or from test/ (where this README is),
    1515just run:
    1616
    17  make check
     17  make check
    1818
    19 from test/ you can also run specific tests by passing their script
    20 names to make in the TESTS variable:
     19from test/. You can also run specific test cases by passing their
     20script names to make in the TESTS variable:
    2121
    22  TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
     22  TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
    2323
    2424This should be handy when you're just trying to experiment with a new
    2525test and don't want to wait for the full test suite to run.
    2626
    27 The default configuration assumes that an IPv6 loopback device is
    28 available (TEST_IP=[::1]) and that TEST_HOST="localhost" resolves to
    29 the IPv6 loopback address [::1]. If this does not apply to your
    30 system, you can pass different values to ./configure, e.g. to use IPv4
    31 instead:
     27The default configuration assumes that a loopback device with IPv4 and
     28IPv6 support is available (TEST_IP="[::1] 127.0.0.1") and that
     29TEST_HOST="localhost" resolves to at least one of these addresses. If
     30this does not apply to your system, you can pass different values to
     31./configure, e.g. to use IPv4 only:
    3232
    3333  TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
     34
     35If tests fail due to expired certificates or PGP signatures, run
     36
     37  make mostlyclean
     38
     39to delete them and create fresh ones on the next test run. You could
     40also use "make clean", but in that case the keys will be deleted as
     41well and have to be recreated, too, which takes more time.
    3442
    3543
     
    4149The simplest way to add a test is (from test/):
    4250
    43  ./newtest
     51  ./newtest
    4452
    4553This will prompt you for a simple name for the test and then copy a
     
    5260==============
    5361
    54 Each test consists of a directory in test/tests/, which will cause the
    55 test suite to spin up an isolated apache instance and try to connect
    56 to it with gnutls-cli and make a simple HTTP 1.1 request.
     62Each test consists of a script in test/ and a directory in
     63test/tests/, which the test suite uses to spin up an isolated Apache
     64instance or two (for proxy tests) and try to connect to it with
     65gnutls-cli and make a simple HTTP 1.1 or 1.0 request.
    5766
    58 By default, these tests are expected to succeed, by having
     67Test directories usually contain the following files:
    5968
    60 In each directory, you can put the following files:
     69 * apache.conf -- Apache configuration to be used
    6170
    62  * apache.conf --  the apache configuration to be used
    63 
    64  * gnutls-cli.args --  the arguments to pass to gnutls-cli
     71 * gnutls-cli.args -- the arguments to pass to gnutls-cli
    6572
    6673 * input -- the full HTTP request (including the final blank line)
    6774
     75 * backend.conf [optional] -- Apache configuration for the proxy
     76   backend server, if any
     77
    6878 * output [optional] -- the lines of this file will be checked against
    6979   the same number of lines at the end of the output produced by the
    70    gnutls-cli process.
     80   gnutls-cli process. "Date" and "Server" headers are filtered from
     81   the response because they are expected to change between runs
     82   (date) or builds (server version).
    7183
    7284 * fail.server [optional] -- if this file exists, it means we expect
     
    7991   should result in a failed file retrieval.
    8092
     93The "runtests" script is used to start one Apache instance and send a
     94request based on the files described above. Note that some tests take
     95additional steps, e.g. starting another server to act as proxy
     96backend, and at least one does not use "runtests" at all.
     97
     98By default (if "unshare" is available and has the permissions required
     99to create network and user namespaces), each test case is run inside
     100its own network namespace. This avoids address and port conflicts with
     101other tests as well has the host system.
     102
     103When writing your own tests, make sure to call netns_reexec (defined
     104in common.bash) if you need to start any network services outside of
     105runtests (which will create the namespace if it doesn't exist
     106already). However, some architectures might not support namespaces, so
     107traditional locking (using flock) and serial execution are still
     108supported.
     109
    81110
    82111Robustness and Tuning
    83112=====================
    84113
    85 These tests aren't nearly as robust as i'd like them to be, but they
    86 work for the moment and they're better than no tests at all.
     114Here are some things that you might want to tune about the tests based
     115on your expected setup (along with the variables that can be passed to
     116"make check" to adjust them):
    87117
    88 Here are some things that you might want to tune based on your
    89 expected setup (along with the variables that can be passed to "make
    90 check" to adjust them):
     118 * They need a functioning loopback device.
    91119
    92  * they need a functioning loopback device.
     120 * They expect (by default) to have port 9932 [TEST_PORT] available
     121   and open for connections on the addresses listed in TEST_IP.
    93122
    94  * they expect (by default) the TEST_IP to have port 9932
    95    open. [TEST_PORT]
     123 * Depending on the compile time configuration of the Apache binary
     124   installed on your system you may need to load additional Apache
     125   modules. The recommended way to do this is to drop a configuration
     126   file into the test/apache-conf/ directory. Patches to detect such
     127   situations and automatically configure the tests accordingly are
     128   welcome.
    96129
    97  * if a machine is particularly slow or under heavy load, it's
     130 * If a machine is particularly slow or under heavy load, it's
    98131   possible that these tests will fail for timing
    99    reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
     132   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
    100133   and responded to)]
     134
     135The first two of these issues are avoided when the tests are isolated
     136using network namespaces, which is the default (see "Implementation"
     137above). The ./configure script tries to detect if namespaces can be
     138used (some Linux distributions disable them for unprivileged
     139users). If this detection returns a false positive or you do not want
     140to use namespace isolation for some other reason, you can run
     141configure with the --disable-test-namespaces option.
    101142
    102143In some situations you may want to see the exact environment as
     
    104145instance with Valgrind using the same configuration as a test
    105146case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.
     147
     148If you are building on an exotic architecture which does not support
     149flock (or timeouts using flock -w), ./configure should detect that and
     150disable locking, or you can disable it manually by passing
     151"--disable-flock" to ./configure. This will force serial execution of
     152tests, including environment setup.
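--- a/test/base_apache.conf
+++ b/test/base_apache.conf
@@ -5,5 +5,4 @@
 ErrorLog logs/${TEST_NAME}.error.log
 HostnameLookups Off
-PidFile apache2.pid
 KeepAlive Off
 LogLevel debug
@@ -14,5 +13,5 @@
 TypesConfig ${srcdir}/mime.types
 
-Listen ${TEST_IP}:${TEST_PORT}
+Include         apache-conf/*.conf
 
 DocumentRoot ${srcdir}/data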
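Review bot: `Include apache-conf/*.conf` carries no comment saying what lives in that directory, although configure.ac in this changeset generates `test/apache-conf/listen.conf` and `test/apache-conf/netns.conf` there (presumably taking over the removed `Listen` and `PidFile` directives) and the README describes the same directory as the place for local drop-in files. A one-line comment above the directive, `# listen.conf and netns.conf are generated by ./configure; local drop-ins for extra modules go here too`, would save the next reader a search through configure.ac.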
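--- a/test/proxy_backend.bash
+++ b/test/proxy_backend.bash
@@ -2,4 +2,5 @@
 
 set -e
+. ${srcdir}/common.bash
 
 if [ -z "${BACKEND_HOST}" ]; then
@@ -12,5 +13,5 @@
     export BACKEND_PORT="9934"
 fi
-: ${BACKEND_LOCK:="backend.lock"}
+: ${BACKEND_PID:="backend.pid"}
 : ${srcdir:="."}
 : ${APACHE2:="apache2"}
@@ -24,8 +25,4 @@
     lockfile="${4}"
 
-    if [ -n "${lockfile}" ]; then
-        flock_cmd="flock -w ${TEST_LOCK_WAIT} ${lockfile}"
-    fi
-
     TEST_NAME="$(basename "${dir}")"
     (
@@ -36,4 +33,15 @@
         case $action in
             start)
+                if [ -n "${USE_TEST_NAMESPACE}" ]; then
+                    echo "Using namespaces to isolate tests, no need for" \
+                         "locking."
+                    flock_cmd=""
+                elif [ -n "${lockfile}" ]; then
+                    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
+                else
+                    echo "Locking disabled, using wait based on proxy PID file."
+                    wait_pid_gone "${BACKEND_PID}"
+                    flock_cmd=""
+                fi
                 ${flock_cmd} \
                     ${APACHE2} -f "$(realpath ${testdir}/${conf})" -k start || return 1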
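Review bot: `flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"` at new line 40 stores the command as one string that is later expanded unquoted as `${flock_cmd}`, so a lock file path containing whitespace or glob characters is split or expanded before it reaches flock; the same construction appears in test/runtests at new line 160 in this changeset. A bash array keeps the arguments intact: `flock_cmd=("${FLOCK}" -w "${TEST_LOCK_WAIT}" "${lockfile}")` in the `elif` branch, `flock_cmd=()` in the other two branches, and `"${flock_cmd[@]}" \` at the call site. The `backend_apache` function starts before this hunk and continues past it.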
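--- a/test/runtests
+++ b/test/runtests
@@ -6,4 +6,6 @@
 
 set -e
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testid="${1##t-}"
@@ -17,6 +19,6 @@
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
-                 MSVA_PORT TEST_LOCK; do
+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+                 MSVA_PORT; do
     if [ ! -v "$v" ]; then
         printf "You need to set the %s environment variable\n" "$v" >&2
@@ -150,6 +152,16 @@
 fi
 
+TEST_PID="apache2.pid"
 # configure locking for the Apache process
-flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
+if [ -n "${USE_TEST_NAMESPACE}" ]; then
+    echo "Using namespaces to isolate tests, no need for locking."
+    flock_cmd=""
+elif [ -n "${TEST_LOCK}" ]; then
+    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
+else
+    echo "Locking disabled, using wait based on Apache PID file."
+    wait_pid_gone "${TEST_PID}"
+    flock_cmd=""
+fi
 
 t="$(realpath ${testid})"
@@ -189,5 +201,5 @@
            run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
        gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
-                  >"$output";
+       | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
 then
     if [ -e ${t}/fail* ]; then
@@ -206,5 +218,5 @@
 
 if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" "-q"
+    diff_output_filter_headers "${t}/output" "$output" >&2
 fi
 if [ -n "${USE_MSVA}" ]; then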
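Review bot: `TEST_PID="apache2.pid"` at new line 154 is hard-coded while this changeset removes `PidFile apache2.pid` from test/base_apache.conf; unless the directive is now supplied through the new `Include apache-conf/*.conf` drop-ins (not visible here), the no-lock branch's `wait_pid_gone "${TEST_PID}"` would wait on a file the server never writes and most likely return at once, so the serialization that branch is meant to provide would quietly be lost. A comment on that line naming where the PidFile is configured, e.g. `# must match the PidFile directive in the test server config`, would tie the two files together. Separately, `netns_reexec ${@}` at new line 9 passes the script arguments unquoted, so any argument containing whitespace is split before re-execution; `netns_reexec "${@}"` preserves them, and the same spelling is added to test-19 through test-23 *.bash in this changeset.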
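--- a/test/softhsm.bash
+++ b/test/softhsm.bash
@@ -17,5 +17,5 @@
     local label="${3}"
 
-    p11tool --provider=${softhsm_lib} --login --write --label "${label}" \
+    p11tool --provider=${SOFTHSM_LIB} --login --write --label "${label}" \
             --load-privkey "${keyfile}" "${token}"
 }
@@ -28,5 +28,5 @@
     local label="${3}"
 
-    p11tool --provider=${softhsm_lib} --login --write --no-mark-private \
+    p11tool --provider=${SOFTHSM_LIB} --login --write --no-mark-private \
             --label "${label}" --load-certificate "${certfile}" "${token}"
 }
@@ -36,5 +36,5 @@
 {
     local label="${1}"
-    p11tool --provider=${softhsm_lib} --list-tokens | \
+    p11tool --provider=${SOFTHSM_LIB} --list-tokens | \
         grep -o -P "(?<=URL:\s)(.*token=${label}.*)$"
 }
@@ -44,5 +44,5 @@
 function get_object_url
 {
-    p11tool --provider=${softhsm_lib} --list-all --login "${1}" | \
+    p11tool --provider=${SOFTHSM_LIB} --list-all --login "${1}" | \
         grep -o -P "(?<=URL:\s)(.*object=${2}.*)$"
 }
@@ -65,5 +65,51 @@
 
 # try to find SoftHSM
-softhsm="$(which softhsm)"
+softhsm="$(basename ${SOFTHSM})"
+
+if [ "${softhsm}" = "softhsm" ]; then
+    softhsm_libname="libsofthsm.so"
+    # fail if SOFTHSM_CONF is not set
+    if [ -z "${SOFTHSM_CONF}" ]; then
+        echo "ERROR: SOFTHSM_CONF not set!" 1>&2
+        exit 1
+    else
+        export SOFTHSM_CONF
+    fi
+    echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
+elif [ "${softhsm}" = "softhsm2-util" ]; then
+    softhsm_libname="libsofthsm2.so"
+    # fail if SOFTHSM2_CONF is not set
+    if [ -z "${SOFTHSM2_CONF}" ]; then
+        echo "ERROR: SOFTHSM2_CONF not set!" 1>&2
+        exit 1
+    else
+        export SOFTHSM2_CONF
+    fi
+else
+    # no SoftHSM
+    echo "No SoftHSM!" >&2
+    exit 77
+fi
+
+if [ -z "${SOFTHSM_LIB}" ]; then
+    # Try to find the libsofthsm[2] module in some common locations.
+    softhsm_searchpath=(/usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm)
+    for i in ${softhsm_searchpath[@]} ""; do
+        SOFTHSM_LIB="${i}/${softhsm_libname}"
+        echo "checking ${SOFTHSM_LIB} ..."
+        if [ -f "${SOFTHSM_LIB}" ]; then
+            echo "found!"
+            export SOFTHSM_LIB
+            break;
+        fi
+    done
+else
+    echo "using ${SOFTHSM_LIB} (set by user)"
+fi
+
+if [ ! -f "${SOFTHSM_LIB}" ]; then
+    echo "${softhsm_libname} not found!" >&2
+    exit 77
+fi
 
 case "${1}" in
@@ -88,20 +134,4 @@
 set -e
 
-# Guess location of libsofthsm based on softhsm binary. The path
-# matches SoftHSM upstream, but this might fail if someone changes the
-# libdir or bindir of the SoftHSM installation independently of its
-# general prefix.
-softhsm_prefix="$(realpath $(dirname ${softhsm})/..)"
-softhsm_lib="${softhsm_prefix}/lib/softhsm/libsofthsm.so"
-
-# fail if SOFTHSM_CONF is not set
-if [ -z "${SOFTHSM_CONF}" ]; then
-    echo "ERROR: SOFTHSM_CONF not set!" 1>&2
-    exit 1
-else
-    export SOFTHSM_CONF
-fi
-echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
-
 # variables for token configuration
 token_label="mod_gnutls-test"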
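Review bot: The trailing `""` in `for i in ${softhsm_searchpath[@]} ""; do` at new line 97 makes the last iteration probe `/libsofthsm.so` (or `/libsofthsm2.so`) at the filesystem root and print `checking /libsofthsm.so ...`, which reads like an accident; if the intent is to leave `SOFTHSM_LIB` pointing at a nonexistent file so the `[ ! -f "${SOFTHSM_LIB}" ]` check at line 110 exits 77, a comment such as `# trailing "" leaves SOFTHSM_LIB set to a missing path so the check below fails cleanly` would say so. `softhsm="$(basename ${SOFTHSM})"` at line 67 expands `SOFTHSM` unquoted, so when it is unset basename prints a usage error on stderr before the `No SoftHSM!` branch is reached; `softhsm="$(basename "${SOFTHSM}")"` avoids that noise. The softhsm2 branch at lines 79-87 also lacks the `echo "using SOFTHSM2_CONF=..."` that the softhsm1 branch prints at line 78, which makes the two paths harder to compare in the test logs this changeset is trying to make more verbose.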
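--- a/test/test-19_TLS_reverse_proxy.bash
+++ b/test/test-19_TLS_reverse_proxy.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/19_TLS_reverse_proxy"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"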
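--- a/test/test-20_TLS_reverse_proxy_client_auth.bash
+++ b/test/test-20_TLS_reverse_proxy_client_auth.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"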
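--- a/test/test-21_TLS_reverse_proxy_wrong_cert.bash
+++ b/test/test-21_TLS_reverse_proxy_wrong_cert.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"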
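--- a/test/test-22_TLS_reverse_proxy_crl_revoke.bash
+++ b/test/test-22_TLS_reverse_proxy_crl_revoke.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
@@ -9,5 +11,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"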
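--- a/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
+++ b/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
@@ -3,4 +3,6 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
@@ -14,5 +16,5 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"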
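--- a/test/test-24_pkcs11_cert.bash
+++ b/test/test-24_pkcs11_cert.bash
@@ -3,7 +3,7 @@
 testdir="$(dirname ${0})/tests/24_pkcs11_cert"
 
-# The Apache/SoftHSM configuration mixes up directories, so generate a
-# config file with an absolute path to the token database from a
-# template. Generating it on every run avoids problems if the source
+# The Apache/SoftHSM configuration mixes up directories, so generate
+# config files with absolute paths to the token database from a
+# template. Generating them on every run avoids problems if the source
 # tree was moved.
 tmp_softhsm_conf="$(mktemp mod_gnutls_test-XXXXXX.conf)"
@@ -14,8 +14,17 @@
 trap cleanup_tmpconf EXIT
 
-sed "s,__DIR__,$(realpath $(pwd))," \
-    "${testdir}/softhsm.conf.in" \
-    >"${tmp_softhsm_conf}"
-export SOFTHSM_CONF="${tmp_softhsm_conf}"
+if [ "${SOFTHSM_MAJOR_VERSION}" = "1" ]; then
+    cat - >"${tmp_softhsm_conf}" <<EOF
+0:$(realpath $(pwd))/server/softhsm.db
+EOF
+    export SOFTHSM_CONF="${tmp_softhsm_conf}"
+elif [ "${SOFTHSM_MAJOR_VERSION}" = "2" ]; then
+    cat - >"${tmp_softhsm_conf}" <<EOF
+objectstore.backend = file
+directories.tokendir = $(realpath $(pwd))/server/softhsm2.db
+EOF
+    export SOFTHSM2_CONF="${tmp_softhsm_conf}"
+fi
+
 echo "Generated temporary SoftHSM config ${tmp_softhsm_conf}:"
 cat "${tmp_softhsm_conf}"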
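Review bot: The `if`/`elif` at new lines 16-27 has no `else`, so when `SOFTHSM_MAJOR_VERSION` is unset or anything other than `1` or `2` the script continues with an empty temporary config, neither `SOFTHSM_CONF` nor `SOFTHSM2_CONF` exported, and the `cat` at line 30 prints nothing that explains why the test later fails. Failing explicitly keeps the cause in the log: `else` / `echo "Unsupported SOFTHSM_MAJOR_VERSION: '${SOFTHSM_MAJOR_VERSION}'" >&2; exit 77` / `fi`, with 77 chosen only because test/softhsm.bash in this changeset already uses it as the skip status when no SoftHSM is available. The comment at lines 5-7 says config files are generated from a template, but the new code writes them from inline here-documents and the Makefile.am change drops `softhsm.conf.in`, so "from a template" no longer describes what happens.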
  • test/test_ca.mk

    r02c8e54 r63468af  
    3535# conditions with parallel make. Locking avoids this problem.
    3636%/cert.pgp: %/minimal.pgp authority/gpg.conf
    37         GNUPGHOME=authority flock authority/lock gpg --import $<
    38         GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
     37        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
     38        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
    3939        GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
    4040
     
    4848        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
    4949
     50# normal case: certificates signed by test CA
    5051%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
    5152        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
    5253
    53 %/softhsm.db: %/x509.pem %/secret.key
    54         SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
     54# error case: certificates signed by rogue CA
     55rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
     56        certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
     57
     58%/softhsm.conf: %/secret.key
     59        echo "0:$(dir $@)softhsm.db" > $@
     60
     61%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
     62        SOFTHSM="$(SOFTHSM)" \
     63        SOFTHSM_CONF="$(dir $@)softhsm.conf" \
     64        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
     65
     66%/softhsm2.conf: %/secret.key
     67        echo "objectstore.backend = file" > $@
     68        echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@
     69
     70%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
     71        mkdir -p $@
     72        SOFTHSM="$(SOFTHSM)" \
     73        SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
     74        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
    5575
    5676# Generate CRL revoking a certain certificate. Currently used to
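Review bot: In the `%/softhsm2.db` rule at new lines 70-74, `mkdir -p $@` creates the target directory before `softhsm.bash init` runs, so a failed initialization leaves a directory whose mtime is newer than its prerequisites and the next `make` treats the token store as up to date (make does not remove a directory target on recipe failure). Removing the directory when init fails, e.g. ending the recipe's last line with `|| { rm -rf $@; exit 1; }`, or initializing into a temporary directory and renaming it on success, avoids the stale-state case. The `%/softhsm.db` rule at lines 61-64 has the same shape but writes a file, so it is not affected in the same way.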
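--- a/test/tests/00_basic/apache.conf
+++ b/test/tests/00_basic/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On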
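--- a/test/tests/01_serverwide_priorities/apache.conf
+++ b/test/tests/01_serverwide_priorities/apache.conf
@@ -5,5 +5,5 @@
 GnuTLSPriorities NORMAL
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On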
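--- a/test/tests/02_cache_in_vhost/apache.conf
+++ b/test/tests/02_cache_in_vhost/apache.conf
@@ -1,5 +1,5 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCache dbm cache/gnutls_cache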
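--- a/test/tests/03_cachetimeout_in_vhost/apache.conf
+++ b/test/tests/03_cachetimeout_in_vhost/apache.conf
@@ -1,5 +1,5 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCacheTimeout 200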
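--- a/test/tests/04_basic_nosni/apache.conf
+++ b/test/tests/04_basic_nosni/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On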
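--- a/test/tests/05_mismatched-priorities/apache.conf
+++ b/test/tests/05_mismatched-priorities/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On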
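--- a/test/tests/06_verify_sni_a/apache.conf
+++ b/test/tests/06_verify_sni_a/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13,5 +13,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On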
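--- a/test/tests/07_verify_sni_b/apache.conf
+++ b/test/tests/07_verify_sni_b/apache.conf
@@ -3,9 +3,9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15,5 +15,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On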
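--- a/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
+++ b/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13,5 +13,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On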
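--- a/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
+++ b/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
@@ -3,9 +3,9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15,5 +15,5 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On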
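--- a/test/tests/10_basic_client_verification/apache.conf
+++ b/test/tests/10_basic_client_verification/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On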
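--- a/test/tests/11_basic_client_verification_fail/apache.conf
+++ b/test/tests/11_basic_client_verification_fail/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On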
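--- a/test/tests/12_cgi_variables/apache.conf
+++ b/test/tests/12_cgi_variables/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On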
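--- a/test/tests/13_cgi_variables_no_client_cert/apache.conf
+++ b/test/tests/13_cgi_variables_no_client_cert/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On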
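--- a/test/tests/14_basic_openpgp/apache.conf
+++ b/test/tests/14_basic_openpgp/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On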
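--- a/test/tests/15_basic_msva/apache.conf
+++ b/test/tests/15_basic_msva/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On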
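--- a/test/tests/16_view-status/apache.conf
+++ b/test/tests/16_view-status/apache.conf
@@ -9,5 +9,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On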
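--- a/test/tests/16_view-status/gnutls-cli.args
+++ b/test/tests/16_view-status/gnutls-cli.args
@@ -1,2 +1,2 @@
 --x509cafile=authority/x509.pem
---priority=NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL
+--priority=NONE:+VERS-TLS1.2:+AES-128-CBC:+SHA256:+RSA:+COMP-NULL:+SIGN-RSA-SHA256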
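--- a/test/tests/16_view-status/output
+++ b/test/tests/16_view-status/output
@@ -1,4 +1,4 @@
-<dt>using TLS:</dt><dd>yes</dd>
-<dt>This TLS Session:</dt><dd>(TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)</dd>
+<dt>Using TLS:</dt><dd>yes</dd>
+<dt>Current TLS session:</dt><dd>(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)</dd>
 </dl>
 </body></html>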
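--- a/test/tests/17_cgi_vars_large_cert/apache.conf
+++ b/test/tests/17_cgi_vars_large_cert/apache.conf
@@ -8,5 +8,5 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On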
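--- a/test/tests/18_client_verification_wrong_cert/apache.conf
+++ b/test/tests/18_client_verification_wrong_cert/apache.conf
@@ -3,5 +3,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On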
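--- a/test/tests/18_client_verification_wrong_cert/gnutls-cli.args
+++ b/test/tests/18_client_verification_wrong_cert/gnutls-cli.args
@@ -1,4 +1,4 @@
---x509certfile=rogueca/x509.pem
---x509keyfile=rogueca/secret.key
+--x509certfile=rogueclient/x509.pem
+--x509keyfile=rogueclient/secret.key
 --x509cafile=authority/x509.pem
 --priority=NORMAL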
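--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On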
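--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On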
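--- a/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On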
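--- a/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On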
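--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On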
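--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
@@ -1,11 +1,8 @@
 Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On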
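--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On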
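--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On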
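--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
@@ -4,5 +4,5 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On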
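--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
@@ -1,11 +1,8 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On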
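--- a/test/tests/24_pkcs11_cert/apache.conf
+++ b/test/tests/24_pkcs11_cert/apache.conf
@@ -3,7 +3,7 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
+GnuTLSP11Module ${SOFTHSM_LIB}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On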
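Review bot: `GnuTLSP11Module ${SOFTHSM_LIB}` at new line 5 makes the server load whatever shared object the `SOFTHSM_LIB` environment variable names as its PKCS #11 module, but nothing in this file says where that variable is expected to come from or what happens if it is empty. A one-line comment above it, e.g. `# SOFTHSM_LIB is the libsofthsm[2] module path, auto-detected by test/softhsm.bash or set by the user; it is loaded into the server process`, would make the cross-file dependency visible to anyone reading or reusing this config (whether the export from test/softhsm.bash reaches the server's environment is not visible in this changeset).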
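--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -24,3 +24,5 @@
         22_TLS_reverse_proxy_crl_revoke/apache.conf 22_TLS_reverse_proxy_crl_revoke/backend.conf 22_TLS_reverse_proxy_crl_revoke/gnutls-cli.args 22_TLS_reverse_proxy_crl_revoke/input 22_TLS_reverse_proxy_crl_revoke/output \
         23_TLS_reverse_proxy_mismatched_priorities/apache.conf 23_TLS_reverse_proxy_mismatched_priorities/backend.conf 23_TLS_reverse_proxy_mismatched_priorities/gnutls-cli.args 23_TLS_reverse_proxy_mismatched_priorities/input 23_TLS_reverse_proxy_mismatched_priorities/output \
-        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output 24_pkcs11_cert/softhsm.conf.in
+        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
+        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
+        26_redirect_HTTP_to_HTTPS/apache.conf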