Changeset f5342b1 in mod_gnutls

Timestamp:

Apr 16, 2018, 8:42:39 PM (2 months ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, upstream

Children:

300ae82, f4ac9cc

Parents:

e105d3e (diff), 2a912c3 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

New upstream version 0.8.3

Files:

• CHANGELOG (modified) (1 diff)
• configure.ac (modified) (8 diffs)
• doc/mod_gnutls_manual.mdwn (modified) (5 diffs)
• include/mod_gnutls.h.in (modified) (3 diffs)
• src/gnutls_config.c (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (14 diffs)
• src/gnutls_io.c (modified) (3 diffs)
• test/Makefile.am (modified) (10 diffs)
• test/README (modified) (1 diff)
• test/apache-conf/netns.conf.in (modified) (1 diff)
• test/apache_service.bash (added)
• test/base_apache.conf (modified) (1 diff)
• test/common.bash (modified) (1 diff)
• test/ffdhe3072.pem (added)
• test/gnutls_openpgp_support.c (added)
• test/ocsp_server.conf.in (moved) (moved from test/ocsp_server.conf) (1 diff)
• test/proxy_backend.bash (deleted)
• test/proxy_backend.conf.in (modified) (1 diff)
• test/runtests (modified) (12 diffs)
• test/test-14_basic_openpgp.bash (modified) (1 diff)
• test/test-19_TLS_reverse_proxy.bash (modified) (1 diff)
• test/test-20_TLS_reverse_proxy_client_auth.bash (modified) (1 diff)
• test/test-21_TLS_reverse_proxy_wrong_cert.bash (modified) (1 diff)
• test/test-22_TLS_reverse_proxy_crl_revoke.bash (modified) (1 diff)
• test/test-23_TLS_reverse_proxy_mismatched_priorities.bash (modified) (2 diffs)
• test/test-26_redirect_HTTP_to_HTTPS.bash (modified) (3 diffs)
• test/test-27_OCSP_server.bash (modified) (1 diff)
• test/test_ca.mk (modified) (1 diff)
• test/tests/06_verify_sni_a/apache.conf (modified) (1 diff)
• test/tests/07_verify_sni_b/apache.conf (modified) (1 diff)
• test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf (modified) (1 diff)
• test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf (modified) (1 diff)
• test/tests/12_cgi_variables/apache.conf (modified) (1 diff)
• test/tests/12_cgi_variables/output (modified) (1 diff)
• test/tests/17_cgi_vars_large_cert/apache.conf (modified) (1 diff)
• test/tests/17_cgi_vars_large_cert/output (modified) (1 diff)
• test/tests/19_TLS_reverse_proxy/backend.conf (modified) (1 diff)
• test/tests/20_TLS_reverse_proxy_client_auth/backend.conf (modified) (1 diff)
• test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf (modified) (1 diff)
• test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf (modified) (1 diff)
• test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf (modified) (1 diff)
• test/tests/27_OCSP_server/apache.conf (modified) (1 diff)
• test/tests/27_OCSP_server/ocsp.conf (added)
• test/tests/Makefile.am (modified) (1 diff)

CHANGELOG

@@ +1 @@
+** Version 0.8.3 (2017-10-20)
+- Use GnuTLS' default DH parameters by default
+- Handle long Server Name Indication data and gracefully ignore
+  unknown SNI types
+- Send SNI for proxy connections
+- Deprecate OpenPGP support like GnuTLS did (will be removed
+  completely in a future release)
+- Do not announce session ticket support for proxy connections
+- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
+- Test suite: Simplify handling of proxy backend servers and OCSP
+  responders
+- Test suite: stability/compatibility fixes
+
 ** Version 0.8.2 (2017-01-08)
 - Test suite: Ensure CRLF line ends in HTTP headers

configure.ac

@@ -1 @@
-dnl 
-AC_INIT(mod_gnutls, 0.8.2)
+AC_INIT(mod_gnutls, 0.8.3)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -65 +64 @@
 STRICT_CFLAGS=""
 if test "$use_strict" != "no"; then
-        STRICT_CFLAGS="-Wall -Werror -Wextra"
+        STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations"
 fi
 
@@ -84 +83 @@
         AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
               [flock_works="yes"], [flock_works="no"])
+        AC_MSG_RESULT([$flock_works])
+        # Old versions of flock do not support --verbose. They fail
+        # without executing the command but still return 0. Check for
+        # this behavior by testing if the rm command was executed.
+        AC_MSG_CHECKING([whether ${FLOCK} supports --verbose])
+        testfile="$(mktemp)"
+        AS_IF([${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \
+                        >&AS_MESSAGE_LOG_FD 2>&1; test ! -e "${testfile}"],
+              [flock_verbose="yes"; FLOCK="${FLOCK} --verbose"],
+              [flock_verbose="no"; rm "${testfile}"])
+        AC_MSG_RESULT([$flock_verbose])
         rm "${lockfile}"
-        AC_MSG_RESULT([$flock_works])
       ],
       [flock_works="no"])
@@ -143 +152 @@
 # and test specific PID files if using namespaces, defaults otherwise.
 AS_IF([test "$use_netns" = "yes"],
-      [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
-      [MUTEX_TYPE="default"; PID_AFFIX=""])
-AC_SUBST(MUTEX_TYPE)
+      [MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"],
+      [MUTEX_CONF=""; PID_AFFIX=""])
+AC_SUBST(MUTEX_CONF)
 AC_SUBST(PID_AFFIX)
-AM_SUBST_NOTMAKE(MUTEX_TYPE)
+AM_SUBST_NOTMAKE(MUTEX_CONF)
 AM_SUBST_NOTMAKE(PID_AFFIX)
 
@@ -234 +243 @@
 AM_SUBST_NOTMAKE(TEST_IP)
 
