#!/usr/bin/env python3
-import sys, cgi, os
+import os, sys
+import multipart
status = '200 Ok'
#!/usr/bin/env python3
-import cgi, os
-import cgitb; cgitb.enable()
+import os, sys
+import multipart
+from urllib import parse
-status = '200 Ok'
-form = cgi.FieldStorage()
-name = form.getvalue('name')
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
+name = forms['name'] if 'name' in forms else None
if name:
print("Status: 200")
#!/usr/bin/env python3
-import cgi, os
-import cgitb; cgitb.enable()
+import os, sys
+import multipart
+from urllib import parse
+
+
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
status = '200 Ok'
try:
- form = cgi.FieldStorage()
- input = form['name']
+ ename = forms['name']
# Test if the file was uploaded
- if input.value is not None:
- val = os.environ[input.value] if input.value in os.environ else ""
+ if ename is not None:
+ val = os.environ[ename] if ename in os.environ else ""
print("Status: 200")
print("""\
Content-Type: text/plain\n""")
- print("{0}={1}".format(input.value, val))
+ print(f"{ename}={val}")
else:
print("Status: 400 Parameter Missing")
print("""\
Content-Type: text/html\n
<html><body>
- <p>No name was specified: %s</p>
- </body></html>""" % (count.value))
+ <p>No name was specified: name</p>
+ </body></html>""")
except KeyError:
print("Status: 200 Ok")
#!/usr/bin/env python3
-import cgi, os
-import cgitb; cgitb.enable()
+import os, sys
+import multipart
+from urllib import parse
+
+
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
status = '200 Ok'
try:
- form = cgi.FieldStorage()
-
+
# A nested FieldStorage instance holds the file
- name = form['name'].value
+ name = forms['name']
value = ''
try:
- value = form['value'].value
+ value = forms['value']
except KeyError:
value = os.environ.get("HTTP_"+name, "unset")
#!/usr/bin/env python3
+import os, sys
+import multipart
+from urllib import parse
-import cgi
-import cgitb; cgitb.enable()
-import os
-import sys
-try:
- form = cgi.FieldStorage()
- count = form['count'].value
- text = form['text'].value
-except KeyError:
- text="a"
- count=77784
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
-count = int(count)
+
+forms, files = get_request_params()
+text = forms['text'] if 'text' in forms else "a"
+count = int(forms['count']) if 'count' in forms else 77784
print("Status: 200 OK")
print("Content-Type: text/html")
#!/usr/bin/env python3
-import cgi, os
import time
-import cgitb; cgitb.enable()
+import os, sys
+import multipart
+from urllib import parse
+
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
status = '200 Ok'
try:
- form = cgi.FieldStorage()
- count = form['count']
- text = form['text']
+ count = forms['count']
+ text = forms['text']
- waitsec = float(form['wait1'].value) if 'wait1' in form else 0.0
+ waitsec = float(forms['wait1']) if 'wait1' in forms else 0.0
if waitsec > 0:
time.sleep(waitsec)
- if int(count.value):
+ if int(count):
print("Status: 200")
print("""\
Content-Type: text/plain\n""")
- waitsec = float(form['wait2'].value) if 'wait2' in form else 0.0
+ waitsec = float(forms['wait2']) if 'wait2' in forms else 0.0
if waitsec > 0:
time.sleep(waitsec)
i = 0;
- for i in range(0, int(count.value)):
- print("%s" % (text.value))
+ for i in range(0, int(count)):
+ print("%s" % (text))
- waitsec = float(form['wait3'].value) if 'wait3' in form else 0.0
+ waitsec = float(forms['wait3']) if 'wait3' in forms else 0.0
if waitsec > 0:
time.sleep(waitsec)
Content-Type: text/html\n
<html><body>
<p>No count was specified: %s</p>
- </body></html>""" % (count.value))
+ </body></html>""" % (count))
except KeyError:
print("Status: 200 Ok")
#!/usr/bin/env python3
-import cgi, os
-import cgitb
-cgitb.enable()
+import os
+import sys
+import multipart
+from urllib import parse
-status = '200 Ok'
-try: # Windows needs stdio set for binary mode.
+try: # Windows needs stdio set for binary mode.
