On 8/4/2019 3:30 AM, Rainer Jung wrote:
> Hi there,
>
> this one fails for me when the server uses OpenSSL 1.1.1 (no other
> variant tested yet) but the client uses something before 1.1.1. In
> this case I get Status 500 instead of the expected 403 in the client.
>
> Another older test t/security/CVE-2005-2700.t uses
>
> ok !t_cmp($r->code, 200, "...
>
> instead of
>
> ok t_cmp($r->code, 403, "...
>
> used in the new test. Do others observe the same problem? Should we
> relax the condition on 403 or 500, or is it necessary to only relax if
> client isn't using 1.1.1 (or maybe depending on effective TLS version)?
I also see the same problem. The 500 must be coming from the LWP client rather than httpd, though, as httpd does log the 403. I would prefer to skip the test for non-compatible clients rather than for the internal client error to be treated as a "pass" of a test it cannot run.
--
Daniel Ruggeri

>
> Regards,
>
> Rainer
>
> On 02.04.2019 at 12:44, jor...@apache.org wrote:
>> Author: jorton
>> Date: Tue Apr 2 10:44:12 2019
>> New Revision: 1856807
>>
>> URL: http://svn.apache.org/viewvc?rev=1856807&view=rev
>> Log:
>> Add test case for CVE-2019-0215.
>>
>> Added:
>> httpd/test/framework/trunk/t/security/CVE-2019-0215.t
>>
>> Added: httpd/test/framework/trunk/t/security/CVE-2019-0215.t
>> URL:
>> http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/security/CVE-2019-0215.t?rev=1856807&view=auto
>> ==============================================================================
>>
>> --- httpd/test/framework/trunk/t/security/CVE-2019-0215.t (added)
>> +++ httpd/test/framework/trunk/t/security/CVE-2019-0215.t Tue Apr 2
>> 10:44:12 2019
>> @@ -0,0 +1,26 @@
>> +use strict;
>> +use warnings FATAL => 'all';
>> +
>> +use Apache::Test;
>> +use Apache::TestUtil;
>> +use Apache::TestRequest;
>> +
>> +my $vars = Apache::Test::vars();
>> +
>> +plan tests => 2, need $vars->{ssl_module_name}, need_lwp,
>> + qw(LWP::Protocol::https);
>> +
>> +Apache::TestRequest::user_agent_keepalive(1);
>> +Apache::TestRequest::scheme('https');
>> +Apache::TestRequest::module('ssl_optional_cc');
>> +
>> +my $r;
>> +
>> +$r = GET "/require/any/";
>> +
>> +ok t_cmp($r->code, 403, "first access denied without ccert");
>> +
>> +$r = GET "/require/any/";
>> +
>> +ok t_cmp($r->code, 403, "second access denied without ccert");
>> +
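Review bot: the `plan` line (`plan tests => 2, need $vars->{ssl_module_name}, need_lwp,` / `qw(LWP::Protocol::https);`) gates only on the server-side SSL module and on LWP being present, not on whether the client's TLS stack can actually complete the exchange this test drives, so a client built against something older than OpenSSL 1.1.1 fails inside LWP with a 500 and both `ok t_cmp($r->code, 403, ...)` checks fail even though httpd itself logs the 403, exactly as reported above in this thread. Rather than widening the assertion to accept 500 (or switching to the `ok !t_cmp($r->code, 200, ...)` form from t/security/CVE-2005-2700.t, which would also let a client-side error count as a pass), add a skip condition to the `plan` call for clients that cannot run this scenario, and keep the exact 403 comparison for those that can; a request that never reached the server should not be reported as the access-denied result the test is meant to prove. Minor: the hunk ends with an empty `+` line, leaving a trailing blank line in the new file.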