Changes in / [02c8e54:63468af] in mod_gnutls

Files:

• CHANGELOG (modified) (1 diff)
• Makefile.in (deleted)
• aclocal.m4 (deleted)
• config.in (deleted)
• config/compile (deleted)
• config/config.guess (deleted)
• config/config.sub (deleted)
• config/depcomp (deleted)
• config/install-sh (deleted)
• config/ltmain.sh (deleted)
• config/missing (deleted)
• config/test-driver (deleted)
• configure (deleted)
• configure.ac (modified) (5 diffs)
• doc/Makefile.am (modified) (1 diff)
• doc/Makefile.in (deleted)
• doc/mod_gnutls_manual.mdwn (modified) (1 diff)
• m4/libtool.m4 (deleted)
• m4/ltoptions.m4 (deleted)
• m4/ltsugar.m4 (deleted)
• m4/ltversion.m4 (deleted)
• m4/lt~obsolete.m4 (deleted)
• src/Makefile.in (deleted)
• src/gnutls_hooks.c (modified) (2 diffs)
• src/mod_gnutls.c (modified) (2 diffs)
• test/Makefile.am (modified) (9 diffs)
• test/Makefile.in (deleted)
• test/README (modified) (5 diffs)
• test/apache-conf/listen.conf.in (added)
• test/apache-conf/netns.conf.in (added)
• test/base_apache.conf (modified) (2 diffs)
• test/common.bash (added)
• test/data/ocsp.cgi~ (added)
• test/proxy_backend.bash (modified) (4 diffs)
• test/proxy_backend.conf.in (added)
• test/rogueclient.template.in (added)
• test/runtests (modified) (5 diffs)
• test/server-softhsm.conf (deleted)
• test/softhsm.bash (modified) (6 diffs)
• test/test-19_TLS_reverse_proxy.bash (modified) (2 diffs)
• test/test-20_TLS_reverse_proxy_client_auth.bash (modified) (2 diffs)
• test/test-21_TLS_reverse_proxy_wrong_cert.bash (modified) (2 diffs)
• test/test-22_TLS_reverse_proxy_crl_revoke.bash (modified) (2 diffs)
• test/test-23_TLS_reverse_proxy_mismatched_priorities.bash (modified) (2 diffs)
• test/test-24_pkcs11_cert.bash (modified) (2 diffs)
• test/test-25_Disable_TLS_1.0.bash (added)
• test/test-26_redirect_HTTP_to_HTTPS.bash (added)
• test/test_ca.mk (modified) (2 diffs)
• test/tests/00_basic/apache.conf (modified) (1 diff)
• test/tests/01_serverwide_priorities/apache.conf (modified) (1 diff)
• test/tests/02_cache_in_vhost/apache.conf (modified) (1 diff)
• test/tests/03_cachetimeout_in_vhost/apache.conf (modified) (1 diff)
• test/tests/04_basic_nosni/apache.conf (modified) (1 diff)
• test/tests/05_mismatched-priorities/apache.conf (modified) (1 diff)
• test/tests/06_verify_sni_a/apache.conf (modified) (2 diffs)
• test/tests/07_verify_sni_b/apache.conf (modified) (2 diffs)
• test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf (modified) (2 diffs)
• test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf (modified) (2 diffs)
• test/tests/10_basic_client_verification/apache.conf (modified) (1 diff)
• test/tests/11_basic_client_verification_fail/apache.conf (modified) (1 diff)
• test/tests/12_cgi_variables/apache.conf (modified) (1 diff)
• test/tests/13_cgi_variables_no_client_cert/apache.conf (modified) (1 diff)
• test/tests/14_basic_openpgp/apache.conf (modified) (1 diff)
• test/tests/15_basic_msva/apache.conf (modified) (1 diff)
• test/tests/16_view-status/apache.conf (modified) (1 diff)
• test/tests/16_view-status/gnutls-cli.args (modified) (1 diff)
• test/tests/16_view-status/output (modified) (1 diff)
• test/tests/17_cgi_vars_large_cert/apache.conf (modified) (1 diff)
• test/tests/18_client_verification_wrong_cert/apache.conf (modified) (1 diff)
• test/tests/18_client_verification_wrong_cert/gnutls-cli.args (modified) (1 diff)
• test/tests/19_TLS_reverse_proxy/apache.conf (modified) (1 diff)
• test/tests/19_TLS_reverse_proxy/backend.conf (modified) (1 diff)
• test/tests/20_TLS_reverse_proxy_client_auth/apache.conf (modified) (1 diff)
• test/tests/20_TLS_reverse_proxy_client_auth/backend.conf (modified) (1 diff)
• test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf (modified) (1 diff)
• test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf (modified) (1 diff)
• test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf (modified) (1 diff)
• test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf (modified) (1 diff)
• test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf (modified) (1 diff)
• test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf (modified) (1 diff)
• test/tests/24_pkcs11_cert/apache.conf (modified) (1 diff)
• test/tests/24_pkcs11_cert/softhsm.conf.in (deleted)
• test/tests/25_Disable_TLS_1.0/apache.conf (added)
• test/tests/25_Disable_TLS_1.0/fail.client (added)
• test/tests/25_Disable_TLS_1.0/gnutls-cli.args (added)
• test/tests/25_Disable_TLS_1.0/input (added)
• test/tests/26_redirect_HTTP_to_HTTPS/apache.conf (added)
• test/tests/Makefile.am (modified) (1 diff)
• test/tests/Makefile.in (deleted)