import msvcrt
- msvcrt.setmode (0, os.O_BINARY) # stdin = 0
- msvcrt.setmode (1, os.O_BINARY) # stdout = 1
+
+ msvcrt.setmode(0, os.O_BINARY) # stdin = 0
+ msvcrt.setmode(1, os.O_BINARY) # stdout = 1
except ImportError:
pass
-form = cgi.FieldStorage()
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
+
+status = '200 Ok'
# Test if the file was uploaded
-if 'file' in form:
- fileitem = form['file']
+if 'file' in files:
+ fitem = files['file']
# strip leading path from file name to avoid directory traversal attacks
- fn = os.path.basename(fileitem.filename)
- f = open(('%s/files/%s' % (os.environ["DOCUMENT_ROOT"], fn)), 'wb');
- f.write(fileitem.file.read())
- f.close()
- message = "The file %s was uploaded successfully" % (fn)
+ fname = fitem.filename
+ fpath = f'{os.environ["DOCUMENT_ROOT"]}/files/{fname}'
+ fitem.save_as(fpath)
+ message = "The file %s was uploaded successfully" % (fname)
print("Status: 201 Created")
print("Content-Type: text/html")
- print("Location: %s://%s/files/%s" % (os.environ["REQUEST_SCHEME"], os.environ["HTTP_HOST"], fn))
+ print("Location: %s://%s/files/%s" % (os.environ["REQUEST_SCHEME"], os.environ["HTTP_HOST"], fname))
print("")
print("<html><body><p>%s</p></body></html>" % (message))
-
-elif 'remove' in form:
- remove = form['remove'].value
+
+elif 'remove' in forms:
+ remove = forms['remove']
try:
- fn = os.path.basename(remove)
- os.remove('./files/' + fn)
- message = 'The file "' + fn + '" was removed successfully'
+ fname = os.path.basename(remove)
+ os.remove('./files/' + fname)
+ message = 'The file "' + fname + '" was removed successfully'
except OSError as e:
- message = 'Error removing ' + fn + ': ' + e.strerror
+ message = 'Error removing ' + fname + ': ' + e.strerror
status = '404 File Not Found'
print("Status: %s" % (status))
print("""
'AH01909', # mod_ssl, cert alt name complains
'AH10170', # mod_md, wrong config, tested
'AH10171', # mod_md, wrong config, tested
+ 'AH10373', # SSL errors on uncompleted handshakes
'AH10398', # test on global store lock
])
"<IfModule tls_module>",
f" TLSEngine {env.https_port}",
"</IfModule>",
- ])
+ ])
conf.add_md([domain])
conf.install()
assert env.apache_restart() == 0
-# test wildcard certificates
+# test wildcard certifcates
import os
import pytest
env.clear_store()
self.test_domain = env.get_request_domain(request)
- # -----------------------------------------------------------------------------------------------
# test case: a wildcard certificate with ACMEv2, no dns-01 supported
- #
def test_md_720_001(self, env):
domain = self.test_domain
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'challenge-mismatch'
- # -----------------------------------------------------------------------------------------------
- # test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command path
- #
+ # test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command path
def test_md_720_002(self, env):
dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01-not-found.py")
for domain in domains:
assert domain in altnames
- # -----------------------------------------------------------------------------------------------
- # test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command option
- #
+ # test case: a wildcard certificate with ACMEv2, only dns-01 configured, invalid command option
def test_md_720_003(self, env):
dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py fail")
domain = self.test_domain
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'challenge-setup-failure'
- # -----------------------------------------------------------------------------------------------
- # test case: a wildcard name certificate with ACMEv2, only dns-01 configured
- #
+ # test case: a wildcard name certificate with ACMEv2, only dns-01 configured
def test_md_720_004(self, env):
dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
domain = self.test_domain
for domain in domains:
assert domain in altnames
- # -----------------------------------------------------------------------------------------------
# test case: a wildcard name and 2nd normal vhost, not overlapping
- #
def test_md_720_005(self, env):
dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
domain = self.test_domain
for domain in domains:
assert domain in altnames
- # -----------------------------------------------------------------------------------------------
# test case: a wildcard name and 2nd normal vhost, overlapping
def test_md_720_006(self, env):
dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
for domain in [domain, dwild]:
assert domain in altnames
- # -----------------------------------------------------------------------------------------------
