From ic...@apache.org
Subject svn commit: r1710015 - in /httpd/test/mod_h2/trunk: ./ conf/sites/ conf/ssl/ test/
Date Thu, 22 Oct 2015 13:32:47 GMT
Author: icing
Date: Thu Oct 22 13:32:46 2015
New Revision: 1710015

URL: http://svn.apache.org/viewvc?rev=1710015&view=rev
Log:
testing new 421 handling of vhosts with compatible SSL params, testing correct HTTP/2 RST_STREAM
errors when encountering prohibited renegotiation

Added:
    httpd/test/mod_h2/trunk/conf/ssl/noh2-template.conf
    httpd/test/mod_h2/trunk/test/test_renegotiate.sh
Modified:
    httpd/test/mod_h2/trunk/Makefile.am
    httpd/test/mod_h2/trunk/conf/sites/aaa-noh2.example.org.conf
    httpd/test/mod_h2/trunk/conf/sites/test.example.org.conf
    httpd/test/mod_h2/trunk/conf/sites/test2.example.org.conf
    httpd/test/mod_h2/trunk/conf/ssl/req-template.conf
    httpd/test/mod_h2/trunk/test/test_alt_host.sh
    httpd/test/mod_h2/trunk/test/test_common.sh

Modified: httpd/test/mod_h2/trunk/Makefile.am
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/Makefile.am?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/Makefile.am (original)
+++ httpd/test/mod_h2/trunk/Makefile.am Thu Oct 22 13:32:46 2015
@@ -117,6 +117,7 @@ test: \
 	@$(TESTRUN) test/test_curl_altsvc.sh http://$(HTTP_AUTH) https://$(HTTPS_AUTH)
 	@$(TESTRUN) test/test_proto_order.sh https://$(HTTPS_AUTH) https://$(HTTPS_AUTH_2)
 	@$(TESTRUN) test/test_alt_host.sh    https://$(HTTPS_AUTH) https://$(HTTPS_AUTH_2)
+	@$(TESTRUN) test/test_renegotiate.sh https://$(HTTPS_AUTH)
 	@$(TESTRUN) test/test_nghttp_get.sh  https://$(HTTPS_AUTH)
 	@$(TESTRUN) test/test_nghttp_post.sh https://$(HTTPS_AUTH)
 	@$(TESTRUN) test/test_curl_get.sh    https://$(HTTPS_AUTH)
@@ -226,6 +227,8 @@ $(SERVER_DIR)/.test-setup: \
 		conf/sites/*.conf \
 		$(SERVER_DIR)/conf/ssl/test.example.org.key \
 		$(SERVER_DIR)/conf/ssl/test.example.org.pem \
+		$(SERVER_DIR)/conf/ssl/noh2.example.org.key \
+		$(SERVER_DIR)/conf/ssl/noh2.example.org.pem \
 		$(SERVER_DIR)/.testdocs-setup
 	@echo -n setup httpd locally...
 	@mkdir -p $(SERVER_DIR)/bin
@@ -270,6 +273,27 @@ $(SERVER_DIR)/conf/ssl/test.example.org.
 		-out $(SERVER_DIR)/conf/ssl/test.example.org.pem \
         -extfile conf/ssl/extensions.conf -extensions ssl_test
 
+$(SERVER_DIR)/conf/ssl/noh2.example.org.key:
+	@mkdir -p $(SERVER_DIR)/conf/ssl
+	openssl genrsa -out $(SERVER_DIR)/conf/ssl/noh2.example.org.key 4096
+
+$(SERVER_DIR)/conf/ssl/noh2.example.org.req: \
+		$(SERVER_DIR)/conf/ssl/noh2.example.org.key \
+        conf/ssl/noh2-template.conf
+	openssl req -new -key $(SERVER_DIR)/conf/ssl/noh2.example.org.key \
+		-out $(SERVER_DIR)/conf/ssl/noh2.example.org.req \
+	    -config conf/ssl/noh2-template.conf
+
+$(SERVER_DIR)/conf/ssl/noh2.example.org.pem: \
+		$(SERVER_DIR)/conf/ssl/noh2.example.org.key \
+		$(SERVER_DIR)/conf/ssl/noh2.example.org.req \
+		conf/ssl/extensions.conf
+	openssl x509 -req -sha256 -days 1095 \
+		-signkey $(SERVER_DIR)/conf/ssl/noh2.example.org.key \
+		-in $(SERVER_DIR)/conf/ssl/noh2.example.org.req \
+		-out $(SERVER_DIR)/conf/ssl/noh2.example.org.pem \
+        -extfile conf/ssl/extensions.conf -extensions ssl_test
+
 ################################################################################
 # php-fpm configuration
 #
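Review bot: The three new rules for `$(SERVER_DIR)/conf/ssl/noh2.example.org.{key,req,pem}` repeat the full target and prerequisite paths inside every recipe, where `$@` and `$<` would keep the recipe in step with the rule header, e.g. `openssl genrsa -out $@ 4096` for the key rule and `openssl req -new -key $< -out $@ -config conf/ssl/noh2-template.conf` for the request rule. This mirrors the existing test.example.org rules, so it is a style point rather than a defect. What does deserve a comment is why the group exists: the `.pem` rule signs with the same `-extensions ssl_test` section of `conf/ssl/extensions.conf` as test.example.org's certificate, so any subjectAltName that section carries lands on this certificate too, and a header line such as `# separate certificate for noh2.example.org so that vhost is not SSL-compatible with test.example.org (421 test)` would record the intent that the req-template.conf change in this commit presumably serves.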

Modified: httpd/test/mod_h2/trunk/conf/sites/aaa-noh2.example.org.conf
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/conf/sites/aaa-noh2.example.org.conf?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/conf/sites/aaa-noh2.example.org.conf (original)
+++ httpd/test/mod_h2/trunk/conf/sites/aaa-noh2.example.org.conf Thu Oct 22 13:32:46 2015
@@ -11,8 +11,8 @@
     Protocols http/1.1
 
     SSLEngine on
-	SSLCertificateFile conf/ssl/test.example.org.pem
-	SSLCertificateKeyFile conf/ssl/test.example.org.key
+	SSLCertificateFile conf/ssl/noh2.example.org.pem
+	SSLCertificateKeyFile conf/ssl/noh2.example.org.key
 
     RewriteEngine on
     RewriteRule ^/latest.tar.gz$ /xxx-1.0.2a.tar.gz [R=302,NC]

Modified: httpd/test/mod_h2/trunk/conf/sites/test.example.org.conf
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/conf/sites/test.example.org.conf?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/conf/sites/test.example.org.conf (original)
+++ httpd/test/mod_h2/trunk/conf/sites/test.example.org.conf Thu Oct 22 13:32:46 2015
@@ -75,6 +75,13 @@
         </FilesMatch>
     </IfModule>
 
+    <Location /ssl/renegotiate/cipher>
+        SSLCipherSuite DHE-RSA-AES256-SHA
+    </Location>
+    <Location /ssl/renegotiate/verify>
+        SSLVerifyClient require
+    </Location>
+
 </VirtualHost>
 
 

Modified: httpd/test/mod_h2/trunk/conf/sites/test2.example.org.conf
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/conf/sites/test2.example.org.conf?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/conf/sites/test2.example.org.conf (original)
+++ httpd/test/mod_h2/trunk/conf/sites/test2.example.org.conf Thu Oct 22 13:32:46 2015
@@ -12,11 +12,15 @@
 
     SSLEngine on
     SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
   
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
      
     SSLHonorCipherOrder on
     SSLCertificateFile conf/ssl/test.example.org.pem
     SSLCertificateKeyFile conf/ssl/test.example.org.key
 
+    <Location /hello.py>
+        SSLOptions +StdEnvVars
+    </Location>
+
 </VirtualHost>
 
 <VirtualHost *:SUBST_PORT_HTTP_SUBST>
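Review bot: The `SSLCipherSuite` line is removed and re-added with what looks like identical content, so the change at those lines is presumably trailing whitespace only, and the whitespace-only lines around it are kept; trimming them would leave the hunk with just the `/hello.py` Location it is actually adding. That block is what lets hello.py report `SSL_PROTOCOL` for the new test2 check in test_alt_host.sh, and a short comment above it, `# hello.py reports SSL_* vars; needed by test_alt_host.sh`, would record that dependency.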

Added: httpd/test/mod_h2/trunk/conf/ssl/noh2-template.conf
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/conf/ssl/noh2-template.conf?rev=1710015&view=auto
==============================================================================
--- httpd/test/mod_h2/trunk/conf/ssl/noh2-template.conf (added)
+++ httpd/test/mod_h2/trunk/conf/ssl/noh2-template.conf Thu Oct 22 13:32:46 2015
@@ -0,0 +1,22 @@
+[ req ]
+default_bits       = 4096
+default_md         = sha512
+default_keyfile    = key.pem
+prompt             = no
+encrypt_key        = no
+
+# base request
+distinguished_name = req_distinguished_name
+
+# distinguished_name
+[ req_distinguished_name ]
+countryName            = "DE"
+stateOrProvinceName    = "NRW"
+localityName           = "Muenster"
+postalCode             = "48155"
+streetAddress          = "Hafenweg 16"
+organizationName       = "greenbytes GmbH"
+#organizationalUnitName = ""
+commonName             = "noh2.example.org"
+emailAddress           = "webmaster@noh2.example.org"
+
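Review bot: The new template has no `[ v3_req ]` / `subjectAltName` section, unlike req-template.conf, and `default_bits`, `default_keyfile` and `default_md` are set to values the Makefile.am recipe does not use (it passes `-key` explicitly and signs with `-sha256`). If the SAN is meant to come from the `ssl_test` section of `conf/ssl/extensions.conf` at signing time, a comment saying so, `# extensions (incl. SAN) are applied at signing from conf/ssl/extensions.conf`, would save the next reader a trip; otherwise name matching on this certificate rests on the CN alone, which newer clients no longer accept.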

Modified: httpd/test/mod_h2/trunk/conf/ssl/req-template.conf
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/conf/ssl/req-template.conf?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/conf/ssl/req-template.conf (original)
+++ httpd/test/mod_h2/trunk/conf/ssl/req-template.conf Thu Oct 22 13:32:46 2015
@@ -25,4 +25,4 @@ emailAddress           = "webmaster@test
 
 # req_extensions
 [ v3_req ]
-subjectAltName  = DNS:test2.example.org,DNS:test-ser.example.org,DNS:noh2.example.org
+subjectAltName  = DNS:test2.example.org,DNS:test-ser.example.org
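Review bot: Dropping `DNS:noh2.example.org` from the SAN is what makes the test.example.org certificate stop covering the noh2 vhost, but the reason is recorded nowhere in the file. A one-line comment above `[ v3_req ]`, `# noh2.example.org has its own certificate (noh2-template.conf) so its vhost is not SSL-compatible with this one`, would document the intent.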

Modified: httpd/test/mod_h2/trunk/test/test_alt_host.sh
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/test/test_alt_host.sh?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/test/test_alt_host.sh (original)
+++ httpd/test/mod_h2/trunk/test/test_alt_host.sh Thu Oct 22 13:32:46 2015
@@ -21,9 +21,11 @@ echo "alt host access: $@"
 # check access to other hosts on same connection
 ################################################################################
 
-# The correct answer is 421 and mod_h2 will created if once the SSL parse 
-# request filter is no longer strict on SNI name checking. See
-# https://bz.apache.org/bugzilla/show_bug.cgi?id=58007#c9
+# The correct answer is 421 if a request cannot be served on the connection
+# it appears on (see RFC 7540). 
+#
+# mod_ssl refuses to serve requests for other servers than the one negotiated
+# via SNI.
 #
 MISDIR_STATUS="421 Misdirected Request"
 
@@ -32,11 +34,17 @@ URL2="$2"
 
 URL_PREFIX="$URL1"
 
+# nghttp uses the host from the header for SNI. this will fail as the
+# test conf has h2 disabled for this vhost
+#
 nghttp_check_content index.html "noh2 host" -H'Host: noh2.example.org' <<EOF
 [ERROR] HTTP/2 protocol was not selected. (nghttp2 expects h2)
 Some requests were not processed. total=1, processed=0
 EOF
 
+# Make a request via curl (that uses the url host for SNI) for a ServerAlias
+# configured on the same host.
+#
 curl_check_content hello.py "serveralias" --http2 -H'Host: test3.example.org'  <<EOF
 <html>
 <body>
@@ -47,6 +55,22 @@ SSL_PROTOCOL=${EXP_SSL_PROTOCOL}<br/>
 </html>
 EOF
 
+# Make a request via curl (that uses the url host for SNI) for a different
+# vhost that is configured, allows h2 and has the same SSL parameter.
+#
+curl_check_content hello.py "test2 host" --http2 -H'Host: test2.example.org' <<EOF
+<html>
+<body>
+<h2>Hello World!</h2>
+PROTOCOL=HTTP/2<br/>
+SSL_PROTOCOL=${EXP_SSL_PROTOCOL}<br/>
+</body>
+</html>
+EOF
+
+# Make a request via curl (that uses the url host for SNI) for a different
+# vhost that is configured without h2 support.
+#
 curl_check_content index.html "noh2 host" --http2 -H'Host: noh2.example.org' <<EOF
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
@@ -60,6 +84,9 @@ connection.</p>
 </body></html>
 EOF
 
+# Make a request via curl (that uses the url host for SNI) for an unknown
+# host.
+#
 curl_check_content index.html "unknown host" --http2 -H'Host: unknown.example.org' <<EOF
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>

Modified: httpd/test/mod_h2/trunk/test/test_common.sh
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/test/test_common.sh?rev=1710015&r1=1710014&r2=1710015&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/test/test_common.sh (original)
+++ httpd/test/mod_h2/trunk/test/test_common.sh Thu Oct 22 13:32:46 2015
@@ -81,7 +81,7 @@ curl_check_alpn() {
     ARGS="$@ -v"
     echo -n " * curl /: $MSG..."
     rm -rf $TMP
-    mkdir -p $TMP
+    mkdir -p "$TMP"
     ${CURL} $ARGS $URL_PREFIX > $TMP/out 2>&1 || fail
     fgrep "* ALPN, server accepted to use $PROTOCOL" $TMP/out >/dev/null || fail
     echo ok.
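Review bot: Only the `mkdir -p` argument gains quotes while `rm -rf $TMP` on the line above and `$TMP/out` on the lines below stay unquoted, so a `$TMP` containing whitespace still breaks the function, and an empty `$TMP` turns `rm -rf $TMP` into a silent no-op rather than an error; the same partial quoting appears in the nghttp_check_doc and nghttp_check_assets hunks. If `$TMP` is always a fixed path this is cosmetic, but then the new quotes add nothing either. Quoting all uses, starting with `rm -rf "$TMP"`, or guarding the function with `: "${TMP:?}"`, would make the intent clear. curl_check_alpn starts outside the hunk.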
@@ -93,7 +93,7 @@ nghttp_check_doc() {
     ARGS="$@"$ARG_UPGRADE
     echo -n " * nghttp /$DOC: $MSG..."
     rm -rf $TMP &&
-    mkdir -p $TMP &&
+    mkdir -p "$TMP" &&
     ${NGHTTP} $ARGS $URL_PREFIX/$DOC > $TMP/$DOC 2>&1 || fail
     diff  $DOC_ROOT/$DOC $TMP/$DOC || fail
     echo ok.
@@ -105,7 +105,7 @@ nghttp_check_assets() {
     ARGS="$@"$ARG_UPGRADE
     echo -n " * nghttp /$DOC: $MSG..."
     rm -rf $TMP &&
-    mkdir -p $TMP &&
+    mkdir -p "$TMP"
     sort > $TMP/reference
     ${NGHTTP} -ans $ARGS $URL_PREFIX/$DOC > $TMP/out 2>&1 || fail
     fgrep " /" $TMP/out | while read id begin end dur stat size path; do
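Review bot: The `&&` that chained `mkdir -p $TMP` to the following `sort > $TMP/reference` is dropped at the rewritten line, while the sibling hunk in nghttp_check_doc keeps it, so this looks unintended; with it gone, `sort` now runs (and its redirect fails) even when the mkdir failed, instead of being skipped as before. Restoring `mkdir -p "$TMP" &&` keeps the original control flow. nghttp_check_assets continues past the end of the hunk.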
@@ -115,11 +115,24 @@ nghttp_check_assets() {
     echo ok.
 }
 
+nghttp_check_rst_error() {
+    DOC="$1"; shift;
+    ERROR="$1"; shift;
+    MSG="$1"; shift;
+    rm -rf $TMP
+    mkdir -p "$(dirname $TMP/$DOC)"
+    echo -n " * nghttp /$DOC: $MSG..."
+    ${NGHTTP} "$@" -v $ARG_UPGRADE $URL_PREFIX/$DOC > $TMP/$DOC 2>&1 || fail "ret:
$?"
+    fgrep RST_STREAM $TMP/$DOC >/dev/null || fail "expected RST_STREAM in output: $( cat
$TMP/$DOC )"
+    fgrep "error_code=$ERROR" $TMP/$DOC >/dev/null || fail "expected error_code=$ERROR
in output: $( cat $TMP/$DOC )"
+    echo ok.
+}
+
 nghttp_check_content() {
     DOC="$1"; shift;
     MSG="$1"; shift;
     rm -rf $TMP
-    mkdir -p $TMP
+    mkdir -p "$(dirname $TMP/$DOC)"
     cat > $TMP/expected
     echo -n " * nghttp /$DOC: $MSG..."
     ${NGHTTP} "$@" $ARG_UPGRADE $URL_PREFIX/$DOC > $TMP/$DOC 2>&1 || fail
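Review bot: nghttp_check_rst_error greps for `RST_STREAM` and for `error_code=$ERROR` as two independent matches, so a verbose log with an RST_STREAM carrying a different code plus the expected code on an unrelated frame would still pass; matching both on one line if nghttp prints them together, or at least a comment stating that the two checks are not tied to the same frame, would make the contract explicit. The `|| fail "ret:` line and the two `fgrep … || fail` lines appear to have been wrapped by the mail archive rather than by the commit; if the file really is split that way, the unterminated quotes would break the script, which the new test_renegotiate.sh run would show immediately. The `-v` placed before `$ARG_UPGRADE` is what makes the frames visible at all and deserves a one-line comment, `# -v: nghttp only prints RST_STREAM frames in verbose mode`.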
@@ -128,11 +141,26 @@ nghttp_check_content() {
 }
 
 
+curl_check_status() {
+    DOC="$1"; shift;
+    STATUS="$1"; shift;
+    MSG="$1"; shift;
+    rm -rf $TMP
+    mkdir -p "$(dirname $TMP/$DOC)"
+    echo -n " * curl /$DOC: $MSG..."
+    ${CURL} -D - "$@" $URL_PREFIX/$DOC > $TMP/$DOC 2>&1 || fail "ret: $?"
+    read proto stat descr < $TMP/$DOC
+    if test "$STATUS" != "$stat"; then
+        fail "expected: $STATUS, got: $stat"
+    fi
+    echo ok.
+}
+
 curl_check_content() {
     DOC="$1"; shift;
     MSG="$1"; shift;
     rm -rf $TMP
-    mkdir -p $TMP
+    mkdir -p "$(dirname $TMP/$DOC)"
     cat > $TMP/expected
     echo -n " * curl /$DOC: $MSG..."
     ${CURL} "$@" $URL_PREFIX/$DOC > $TMP/$DOC 2>&1 || fail
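Review bot: curl_check_status takes the first line of `$TMP/$DOC` as the status line, but that file also captures stderr (`2>&1`), so unless `$CURL` carries `-s` the progress meter lands ahead of the headers, and an interim `100 Continue` or a followed redirect would likewise put a different status first; `stat=$(grep '^HTTP/' $TMP/$DOC | tail -1 | cut -d' ' -f2)` reads the final status regardless. As in the other new helper, `rm -rf $TMP` stays unquoted next to a quoted `mkdir -p`. curl_check_content continues past the end of the hunk.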

Added: httpd/test/mod_h2/trunk/test/test_renegotiate.sh
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/test/test_renegotiate.sh?rev=1710015&view=auto
==============================================================================
--- httpd/test/mod_h2/trunk/test/test_renegotiate.sh (added)
+++ httpd/test/mod_h2/trunk/test/test_renegotiate.sh Thu Oct 22 13:32:46 2015
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2015 greenbytes GmbH (https://www.greenbytes.de)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+source $(dirname $0)/test_common.sh
+echo "test renegotiate: $@"
+
+################################################################################
+# check access to other hosts on same connection
+################################################################################
+
+
+URL1="$1"
+
+URL_PREFIX="$URL1"
+
+# lookup a resource that requires TLS cipher suite renegotiation. Should
+# work when using HTTP/1.1
+#
+curl_check_status ssl/renegotiate/cipher "404" "curl reneg cipher: http/1"
+
+# curl does not give the RST_STREAM error anywhere, it seems. Skip this for now
+#curl_check_status ssl/renegotiate/cipher "404" "curl reneg cipher: h2" --http2
+
+# nghttp gives RST_STREAM in verbose mode, check that the given urls
+# signal fallback to HTTP/1.1
+#
+nghttp_check_rst_error ssl/renegotiate/cipher "HTTP_1_1_REQUIRED" "nghttp reneg cipher"
+nghttp_check_rst_error ssl/renegotiate/verify "HTTP_1_1_REQUIRED" "nghttp reneg verify"
+
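Review bot: The banner comment `# check access to other hosts on same connection` is carried over from test_alt_host.sh and does not describe this script; something like `# check that locations forcing a TLS renegotiation (cipher change, client cert) are refused on HTTP/2 with RST_STREAM(HTTP_1_1_REQUIRED) and still served on HTTP/1.1` would match the calls below. The `verify` location is only exercised over HTTP/2, while `cipher` gets both an HTTP/1.1 and an HTTP/2 check; with `SSLVerifyClient require` and no client certificate the HTTP/1.1 outcome is not obvious, so the omission may be deliberate, but it deserves a comment either way. `source $(dirname $0)/test_common.sh` is unquoted, so a checkout path containing spaces breaks the sourcing; `source "$(dirname "$0")/test_common.sh"` avoids that.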