+: ${TEST_LOCK_WAIT:="30"}
+: ${TEST_QUERY_TIMEOUT:="30"}
+AC_ARG_VAR([TEST_LOCK_WAIT], [Timeout in seconds to acquire locks for \
+                             Apache instances in the test suite, or the \
+                             previous instance to remove its PID file if \
+                             flock is not used. Default is 30.])
+AC_ARG_VAR([TEST_QUERY_TIMEOUT], [Timeout in seconds for HTTPS requests \
+                                 sent using gnutls-cli in the test suite. \
+                                 Default is 30.])
+
 dnl Allow user to set SoftHSM PKCS #11 module
 AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
@@ -247 +266 @@
 # Available extra ports, tests can "Define" variables of the listed
 # names in their apache.conf to enable them.
-for j in TEST_HTTP_PORT OCSP_PORT; do
+for j in TEST_HTTP_PORT; do
 LISTEN_LIST="${LISTEN_LIST}
 <IfDefine ${j}>"
@@ -272 +291 @@
 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
                         doc/Makefile doc/doxygen.conf include/mod_gnutls.h \
-                        test/proxy_backend.conf \
+                        test/proxy_backend.conf test/ocsp_server.conf \
                         test/apache-conf/listen.conf \
                         test/apache-conf/netns.conf])
@@ -283 +302 @@
 echo "   * Apache Modules directory:    ${AP_LIBEXECDIR}"
 echo "   * GnuTLS Library version:      ${LIBGNUTLS_VERSION}"
+echo "   * CFLAGS for GnuTLS:           ${LIBGNUTLS_CFLAGS}"
+echo "   * LDFLAGS for GnuTLS:  ${LIBGNUTLS_LIBS}"
 echo "   * SRP Authentication:  ${use_srp}"
 echo "   * MSVA Client Verification:    ${use_msva}"

doc/mod_gnutls_manual.mdwn

@@ -178 +178 @@
 ### GnuTLSDHFile
 
-Set to the PKCS \#3 encoded Diffie Hellman parameters
+Use the provided PKCS \#3 encoded Diffie-Hellman parameters
 
     GnuTLSDHFile FILEPATH
@@ -185 +185 @@
 Context: server config, virtual host
 
-Takes an absolute or relative path to a PKCS \#3 encoded DH
-parameters.Those are used when the DHE key exchange method is enabled.
-You can generate this file using `certtool --generate-dh-params --bits
-2048`.  If not set `mod_gnutls` will use the included parameters.
+By default, `mod_gnutls` uses the DH parameters included with GnuTLS
+corresponding to the security level of the configured private keys if
+compiled with GnuTLS 3.5.6 or newer, and the ffdhe2048 DH group as
+defined in RFC 7919, Appendix A.1 otherwise.
+
+If you need to use different DH parameters, you can provide a PEM file
+containing them in PKCS \#3 encoding using this option. Please see the
+"[Parameter
+generation](https://gnutls.org/manual/html_node/Parameter-generation.html)"
+section of the GnuTLS documentation for a short discussion of the
+security implications.
 
 ### GnuTLSPriorities
@@ -353 +360 @@
 OpenPGP Certificate Authentication
 ----------------------------------
+
+*Warning:* OpenPGP support has been deprecated in GnuTLS since version
+3.5.9 and will be removed completely. Consequently, OpenPGP support in
+`mod_gnutls` is deprecated as well and will be removed in a future
+release.
 
 ### GnuTLSPGPCertificateFile
@@ -721 +733 @@
 
 `mod_gnutls` supports "Server Name Indication", as specified in
-RFC 3546. This allows hosting many TLS websites with a single IP
-address. All recent browsers support this standard. Here is an
-example using SNI:
+[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3). This
+allows hosting many TLS websites with a single IP address. All recent
+browsers support this standard. Here is an example using SNI:
 
      # Load the module into Apache.
@@ -889 +901 @@
 -----------------
 
-The SSL or TLS cipher suite name
+The distinguished name of the issuer of the client's certificate in
+RFC2253 format.
 
 `SSL_CLIENT_S_AN%`

include/mod_gnutls.h.in

@@ -285 +285 @@
 apr_status_t apr_signal_block(int signum);
 
- /* Proxy Support */
+/* Proxy Support */
+/** mod_proxy adds a note with this key to the connection->notes table
+ * for client connections */
+#define PROXY_SNI_NOTE "proxy-request-hostname"
 /* An optional function which returns non-zero if the given connection
 is using SSL/TLS. */
@@ -424 +427 @@
                             const int arg);
 
-const char *mgs_set_require_section(cmd_parms *cmd,
-                                    void *mconfig, const char *arg);
 void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
 void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
@@ -432 +433 @@
 
 void *mgs_config_dir_create(apr_pool_t *p, char *dir);
-
-const char *mgs_set_require_bytecode(cmd_parms *cmd,
-                                    void *mconfig, const char *arg);
 
 mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);

src/gnutls_config.c

@@ -84 +84 @@
 }
 
-/* 2048-bit group parameters from SRP specification */
-const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
-        "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
-        "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
-        "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
-        "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
-        "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
-        "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
-        "-----END DH PARAMETERS-----\n";
-
-/*
- * Clean up the various GnuTLS data structures allocated from
+
+
+/**
+ * Clean up the various GnuTLS data structures allocated by
  * mgs_load_files()
  */
@@ -254 +246 @@
 #endif
 