# test case: a MDomain with just a wildcard, see #239
def test_md_720_007(self, env):
dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
cert_a = env.get_cert(wwwdomain)
altnames = cert_a.get_san_list()
assert domains == altnames
+
+ # test case: a plain name, only dns-01 configured,
+ # http-01 should not be intercepted. See #279
+ def test_md_720_008(self, env):
+ dns01cmd = os.path.join(env.test_dir, "../modules/md/dns01.py")
+ domain = self.test_domain
+ domains = [domain]
+
+ conf = MDConf(env)
+ conf.add("MDCAChallenges dns-01")
+ conf.add(f"MDChallengeDns01 {dns01cmd}")
+ conf.add_md(domains)
+ conf.add_vhost(domains)
+ conf.add("LogLevel http:trace4")
+ conf.install()
+
+ challengedir = os.path.join(env.server_dir, "htdocs/test1/.well-known/acme-challenge")
+ env.mkpath(challengedir)
+ content = b'not a challenge'
+ with open(os.path.join(challengedir, "123456"), "wb") as fd:
+ fd.write(content)
+
+ # restart, check that md is in store
+ assert env.apache_restart() == 0
+ env.check_md(domains)
+ # await drive completion
+ assert env.await_completion([domain], restart=False)
+ # access a fake http-01 challenge on the domain
+ r = env.curl_get(f"http://{domain}:{env.http_port}/.well-known/acme-challenge/123456")
+ assert r.response['status'] == 200
+ assert r.response['body'] == content
+ assert env.apache_restart() == 0
+ env.check_md_complete(domain)
cert1 = MDCertUtil(env.store_domain_file(self.domain, 'pubcert.pem'))
assert not cert1.get_must_staple()
stat = env.get_ocsp_status(self.domain)
- assert stat['ocsp'] == "no response sent"
+ assert 'ocsp' not in stat or stat['ocsp'] == "no response sent"
# MD that must staple and toggle off again
@pytest.mark.skipif(MDTestEnv.lacks_ocsp(), reason="no OCSP responder")
import os
import re
import subprocess
-import sys
-import time
from datetime import timedelta, datetime
-from http.client import HTTPConnection
from typing import List, Optional, Dict, Tuple, Union
-from urllib.parse import urlparse
from pyhttpd.certs import CertificateSpec
from pyhttpd.env import HttpdTestEnv, HttpdTestSetup
class TlsTestEnv(HttpdTestEnv):
+ CURL_SUPPORTS_TLS_1_3 = None
+
+ @classmethod
+ def curl_supports_tls_1_3(cls) -> bool:
+ if cls.CURL_SUPPORTS_TLS_1_3 is None:
+ # Unfortunately, there is no reliable, platform-independant
+ # way to verify that TLSv1.3 is properly supported by curl.
+ #
+ # p = subprocess.run(['curl', '--tlsv1.3', 'https://shouldneverexistreally'],
+ # stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+ # return code 6 means the site could not be resolved, but the
+ # tls parameter was recognized
+ cls.CURL_SUPPORTS_TLS_1_3 = False
+ return cls.CURL_SUPPORTS_TLS_1_3
+
+
# current rustls supported ciphers in their order of preference
# used to test cipher selection, see test_06_ciphers.py
RUSTLS_CIPHERS = [
args.extend([])
return self.openssl(args)
- CURL_SUPPORTS_TLS_1_3 = None
-
- def curl_supports_tls_1_3(self) -> bool:
- if self.CURL_SUPPORTS_TLS_1_3 is None:
- r = self.tls_get(self.domain_a, "/index.json", options=["--tlsv1.3"])
- self.CURL_SUPPORTS_TLS_1_3 = r.exit_code == 0
- return self.CURL_SUPPORTS_TLS_1_3
-
OPENSSL_SUPPORTED_PROTOCOLS = None
@staticmethod
#!/usr/bin/env python3
import json
-import os, cgi
-import re
+import os, sys
+import multipart
+from urllib import parse
+
+
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
jenc = json.JSONEncoder()
return jenc.encode(var)
-name = None
-try:
- form = cgi.FieldStorage()
- if 'name' in form:
- name = str(form['name'].value)
-except Exception:
- pass
+name = forms['name'] if 'name' in forms else None
print("Content-Type: application/json\n")
if name:
#!/usr/bin/env python3
import json
-import os, cgi
+import os, sys
+import multipart
+from urllib import parse
+
+
+def get_request_params():
+ oforms = {}
+ if "REQUEST_URI" in os.environ:
+ qforms = parse.parse_qs(parse.urlsplit(os.environ["REQUEST_URI"]).query)
+ for name, values in qforms.items():
+ oforms[name] = values[0]
+ myenv = os.environ.copy()
+ myenv['wsgi.input'] = sys.stdin.buffer
+ mforms, ofiles = multipart.parse_form_data(environ=myenv)
+ for name, item in mforms.items():
+ oforms[name] = item
+ return oforms, ofiles
+
+
+forms, files = get_request_params()
jenc = json.JSONEncoder()
return jenc.encode(var)
-name = None
-try:
- form = cgi.FieldStorage()
- if 'name' in form:
- name = str(form['name'].value)
-except Exception:
- pass
+name = forms['name'] if 'name' in forms else None
print("Content-Type: application/json\n")
if name:
TlsTestConf(env=env).install()
assert env.apache_restart() == 0
- def test_01_apache_http(self, env):
+ def test_tls_01_apache_http(self, env):
assert env.is_live(env.http_base_url)
if env.is_live(timeout=timedelta(milliseconds=100)):
assert env.apache_stop() == 0
