Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

2018-10-19 Thread Joe Orton
On Fri, Oct 19, 2018 at 11:39:27AM +0200, Rainer Jung wrote:
> Concerning your simpler approach: it is OK if we give up supporting 0.9.8
> but we should probably keep the "or `$openssl list -commands 2>&1` !~
> /ocsp/" part of the test.

OK good point, let's leave it as-is.  r1844320 works for me, thanks!


Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

2018-10-19 Thread Rainer Jung

On 19.10.2018 at 11:01, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -, rj...@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
>
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
>
> tempnam() from File::Temp is not exported and takes two arguments, are
> you testing with a different version?


Sorry, tempnam => tmpnam. Committed in r1844320. It at least works here. 
Would you be able to recheck?



>    Compatibility functions:
>
>      $unopened_file = File::Temp::tempnam( $dir, $pfx );
>
> I would be happy to restrict this test to running with recent versions
> of OpenSSL if it requires excessive hacks to make it work with older
> ones.
>
> A simpler/safer test for the OpenSSL versions would be

Index: t/ssl/ocsp.t
===
--- t/ssl/ocsp.t(revision 1844314)
+++ t/ssl/ocsp.t(working copy)
@@ -20,9 +20,12 @@
  # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
  # support in earlier versions without messing around with stderr
  my $openssl = Apache::TestSSLCA::openssl();
+my $version = Apache::TestSSLCA::version();
+my $min_version = "1.0.2";
+
  if (!have_min_apache_version('2.4.26')
-or `$openssl list -commands 2>&1` !~ /ocsp/) {
-print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
+or Apache::Test::normalize_vstring($version) < 
Apache::Test::normalize_vstring($min_version)) {
+print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl 
OCSP support";
  exit 0;
  }
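
Review bot: the context comment at the top of this hunk still reads "Requires OpenSSL 1.1" while the added `$min_version` is "1.0.2", so the comment and the check now name different floors. Update the comment to match `$min_version`, and drop its remark about stderr if the `list -commands` probe is really being removed.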


The problem here is that what broke the test originally was not the 
wrong OpenSSL version but instead relying on a feature of it (allowing 
-reqin and -respout to point to STDIN and STDOUT, respectively). That's 
why I would prefer fixing the test. At least here in my environment it 
now also works with OpenSSL 0.9.8.


Not sure if the change I applied (using temporary files for input and 
output) should already be rated as "excessive hacks". I agree, it makes 
a simple script roughly twice the size, but some of the new lines are 
because of checking the result of the system() call (we had a 
fire-and-forget exec() before).


Concerning your simpler approach: it is OK if we give up supporting 
0.9.8 but we should probably keep the "or `$openssl list -commands 2>&1` 
!~ /ocsp/" part of the test.


Regards,

Rainer


Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

2018-10-19 Thread Ruediger Pluem



On 10/19/2018 11:01 AM, Joe Orton wrote:
> On Fri, Oct 19, 2018 at 07:25:55AM -, rj...@apache.org wrote:
>> Author: rjung
>> Date: Fri Oct 19 07:25:55 2018
>> New Revision: 1844309
>>
>> URL: http://svn.apache.org/viewvc?rev=1844309=rev
>> Log:
>> Do not use STDIN / STDOUT as -reqin and -respout
>> for "openssl ocsp", since that is supported only
>> in OpenSSL 1.0.2 and above.
>>
>> Instead use temporary files.
> 
> This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600
> 
> tempnam() from File::Temp is not exported and takes two arguments, are 
> you testing with a different version?
> 
>    Compatibility functions:
> 
>      $unopened_file = File::Temp::tempnam( $dir, $pfx );
> 
> I would be happy to restrict this test to running with recent versions 
> of OpenSSL if it requires excessive hacks to make it work with older 
> ones.
> 
> A simpler/safer test for the OpenSSL versions would be
> 
> Index: t/ssl/ocsp.t
> ===
> --- t/ssl/ocsp.t  (revision 1844314)
> +++ t/ssl/ocsp.t  (working copy)
> @@ -20,9 +20,12 @@
>  # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
>  # support in earlier versions without messing around with stderr
>  my $openssl = Apache::TestSSLCA::openssl();
> +my $version = Apache::TestSSLCA::version();
> +my $min_version = "1.0.2";
> +
>  if (!have_min_apache_version('2.4.26')
> -or `$openssl list -commands 2>&1` !~ /ocsp/) {
> -print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
> +or Apache::Test::normalize_vstring($version) < 
> Apache::Test::normalize_vstring($min_version)) {
> +print "1..0 # skip: Requires OpenSSL $min_version (got $version) and 
> mod_ssl OCSP support";
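
Review bot: the new skip message promises "and mod_ssl OCSP support", but with the `list -commands` line removed the condition only compares the Apache version and the OpenSSL version, so nothing tests for OCSP any more. `$version` is also passed to `normalize_vstring` and interpolated into the message without a check that it is non-empty, which is the "No OpenSSL" case the old message covered. Either keep the probe as a third `or` clause or reword the message to say only what is checked.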

How would we know in this case that this recent OpenSSL version was built with 
ocsp support?

Regards

Rüdiger
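
Added example, not code from this thread or from the httpd test framework: a shell gate that applies both checks discussed above, the version floor from the proposed patch and the `list -commands` probe the replies want to keep, run against a constructed stub instead of a real binary. `vnum`, `ocsp_usable`, `fake_openssl` and `probe` are hypothetical names.

```shell
#!/bin/sh
# vnum "1.0.2k" -> 1000002: major/minor/patch folded into one integer
# (awk's numeric coercion drops the letter suffix).
vnum() {
    printf '%s\n' "$1" |
        awk -F. '{ printf "%d", ($1+0)*1000000 + ($2+0)*1000 + ($3+0) }'
}

# ocsp_usable OPENSSL MINVER
# Succeeds only if the binary answers, meets the version floor, AND lists
# the ocsp command. Prints the reason either way.
ocsp_usable() {
    bin=$1; min=$2
    ver=$("$bin" version 2>/dev/null | awk '{ print $2 }')
    if [ -z "$ver" ]; then
        echo "skip: no usable openssl at $bin"; return 1
    fi
    if [ "$(vnum "$ver")" -lt "$(vnum "$min")" ]; then
        echo "skip: requires OpenSSL $min (got $ver)"; return 1
    fi
    # Same probe as the test on the page, stderr folded in as there.
    if ! "$bin" list -commands 2>&1 | grep -qw ocsp; then
        echo "skip: OpenSSL $ver has no ocsp command"; return 1
    fi
    echo "ok: OpenSSL $ver with ocsp"
}

# Constructed stand-in for an openssl binary, driven by FAKE_VER and
# FAKE_CMDS, so the example runs offline.
fake_openssl() {
    case $1 in
        version) echo "OpenSSL $FAKE_VER  1 Jan 2018" ;;
        list)    printf '%s\n' $FAKE_CMDS ;;
    esac
}

# probe VERSION "CMD CMD ...": run the gate against a stub with those traits.
probe() { FAKE_VER=$1 FAKE_CMDS=$2; ocsp_usable fake_openssl 1.0.2; }

probe 1.1.1 "x509 verify ocsp" || true   # new enough, ocsp present
probe 1.1.1 "x509 verify"      || true   # new enough, ocsp missing
probe 0.9.8 "x509 verify ocsp" || true   # ocsp present, too old
```

The second case is the one a version-only check lets through: the version floor is met, yet the gate still skips because the command list has no `ocsp` entry.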



Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

2018-10-19 Thread Joe Orton
On Fri, Oct 19, 2018 at 07:25:55AM -, rj...@apache.org wrote:
> Author: rjung
> Date: Fri Oct 19 07:25:55 2018
> New Revision: 1844309
> 
> URL: http://svn.apache.org/viewvc?rev=1844309=rev
> Log:
> Do not use STDIN / STDOUT as -reqin and -respout
> for "openssl ocsp", since that is supported only
> in OpenSSL 1.0.2 and above.
> 
> Instead use temporary files.

This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600

tempnam() from File::Temp is not exported and takes two arguments, are 
you testing with a different version?

   Compatibility functions:

     $unopened_file = File::Temp::tempnam( $dir, $pfx );

I would be happy to restrict this test to running with recent versions 
of OpenSSL if it requires excessive hacks to make it work with older 
ones.

A simpler/safer test for the OpenSSL versions would be

Index: t/ssl/ocsp.t
===
--- t/ssl/ocsp.t(revision 1844314)
+++ t/ssl/ocsp.t(working copy)
@@ -20,9 +20,12 @@
 # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
 # support in earlier versions without messing around with stderr
 my $openssl = Apache::TestSSLCA::openssl();
+my $version = Apache::TestSSLCA::version();
+my $min_version = "1.0.2";
+
 if (!have_min_apache_version('2.4.26')
-or `$openssl list -commands 2>&1` !~ /ocsp/) {
-print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
+or Apache::Test::normalize_vstring($version) < 
Apache::Test::normalize_vstring($min_version)) {
+print "1..0 # skip: Requires OpenSSL $min_version (got $version) and 
mod_ssl OCSP support";
 exit 0;
 }
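
Review bot: replacing the `$openssl list -commands 2>&1` !~ /ocsp/ clause with the `normalize_vstring` comparison swaps a capability check for a version check, so a binary at or above `$min_version` that does not list the ocsp command would run the test rather than skip it. Keep the probe and add the version comparison as an additional `or` clause.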