-    if (sc->dh_params == NULL)
-    {
-        ret = gnutls_dh_params_init(&sc->dh_params);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize"
-                         ": (%d) %s", ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        /* Load DH parameters */
-        if (sc->dh_file)
+    /* Load user provided DH parameters, if any */
+    if (sc->dh_file)
+    {
+        if (sc->dh_params == NULL)
         {
-            if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
+            ret = gnutls_dh_params_init(&sc->dh_params);
+            if (ret < 0) {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+                             "GnuTLS: Failed to initialize"
+                             ": (%d) %s", ret, gnutls_strerror(ret));
                 ret = -1;
                 goto cleanup;
             }
-
-            ret =
-                gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
-                                              GNUTLS_X509_FMT_PEM);
-            if (ret < 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Failed to Import "
-                             "DH params '%s': (%d) %s", sc->dh_file, ret,
-                             gnutls_strerror(ret));
-                ret = -1;
-                goto cleanup;
-            }
-        } else {
-            gnutls_datum_t pdata = {
-                (void *) static_dh_params,
-                sizeof(static_dh_params)
-            };
-
-            ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
-            if (ret < 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Unable to generate or load DH Params: (%d) %s",
-                             ret, gnutls_strerror(ret));
-                ret = -1;
-                goto cleanup;
-            }
+        }
+
+        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+            ret = -1;
+            goto cleanup;
+        }
+
+        ret =
+            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
+                                          GNUTLS_X509_FMT_PEM);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "DH params '%s': (%d) %s", sc->dh_file, ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
         }
     }
@@ -1109 +1087 @@
     sc->priorities = NULL;
     sc->dh_params = NULL;
+    sc->dh_file = NULL;
     sc->ca_list = NULL;
     sc->ca_list_size = 0;

src/gnutls_hooks.c

@@ -4 +4 @@
  *  Copyright 2011 Dash Shendy
  *  Copyright 2013-2014 Daniel Kahn Gillmor
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2017 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -70 +70 @@
     session_ticket_key.data = NULL;
     session_ticket_key.size = 0;
-        /* Deinitialize GnuTLS Library */
-    gnutls_global_deinit();
     return APR_SUCCESS;
 }
@@ -118 +116 @@
     }
 
-        /* Initialize GnuTLS Library */
-    ret = gnutls_global_init();
-    if (ret < 0) {
-                ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_global_init: %s", gnutls_strerror(ret));
-                return DONE;
-    }
-
         /* Generate a Session Key */
     ret = gnutls_session_ticket_key_generate(&session_ticket_key);
@@ -143 +134 @@
 }
 
-static int mgs_select_virtual_server_cb(gnutls_session_t session) {
-
-    mgs_handle_t *ctxt = NULL;
-    mgs_srvconf_rec *tsc = NULL;
+/**
+ * Post client hello function for GnuTLS, used to configure the TLS
+ * server based on virtual host configuration. Uses SNI to select the
+ * virtual host if available.
+ *
+ * @param session the TLS session
+ *
+ * @return zero or a GnuTLS error code, as required by GnuTLS hook
+ * definition
+ */
+static int mgs_select_virtual_server_cb(gnutls_session_t session)
+{
     int ret = 0;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
-    ctxt = gnutls_transport_get_ptr(session);
-
-    /* find the virtual server */
-    tsc = mgs_find_sni_server(session);
-
-    if (tsc != NULL) {
-        // Found a TLS vhost based on the SNI from the client; use it instead.
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+
+    /* try to find a virtual host */
+    mgs_srvconf_rec *tsc = mgs_find_sni_server(session);
+    if (tsc != NULL)
+    {
+        /* Found a TLS vhost based on the SNI, configure the
+         * connection context. */
         ctxt->sc = tsc;
         }
@@ -186 +183 @@
      * negotiation.
      */
-
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
+
     /* actually it shouldn't fail since we have checked at startup */
     return ret;
-
 }
 
@@ -313 +309 @@
 }
 
+
+
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+#define HAVE_KNOWN_DH_GROUPS 1
+#endif
+#ifdef HAVE_KNOWN_DH_GROUPS
+/**
+ * Try to estimate a GnuTLS security parameter based on the given
+ * private key. Any errors are logged.
+ *
+ * @param s The `server_rec` to use for logging
+ *
+ * @param key The private key to use
+ *
+ * @return `gnutls_sec_param_t` as returned by
+ * `gnutls_pk_bits_to_sec_param` for the key properties, or
+ * GNUTLS_SEC_PARAM_UNKNOWN in case of error
+ */
+static gnutls_sec_param_t sec_param_from_privkey(server_rec *server,
+                                                 gnutls_privkey_t key)
+{
+    unsigned int bits = 0;
+    int pk_algo = gnutls_privkey_get_pk_algorithm(key, &bits);
+    if (pk_algo < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
+                     "%s: Could not get private key parameters: %s (%d)",
+                     __func__, gnutls_strerror(pk_algo), pk_algo);
+        return GNUTLS_SEC_PARAM_UNKNOWN;
+    }
+    return gnutls_pk_bits_to_sec_param(pk_algo, bits);
+}
+#else
+/** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
+ * the default DH group if mod_gnutls is compiled agains a GnuTLS
+ * version that does not provide known DH groups based on security
+ * parameters (before 3.5.6). */
+static const char FFDHE2048_PKCS3[] =
+    "-----BEGIN DH PARAMETERS-----\n"
+    "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+    "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+    "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+    "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+    "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+    "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
+    "-----END DH PARAMETERS-----\n";
+const gnutls_datum_t default_dh_params = {
+    (void *) FFDHE2048_PKCS3,
+    sizeof(FFDHE2048_PKCS3)
+};
+#endif
+
+
+
+/**
+ * Configure the default DH groups to use for the given server. When
+ * compiled against GnuTLS version 3.5.6 or newer the known DH group
+ * matching the GnuTLS security parameter estimated from the private
+ * key is used. Otherwise the ffdhe2048 DH group as defined in RFC
+ * 7919, Appendix A.1 is the default.
+ *
+ * @param server the host to configure
+ *
+ * @return `OK` on success, `HTTP_UNAUTHORIZED` otherwise
+ */
+static int set_default_dh_param(server_rec *server)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(server->module_config, &gnutls_module);
+
+#ifdef HAVE_KNOWN_DH_GROUPS
+    gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
+    if (sc->privkey_x509)
+    {
+        seclevel = sec_param_from_privkey(server, sc->privkey_x509);
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, server,
+                     "%s: GnuTLS security param estimated based on "
+                     "private key '%s': %s",
+                     __func__, sc->x509_key_file,
+                     gnutls_sec_param_get_name(seclevel));
+    }
+
+    if (seclevel == GNUTLS_SEC_PARAM_UNKNOWN)
+        seclevel = GNUTLS_SEC_PARAM_MEDIUM;
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                 "%s: Setting DH params for security level '%s'.",
+                 __func__, gnutls_sec_param_get_name(seclevel));
+
+    int ret = gnutls_certificate_set_known_dh_params(sc->certs, seclevel);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
+                     "%s: setting known DH params failed: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    ret = gnutls_anon_set_server_known_dh_params(sc->anon_creds, seclevel);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
+                     "%s: setting known DH params failed: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+#else
+    int ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "%s: Failed to initialize DH params structure: "
+                     "%s (%d)", __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
+                                        GNUTLS_X509_FMT_PEM);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "%s: Failed to import default DH params: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+
+    gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
+    gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
+#endif
+
+    return OK;
+}
+
+
+
 /**
  * Post config hook.
@@ -328 +456 @@
     int rv;
     server_rec *s;
-    gnutls_dh_params_t dh_params = NULL;
     mgs_srvconf_rec *sc;
     mgs_srvconf_rec *sc_base;
@@ -359 +486 @@
                                     base_server, pconf, 0);
         if (rv != APR_SUCCESS)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, base_server,
-                         "Failed to create mutex '" MGS_OCSP_MUTEX_NAME
-                         "'.");
-            return HTTP_INTERNAL_SERVER_ERROR;
-        }
+            return rv;
     }
 