- def test_02_conf_cert_args_missing(self, env):
+ def test_tls_02_conf_cert_args_missing(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSCertificate")
conf.install()
assert env.apache_fail() == 0
- def test_02_conf_cert_single_arg(self, env):
+ def test_tls_02_conf_cert_single_arg(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSCertificate cert.pem")
conf.install()
assert env.apache_fail() == 0
- def test_02_conf_cert_file_missing(self, env):
+ def test_tls_02_conf_cert_file_missing(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSCertificate cert.pem key.pem")
conf.install()
assert env.apache_fail() == 0
- def test_02_conf_cert_file_exist(self, env):
+ def test_tls_02_conf_cert_file_exist(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSCertificate test-02-cert.pem test-02-key.pem")
conf.install()
fd.write("")
assert env.apache_fail() == 0
- def test_02_conf_cert_listen_missing(self, env):
+ def test_tls_02_conf_cert_listen_missing(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSEngine")
conf.install()
assert env.apache_fail() == 0
- def test_02_conf_cert_listen_wrong(self, env):
+ def test_tls_02_conf_cert_listen_wrong(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSEngine ^^^^^")
conf.install()
"129.168.178.188:443",
"[::]:443",
])
- def test_02_conf_cert_listen_valid(self, env, listen: str):
+ def test_tls_02_conf_cert_listen_valid(self, env, listen: str):
conf = TlsTestConf(env=env)
conf.add("TLSEngine {listen}".format(listen=listen))
conf.install()
assert env.apache_restart() == 0
- def test_02_conf_cert_listen_cert(self, env):
+ def test_tls_02_conf_cert_listen_cert(self, env):
domain = env.domain_a
conf = TlsTestConf(env=env)
conf.add_tls_vhosts(domains=[domain])
conf.install()
assert env.apache_restart() == 0
- def test_02_conf_proto_wrong(self, env):
+ def test_tls_02_conf_proto_wrong(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSProtocol wrong")
conf.install()
"TLSv1.3+",
"TLSv0x0303+",
])
- def test_02_conf_proto_valid(self, env, proto):
+ def test_tls_02_conf_proto_valid(self, env, proto):
conf = TlsTestConf(env=env)
conf.add("TLSProtocol {proto}".format(proto=proto))
conf.install()
assert env.apache_restart() == 0
- def test_02_conf_honor_wrong(self, env):
+ def test_tls_02_conf_honor_wrong(self, env):
conf = TlsTestConf(env=env)
conf.add("TLSHonorClientOrder wrong")
conf.install()
"on",
"OfF",
])
- def test_02_conf_honor_valid(self, env, honor: str):
+ def test_tls_02_conf_honor_valid(self, env, honor: str):
conf = TlsTestConf(env=env)
conf.add("TLSHonorClientOrder {honor}".format(honor=honor))
conf.install()
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"""
])
- def test_02_conf_cipher_valid(self, env, cipher):
+ def test_tls_02_conf_cipher_valid(self, env, cipher):
conf = TlsTestConf(env=env)
conf.add("TLSCiphersPrefer {cipher}".format(cipher=cipher))
conf.install()
"TLS_NULL_WITH_NULL_NULLX", # not supported
"TLS_DHE_RSA_WITH_AES128_GCM_SHA256", # not supported
])
- def test_02_conf_cipher_wrong(self, env, cipher):
+ def test_tls_02_conf_cipher_wrong(self, env, cipher):
conf = TlsTestConf(env=env)
conf.add("TLSCiphersPrefer {cipher}".format(cipher=cipher))
conf.install()
import pytest
from .conf import TlsTestConf
+from .env import TlsTestEnv
class TestSni:
conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b])
conf.install()
assert env.apache_restart() == 0
- env.curl_supports_tls_1_3() # init
@pytest.fixture(autouse=True, scope='function')
def _function_scope(self, env):
pass
- def test_03_sni_get_a(self, env):
+ def test_tls_03_sni_get_a(self, env):
# do we see the correct json for the domain_a?
data = env.tls_get_json(env.domain_a, "/index.json")
assert data == {'domain': env.domain_a}
- def test_03_sni_get_b(self, env):
+ def test_tls_03_sni_get_b(self, env):
# do we see the correct json for the domain_a?
data = env.tls_get_json(env.domain_b, "/index.json")
assert data == {'domain': env.domain_b}
- def test_03_sni_unknown(self, env):
+ def test_tls_03_sni_unknown(self, env):
# connection will be denied as cert does not cover this domain
domain_unknown = "unknown.test"
r = env.tls_get(domain_unknown, "/index.json")
assert r.exit_code != 0
- def test_03_sni_request_other_same_config(self, env):
+ def test_tls_03_sni_request_other_same_config(self, env):
# do we see the first vhost response for another domain with different certs?
r = env.tls_get(env.domain_a, "/index.json", options=[
"-vvvv", "--header", "Host: {0}".format(env.domain_b)
assert r.json is None
assert r.response['status'] == 421
- def test_03_sni_request_other_other_honor(self, env):
- if env.curl_supports_tls_1_3():
- # can't do this test then
- return
+ def test_tls_03_sni_request_other_other_honor(self, env):