CHANGELOG

@@ -2 +2 @@
 - Handle Unclean Shutdowns
 - make session cache use generic apache caches
+
+** Version 0.7.4 (2016-04-13)
+- Support SoftHSM 2 for PKCS #11 testing
+- Increase verbosity of test logs
+
+** Version 0.7.3 (2016-01-12)
+- Update test suite for compatibility with GnuTLS 3.4, which has
+  stricter key usage checks and priorities than 3.3.
+- Write non-HTML output to mod_status reports if AP_STATUS_SHORT is
+  set (mod_status sets it for requests with the "auto" parameter, e.g.
+  https://localhost/server-status?auto).
+- Register "ssl_is_https" function so the special mod_rewrite variable
+  %{HTTPS} works correctly with mod_gnutls. The new test case for this
+  requires Wget or curl. Fixes Debian bug #514005.
+- Test suite servers listen on IPv4 *and* IPv6 loopback addresses by
+  default (other addresses configurable), which should fix failures
+  due to localhost randomly resolving to either on some distributions.
+- Isolate tests using network namespaces, if possible. This avoids
+  port conflicts with other test cases (so they can run in parallel)
+  and host services.
+- Support for local Apache drop-in config files in the test suite
+  (e.g. to load additional modules needed on Fedora).
+- Try to use markdown to build HTML documentation if pandoc is not
+  available.
+- Disable use of flock if it is unavailable or does not support
+  timeouts (the latter caused the build to fail on Debian Hurd).
+- New test: Disable TLS 1.0 (regression test for Debian bug #754960).
 
 ** Version 0.7.2 (2015-11-21)

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.7.2)
+AC_INIT(mod_gnutls, 0.7.4)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -59 +59 @@
 AC_MSG_CHECKING([whether to enable SRP functionality])
 AC_MSG_RESULT($use_srp)
+
+dnl Optionally disable flock
+AC_ARG_ENABLE(flock,
+        AS_HELP_STRING([--disable-flock], [Disable use of flock during tests \
+        (some exotic architectures don't support it)]),
+        [use_flock=$enableval], [use_flock=yes])
+# Check if flock is available and supports --timeout
+AC_PATH_PROG([FLOCK], [flock], [no])
+AS_IF([test "${FLOCK}" != "no"],
+      [
+        AC_MSG_CHECKING([whether ${FLOCK} supports --timeout])
+        lockfile="$(mktemp)"
+        AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
+              [flock_works="yes"], [flock_works="no"])
+        rm "${lockfile}"
+        AC_MSG_RESULT([$flock_works])
+      ],
+      [flock_works="no"])
+# disable flock if requested by user or it doesn't support timeout
+AM_CONDITIONAL([DISABLE_FLOCK],
+               [test "$enable_flock" = "no" || test "$flock_works" = "no"])
+
+dnl Enable test namespaces? Default is "yes".
+AC_ARG_ENABLE(test-namespaces,
+        AS_HELP_STRING([--disable-test-namespaces], [Disable use of network \
+        namespaces to run tests in parallel (some architectures might not \
+        support it)]),
+        [use_netns=$enableval], [use_netns=yes])
+
+# Check if "unshare" is available and has permission to create network
+# and user namespaces
+AC_PATH_PROG([UNSHARE], [unshare], [no])
+AS_IF([test "${UNSHARE}" != "no"],
+      [
+        AC_MSG_CHECKING([for permission to create network and user namespaces])
+        AS_IF([${UNSHARE} --net -r /bin/sh -c \
+                "ip link set up lo && ip addr show" >&AS_MESSAGE_LOG_FD 2>&1],
+              [unshare_works="yes"], [unshare_works="no"])
+        AC_MSG_RESULT([$unshare_works])
+      ],
+      [unshare_works="no"])
+# decide whether to enable network namespaces
+AS_IF([test "$enable_test_namespaces" != "no" \
+            && test "$unshare_works" = "yes"],
+      [use_netns="yes"], [use_netns="no"])
+AM_CONDITIONAL([ENABLE_NETNS], [test "$use_netns" != "no"])
+# Adjust Apache configuration for tests accordingly: Use pthread mutex
+# and test specific PID files if using namespaces, defaults otherwise.
+AS_IF([test "$use_netns" = "yes"],
+      [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
+      [MUTEX_TYPE="default"; PID_AFFIX=""])
+AC_SUBST(MUTEX_TYPE)
+AC_SUBST(PID_AFFIX)
+AM_SUBST_NOTMAKE(MUTEX_TYPE)
+AM_SUBST_NOTMAKE(PID_AFFIX)
 
 AC_ARG_ENABLE(msva,
@@ -93 +148 @@
                 build_doc="html only"
         fi
+else
+        AC_PATH_PROG([MARKDOWN], [markdown], [no])
+        if test "$MARKDOWN" != "no"; then
+                build_doc="html stub"
+        fi
 fi
 AM_CONDITIONAL([USE_PANDOC], [test "$PANDOC" != "no"])
 AM_CONDITIONAL([USE_PDFLATEX], [test "$PANDOC" != "no" && \
                                test "$PDFLATEX" != "no"])
+AM_CONDITIONAL([USE_MARKDOWN], [test -n "$MARKDOWN" && \
+                               test "$MARKDOWN" != "no"])
 
 # Check for Apache binary
@@ -105 +167 @@
 fi
 
+AC_PATH_PROGS([HTTP_CLI], [curl wget], [no])
+
 MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
 MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
 
