
List:       apache-httpd-dev
Subject:    Re: t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
From:       Stefan Eissing <stefan.eissing () greenbytes ! de>
Date:       2018-10-22 13:09:53
Message-ID: 32972739-0293-41BC-856E-A7FB9B7FA545 () greenbytes ! de

Thanks a lot!

> On 22.10.2018 at 14:06, Rainer Jung <rainer.jung@kippdata.de> wrote:
> 
> This seems to work nicely, committed in r1844546. Tests with old OpenSSL either in
> client or server result in TLSv1 and disable h2 tests. TLS test requests that
> result in TLSv1_2 or TLSv1_3 enable h2 tests.
> Regards,
> 
> Rainer
> 
> On 22.10.2018 at 12:37, Rainer Jung wrote:
> > I wonder whether it would be easier to check whether a TLS connection uses TLS
> > 1.2 or later and disable the h2 test if not. Nevertheless the module for checking
> > the server version might be useful, but here I guess checking the TLS version is
> > more appropriate. But that might mean, that the test runs with OpenSSL 0.9.8zh in
> > the client. At least I see some TLSv1.2 requests during the test suite run even
> > when using 0.9.8zh in the client. It ever happens with that version in the
> > server. Will look into it.
> > Regards,
> > Rainer
> > On 21.10.2018 at 14:28, Daniel Ruggeri wrote:
> > > 
> > > On 10/21/2018 6:46 AM, Rainer Jung wrote:
> > > > On 18.10.2018 at 14:23, Stefan Eissing wrote:
> > > > > > On 18.10.2018 at 14:12, Rainer Jung <rainer.jung@kippdata.de> wrote:
> > > > > > 
> > > > > > - t/modules/http2.t fails when the server is built using OpenSSL
> > > > > > 0.9.8zh with the "Bad plan.  You planned 52 tests..." message
> > > > > > indicating, that h2 using TLS does not work. It happens on all
> > > > > > platforms, but not if the client also uses OpenSSL 0.9.8zh.
> > > > > > 
> > > > > > I don't know whether that is expected for old OpenSSL, so can not
> > > > > > judge on criticality.
> > > > > 
> > > > > AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
> > > > > TLSv1.2 and is therefore unusable with h2. The test suite seems to be
> > > > > unprepared for this scenario. I will remove it after the next
> > > > > release. It is not worth fixing in its current form.
> > > > 
> > > > I added a check against the test suite OpenSSL version in r1844483.
> > > > 
> > > > I have an additional check for the server version available.
> > > > Unfortunately I didn't find a really easy way, so here's a small
> > > > module that one can query
> > > > (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
> > > > shortened form of mod_test_ssl.c:
> > > > 
> > > > ==== SNIP =====
> > > > #define HTTPD_TEST_REQUIRE_APACHE 2
> > > > 
> > > > #if CONFIG_FOR_HTTPD_TEST
> > > > 
> > > > <IfModule @ssl_module@>
> > > > <Location /test_ssl_version_lookup>
> > > > SetHandler test-ssl-version-lookup
> > > > </Location>
> > > > </IfModule>
> > > > 
> > > > #endif
> > > > 
> > > > #include "httpd.h"
> > > > #include "http_config.h"
> > > > #include "http_protocol.h"
> > > > #include "http_log.h"
> > > > #include "ap_config.h"
> > > > #include "apr_optional.h"
> > > > 
> > > > > #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h if using >= 2.1.0 */
> > > > > 
> > > > > #include "mod_ssl.h"
> > > > > 
> > > > > #else
> > > > > /* For use of < 2.0.x, inline the declaration: */
> > > > > 
> > > > > APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
> > > > >                         (apr_pool_t *, server_rec *,
> > > > >                          conn_rec *, request_rec *,
> > > > >                          char *));
> > > > > 
> > > > > #endif
> > > > > 
> > > > > static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
> > > > > 
> > > > > static void import_ssl_var_lookup(void)
> > > > > {
> > > > >     var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
> > > > > }
> > > > > 
> > > > > static int test_ssl_version_lookup(request_rec *r)
> > > > > {
> > > > >     char *value;
> > > > > 
> > > > >     if (strcmp(r->handler, "test-ssl-version-lookup")) {
> > > > >         return DECLINED;
> > > > >     }
> > > > > 
> > > > >     if (r->method_number != M_GET) {
> > > > >         return DECLINED;
> > > > >     }
> > > > > 
> > > > >     if (!var_lookup) {
> > > > >         ap_rputs("ssl_var_lookup is not available", r);
> > > > >         return OK;
> > > > >     }
> > > > > 
> > > > >     value = var_lookup(r->pool, r->server,
> > > > >                        r->connection, r, "SSL_VERSION_LIBRARY");
> > > > > 
> > > > >     if (value && *value) {
> > > > >         ap_rputs(value, r);
> > > > >     }
> > > > >     else {
> > > > >         ap_rputs("NULL", r);
> > > > >     }
> > > > > 
> > > > >     return OK;
> > > > > }
> > > > > 
> > > > > static void test_ssl_version_register_hooks(apr_pool_t *p)
> > > > > {
> > > > >     ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
> > > > >                     APR_HOOK_MIDDLE);
> > > > >     ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
> > > > >                                  NULL, NULL, APR_HOOK_MIDDLE);
> > > > > }
> > > > > 
> > > > > module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
> > > > >     STANDARD20_MODULE_STUFF,
> > > > >     NULL,                  /* create per-dir    config structures */
> > > > >     NULL,                  /* merge  per-dir    config structures */
> > > > >     NULL,                  /* create per-server config structures */
> > > > >     NULL,                  /* merge  per-server config structures */
> > > > >     NULL,                  /* table of config file commands       */
> > > > >     test_ssl_version_register_hooks  /* register hooks     */
> > > > > };
> > > > ==== SNIP =====
> > > > 
> > > > and the necessary addition to http2.t to use the module:
> > > > 
> > > > Index: t/modules/http2.t
> > > > ===================================================================
> > > > --- t/modules/http2.t   (revision 1844483)
> > > > +++ t/modules/http2.t   (working copy)
> > > > @@ -25,6 +25,16 @@
> > > > my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
> > > > if ($openssl_version < 0x10000000) {
> > > > $tls_modern = 0;
> > > > +} else {
> > > > +    Apache::TestRequest::scheme("https");
> > > > +    my $url = '/test_ssl_version_lookup';
> > > > +    my $r = GET("$url");
> > > > +    $openssl_version = $r->content;
> > > > +    print STDOUT "OpenSSL version '$openssl_version'\n";
> > > > +    # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
> > > > +    if ($openssl_version =~ /\/0\./) {
> > > > +        $tls_modern = 0;
> > > > +    }
> > > > }
> > > > 
> > > > Apache::TestRequest::module("http2");
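
Review bot: The match at `if ($openssl_version =~ /\/0\./)` only clears `$tls_modern` when the body looks like an `OpenSSL/0.x` string, so any other response to `GET("$url")` (an error page, or the module's own `NULL` and `ssl_var_lookup is not available` outputs) leaves the h2 tests enabled. Consider checking the response status first and treating any body that does not match an expected `OpenSSL/<major>.` form with major >= 1 as not modern. Two smaller points: `$openssl_version` is reused for the response string after holding the numeric `OPENSSL_VERSION_NUMBER()` value, where a separate variable would read better, and the unconditional `print STDOUT` adds output to every run and could be a debug-level message instead.
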
> > > > 
> > > > What do people think? Should I apply it?
> > > > 
> > > > Regards,
> > > > 
> > > > Rainer
> > > 
> > > +1
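
The gating decision discussed in this thread, as an added example that is not code from the thread or from the httpd test framework: the h2 tests are enabled only when the negotiated protocol parses as TLS 1.2 or later and the `SSL_VERSION_LIBRARY` string parses as OpenSSL 1.0.0 or later, and anything unparsable disables them. The function names (`tls_minor`, `openssl_triplet`, `h2_tests_enabled`) are hypothetical; the input spellings are the ones quoted in the messages above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a negotiated protocol name such as "TLSv1", "TLSv1.2" or "TLSv1_3"
 * (the spellings seen in this thread). Returns the TLS minor version,
 * or -1 for anything else (SSLv3, error text, empty body). */
static int tls_minor(const char *proto)
{
    char *end;
    long minor;

    if (proto == NULL || strncmp(proto, "TLSv1", 5) != 0)
        return -1;
    proto += 5;
    if (*proto == '\0')
        return 0;                       /* plain "TLSv1" is TLS 1.0 */
    if (*proto != '.' && *proto != '_')
        return -1;
    if (proto[1] < '0' || proto[1] > '9')
        return -1;                      /* no sign, no whitespace */
    minor = strtol(proto + 1, &end, 10);
    if (*end != '\0' || minor > 9)
        return -1;                      /* trailing junk: reject */
    return (int)minor;
}

/* Parse "OpenSSL/<major>.<minor>.<patch>[letters]" as reported by
 * SSL_VERSION_LIBRARY. Returns 1 and fills v[3] on success, else 0. */
static int openssl_triplet(const char *lib, int v[3])
{
    if (lib == NULL)
        return 0;
    return sscanf(lib, "OpenSSL/%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* Fail closed: h2 tests run only when both inputs parse and qualify. */
int h2_tests_enabled(const char *negotiated, const char *server_lib)
{
    int v[3];

    if (tls_minor(negotiated) < 2)
        return 0;                       /* TLS 1.2 or later required */
    if (!openssl_triplet(server_lib, v))
        return 0;                       /* "NULL", error page, ... */
    return v[0] >= 1;                   /* the thread's cut-off: >= 1.0.0 */
}
```
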