# do we see the first vhost response for an unknown domain?
conf = TlsTestConf(env=env, extras={
env.domain_a: "TLSProtocol TLSv1.2+",
conf.install()
assert env.apache_restart() == 0
r = env.tls_get(env.domain_a, "/index.json", options=[
- "-vvvv", "--header", "Host: {0}".format(env.domain_b)
+ "-vvvv", "--tls-max", "1.2", "--header", "Host: {0}".format(env.domain_b)
])
# request denied
assert r.exit_code == 0
assert r.json is None
- def test_03_sni_bad_hostname(self, env):
+ @pytest.mark.skip('openssl behaviour changed on ventura, unreliable')
+ def test_tls_03_sni_bad_hostname(self, env):
# curl checks hostnames we give it, but the openssl client
# does not. Good for us, since we need to test it.
r = env.openssl(["s_client", "-connect",
("1m.txt", 1000 * 1024),
("10m.txt", 10000 * 1024),
])
- def test_04_get(self, env, fname, flen):
+ def test_tls_04_get(self, env, fname, flen):
# do we see the correct json for the domain_a?
docs_a = os.path.join(env.server_docs_dir, env.domain_a)
r = env.tls_get(env.domain_a, "/{0}".format(fname))
@pytest.mark.parametrize("fname, flen", [
("1k.txt", 1024),
])
- def test_04_double_get(self, env, fname, flen):
+ def test_tls_04_double_get(self, env, fname, flen):
# we'd like to check that we can do >1 requests on the same connection
# however curl hides that from us, unless we analyze its verbose output
docs_a = os.path.join(env.server_docs_dir, env.domain_a)
import pytest
from .conf import TlsTestConf
+from .env import TlsTestEnv
class TestProto:
def _function_scope(self, env):
pass
- CURL_SUPPORTS_TLS_1_3 = None
-
- def test_05_proto_1_2(self, env):
+ def test_tls_05_proto_1_2(self, env):
r = env.tls_get(env.domain_b, "/index.json", options=["--tlsv1.2"])
assert r.exit_code == 0, r.stderr
- if env.curl_supports_tls_1_3():
+ if TlsTestEnv.curl_supports_tls_1_3():
r = env.tls_get(env.domain_b, "/index.json", options=["--tlsv1.3"])
assert r.exit_code == 0, r.stderr
- def test_05_proto_1_3(self, env):
+ def test_tls_05_proto_1_3(self, env):
r = env.tls_get(env.domain_a, "/index.json", options=["--tlsv1.3"])
- if env.curl_supports_tls_1_3():
+ if TlsTestEnv.curl_supports_tls_1_3():
assert r.exit_code == 0, r.stderr
else:
assert r.exit_code == 4, r.stderr
- def test_05_proto_close(self, env):
+ def test_tls_05_proto_close(self, env):
s = socket.create_connection(('localhost', env.https_port))
time.sleep(0.1)
s.close()
- def test_05_proto_ssl_close(self, env):
+ def test_tls_05_proto_ssl_close(self, env):
conf = TlsTestConf(env=env, extras={
'base': "LogLevel ssl:debug",
env.domain_a: "SSLProtocol TLSv1.3",
cipher = m.group(1)
return protocol, cipher
- def test_06_ciphers_ecdsa(self, env):
+ def test_tls_06_ciphers_ecdsa(self, env):
ecdsa_1_2 = [c for c in env.RUSTLS_CIPHERS
if c.max_version == 1.2 and c.flavour == 'ECDSA'][0]
# client speaks only this cipher, see that it gets it
assert protocol == "TLSv1.2", r.stdout
assert cipher == ecdsa_1_2.openssl_name, r.stdout
- def test_06_ciphers_rsa(self, env):
+ def test_tls_06_ciphers_rsa(self, env):
rsa_1_2 = [c for c in env.RUSTLS_CIPHERS
if c.max_version == 1.2 and c.flavour == 'RSA'][0]
# client speaks only this cipher, see that it gets it
], ids=[
c.name for c in TlsTestEnv.RUSTLS_CIPHERS if c.max_version == 1.2 and c.flavour == 'ECDSA'
])
- def test_06_ciphers_server_prefer_ecdsa(self, env, cipher):
+ def test_tls_06_ciphers_server_prefer_ecdsa(self, env, cipher):
# Select a ECSDA ciphers as preference and suppress all RSA ciphers.
# The last is not strictly necessary since rustls prefers ECSDA anyway
suppress_names = [c.name for c in env.RUSTLS_CIPHERS
], ids=[
c.name for c in TlsTestEnv.RUSTLS_CIPHERS if c.max_version == 1.2 and c.flavour == 'RSA'
])
- def test_06_ciphers_server_prefer_rsa(self, env, cipher):
+ def test_tls_06_ciphers_server_prefer_rsa(self, env, cipher):