+AC_PATH_PROGS([SOFTHSM], [softhsm2-util softhsm], [no])
+if test "${SOFTHSM}" != "no"; then
+        softhsm_version=$(${SOFTHSM} --version)
+        AS_VERSION_COMPARE([$(${SOFTHSM} --version)], [2.0.0],
+                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [1])],
+                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])],
+                           [AC_SUBST(SOFTHSM_MAJOR_VERSION, [2])])
+fi
+AM_CONDITIONAL([HAVE_SOFTHSM], [test "${SOFTHSM}" != "no"])
+AM_CONDITIONAL([HAVE_SOFTHSM1], [test "${SOFTHSM_MAJOR_VERSION}" = "1"])
+AM_CONDITIONAL([HAVE_SOFTHSM2], [test "${SOFTHSM_MAJOR_VERSION}" = "2"])
+
 AC_SUBST(MODULE_CFLAGS)
 AC_SUBST(MODULE_LIBS)
@@ -113 +189 @@
 # assign default values to TEST_HOST and TEST_IP if necessary
 : ${TEST_HOST:="localhost"}
-: ${TEST_IP:="[::1]"}
+: ${TEST_IP:="[[::1]] 127.0.0.1"}
 AC_ARG_VAR([TEST_HOST], [Host name to use for server instances started by \
-                        "make check", must resolve to TEST_IP. The default \
-                        is "localhost".])
-AC_ARG_VAR([TEST_IP], [IP address to use for server instances started by \
-                      "make check". The default is the IPv6 loopback address \
-                      [::1].])
+                        "make check", must resolve to addresses in TEST_IP. \
+                        The default is "localhost".])
+AC_ARG_VAR([TEST_IP], [List of IP addresses to use for server instances \
+                      started by "make check". The default is \
+                      "[::1] 127.0.0.1". Note that IPv6 addresses must be \
+                      enclosed in square brackets.])
+AM_SUBST_NOTMAKE(TEST_IP)
+
+dnl Allow user to set SoftHSM PKCS #11 module
+AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
+                          use. By default the test suite will search common \
+                          library paths.])
+
+dnl Build list of "Listen" statements for Apache
+LISTEN_LIST="# Listen addresses for the test servers"
+for i in ${TEST_IP}; do
+        LISTEN_LIST="${LISTEN_LIST}
+Listen ${i}:\${TEST_PORT}"
+done
+dnl HTTP ports, only active if TEST_HTTP_PORT is defined
+LISTEN_LIST="${LISTEN_LIST}
+<IfDefine TEST_HTTP_PORT>"
+for i in ${TEST_IP}; do
+        LISTEN_LIST="${LISTEN_LIST}
+        Listen ${i}:\${TEST_HTTP_PORT}"
+done
+LISTEN_LIST="${LISTEN_LIST}
+</IfDefine>"
+AC_SUBST(LISTEN_LIST)
+AM_SUBST_NOTMAKE(LISTEN_LIST)
 
 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
-                          doc/Makefile include/mod_gnutls.h])
+                        doc/Makefile include/mod_gnutls.h \
+                        test/proxy_backend.conf \
+                        test/apache-conf/listen.conf \
+                        test/apache-conf/netns.conf])
 AC_OUTPUT
 

doc/Makefile.am

@@ -3 +3 @@
 if USE_PANDOC
 html_DATA = mod_gnutls_manual.html
-endif
-# pandoc needs pdflatex for PDF output, so USE_PDFLATEX will only be
-# enabled if USE_PANDOC is, too.
 if USE_PDFLATEX
+# pandoc && pdflatex
 pdf_DATA = mod_gnutls_manual.pdf
 endif
+else
+if USE_MARKDOWN
+# !pandoc && markdown
+html_DATA = mod_gnutls_manual.html
+endif
+endif
+
 MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
 
+# pdf_DATA will be empty if pandoc isn't available
 $(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
+if USE_PANDOC
         $(PANDOC) --toc --standalone -f markdown -o $@ $<
+else
+if USE_MARKDOWN
+        $(MARKDOWN) $< > $@
+endif
+endif

doc/mod_gnutls_manual.mdwn

@@ -31 +31 @@
 :   Provides a list of all available configure options.
 
-It is recommended to run `make check` before installation. If
-`localhost` does not resolve to the IPv6 loopback address `[::1]` on
-your system, you may have to set the `TEST_HOST` or `TEST_IP`
+It is recommended to run `make check` before installation. If your
+system doesn't have a loopback device with IPv6 and IPv4 support or
+`localhost` does not resolve to at least one of `[::1]` and
+`127.0.0.1`, you may have to set the `TEST_HOST` or `TEST_IP`
 environment variables when running `./configure` to make the test
 suite work correctly.

src/gnutls_hooks.c

@@ -4 +4 @@
  *  Copyright 2011 Dash Shendy
  *  Copyright 2013-2014 Daniel Kahn Gillmor
- *  Copyright 2015 Thomas Klute
+ *  Copyright 2015-2016 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -1655 +1655 @@
 #endif /* ENABLE_MSVA */
 
-static int mgs_status_hook(request_rec *r, int flags __attribute__((unused)))
+
+
+/*
+ * This hook writes the mod_gnutls status message for a mod_status
+ * report. According to the comments in mod_status.h, the "flags"
+ * parameter is a bitwise OR of the AP_STATUS_ flags.
+ *
+ * Note that this implementation gives flags explicitly requesting a
+ * simple response priority, e.g. if AP_STATUS_SHORT is set, flags
+ * requesting an HTML report will be ignored. As of Apache 2.4.10, the
+ * following flags were defined in mod_status.h:
+ *
+ * AP_STATUS_SHORT (short, non-HTML report requested)
+ * AP_STATUS_NOTABLE (HTML report without tables)
+ * AP_STATUS_EXTENDED (detailed report)
+ */
+static int mgs_status_hook(request_rec *r, int flags)
 {
-    mgs_srvconf_rec *sc;
-
     if (r == NULL)
         return OK;
 