@@ -443 +565 @@
         }
 
-        /* Check if DH params have been set per host */
+        /* Set host DH params from user configuration or defaults */
         if (sc->dh_params != NULL) {
             gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
             gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
-        } else if (dh_params) {
-            gnutls_certificate_set_dh_params(sc->certs, dh_params);
-            gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
+        } else {
+            rv = set_default_dh_param(s);
+            if (rv != OK)
+                return rv;
         }
 
@@ -484 +607 @@
         }
 
+        /* If OpenPGP support is already disabled in the loaded GnuTLS
+         * library startup will fail if the configuration tries to
+         * load PGP credentials. Otherwise warn affected users about
+         * deprecation. */
+        if (sc->pgp_cert_file || sc->pgp_key_file || sc->pgp_ring_file)
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                         "Host '%s:%d' is configured to use OpenPGP auth. "
+                         "OpenPGP support has been deprecated in GnuTLS "
+                         "since version 3.5.9 and will be removed from "
+                         "mod_gnutls in a future release.",
+                         s->server_hostname, s->port);
+
         if (sc->enabled == GNUTLS_ENABLED_TRUE) {
             rv = -1;
@@ -606 +741 @@
 }
 
-#define MAX_HOST_LEN 255
+/**
+ * Default buffer size for SNI data, including the terminating NULL
+ * byte. The size matches what gnutls-cli uses initially.
+ */
+#define DEFAULT_SNI_HOST_LEN 256
 
 typedef struct {
@@ -699 +838 @@
 }
 
+/**
+ * Get SNI data from GnuTLS (if any) and search for a matching virtual
+ * host configuration. This method is called from the post client
+ * hello function.
+ *
+ * @param session the GnuTLS session
+ *
+ * @return either the matching mod_gnutls server config, or `NULL`
+ */
 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
 {
-    int rv;
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+
+    char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN);
+    size_t sni_len = DEFAULT_SNI_HOST_LEN;
     unsigned int sni_type;
-    size_t data_len = MAX_HOST_LEN;
-    char sni_name[MAX_HOST_LEN];
-    mgs_handle_t *ctxt;
-    vhost_cb_rec cbx;
-
-    if (session == NULL)
+
+    /* Search for a DNS SNI element. Note that RFC 6066 prohibits more
+     * than one server name per type. */
+    int sni_index = -1;
+    int rv = 0;
+    do {
+        /* The sni_index is incremented before each use, so if the
+         * loop terminates with a type match we will have the right
+         * one stored. */
+        rv = gnutls_server_name_get(session, sni_name,
+                                    &sni_len, &sni_type, ++sni_index);
+        if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
+                          "%s: no DNS SNI found (last index: %d).",
+                          __func__, sni_index);
+            return NULL;
+        }
+    } while (sni_type != GNUTLS_NAME_DNS);
+    /* The (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) path inside
+     * the loop above returns, so if we reach this point we have a DNS
+     * SNI at the current index. */
+
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+        /* Allocate a new buffer of the right size and retry */
+        sni_name = apr_palloc(ctxt->c->pool, sni_len);
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT
+                      " bytes.", __func__, sni_len);
+        rv = gnutls_server_name_get(session, sni_name,
+                                    &sni_len, &sni_type, sni_index);
+    }
+
+    /* Unless there's a bug in the GnuTLS API only GNUTLS_E_IDNA_ERROR
+     * can occur here, but a catch all is safer and no more
+     * complicated. */
+    if (rv != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, ctxt->c,
+                      "%s: error while getting SNI DNS data: '%s' (%d).",
+                      __func__, gnutls_strerror(rv), rv);
         return NULL;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = gnutls_transport_get_ptr(session);
-
-    rv = gnutls_server_name_get(ctxt->session, sni_name,
-            &data_len, &sni_type, 0);
-
-    if (rv != 0) {
-        return NULL;
-    }
-
-    if (sni_type != GNUTLS_NAME_DNS) {
-        ap_log_cerror(APLOG_MARK, APLOG_CRIT, 0, ctxt->c,
-                      "GnuTLS: Unknown type '%d' for SNI: '%s'",
-                      sni_type, sni_name);
-        return NULL;
-    }
-
-    /**
-     * Code in the Core already sets up the c->base_server as the base
-     * for this IP/Port combo.  Trust that the core did the 'right' thing.
-     */
-    cbx.ctxt = ctxt;
-    cbx.sc = NULL;
-    cbx.sni_name = sni_name;
-
+    }
+
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                  "%s: client requested server '%s'.",
+                  __func__, sni_name);
+
+    /* Search for vhosts matching connection parameters and the
+     * SNI. If a match is found, cbx.sc will contain the mod_gnutls
+     * server config for the vhost. */
+    vhost_cb_rec cbx = {
+        .ctxt = ctxt,
+        .sc = NULL,
+        .sni_name = sni_name
+    };
     rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
     if (rv == 1) {
@@ -824 +999 @@
             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                           "gnutls_init for proxy connection failed: %s (%d)",
-                          gnutls_strerror(err), err);
-        err = gnutls_session_ticket_enable_client(ctxt->session);
-        if (err != GNUTLS_E_SUCCESS)
-            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
-                          "gnutls_session_ticket_enable_client failed: %s (%d)",
                           gnutls_strerror(err), err);
     }
@@ -1791 +1961 @@
     /* Get peer hostname from a note left by mod_proxy */
     const char *peer_hostname =
-        apr_table_get(ctxt->c->notes, "proxy-request-hostname");
+        apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
     if (peer_hostname == NULL)
         ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
-                      "%s: proxy-request-hostname is NULL, cannot check "
+                      "%s: " PROXY_SNI_NOTE " NULL, cannot check "
                       "peer's hostname", __func__);
 

