Thanks a lot!
> On 22.10.2018 at 14:06, Rainer Jung <[email protected]> wrote:
>
> This seems to work nicely, committed in r1844546. Tests with old OpenSSL
> either in client or server result in TLSv1 and disable h2 tests. TLS test
> requests that result in TLSv1_2 or TLSv1_3 enable h2 tests.
>
> Regards,
>
> Rainer
>
> On 22.10.2018 at 12:37, Rainer Jung wrote:
>> I wonder whether it would be easier to check whether a TLS connection uses
>> TLS 1.2 or later and disable the h2 test if not.
>> Nevertheless the module for checking the server version might be useful, but
>> here I guess checking the TLS version is more appropriate.
>> But that might mean, that the test runs with OpenSSL 0.9.8zh in the client.
>> At least I see some TLSv1.2 requests during the test suite run even when
>> using 0.9.8zh in the client. It ever happens with that version in the server.
>> Will look into it.
>> Regards,
>> Rainer
>> On 21.10.2018 at 14:28, Daniel Ruggeri wrote:
>>>
>>> On 10/21/2018 6:46 AM, Rainer Jung wrote:
>>>> On 18.10.2018 at 14:23, Stefan Eissing wrote:
>>>>>> On 18.10.2018 at 14:12, Rainer Jung <[email protected]> wrote:
>>>>>>
>>>>>> - t/modules/http2.t fails when the server is built using OpenSSL
>>>>>> 0.9.8zh with the "Bad plan. You planned 52 tests..." message
>>>>>> indicating, that h2 using TLS does not work. It happens on all
>>>>>> platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>>>>>
>>>>>> I don't know whether that is expected for old OpenSSL, so can not
>>>>>> judge on criticality.
>>>>>
>>>>> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
>>>>> TLSv1.2 and is therefore unusable with h2. The test suite seems to be
>>>>> unprepared for this scenario. I will remove it after the next
>>>>> release. It is not worth fixing in its current form.
>>>>
>>>> I added a check against the test suite OpenSSL version in r1844483.
>>>>
>>>> I have an additional check for the server version available.
>>>> Unfortunately I didn't find a really easy way, so here's a small
>>>> module that one can query
>>>> (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
>>>> shortened form of mod_test_ssl.c:
>>>>
>>>> ==== SNIP =====
>>>> #define HTTPD_TEST_REQUIRE_APACHE 2
>>>>
>>>> #if CONFIG_FOR_HTTPD_TEST
>>>>
>>>> <IfModule @ssl_module@>
>>>> <Location /test_ssl_version_lookup>
>>>> SetHandler test-ssl-version-lookup
>>>> </Location>
>>>> </IfModule>
>>>>
>>>> #endif
>>>>
>>>> #include "httpd.h"
>>>> #include "http_config.h"
>>>> #include "http_protocol.h"
>>>> #include "http_log.h"
>>>> #include "ap_config.h"
>>>> #include "apr_optional.h"
>>>>
>>>> #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h
>>>> if using >= 2.1.0 */
>>>>
>>>> #include "mod_ssl.h"
>>>>
>>>> #else
>>>> /* For use of < 2.0.x, inline the declaration: */
>>>>
>>>> APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
>>>> (apr_pool_t *, server_rec *,
>>>> conn_rec *, request_rec *,
>>>> char *));
>>>>
>>>> #endif
>>>>
>>>> static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
>>>>
>>>> static void import_ssl_var_lookup(void)
>>>> {
>>>> var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
>>>> }
>>>>
>>>> static int test_ssl_version_lookup(request_rec *r)
>>>> {
>>>> char *value;
>>>>
>>>> if (strcmp(r->handler, "test-ssl-version-lookup")) {
>>>> return DECLINED;
>>>> }
>>>>
>>>> if (r->method_number != M_GET) {
>>>> return DECLINED;
>>>> }
>>>>
>>>> if (!var_lookup) {
>>>> ap_rputs("ssl_var_lookup is not available", r);
>>>> return OK;
>>>> }
>>>>
>>>> value = var_lookup(r->pool, r->server,
>>>> r->connection, r, "SSL_VERSION_LIBRARY");
>>>>
>>>> if (value && *value) {
>>>> ap_rputs(value, r);
>>>> }
>>>> else {
>>>> ap_rputs("NULL", r);
>>>> }
>>>>
>>>> return OK;
>>>> }
>>>>
>>>> static void test_ssl_version_register_hooks(apr_pool_t *p)
>>>> {
>>>> ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
>>>> APR_HOOK_MIDDLE);
>>>> ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
>>>> NULL, NULL, APR_HOOK_MIDDLE);
>>>> }
>>>>
>>>> module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
>>>> STANDARD20_MODULE_STUFF,
>>>> NULL, /* create per-dir config structures */
>>>> NULL, /* merge per-dir config structures */
>>>> NULL, /* create per-server config structures */
>>>> NULL, /* merge per-server config structures */
>>>> NULL, /* table of config file commands */
>>>> test_ssl_version_register_hooks /* register hooks */
>>>> };
>>>> ==== SNIP =====
>>>>
>>>> and the necessary addition to http2.t to use the module:
>>>>
>>>> Index: t/modules/http2.t
>>>> ===================================================================
>>>> --- t/modules/http2.t (revision 1844483)
>>>> +++ t/modules/http2.t (working copy)
>>>> @@ -25,6 +25,16 @@
>>>> my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
>>>> if ($openssl_version < 0x10000000) {
>>>> $tls_modern = 0;
>>>> +} else {
>>>> + Apache::TestRequest::scheme("https");
>>>> + my $url = '/test_ssl_version_lookup';
>>>> + my $r = GET("$url");
>>>> + $openssl_version = $r->content;
>>>> + print STDOUT "OpenSSL version '$openssl_version'\n";
>>>> + # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc.
>>>> + if ($openssl_version =~ /\/0\./) {
>>>> + $tls_modern = 0;
>>>> + }
>>>> }
>>>>
>>>> Apache::TestRequest::module("http2");
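Review bot: in the added `else` branch, `$r->content` is used without checking that the GET succeeded, and `$tls_modern` is only cleared when the body matches `/\/0\./`. If `/test_ssl_version_lookup` is not mapped (the `<IfModule @ssl_module@>` block is skipped) or the handler returns one of its fallback strings ("NULL", "ssl_var_lookup is not available"), the match fails and the h2 tests stay enabled against a server whose library version is unknown. Suggest failing closed: set `$tls_modern = 0` unless the response is successful and the body matches an anchored pattern such as `^OpenSSL/(\d+)\.`, then decide on the captured major version. The unanchored `/\/0\./` can also match a "/0." anywhere in an error body. Minor: `$openssl_version` changes here from the numeric Net::SSLeay value to the server's string; a separate variable would keep the two checks easier to read.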
>>>>
>>>> What do people think? Should I apply it?
>>>>
>>>> Regards,
>>>>
>>>> Rainer
>>>
>>> +1