-    sc = (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, &gnutls_module);
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(r->server->module_config, &gnutls_module);
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
-    ap_rputs("<hr>\n", r);
-    ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
-
-    ap_rprintf(r, "<dt>GnuTLS version:</dt><dd>%s</dd>\n", gnutls_check_version(NULL));
-    ap_rputs("<dt>Built against:</dt><dd>" GNUTLS_VERSION "</dd>\n", r);
-    ap_rprintf(r, "<dt>using TLS:</dt><dd>%s</dd>\n", (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
-    if (sc->enabled != GNUTLS_ENABLED_FALSE) {
-        mgs_handle_t* ctxt;
-        ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
-        if (ctxt && ctxt->session != NULL) {
-#if GNUTLS_VERSION_MAJOR < 3
-            ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n",
-                gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
-                gnutls_cipher_get(ctxt->session),
-                gnutls_mac_get(ctxt->session)));
-#else
-            char* z = NULL;
-            z = gnutls_session_get_desc(ctxt->session);
-            if (z) {
-                ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n", z);
-                gnutls_free(z);
+    if (flags & AP_STATUS_SHORT)
+    {
+        ap_rprintf(r, "Using GnuTLS version: %s\n", gnutls_check_version(NULL));
+        ap_rputs("Built against GnuTLS version: " GNUTLS_VERSION "\n", r);
+    }
+    else
+    {
+        ap_rputs("<hr>\n", r);
+        ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
+
+        ap_rprintf(r, "<dt>Using GnuTLS version:</dt><dd>%s</dd>\n",
+                   gnutls_check_version(NULL));
+        ap_rputs("<dt>Built against GnuTLS version:</dt><dd>"
+                 GNUTLS_VERSION "</dd>\n", r);
+        ap_rprintf(r, "<dt>Using TLS:</dt><dd>%s</dd>\n",
+                   (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
+    }
+
+    if (sc->enabled != GNUTLS_ENABLED_FALSE)
+    {
+        mgs_handle_t* ctxt =
+            ap_get_module_config(r->connection->conn_config, &gnutls_module);
+        if (ctxt && ctxt->session != NULL)
+        {
+            char* s_info = gnutls_session_get_desc(ctxt->session);
+            if (s_info)
+            {
+                if (flags & AP_STATUS_SHORT)
+                    ap_rprintf(r, "Current TLS session: %s\n", s_info);
+                else
+                    ap_rprintf(r, "<dt>Current TLS session:</dt><dd>%s</dd>\n",
+                               s_info);
+                gnutls_free(s_info);
             }
-#endif
-        }
-    }
-
-    ap_rputs("</dl>\n", r);
+        }
+    }
+
+    if (!(flags & AP_STATUS_SHORT))
+        ap_rputs("</dl>\n", r);
+
     return OK;
 }

src/mod_gnutls.c

@@ -69 +69 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-}
-
+
+    /* mod_rewrite calls this function to detect HTTPS */
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+}
+
+
+
+/*
+ * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
+ * value means that HTTPS is in use.
+ */
 int ssl_is_https(conn_rec *c)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if(sc->enabled == GNUTLS_ENABLED_FALSE
+       || ctxt == NULL
+       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
+    {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
         return 0;
@@ -82 +97 @@
     return 1;
 }
+
+
 
 int ssl_engine_disable(conn_rec *c)

test/Makefile.am

@@ -27 +27 @@
         test-22_TLS_reverse_proxy_crl_revoke.bash \
         test-23_TLS_reverse_proxy_mismatched_priorities.bash \
-        test-24_pkcs11_cert.bash
+        test-24_pkcs11_cert.bash \
+        test-25_Disable_TLS_1.0.bash \
+        test-26_redirect_HTTP_to_HTTPS.bash
 
 TESTS = $(dist_check_SCRIPTS)
@@ -33 +35 @@
 # Identities in the miniature CA, server, and client environment for
 # the test suite
-identities = server authority client imposter rogueca
+shared_identities = server authority client imposter rogueca
+pgp_identities = $(shared_identities)
+x509_only_identities = rogueclient
+x509_identities = $(shared_identities) $(x509_only_identities)
+identities = $(shared_identities) $(x509_only_identities)
 # Append strings after ":=" to each identity to generate a list of
 # necessary files
-pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
-        $(identities:=/secret.pgp)
-x509_keys = $(identities:=/secret.key)
-x509_certs = $(identities:=/x509.pem)
+pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
+        $(pgp_identities:=/secret.pgp)
+x509_keys = $(x509_identities:=/secret.key)
+x509_certs = $(x509_identities:=/x509.pem)
 x509_tokens = $(x509_certs) $(x509_keys)
 tokens = $(x509_tokens) $(pgp_tokens)
+
+if !DISABLE_FLOCK
+# flock command for write access to the authority keyring
+GPG_FLOCK = @FLOCK@ authority/lock
+endif
 
 include $(srcdir)/test_ca.mk
@@ -60 +71 @@
 
 cert_templates = authority.template.in client.template.in \
-        imposter.template.in rogueca.template server.template.in
+        imposter.template.in rogueca.template rogueclient.template.in \
+        server.template.in
 generated_templates = authority.template client.template \
-        imposter.template server.template
+        imposter.template rogueclient.template server.template
 
 # Delete X.509 private keys on full clean. Note that unless you need
@@ -72 +84 @@
 # target. Certificates can be rebuilt without generating new key
 # pairs, and regenerating them makes it possible to change identities
-# (e.g. host names) without wasting entropy on new keys (which would
+# (e.g. host names) without wasting time on new keys (which would
 # happen after "clean").
 MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
@@ -101 +113 @@
 endif
 
-# SoftHSM files
-check_DATA += server/softhsm.db
-MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
-
+
+# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
+# hence has to be treated slightly differently.
+SOFTHSM_TOKEN = server/softhsm.db
+SOFTHSM2_TOKEN = server/softhsm2.db
+
+# Tokens should be cleaned whether or not the matching SoftHSM version
+# was detected on the last ./configure run.
+MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
+# included in mostlyclean-local below
+clean-softhsm2-db:
+        -rm -rf $(SOFTHSM2_TOKEN)
+
+if HAVE_SOFTHSM1
+check_DATA += $(SOFTHSM_TOKEN)
+endif HAVE_SOFTHSM1
+
+if HAVE_SOFTHSM2
+check_DATA += $(SOFTHSM2_TOKEN)
+endif HAVE_SOFTHSM2
 
 check_DATA += make-test-dirs
@@ -110 +138 @@
 make-test-dirs:
         mkdir -p $(extra_dirs)
-.PHONY: make-test-dirs
+
+.PHONY: make-test-dirs clean-softhsm2-db
+
+mostlyclean-local: clean-softhsm2-db
 
 clean-local:
@@ -122 +153 @@
 apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
 
-EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
-        runtests server-crl.template server-softhsm.conf softhsm.bash
+EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
+        proxy_backend.bash runtests server-crl.template softhsm.bash
 
 # Lockfile for the main Apache process
 test_lockfile = ./test.lock
-# Maximum wait time in seconds for flock to aquire instance lock files
+# Lockfile for the proxy backend Apache process (if any)
+backend_lockfile = ./backend.lock
+# Maximum wait time in seconds for flock to aquire instance lock
+# files, or Apache to remove its PID file
 lock_wait = 30
 
@@ -141 +175 @@
 TEST_QUERY_DELAY ?= 30
 
-AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
-        export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
-        export TEST_LOCK="$(test_lockfile)"; \
+AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
+        export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
         export TEST_LOCK_WAIT="$(lock_wait)"; \
-        export TEST_HOST="$(TEST_HOST)"; \
-        export TEST_IP="$(TEST_IP)"; \
+        export TEST_HOST="@TEST_HOST@"; \
         export TEST_PORT="$(TEST_PORT)"; \
         export MSVA_PORT="$(MSVA_PORT)"; \
@@ -152 +184 @@
         export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
         export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
-        export BACKEND_HOST="$(TEST_HOST)"; \
-        export BACKEND_IP="$(TEST_IP)";
+        export BACKEND_HOST="@TEST_HOST@"; \
+        export HTTP_CLI="@HTTP_CLI@";
+
+if HAVE_SOFTHSM
+AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
+        export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
+        export SOFTHSM_LIB="@SOFTHSM_LIB@"
+endif
+
+if ENABLE_NETNS
+AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
+        export USE_TEST_NAMESPACE=1;
+endif
+# Without flock tests must not run in parallel. Otherwise set lock files.
+if DISABLE_FLOCK
+.NOTPARALLEL:
+else
+AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
+        export TEST_LOCK="$(test_lockfile)"; \
+        export BACKEND_LOCK="$(backend_lockfile)";
+endif
 
 # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if

test/README

@@ -12 +12 @@
 =================
 
-from the top level of the source, or from test/ (where this README is),
+From the top level of the source, or from test/ (where this README is),
 just run:
 
- make check
+  make check
 
-from test/ you can also run specific tests by passing their script
-names to make in the TESTS variable:
+from test/. You can also run specific test cases by passing their
+script names to make in the TESTS variable:
 
- TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
+  TESTS="test-03_cachetimeout_in_vhost.bash" make -e check
 
 This should be handy when you're just trying to experiment with a new
 test and don't want to wait for the full test suite to run.
 
-The default configuration assumes that an IPv6 loopback device is
-available (TEST_IP=[::1]) and that TEST_HOST="localhost" resolves to
-the IPv6 loopback address [::1]. If this does not apply to your
-system, you can pass different values to ./configure, e.g. to use IPv4
-instead:
+The default configuration assumes that a loopback device with IPv4 and
+IPv6 support is available (TEST_IP="[::1] 127.0.0.1") and that
+TEST_HOST="localhost" resolves to at least one of these addresses. If
+this does not apply to your system, you can pass different values to
+./configure, e.g. to use IPv4 only:
 
   TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
+
+If tests fail due to expired certificates or PGP signatures, run
+
+  make mostlyclean
+
+to delete them and create fresh ones on the next test run. You could
+also use "make clean", but in that case the keys will be deleted as
+well and have to be recreated, too, which takes more time.
 
 
@@ -41 +49 @@
 The simplest way to add a test is (from test/):
 
- ./newtest
+  ./newtest
 
 This will prompt you for a simple name for the test and then copy a
@@ -52 +60 @@
 ==============
 
-Each test consists of a directory in test/tests/, which will cause the
-test suite to spin up an isolated apache instance and try to connect
-to it with gnutls-cli and make a simple HTTP 1.1 request.
+Each test consists of a script in test/ and a directory in
+test/tests/, which the test suite uses to spin up an isolated Apache
+instance or two (for proxy tests) and try to connect to it with
+gnutls-cli and make a simple HTTP 1.1 or 1.0 request.
 
-By default, these tests are expected to succeed, by having 
+Test directories usually contain the following files:
 
-In each directory, you can put the following files:
+ * apache.conf -- Apache configuration to be used
 
- * apache.conf --  the apache configuration to be used
-
- * gnutls-cli.args --  the arguments to pass to gnutls-cli
+ * gnutls-cli.args -- the arguments to pass to gnutls-cli
 
  * input -- the full HTTP request (including the final blank line)
 
+ * backend.conf [optional] -- Apache configuration for the proxy
+   backend server, if any
+
  * output [optional] -- the lines of this file will be checked against
    the same number of lines at the end of the output produced by the
-   gnutls-cli process.
+   gnutls-cli process. "Date" and "Server" headers are filtered from
+   the response because they are expected to change between runs
+   (date) or builds (server version).
 
  * fail.server [optional] -- if this file exists, it means we expect
@@ -79 +91 @@
    should result in a failed file retrieval.
 