src/gnutls_io.c

@@ -3 +3 @@
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2017 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -395 +395 @@
     }
 
+    /* Enable SNI for proxy connections */
+    if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
+    {
+        /* Get peer hostname from note left by mod_proxy */
+        const char *peer_hostname =
+            apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+        /* Used only as target for apr_ipsubnet_create() */
+        apr_ipsubnet_t *probe;
+        /* Check if the note is present (!= NULL) and NOT an IP
+         * address */
+        if ((peer_hostname) != NULL
+            && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
+                != APR_SUCCESS))
+        {
+            ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
+                                         peer_hostname, strlen(peer_hostname));
+            if (ret != GNUTLS_E_SUCCESS)
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                              "Could not set SNI '%s' for proxy connection: "
+                              "%s (%d)",
+                              peer_hostname, gnutls_strerror(ret), ret);
+        }
+    }
+
 tryagain:
     do {
@@ -446 +470 @@
         /* all done with the handshake */
         ctxt->status = 1;
-        /* If the session was resumed, we did not set the correct
-         * server_rec in ctxt->sc.  Go Find it. (ick!)
-         */
-        if (gnutls_session_is_resumed(ctxt->session)) {
-            mgs_srvconf_rec *sc;
-            sc = mgs_find_sni_server(ctxt->session);
-            if (sc) {
-                ctxt->sc = sc;
-            }
+        if (gnutls_session_is_resumed(ctxt->session))
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "%s: TLS session resumed.", __func__);
         }
         return GNUTLS_E_SUCCESS;

test/Makefile.am

@@ -32 +32 @@
         test-27_OCSP_server.bash
 
+TEST_EXTENSIONS = .bash
 TESTS = $(dist_check_SCRIPTS)
 
-check_PROGRAMS = pgpcrc
+check_PROGRAMS = pgpcrc gnutls_openpgp_support
 pgpcrc_SOURCES = pgpcrc.c
+gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
+gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
+gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)
 
 # build OCSP database tool
@@ -41 +45 @@
 check_PROGRAMS += gen_ocsp_index
 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
 gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS)
 noinst_HEADERS = cert_helper.h
@@ -109 +114 @@
 # necessary.
 MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
-        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
+        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* \
+        authority/tofu.db
 # GnuPG random pool, no need to regenerate on every build
 CLEANFILES += authority/random_seed
+
+# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
+# identity) while creating the PGP certificates. This target is called
+# by both "check-local" and "mostlyclean-local": The former because
+# agent processes are started while preparing for "check" and are no
+# longer needed afterwards, the latter to make sure they are gone
+# along with their certificates.
+stop-gnupg-agent:
+        for id in $(pgp_identities) $(msva_home); do \
+                GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
+        done
+
+check-local: stop-gnupg-agent
 
 # Delete lock files for test servers on "mostlyclean" target.
@@ -124 +143 @@
         mkdir -p -m 0700 $(dir $@)
         GNUPGHOME=$(dir $@) gpg --import < $<
-        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+        printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
         GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
         printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
@@ -171 +190 @@
         mkdir -p $(extra_dirs)
 
-.PHONY: make-test-dirs clean-softhsm2-db
-
-mostlyclean-local: clean-softhsm2-db
+.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
+
+
+mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
         -rmdir $(pgp_identities:=/private-keys-v1.d) || true
 if USE_MSVA
@@ -179 +199 @@
 endif
 
+# Delete test data directories, and wait for test services to
+# exit. The reason for the wait is that Apache instances may take some
+# time to exit and delete their PID files. Occasionally some PID files
+# where still around during "distcheck" runs by the time the target
+# checked if the build directory was really empty after "distclean",
+# breaking the build. Delaying "clean-local" until PID files are gone
+# avoids this issue, and the timeout will expose actually unclean
+# stops.
 clean-local:
         -rmdir $(identities) || true
@@ -185 +213 @@
         -rmdir $(msva_home) || true
 endif
+        wait=0; \
+        while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
+                wait=$$(($$wait + 1)); \
+                echo "waiting for test services to exit ($$wait seconds)"; \
+                sleep 1; \
+        done
 
 # Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
-        data/secret.txt data/test.txt mime.types ocsp_server.conf \
+        data/secret.txt data/test.txt ffdhe3072.pem mime.types \
         proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
-        common.bash proxy_backend.bash runtests server-crl.template \
+        apache_service.bash common.bash runtests server-crl.template \
         softhsm.bash
 
@@ -199 +233 @@
 # Lockfile for the proxy backend Apache process (if any)
 backend_lockfile = ./backend.lock
-# Maximum wait time in seconds for flock to aquire instance lock
-# files, or Apache to remove its PID file
-lock_wait = 30
+# Lockfile for the OCSP server Apache process (if any)
+ocsp_lockfile = ./ocsp.lock
 
