PR#47: Adapt tests to work with OpenSSL 1.1.1a - mod_nss

		`@@ -38,6 +38,11 @@`
		`echo $maxhost`
		`return`
		`fi`
		`+ hostname=$(python -c 'import socket; print(socket.getfqdn())')`
		`+ if [ $? == 0 ]; then`
		`+ echo $hostname`
		`+ return`
		`+ fi`
		defhost=`hostname`
		`if [ -e /usr/bin/host -o -e /bin/host ]; then`
		hosthost=`host $defhost \| grep -v "not found" \| awk '{print $1}'`

nss_engine_cipher.h

file modified

+1 -1

		`@@ -86,7 +86,7 @@`
		`#define SSLV3 0x00000002L`
		`#define TLSV1 SSLV3`
		`#define TLSV1_2 0x00000004L`
		`- #define TLSV1_3 0x00000005L`
		`+ #define TLSV1_3 0x00000008L`

		`/* the table itself is defined in nss_engine_cipher.c */`
		`#if 0`

test/test.py

file modified

+29 -13

		`@@ -1,5 +1,6 @@`
		`from test_config import Declarative, write_template_file, restart_apache`
		`from test_config import stop_apache`
		`+ from test_util import run`
		`from variable import ENABLE_SERVER_DHE`
		`import ssl`
		`import requests.exceptions`
		`@@ -17,6 +18,16 @@`
		`from urllib3.packages.ssl_match_hostname import CertificateError`


		`+ def www1_defined():`
		`+ """Dumb test to see if www1.example.com is a known host to see`
		`+ whether the proxy tests should be executed or not.`
		`+ """`
		`+ (out, err, rc) = run(["/usr/bin/ping",`
		`+ "-w", "2",`
		`+ "-c", "1", "www1.example.com"])`
		`+ return rc == 0`
		`+`
		`+`
		`class test_suite1(Declarative):`
		`@classmethod`
		`def setUpClass(cls):`
		`@@ -232,21 +243,26 @@`
		`expected=200,`
		`),`

		`- dict(`
		`- desc='SNI request when SNI is disabled',`
		`- request=('/index.html',`
		`- {'host': 'www1.example.com', 'port': 8000}),`
		`- expected=requests.exceptions.SSLError(),`
		`- expected_str='doesn\'t match',`
		`- ),`
		`+ ]`

		`- dict(`
		`- desc='Reverse proxy request when SNI is disabled',`
		`- request=('/proxy/index.html', {}),`
		`- expected=400,`
		`- ),`
		`+ if www1_defined():`
		`+ tests.append(`
		`+ dict(`
		`+ desc='SNI request when SNI is disabled',`
		`+ request=('/index.html',`
		`+ {'host': 'www1.example.com', 'port': 8000}),`
		`+ expected=requests.exceptions.SSLError(),`
		`+ expected_str='doesn\'t match',`
		`+ ),`
		`+ )`

		`- ]`
		`+ tests.append(`
		`+ dict(`
		`+ desc='Reverse proxy request when SNI is disabled',`
		`+ request=('/proxy/index.html', {}),`
		`+ expected=400,`
		`+ ),`
		`+ )`

		`if ENABLE_SERVER_DHE:`
		`tests.append(`

test/test_cipher.py

file modified

+24 -5

		`@@ -45,6 +45,7 @@`
		`'ECDHE-RSA-CAMELLIA128-SHA256',`
		`'DHE-RSA-CAMELLIA128-SHA256',`
		`'DHE-RSA-CAMELLIA256-SHA256',`
		`+ 'TLS_AES_128_CCM_SHA256',`
		`]`

		`CIPHERS_NOT_IN_OPENSSL = [`
		`@@ -59,7 +60,7 @@`
		`]`

		`OPENSSL_CIPHERS_IGNORE = ":-SSLv2:-KRB5:-PSK:-ADH:-DSS:-SEED:-IDEA" \`
		`- ":-SRP:-AESCCM:-AESCCM8"`
		`+ ":-SRP:-AESCCM:-AESCCM8:-RC4:-ARIA"`

		`if ENABLE_SERVER_DHE == 0:`
		`OPENSSL_CIPHERS_IGNORE += ':-DH'`
		`@@ -76,8 +77,13 @@`
		`(out, err, rc) = run([openssl, 'ciphers', 'tls1_3'])`
		`return rc == 0`

		`+ def openssl_has_ciphersuites():`
		`+ (out, err, rc) = run(["openssl", "ciphers", "-ciphersuites", "", "AES"])`
		`+ return rc == 0`
		`+`
		`OPENSSL_CHACHA20 = openssl_CHACHA20()`
		`OPENSSL_TLS13 = openssl_tls13()`
		`+ OPENSSL_HAS_CIPHERSUITES = openssl_has_ciphersuites()`

		`tls13_ciphers = [`
		`'TLS-AES-128-GCM-SHA256',`
		`@@ -86,12 +92,21 @@`
		`]`


		`- def assert_equal_openssl(ciphers):`
		`+ def assert_equal_openssl(ciphers, tls13=False):`
		`nss_ciphers = ciphers + ":-EXP:-LOW:-RC4:-EDH"`
		`ossl_ciphers = ciphers + OPENSSL_CIPHERS_IGNORE`
		`+`
		`+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:`
		`+ # Disable TLSv1.3 ciphers to match default output in openssl ciphers`
		`+ nss_ciphers = nss_ciphers + ":-TLSv1.3"`
		`(nss, err, rc) = run([exe, "--o", nss_ciphers])`
		`assert rc == 0`
		`- (ossl, err, rc) = run([openssl, "ciphers", ossl_ciphers])`
		`+ if not tls13 and OPENSSL_HAS_CIPHERSUITES:`
		`+ # Disable TLSv1.3 ciphers to match previous behavior`
		`+ cmd = [openssl, "ciphers", "-ciphersuites", "", ossl_ciphers]`
		`+ else:`
		`+ cmd = [openssl, "ciphers", ossl_ciphers]`
		`+ (ossl, err, rc) = run(cmd)`
		`assert rc == 0`

		`nss_list = nss.strip().split(':')`
		`@@ -134,9 +149,9 @@`
		`elif len(ossl_list) > len(nss_list):`
		`diff = set(ossl_list) - set(nss_list)`
		`else:`
		`- diff = ''`
		`+ diff = None`

		`- assert nss_list == ossl_list, '%r != %r. Difference %r' % (`
		`+ assert diff is None, '%r != %r. Difference %r' % (`
		`':'.join(nss_list), ':'.join(ossl_list), diff)`


		`@@ -228,6 +243,10 @@`
		`def test_TLSv12(self):`
		`assert_equal_openssl("TLSv1.2")`

		`+ def test_TLSv13(self):`
		`+ if OPENSSL_TLS13:`
		`+ assert_equal_openssl("TLSv1.3", tls13=True)`
		`+`
		`def test_NULL(self):`
		`assert_equal_openssl("NULL")`

rcritten commented 5 years ago

The ciphers command behavior that the tests relies on what modified:

*) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
would otherwise inadvertently disable all TLSv1.3 ciphersuites the
configuration has been separated out. See the ciphers man page or the
SSL_CTX_set_ciphersuites() man page for more information.
[Matt Caswell]

Update the tests to handle this change plus some other modifications.