+The "runtests" script is used to start one Apache instance and send a
+request based on the files described above. Note that some tests take
+additional steps, e.g. starting another server to act as proxy
+backend, and at least one does not use "runtests" at all.
+
+By default (if "unshare" is available and has the permissions required
+to create network and user namespaces), each test case is run inside
+its own network namespace. This avoids address and port conflicts with
+other tests as well has the host system.
+
+When writing your own tests, make sure to call netns_reexec (defined
+in common.bash) if you need to start any network services outside of
+runtests (which will create the namespace if it doesn't exist
+already). However, some architectures might not support namespaces, so
+traditional locking (using flock) and serial execution are still
+supported.
+
 
 Robustness and Tuning
 =====================
 
-These tests aren't nearly as robust as i'd like them to be, but they
-work for the moment and they're better than no tests at all.
+Here are some things that you might want to tune about the tests based
+on your expected setup (along with the variables that can be passed to
+"make check" to adjust them):
 
-Here are some things that you might want to tune based on your
-expected setup (along with the variables that can be passed to "make
-check" to adjust them):
+ * They need a functioning loopback device.
 
- * they need a functioning loopback device.
+ * They expect (by default) to have port 9932 [TEST_PORT] available
+   and open for connections on the addresses listed in TEST_IP.
 
- * they expect (by default) the TEST_IP to have port 9932
-   open. [TEST_PORT]
+ * Depending on the compile time configuration of the Apache binary
+   installed on your system you may need to load additional Apache
+   modules. The recommended way to do this is to drop a configuration
+   file into the test/apache-conf/ directory. Patches to detect such
+   situations and automatically configure the tests accordingly are
+   welcome.
 
- * if a machine is particularly slow or under heavy load, it's
+ * If a machine is particularly slow or under heavy load, it's
    possible that these tests will fail for timing
-   reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
+   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
    and responded to)]
+
+The first two of these issues are avoided when the tests are isolated
+using network namespaces, which is the default (see "Implementation"
+above). The ./configure script tries to detect if namespaces can be
+used (some Linux distributions disable them for unprivileged
+users). If this detection returns a false positive or you do not want
+to use namespace isolation for some other reason, you can run
+configure with the --disable-test-namespaces option.
 
 In some situations you may want to see the exact environment as
@@ -104 +145 @@
 instance with Valgrind using the same configuration as a test
 case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.
+
+If you are building on an exotic architecture which does not support
+flock (or timeouts using flock -w), ./configure should detect that and
+disable locking, or you can disable it manually by passing
+"--disable-flock" to ./configure. This will force serial execution of
+tests, including environment setup.

test/base_apache.conf

@@ -5 +5 @@
 ErrorLog logs/${TEST_NAME}.error.log
 HostnameLookups Off
-PidFile apache2.pid
 KeepAlive Off
 LogLevel debug
@@ -14 +13 @@
 TypesConfig ${srcdir}/mime.types
 
-Listen ${TEST_IP}:${TEST_PORT}
+Include         apache-conf/*.conf
 
 DocumentRoot ${srcdir}/data

test/proxy_backend.bash

@@ -2 +2 @@
 
 set -e
+. ${srcdir}/common.bash
 
 if [ -z "${BACKEND_HOST}" ]; then
@@ -12 +13 @@
     export BACKEND_PORT="9934"
 fi
-: ${BACKEND_LOCK:="backend.lock"}
+: ${BACKEND_PID:="backend.pid"}
 : ${srcdir:="."}
 : ${APACHE2:="apache2"}
@@ -24 +25 @@
     lockfile="${4}"
 
-    if [ -n "${lockfile}" ]; then
-        flock_cmd="flock -w ${TEST_LOCK_WAIT} ${lockfile}"
-    fi
-
     TEST_NAME="$(basename "${dir}")"
     (
@@ -36 +33 @@
         case $action in
             start)
+                if [ -n "${USE_TEST_NAMESPACE}" ]; then
+                    echo "Using namespaces to isolate tests, no need for" \
+                         "locking."
+                    flock_cmd=""
+                elif [ -n "${lockfile}" ]; then
+                    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
+                else
+                    echo "Locking disabled, using wait based on proxy PID file."
+                    wait_pid_gone "${BACKEND_PID}"
+                    flock_cmd=""
+                fi
                 ${flock_cmd} \
                     ${APACHE2} -f "$(realpath ${testdir}/${conf})" -k start || return 1

test/runtests

@@ -6 +6 @@
 
 set -e
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testid="${1##t-}"
@@ -17 +19 @@
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
-                 MSVA_PORT TEST_LOCK; do
+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+                 MSVA_PORT; do
     if [ ! -v "$v" ]; then
         printf "You need to set the %s environment variable\n" "$v" >&2
@@ -150 +152 @@
 fi
 
+TEST_PID="apache2.pid"
 # configure locking for the Apache process
-flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
+if [ -n "${USE_TEST_NAMESPACE}" ]; then
+    echo "Using namespaces to isolate tests, no need for locking."
+    flock_cmd=""
+elif [ -n "${TEST_LOCK}" ]; then
+    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
+else
+    echo "Locking disabled, using wait based on Apache PID file."
+    wait_pid_gone "${TEST_PID}"
+    flock_cmd=""
+fi
 
 t="$(realpath ${testid})"
@@ -189 +201 @@
            run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
        gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
-                  >"$output";
+       | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
 then
     if [ -e ${t}/fail* ]; then
@@ -206 +218 @@
 
 if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" "-q"
+    diff_output_filter_headers "${t}/output" "$output" >&2
 fi
 if [ -n "${USE_MSVA}" ]; then

test/softhsm.bash

@@ -17 +17 @@
     local label="${3}"
 
-    p11tool --provider=${softhsm_lib} --login --write --label "${label}" \
+    p11tool --provider=${SOFTHSM_LIB} --login --write --label "${label}" \
             --load-privkey "${keyfile}" "${token}"
 }
@@ -28 +28 @@
     local label="${3}"
 