 # port for the main Apache server
@@ -207 +240 @@
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
-# port for OCSP server (Apache vhost if enabled)
+# port for TLS proxy backend server
+BACKEND_PORT ?= 9934
+# port for the OCSP responder
 if ENABLE_OCSP_TEST
 OCSP_PORT ?= 9936
 endif
 # maximum time to wait for MSVA startup (milliseconds)
-TEST_MSVA_MAX_WAIT ?= 10000
+TEST_SERVICE_MAX_WAIT ?= 10000
 # wait loop time for MSVA startup (milliseconds)
-TEST_MSVA_WAIT ?= 400
-# seconds for the HTTP request to be sent and responded to
-TEST_QUERY_DELAY ?= 30
+TEST_SERVICE_WAIT ?= 400
 
 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
         export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
-        export TEST_LOCK_WAIT="$(lock_wait)"; \
+        export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
         export TEST_HOST="@TEST_HOST@"; \
         export TEST_PORT="$(TEST_PORT)"; \
         export MSVA_PORT="$(MSVA_PORT)"; \
-        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
-        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
-        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
+        export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
+        export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
+        export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
         export BACKEND_HOST="@TEST_HOST@"; \
+        export BACKEND_PORT="$(BACKEND_PORT)"; \
         export HTTP_CLI="@HTTP_CLI@";
 
@@ -245 +279 @@
         export USE_TEST_NAMESPACE=1;
 endif
-# Without flock tests must not run in parallel. Otherwise set lock files.
+# Without flock tests must not run in parallel, and PID files are used
+# to prevent conflicts between server instances. Otherwise set lock
+# files for flock.
 if DISABLE_FLOCK
+AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
+        export BACKEND_LOCK="backend.pid"; \
+        export OCSP_LOCK="ocsp.pid";
 .NOTPARALLEL:
 else
 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
         export TEST_LOCK="$(test_lockfile)"; \
-        export BACKEND_LOCK="$(backend_lockfile)";
+        export BACKEND_LOCK="$(backend_lockfile)"; \
+        export OCSP_LOCK="$(ocsp_lockfile)";
 endif
 

test/README

@@ -130 +130 @@
  * If a machine is particularly slow or under heavy load, it's
    possible that these tests will fail for timing
-   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
-   and responded to)]
+   reasons. [TEST_QUERY_TIMEOUT (timeout for the HTTPS request in
+   seconds)]
 
 The first two of these issues are avoided when the tests are isolated

test/apache-conf/netns.conf.in

@@ -1 +1 @@
 # This file contains options that are different depending on whether
 # tests use namespaces or not.
-Mutex   @MUTEX_TYPE@    default
+@MUTEX_CONF@
 PidFile apache2@PID_AFFIX@.pid

test/base_apache.conf

@@ -1 +1 @@
 ServerRoot ${PWD}
+DefaultRuntimeDir cache/
 
 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

test/common.bash

@@ -15 +15 @@
         sleep 1
     done
+}
+
+
+
+# Usage: verbose_log [...]
+#
+# If VERBOSE is not empty, write a log message prefixed with the name
+# of the calling function. The function is defined to a no-op
+# otherwise.
+if [ -n "${VERBOSE}" ]; then
+    function verbose_log
+    {
+        echo "${FUNCNAME[1]}: ${@}"
+    }
+else
+    function verbose_log
+    {
+        return
+    }
+fi
+
+
+
+# Usage: wait_ready COMMAND [TIMEOUT] [STEP]
+#
+# Wait until COMMAND terminates with success (zero exit code), or
+# until the TIMEOUT (in milliseconds) expires. TIMEOUT defaults to
+# $TEST_SERVICE_MAX_WAIT if unset. A TIMEOUT of zero means to try
+# once.
+#
+# COMMAND is retried every STEP milliseconds, the default is
+# $TEST_SERVICE_WAIT. Note that the last try may happen a little after
+# TIMEOUT expires if STEP does not evenly divide it.
+function wait_ready
+{
+    local command="${1}"
+    if [ -z "${2}" ]; then
+        local -i timeout="${TEST_SERVICE_MAX_WAIT}"
+    else
+        local -i timeout="${2}"
+    fi
+    local -i step="${3}"
+    [ ${step} -gt 0 ] || step="${TEST_SERVICE_WAIT}"
+    # convert step to seconds because that's what "sleep" needs
+    local sec_step="$((${step} / 1000)).$((${step} % 1000))"
+
+    verbose_log "Waiting for \"${command}\" ..."
+    local -i waited=0
+    until eval "${command}"; do
+        if [ "${waited}" -ge "${timeout}" ]; then
+            echo "${FUNCNAME[0]}: Timed out waiting for \"${command}\"" \
+                 "to succeed (waited ${waited} ms)." >&2
+            return 1
+        fi
+        waited=$((waited + step));
+        sleep "${sec_step}"
+        verbose_log "waiting (${waited} ms)"
+    done
+    verbose_log "done (waited ${waited} ms)"
 }
 

test/ocsp_server.conf.in

@@ +1 @@
+Define  OCSP_PORT       ${OCSP_PORT}
+Define  TEST_PORT       ${OCSP_PORT}
+
+Include ${srcdir}/base_apache.conf
+
 Include         ${srcdir}/cgi_module.conf
 LoadModule      env_module              ${AP_LIBEXECDIR}/mod_env.so
 LoadModule      rewrite_module          ${AP_LIBEXECDIR}/mod_rewrite.so
+
+# separate log and PID file
+CustomLog       logs/${TEST_NAME}.ocsp.access.log combined
+ErrorLog        logs/${TEST_NAME}.ocsp.error.log
+PidFile         ocsp@PID_AFFIX@.pid
+
 <IfDefine !OCSP_INDEX>
         # Default index file, define OCSP_INDEX in the test specific

test/proxy_backend.conf.in

@@ +1 @@
+# redefine TEST_PORT before loading the base config
+Define  TEST_PORT       ${BACKEND_PORT}
+Include ${srcdir}/base_apache.conf
+
 # common options for proxy backend servers
 CustomLog       logs/${TEST_NAME}.backend.access.log combined

test/runtests

@@ -7 +7 @@
 set -e
 . ${srcdir}/common.bash
+. ${srcdir}/apache_service.bash
 netns_reexec ${@}
 