# Select a RSA ciphers as preference and suppress all ECDSA ciphers.
# The last is necessary since rustls prefers ECSDA and openssl leaks that it can.
suppress_names = [c.name for c in env.RUSTLS_CIPHERS
], ids=[
c.openssl_name for c in TlsTestEnv.RUSTLS_CIPHERS if c.max_version == 1.2 and c.flavour == 'RSA'
])
- def test_06_ciphers_server_prefer_rsa_alias(self, env, cipher):
+ def test_tls_06_ciphers_server_prefer_rsa_alias(self, env, cipher):
# same as above, but using openssl names for ciphers
suppress_names = [c.openssl_name for c in env.RUSTLS_CIPHERS
if c.max_version == 1.2 and c.flavour == 'ECDSA']
], ids=[
c.id_name for c in TlsTestEnv.RUSTLS_CIPHERS if c.max_version == 1.2 and c.flavour == 'RSA'
])
- def test_06_ciphers_server_prefer_rsa_id(self, env, cipher):
+ def test_tls_06_ciphers_server_prefer_rsa_id(self, env, cipher):
# same as above, but using openssl names for ciphers
suppress_names = [c.id_name for c in env.RUSTLS_CIPHERS
if c.max_version == 1.2 and c.flavour == 'ECDSA']
assert client_proto == "TLSv1.2", r.stdout
assert client_cipher == cipher.openssl_name, r.stdout
- def test_06_ciphers_pref_unknown(self, env):
+ def test_tls_06_ciphers_pref_unknown(self, env):
conf = TlsTestConf(env=env, extras={
env.domain_b: "TLSCiphersPrefer TLS_MY_SUPER_CIPHER:SSL_WHAT_NOT"
})
conf.install()
env.apache_restart()
- def test_06_ciphers_pref_unsupported(self, env):
+ def test_tls_06_ciphers_pref_unsupported(self, env):
# a warning on preferring a known, but not supported cipher
env.httpd_error_log.ignore_recent()
conf = TlsTestConf(env=env, extras={
assert errors == 0
assert warnings == 2 # once on dry run, once on start
- def test_06_ciphers_supp_unknown(self, env):
+ def test_tls_06_ciphers_supp_unknown(self, env):
conf = TlsTestConf(env=env, extras={
env.domain_b: "TLSCiphersSuppress TLS_MY_SUPER_CIPHER:SSL_WHAT_NOT"
})
conf.install()
assert env.apache_restart() != 0
- def test_06_ciphers_supp_unsupported(self, env):
+ def test_tls_06_ciphers_supp_unsupported(self, env):
# no warnings on suppressing known, but not supported ciphers
env.httpd_error_log.ignore_recent()
conf = TlsTestConf(env=env, extras={
def _get_protocol(self, output: str):
for line in output.splitlines():
- m = re.match(r'^\*\s+ALPN, server accepted to use\s+(.*)$', line)
+ m = re.match(r'^\*\s+ALPN[:,] server accepted (to use\s+)?(.*)$', line)
if m:
- return m.group(1)
+ return m.group(2)
return None
- def test_07_alpn_get_a(self, env):
+ def test_tls_07_alpn_get_a(self, env):
# do we see the correct json for the domain_a?
- r = env.tls_get(env.domain_a, "/index.json", options=["-vvvvvv"])
+ r = env.tls_get(env.domain_a, "/index.json", options=["-vvvvvv", "--http1.1"])
assert r.exit_code == 0, r.stderr
protocol = self._get_protocol(r.stderr)
assert protocol == "http/1.1", r.stderr
- def test_07_alpn_get_b(self, env):
+ def test_tls_07_alpn_get_b(self, env):
# do we see the correct json for the domain_a?
r = env.tls_get(env.domain_b, "/index.json", options=["-vvvvvv"])
assert r.exit_code == 0, r.stderr
conf.install()
assert env.apache_restart() == 0
- def test_08_vars_root(self, env):
+ def test_tls_08_vars_root(self, env):
# in domain_b root, the StdEnvVars is switch on
exp_proto = "TLSv1.2"
exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
("SSL_CIPHER_EXPORT", "false"),
("SSL_CLIENT_VERIFY", "NONE"),
])
- def test_08_vars_const(self, env, name: str, value: str):
+ def test_tls_08_vars_const(self, env, name: str, value: str):
r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
])
- def test_08_vars_match(self, env, name: str, pattern: str):
+ def test_tls_08_vars_match(self, env, name: str, pattern: str):
r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert name in r.json
def _function_scope(self, env):
pass
- def test_09_timeout_handshake(self, env):
+ def test_tls_09_timeout_handshake(self, env):
# in domain_b root, the StdEnvVars is switch on
s = socket.create_connection(('localhost', env.https_port))
s.send(b'1234')
ids.append(m.group(1))
return ids
- def test_10_session_id_12(self, env):
+ def test_tls_10_session_id_12(self, env):
r = env.openssl_client(env.domain_b, extra_args=[
"-reconnect", "-tls1_2"
])
@pytest.mark.skipif(True or not TlsTestEnv.openssl_supports_tls_1_3(),
reason="openssl TLSv1.3 session storage test incomplete")
- def test_10_session_id_13(self, env):
+ def test_tls_10_session_id_13(self, env):
r = env.openssl_client(env.domain_b, extra_args=[
"-reconnect", "-tls1_3"
])
conf.install()
assert env.apache_restart() == 0
- def test_11_get_a(self, env):
+ def test_tls_11_get_a(self, env):
