Hi there,
this one fails for me when the server uses OpenSSL 1.1.1 (no other
variant tested yet) but the client uses something before 1.1.1. In this
case I get Status 500 instead of the expected 403 in the client.
Another older test t/security/CVE-2005-2700.t uses
ok !t_cmp($r->code, 200, "...
instead of
ok t_cmp($r->code, 403, "...
used in the new test. Do others observe the same problem? Should we
relax the condition on 403 or 500, or is it necessary to only relax if
client isn't using 1.1.1 (or maybe depending on effective TLS version)?
Regards,
Rainer
On 02.04.2019 at 12:44, [email protected] wrote:
Author: jorton
Date: Tue Apr 2 10:44:12 2019
New Revision: 1856807
URL: http://svn.apache.org/viewvc?rev=1856807&view=rev
Log:
Add test case for CVE-2019-0215.
Added:
httpd/test/framework/trunk/t/security/CVE-2019-0215.t
Added: httpd/test/framework/trunk/t/security/CVE-2019-0215.t
URL:
http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2019-0215.t?rev=1856807&view=auto
==============================================================================
--- httpd/test/framework/trunk/t/security/CVE-2019-0215.t (added)
+++ httpd/test/framework/trunk/t/security/CVE-2019-0215.t Tue Apr 2 10:44:12
2019
@@ -0,0 +1,26 @@
+use strict;
+use warnings FATAL => 'all';
+
+use Apache::Test;
+use Apache::TestUtil;
+use Apache::TestRequest;
+
+my $vars = Apache::Test::vars();
+
+plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
+ qw(LWP::Protocol::https);
+
+Apache::TestRequest::user_agent_keepalive(1);
+Apache::TestRequest::scheme('https');
+Apache::TestRequest::module('ssl_optional_cc');
+
+my $r;
+
+$r = GET "/require/any/";
+
+ok t_cmp($r->code, 403, "first access denied without ccert");
+
+$r = GET "/require/any/";
+
+ok t_cmp($r->code, 403, "second access denied without ccert");
+
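Review bot: both `ok t_cmp($r->code, 403, ...)` assertions require an exact 403, so a request that is refused with any other status fails the test even though access was not granted; the reply above reports 500 in that position when the client uses an OpenSSL before 1.1.1. If the property under test is that /require/any/ is never served without a client certificate, consider asserting that the code is not 200, as t/security/CVE-2005-2700.t does with `ok !t_cmp($r->code, 200, ...`, or add a comment stating why exactly 403 is required. The file also carries no comment on why the same GET is issued twice after `user_agent_keepalive(1)`; if the second request is meant to reuse the kept-alive connection, say so in a short comment so a later cleanup does not drop it as a duplicate.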