@@ -17 +18 @@
     testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
 fi
+testdir="$(realpath ${testid})"
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_TIMEOUT TEST_SERVICE_WAIT \
                  MSVA_PORT; do
     if [ ! -v "$v" ]; then
@@ -34 +36 @@
 function pinpoint_error()
 {
-    echo "${1} failed at line ${2}!" >&2
-}
-trap 'pinpoint_error ${BASH_SOURCE} ${LINENO}' ERR
+    echo "Command \"${BASH_COMMAND}\" failed. Call trace:" >&2
+    local stack=0
+    while caller $((stack++)) >&2; do true; done
+}
+trap 'pinpoint_error' ERR
 
 function stop_msva()
@@ -89 +93 @@
         if [ -n "${pid}" ] && ps -p "${pid}"; then
             kill "${pid}"
+        else
+            echo "No running process with PID ${pid} (${pidfile})."
         fi
         rm "${pidfile}"
@@ -96 +102 @@
 function apache_down_err() {
     printf "FAILURE: %s\n" "$TEST_NAME"
-    ${APACHE2} -f "${t}/apache.conf" -k stop || true
+    ${APACHE2} -f "${testdir}/apache.conf" -k stop || true
     if [ -e output ]; then
         printf "\ngnutls-cli outputs:\n"
         diff_output_filter_headers "output" "$output" || true
+    fi
+
+    if [ -r "${testdir}/backend.conf" ]; then
+        apache_service "${testdir}" "backend.conf" stop || true
+    fi
+
+    if [ -r "${testdir}/ocsp.conf" ]; then
+        apache_service "${testdir}" "ocsp.conf" stop || true
     fi
 
@@ -123 +137 @@
 
     printf "TESTING: initial MSVA verification\n"
-    # set to 0 if MSVA is up
-    ret=1
     export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
 
-    # convert TEST_MSVA_WAIT to seconds because that's what "sleep" expects
-    TEST_MSVA_SLEEP="$((${TEST_MSVA_WAIT} / 1000)).$((${TEST_MSVA_WAIT} % 1000))"
-    # wait at most TEST_MSVA_MAX_WAIT milliseconds for MSVA to get ready
-    waited=0
-    until [ ${ret} -eq 0 ] \
-              || [ ${waited} -ge ${TEST_MSVA_MAX_WAIT} ]; do
-        if msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem
-        then
-            ret=0
-        else
-            echo "MSVA not ready yet"
-        fi
-        sleep "${TEST_MSVA_SLEEP}"
-        waited=$((${waited} + ${TEST_MSVA_WAIT}))
-    done
-
+    msva_test_cmd="msva-query-agent https \"$(cat client.uid)\" x509pem client < client/x509.pem"
     # check if MSVA is up, fail if not
-    if [ ${ret} -eq 0 ]; then
+    if wait_ready "${msva_test_cmd}"; then
         printf "\nSUCCESS: initial MSVA verification\n"
     else
@@ -152 +149 @@
 fi
 
-TEST_PID="apache2.pid"
 # configure locking for the Apache process
 if [ -n "${USE_TEST_NAMESPACE}" ]; then
     echo "Using namespaces to isolate tests, no need for locking."
     flock_cmd=""
-elif [ -n "${TEST_LOCK}" ]; then
+elif [ -n "${FLOCK}" ]; then
     flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
 else
     echo "Locking disabled, using wait based on Apache PID file."
-    wait_pid_gone "${TEST_PID}"
+    wait_pid_gone "${TEST_LOCK}"
     flock_cmd=""
 fi
 
-t="$(realpath ${testid})"
 export srcdir="$(realpath ${srcdir})"
-export TEST_NAME="$(basename "$t")"
+export TEST_NAME="$(basename "${testdir}")"
 output="outputs/${TEST_NAME}.output"
 rm -f "$output"
 
-if [ -e ${t}/fail.* ]; then
+if [ -e ${testdir}/fail.* ]; then
     EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
 else
@@ -179 +174 @@
 trap apache_down_err EXIT
 if [ -n "${USE_MSVA}" ]; then
-    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
-                                        ${flock_cmd} \
-                                        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
-else
-    ${flock_cmd} \
-        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
+    export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
+fi
+
+# If VERBOSE is enabled, log the HTTPD build configuration
+if [ -n "${VERBOSE}" ]; then
+    ${APACHE2} -f "${srcdir}/base_apache.conf" -V
+fi
+
+# Start OCSP responder, if configured
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" start "${OCSP_LOCK}"
+    CHECK_OCSP_SERVER="true"
+    if [ -n "${VERBOSE}" ]; then
+        echo "OCSP index for the test CA:"
+        cat authority/ocsp_index.txt
+    fi
+fi
+
+# Start proxy backend server, if configured
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
+fi
+
+if ! ${flock_cmd} ${APACHE2} -f "${testdir}/apache.conf" -k start; then
+    if [ -e "${testdir}/fail.server" ]; then
+        echo "Apache HTTPD failed to start as expected."
+        exit 0
+    else
+        echo "Apache HTTPD unexpectedly failed to start."
+        exit 1
+    fi
 fi
 