-    p11tool --provider=${softhsm_lib} --login --write --no-mark-private \
+    p11tool --provider=${SOFTHSM_LIB} --login --write --no-mark-private \
             --label "${label}" --load-certificate "${certfile}" "${token}"
 }
@@ -36 +36 @@
 {
     local label="${1}"
-    p11tool --provider=${softhsm_lib} --list-tokens | \
+    p11tool --provider=${SOFTHSM_LIB} --list-tokens | \
         grep -o -P "(?<=URL:\s)(.*token=${label}.*)$"
 }
@@ -44 +44 @@
 function get_object_url
 {
-    p11tool --provider=${softhsm_lib} --list-all --login "${1}" | \
+    p11tool --provider=${SOFTHSM_LIB} --list-all --login "${1}" | \
         grep -o -P "(?<=URL:\s)(.*object=${2}.*)$"
 }
@@ -65 +65 @@
 
 # try to find SoftHSM
-softhsm="$(which softhsm)"
+softhsm="$(basename ${SOFTHSM})"
+
+if [ "${softhsm}" = "softhsm" ]; then
+    softhsm_libname="libsofthsm.so"
+    # fail if SOFTHSM_CONF is not set
+    if [ -z "${SOFTHSM_CONF}" ]; then
+        echo "ERROR: SOFTHSM_CONF not set!" 1>&2
+        exit 1
+    else
+        export SOFTHSM_CONF
+    fi
+    echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
+elif [ "${softhsm}" = "softhsm2-util" ]; then
+    softhsm_libname="libsofthsm2.so"
+    # fail if SOFTHSM2_CONF is not set
+    if [ -z "${SOFTHSM2_CONF}" ]; then
+        echo "ERROR: SOFTHSM2_CONF not set!" 1>&2
+        exit 1
+    else
+        export SOFTHSM2_CONF
+    fi
+else
+    # no SoftHSM
+    echo "No SoftHSM!" >&2
+    exit 77
+fi
+
+if [ -z "${SOFTHSM_LIB}" ]; then
+    # Try to find the libsofthsm[2] module in some common locations.
+    softhsm_searchpath=(/usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm)
+    for i in ${softhsm_searchpath[@]} ""; do
+        SOFTHSM_LIB="${i}/${softhsm_libname}"
+        echo "checking ${SOFTHSM_LIB} ..."
+        if [ -f "${SOFTHSM_LIB}" ]; then
+            echo "found!"
+            export SOFTHSM_LIB
+            break;
+        fi
+    done
+else
+    echo "using ${SOFTHSM_LIB} (set by user)"
+fi
+
+if [ ! -f "${SOFTHSM_LIB}" ]; then
+    echo "${softhsm_libname} not found!" >&2
+    exit 77
+fi
 
 case "${1}" in
@@ -88 +134 @@
 set -e
 
-# Guess location of libsofthsm based on softhsm binary. The path
-# matches SoftHSM upstream, but this might fail if someone changes the
-# libdir or bindir of the SoftHSM installation independently of its
-# general prefix.
-softhsm_prefix="$(realpath $(dirname ${softhsm})/..)"
-softhsm_lib="${softhsm_prefix}/lib/softhsm/libsofthsm.so"
-
-# fail if SOFTHSM_CONF is not set
-if [ -z "${SOFTHSM_CONF}" ]; then
-    echo "ERROR: SOFTHSM_CONF not set!" 1>&2
-    exit 1
-else
-    export SOFTHSM_CONF
-fi
-echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
-
 # variables for token configuration
 token_label="mod_gnutls-test"

test/test-19_TLS_reverse_proxy.bash

@@ -3 +3 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/19_TLS_reverse_proxy"
@@ -9 +11 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"

test/test-20_TLS_reverse_proxy_client_auth.bash

@@ -3 +3 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
@@ -9 +11 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"

test/test-21_TLS_reverse_proxy_wrong_cert.bash

@@ -3 +3 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
@@ -9 +11 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"

test/test-22_TLS_reverse_proxy_crl_revoke.bash

@@ -3 +3 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
@@ -9 +11 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"

test/test-23_TLS_reverse_proxy_mismatched_priorities.bash

@@ -3 +3 @@
 set -e
 : ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
 
 testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
@@ -14 +16 @@
 function stop_backend
 {
-    backend_apache "${dir}" "backend.conf" stop
+    backend_apache "${testdir}" "backend.conf" stop
 }
 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"

test/test-24_pkcs11_cert.bash

@@ -3 +3 @@
 testdir="$(dirname ${0})/tests/24_pkcs11_cert"
 
-# The Apache/SoftHSM configuration mixes up directories, so generate a
-# config file with an absolute path to the token database from a
-# template. Generating it on every run avoids problems if the source
+# The Apache/SoftHSM configuration mixes up directories, so generate
+# config files with absolute paths to the token database from a
+# template. Generating them on every run avoids problems if the source
 # tree was moved.
 tmp_softhsm_conf="$(mktemp mod_gnutls_test-XXXXXX.conf)"
@@ -14 +14 @@
 trap cleanup_tmpconf EXIT
 
-sed "s,__DIR__,$(realpath $(pwd))," \
-    "${testdir}/softhsm.conf.in" \
-    >"${tmp_softhsm_conf}"
-export SOFTHSM_CONF="${tmp_softhsm_conf}"
+if [ "${SOFTHSM_MAJOR_VERSION}" = "1" ]; then
+    cat - >"${tmp_softhsm_conf}" <<EOF
+0:$(realpath $(pwd))/server/softhsm.db
+EOF
+    export SOFTHSM_CONF="${tmp_softhsm_conf}"
+elif [ "${SOFTHSM_MAJOR_VERSION}" = "2" ]; then
+    cat - >"${tmp_softhsm_conf}" <<EOF
+objectstore.backend = file
+directories.tokendir = $(realpath $(pwd))/server/softhsm2.db
+EOF
+    export SOFTHSM2_CONF="${tmp_softhsm_conf}"
+fi
+
 echo "Generated temporary SoftHSM config ${tmp_softhsm_conf}:"
 cat "${tmp_softhsm_conf}"

test/test_ca.mk

@@ -35 +35 @@
 # conditions with parallel make. Locking avoids this problem.
 %/cert.pgp: %/minimal.pgp authority/gpg.conf
-        GNUPGHOME=authority flock authority/lock gpg --import $<
-        GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
+        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
         GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
 