# do we see the correct json for the domain_a?
data = env.tls_get_json(env.domain_a, "/index.json")
assert data == {'domain': env.domain_a}
- def test_11_get_b(self, env):
+ def test_tls_11_get_b(self, env):
# do we see the correct json for the domain_a?
data = env.tls_get_json(env.domain_b, "/index.json")
assert data == {'domain': env.domain_b}
- def test_11_get_base(self, env):
+ def test_tls_11_get_base(self, env):
# give the base server domain_a and lookup its index.json
conf = TlsTestConf(env=env)
conf.add_md_base(domain=env.domain_a)
assert r.json, r.stderr + r.stdout
return r.json[name] if name in r.json else None
- def test_12_set_ca_non_existing(self, env):
+ def test_tls_12_set_ca_non_existing(self, env):
conf = TlsTestConf(env=env, extras={
env.domain_a: "TLSClientCA xxx"
})
conf.install()
assert env.apache_restart() == 1
- def test_12_set_ca_existing(self, env, cax_file):
+ def test_tls_12_set_ca_existing(self, env, cax_file):
conf = TlsTestConf(env=env, extras={
env.domain_a: f"TLSClientCA {cax_file}"
})
conf.install()
assert env.apache_restart() == 0
- def test_12_set_auth_no_ca(self, env):
+ def test_tls_12_set_auth_no_ca(self, env):
conf = TlsTestConf(env=env, extras={
env.domain_a: "TLSClientCertificate required"
})
# will fail bc lacking clien CA
assert env.apache_restart() == 1
- def test_12_auth_option_std(self, env, cax_file, clients_x):
+ def test_tls_12_auth_option_std(self, env, cax_file, clients_x):
conf = TlsTestConf(env=env, extras={
env.domain_b: [
f"TLSClientCertificate required",
val = self.get_ssl_var(env, env.domain_b, ccert, "SSL_CLIENT_CERT")
assert val == ""
- def test_12_auth_option_cert(self, env, test_ca, cax_file, clients_x):
+ def test_tls_12_auth_option_cert(self, env, test_ca, cax_file, clients_x):
conf = TlsTestConf(env=env, extras={
env.domain_b: [
"TLSClientCertificate required",
server_certs = test_ca.get_credentials_for_name(env.domain_b)
assert val in [c.cert_pem.decode() for c in server_certs]
- def test_12_auth_ssl_optional(self, env, cax_file, clients_x):
+ def test_tls_12_auth_ssl_optional(self, env, cax_file, clients_x):
domain = env.domain_b
conf = TlsTestConf(env=env, extras={
domain: [
val = self.get_ssl_var(env, env.domain_b, ccert, "SSL_CLIENT_CERT")
assert val == ccert.cert_pem.decode()
- def test_12_auth_optional(self, env, cax_file, clients_x):
+ def test_tls_12_auth_optional(self, env, cax_file, clients_x):
domain = env.domain_b
conf = TlsTestConf(env=env, extras={
domain: [
'SSL_CLIENT_S_DN_CN': 'Not Implemented',
}, r.stdout
- def test_12_auth_expired(self, env, cax_file, clients_x):
+ def test_tls_12_auth_expired(self, env, cax_file, clients_x):
conf = TlsTestConf(env=env, extras={
env.domain_b: [
"TLSClientCertificate required",
])
assert r.exit_code != 0
- def test_12_auth_other_ca(self, env, cax_file, clients_y):
+ def test_tls_12_auth_other_ca(self, env, cax_file, clients_y):
conf = TlsTestConf(env=env, extras={
env.domain_b: [
"TLSClientCertificate required",
conf.install()
assert env.apache_restart() == 0
- def test_13_proxy_http_get(self, env):
+ def test_tls_13_proxy_http_get(self, env):
data = env.tls_get_json(env.domain_b, "/proxy/index.json")
assert data == {'domain': env.domain_b}
("SSL_CIPHER_EXPORT", ""),
("SSL_CLIENT_VERIFY", ""),
])
- def test_13_proxy_http_vars(self, env, name: str, value: str):
+ def test_tls_13_proxy_http_vars(self, env, name: str, value: str):
r = env.tls_get(env.domain_b, f"/proxy/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
conf.install()
assert env.apache_restart() == 0
- def test_14_proxy_ssl_get(self, env):
+ def test_tls_14_proxy_ssl_get(self, env):
data = env.tls_get_json(env.domain_b, "/proxy-ssl/index.json")
assert data == {'domain': env.domain_b}
- def test_14_proxy_ssl_get_local(self, env):
+ def test_tls_14_proxy_ssl_get_local(self, env):