@@ -195 +213 @@
     fi
     echo "---- Testing OCSP server ----"
-    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
+    wait_ready "ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}"
     echo "---- OCSP test done ----"
 fi
@@ -212 +230 @@
 # end with CRLF as required by RFC 7230, Section 3.1.1 regardless of
 # the line ends in the input file.
-if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${t}/input && \
-           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
+if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${testdir}/input && \
+           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_TIMEOUT}" &) | \
+       gnutls-cli -p "${TEST_PORT}" $(cat ${testdir}/gnutls-cli.args) "${TEST_HOST}" \
        | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
 then
-    if [ -e ${t}/fail* ]; then
-        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
+    if [ -e ${testdir}/fail* ]; then
+        printf "%s should have failed but succeeded\n" "$(basename "$testdir")" >&2
         exit 1
     fi
 else
-    if [ ! -e ${t}/fail* ]; then
-        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
+    if [ ! -e ${testdir}/fail* ]; then
+        printf "%s should have succeeded but failed\n" "$(basename "$testdir")" >&2
         exit 1
     fi
@@ -231 +249 @@
 unset sleep_pidfile
 
-if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" >&2
+if [ -e ${testdir}/output ] ; then
+    diff_output_filter_headers "${testdir}/output" "$output" >&2
 fi
 if [ -n "${USE_MSVA}" ]; then
@@ -239 +257 @@
     trap - EXIT
 fi
-${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
+${APACHE2} -f "${testdir}/apache.conf" -k stop || [ -e ${testdir}/fail.server ]
 printf "SUCCESS: %s\n" "$TEST_NAME"
+
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" stop || true
+fi
+
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" stop || true
+fi
 
 if [ -n "${USE_MSVA}" ]; then

test/test-14_basic_openpgp.bash

@@ -1 +1 @@
 #!/bin/bash
+./gnutls_openpgp_support || exit $?
 ${srcdir}/runtests t-14

test/test-19_TLS_reverse_proxy.bash

@@ -1 +1 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/19_TLS_reverse_proxy"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-19
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT

test/test-20_TLS_reverse_proxy_client_auth.bash

@@ -1 +1 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-20
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT

test/test-21_TLS_reverse_proxy_wrong_cert.bash

@@ -1 +1 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-21
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT

test/test-22_TLS_reverse_proxy_crl_revoke.bash

@@ -1 +1 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-22
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT

test/test-23_TLS_reverse_proxy_mismatched_priorities.bash

@@ -1 +1 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
-. $(dirname ${0})/proxy_backend.bash
 
 # This test checks if server and proxy priorities are applied
@@ -13 +5 @@
 # back end server is configured not to use TLS 1.2. The proxy request
 # must fail and the client must receive an error message to pass.
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-23
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT

test/test-26_redirect_HTTP_to_HTTPS.bash

@@ -11 +11 @@
 testdir="${srcdir}/tests/26_redirect_HTTP_to_HTTPS"
 TEST_NAME="$(basename ${testdir})"
-. $(dirname ${0})/proxy_backend.bash
+. $(dirname ${0})/apache_service.bash
 
 : ${TEST_HTTP_PORT:="9935"}
@@ -17 +17 @@
 
 # "Proxy backend" functions are used to start the only instance needed
-# here without "runtests". We have to override BACKEND_PID and
-# BACKEND_PORT to make them match what a runtests-based test would
-# use.
-export BACKEND_PID="apache2.pid"
+# here without "runtests". We have to override BACKEND_PORT to make it
+# match what a runtests-based test would use.
 export BACKEND_PORT="${TEST_PORT}"
 function stop_backend
 {
-    backend_apache "${testdir}" "apache.conf" stop
+    apache_service "${testdir}" "apache.conf" stop
 }
-backend_apache "${testdir}" "apache.conf" start "${TEST_LOCK}"
+apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}"
 trap stop_backend EXIT
 
@@ -48 +46 @@
 grep "Current TLS session: (TLS" "${output}"
 
-backend_apache "${testdir}" "apache.conf" stop
+apache_service "${testdir}" "apache.conf" stop
 trap - EXIT

test/test-27_OCSP_server.bash

@@ -4 +4 @@
 # Skip if OCSP tests are not enabled
 [ -n "${OCSP_PORT}" ] || exit 77
-
-# trigger OCSP server test in the runtests script
-export CHECK_OCSP_SERVER="true"
-echo "OCSP index for the test CA:"
-cat authority/ocsp_index.txt
 
 ${srcdir}/runtests t-27

test/test_ca.mk

@@ -48 +48 @@
 %/cert.pgp: %/minimal.pgp authority/minimal.pgp
         if test -r $@; then rm $@; fi
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # special cases for the authorities' root certs:

test/tests/06_verify_sni_a/apache.conf

@@ -2 +2 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 <VirtualHost _default_:${TEST_PORT}>

test/tests/07_verify_sni_b/apache.conf

@@ -2 +2 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a

test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf

@@ -2 +2 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 <VirtualHost _default_:${TEST_PORT}>

test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf

@@ -2 +2 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key

test/tests/12_cgi_variables/apache.conf

@@ -13 +13 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem

test/tests/12_cgi_variables/output

@@ -8 +8 @@
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
+DH prime bits: 3072
 - Peer has closed the GnuTLS connection

test/tests/17_cgi_vars_large_cert/apache.conf

@@ -13 +13 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem

test/tests/17_cgi_vars_large_cert/output

@@ -8 +8 @@
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
+DH prime bits: 3072
 - Peer has closed the GnuTLS connection

test/tests/19_TLS_reverse_proxy/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache

test/tests/20_TLS_reverse_proxy_client_auth/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache

test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache

test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache

test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf

@@ -1 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache

test/tests/27_OCSP_server/apache.conf

@@ -1 @@
-Define  OCSP_PORT       ${OCSP_PORT}
-
 Include ${srcdir}/base_apache.conf
-Include ${srcdir}/ocsp_server.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache dbm cache/gnutls_cache_${TEST_NAME}
 
 <VirtualHost _default_:${TEST_PORT}>

test/tests/Makefile.am

@@ -27 +27 @@
         25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
         26_redirect_HTTP_to_HTTPS/apache.conf \
-        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output
+        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output