@@ -48 +48 @@
         certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
 
+# normal case: certificates signed by test CA
 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
         certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
 
-%/softhsm.db: %/x509.pem %/secret.key
-        SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
+# error case: certificates signed by rogue CA
+rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
+        certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
+
+%/softhsm.conf: %/secret.key
+        echo "0:$(dir $@)softhsm.db" > $@
+
+%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
+        SOFTHSM="$(SOFTHSM)" \
+        SOFTHSM_CONF="$(dir $@)softhsm.conf" \
+        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
+
+%/softhsm2.conf: %/secret.key
+        echo "objectstore.backend = file" > $@
+        echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@
+
+%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
+        mkdir -p $@
+        SOFTHSM="$(SOFTHSM)" \
+        SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
+        $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
 
 # Generate CRL revoking a certain certificate. Currently used to

test/tests/00_basic/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/01_serverwide_priorities/apache.conf

@@ -5 +5 @@
 GnuTLSPriorities NORMAL
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/02_cache_in_vhost/apache.conf

@@ -1 +1 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCache dbm cache/gnutls_cache

test/tests/03_cachetimeout_in_vhost/apache.conf

@@ -1 +1 @@
 Include ${srcdir}/base_apache.conf
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
  GnuTLSCacheTimeout 200

test/tests/04_basic_nosni/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/05_mismatched-priorities/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/06_verify_sni_a/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13 +13 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On

test/tests/07_verify_sni_b/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15 +15 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
@@ -13 +13 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On

test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-NameVirtualHost ${TEST_IP}:${TEST_PORT}
+NameVirtualHost _default_:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName imposter.example
  GnuTLSEnable On
@@ -15 +15 @@
 </VirtualHost>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/10_basic_client_verification/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/11_basic_client_verification_fail/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/12_cgi_variables/apache.conf

@@ -8 +8 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/13_cgi_variables_no_client_cert/apache.conf

@@ -8 +8 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/14_basic_openpgp/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/15_basic_msva/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/16_view-status/apache.conf

@@ -9 +9 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/16_view-status/gnutls-cli.args

@@ -1 +1 @@
 --x509cafile=authority/x509.pem
---priority=NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL
+--priority=NONE:+VERS-TLS1.2:+AES-128-CBC:+SHA256:+RSA:+COMP-NULL:+SIGN-RSA-SHA256

test/tests/16_view-status/output

@@ -1 @@
-<dt>using TLS:</dt><dd>yes</dd>
-<dt>This TLS Session:</dt><dd>(TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)</dd>
+<dt>Using TLS:</dt><dd>yes</dd>
+<dt>Current TLS session:</dt><dd>(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)</dd>
 </dl>
 </body></html>

test/tests/17_cgi_vars_large_cert/apache.conf

@@ -8 +8 @@
 </Directory>
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/18_client_verification_wrong_cert/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/18_client_verification_wrong_cert/gnutls-cli.args

@@ -1 @@
---x509certfile=rogueca/x509.pem
---x509keyfile=rogueca/secret.key
+--x509certfile=rogueclient/x509.pem
+--x509keyfile=rogueclient/secret.key
 --x509cafile=authority/x509.pem
 --priority=NORMAL

test/tests/19_TLS_reverse_proxy/apache.conf

@@ -4 +4 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/19_TLS_reverse_proxy/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On

test/tests/20_TLS_reverse_proxy_client_auth/apache.conf

@@ -4 +4 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/20_TLS_reverse_proxy_client_auth/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On

test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf

@@ -4 +4 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf

@@ -1 +1 @@
 Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On

test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf

@@ -4 +4 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On

test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf

@@ -4 +4 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-
-CustomLog logs/${TEST_NAME}.backend.access.log combined
-ErrorLog logs/${TEST_NAME}.backend.error.log
-PidFile backend.pid
+Include ${srcdir}/base_apache.conf
+Include proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache
 
-<VirtualHost ${BACKEND_IP}:${BACKEND_PORT}>
+<VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On

test/tests/24_pkcs11_cert/apache.conf

@@ -3 +3 @@
 GnuTLSCache dbm cache/gnutls_cache
 
-GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
+GnuTLSP11Module ${SOFTHSM_LIB}
 
-<VirtualHost ${TEST_IP}:${TEST_PORT}>
+<VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On

test/tests/Makefile.am

@@ -24 +24 @@
         22_TLS_reverse_proxy_crl_revoke/apache.conf 22_TLS_reverse_proxy_crl_revoke/backend.conf 22_TLS_reverse_proxy_crl_revoke/gnutls-cli.args 22_TLS_reverse_proxy_crl_revoke/input 22_TLS_reverse_proxy_crl_revoke/output \
         23_TLS_reverse_proxy_mismatched_priorities/apache.conf 23_TLS_reverse_proxy_mismatched_priorities/backend.conf 23_TLS_reverse_proxy_mismatched_priorities/gnutls-cli.args 23_TLS_reverse_proxy_mismatched_priorities/input 23_TLS_reverse_proxy_mismatched_priorities/output \
-        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output 24_pkcs11_cert/softhsm.conf.in
+        24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
+        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
+        26_redirect_HTTP_to_HTTPS/apache.conf