# does not work, since SSLProxy* not configured
data = env.tls_get_json(env.domain_b, "/proxy-local/index.json")
assert data is None
- def test_14_proxy_ssl_h2_get(self, env):
+ def test_tls_14_proxy_ssl_h2_get(self, env):
r = env.tls_get(env.domain_b, "/proxy-h2-ssl/index.json")
assert r.exit_code == 0
assert r.json == {'domain': env.domain_b}
("SSL_CIPHER_EXPORT", "false"),
("SSL_CLIENT_VERIFY", "NONE"),
])
- def test_14_proxy_ssl_vars_const(self, env, name: str, value: str):
+ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
])
- def test_14_proxy_ssl_vars_match(self, env, name: str, pattern: str):
+ def test_tls_14_proxy_ssl_vars_match(self, env, name: str, pattern: str):
r = env.tls_get(env.domain_b, f"/proxy-ssl/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert name in r.json
conf.install()
assert env.apache_restart() == 0
- def test_15_proxy_tls_get(self, env):
+ def test_tls_15_proxy_tls_get(self, env):
data = env.tls_get_json(env.domain_b, "/proxy-tls/index.json")
assert data == {'domain': env.domain_b}
- def test_15_proxy_tls_get_local(self, env):
+ def test_tls_15_proxy_tls_get_local(self, env):
# does not work, since SSLProxy* not configured
data = env.tls_get_json(env.domain_b, "/proxy-local/index.json")
assert data is None
- def test_15_proxy_tls_h2_get(self, env):
+ def test_tls_15_proxy_tls_h2_get(self, env):
r = env.tls_get(env.domain_b, "/proxy-h2-tls/index.json")
assert r.exit_code == 0
assert r.json == {'domain': env.domain_b}, f"{r.stdout}"
("SSL_CIPHER_EXPORT", "false"),
("SSL_CLIENT_VERIFY", "NONE"),
])
- def test_15_proxy_tls_h1_vars(self, env, name: str, value: str):
+ def test_tls_15_proxy_tls_h1_vars(self, env, name: str, value: str):
r = env.tls_get(env.domain_b, f"/proxy-tls/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
@pytest.mark.parametrize("name, value", [
- ("SERVER_NAME", "b.mod-tls.test"),
- ("SERVER_NAME", "b.mod-tls.test"),
- ("SERVER_NAME", "b.mod-tls.test"),
("SERVER_NAME", "b.mod-tls.test"),
("SSL_PROTOCOL", "TLSv1.3"),
("SSL_CIPHER", "TLS_CHACHA20_POLY1305_SHA256"),
("SSL_SESSION_RESUMED", "Initial"),
])
- def test_15_proxy_tls_h2_vars(self, env, name: str, value: str):
+ def test_tls_15_proxy_tls_h2_vars(self, env, name: str, value: str):
r = env.tls_get(env.domain_b, f"/proxy-h2-tls/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
+import time
+
import pytest
from .conf import TlsTestConf
def _class_scope(self, env):
conf = TlsTestConf(env=env, extras={
'base': [
- "LogLevel proxy:trace1 proxy_http:trace1 ssl:trace1 proxy_http2:trace1",
+ "LogLevel proxy:trace1 proxy_http:trace1 ssl:trace1 proxy_http2:trace1 http2:debug",
"ProxyPreserveHost on",
],
env.domain_a: [
conf.install()
assert env.apache_restart() == 0
- def test_16_proxy_mixed_ssl_get(self, env):
+ def test_tls_16_proxy_mixed_ssl_get(self, env, repeat):
data = env.tls_get_json(env.domain_b, "/proxy-ssl/index.json")
assert data == {'domain': env.domain_b}
- def test_16_proxy_mixed_tls_get(self, env):
+ def test_tls_16_proxy_mixed_tls_get(self, env, repeat):
data = env.tls_get_json(env.domain_a, "/proxy-tls/index.json")
+ if data is None:
+ time.sleep(300)
assert data == {'domain': env.domain_a}
conf.install()
assert env.apache_restart() == 0
- def test_17_proxy_machine_cert_get_a(self, env):
+ def test_tls_17_proxy_machine_cert_get_a(self, env):
data = env.tls_get_json(env.domain_a, "/proxy-tls/index.json")
assert data == {'domain': env.domain_a}
("SSL_CLIENT_VERIFY", "SUCCESS"),
("REMOTE_USER", "user1"),
])
- def test_17_proxy_machine_cert_vars(self, env, name: str, value: str):
+ def test_tls_17_proxy_machine_cert_vars(self, env, name: str, value: str):
r = env.tls_get(env.domain_a, f"/proxy-tls/vars.py?name={name}")
assert r.exit_code == 0, r.stderr
assert r.json == {name: value}, r.stdout
projects / thirdparty / apache / httpd.git / commitdiff
