summaryrefslogtreecommitdiffstats
path: root/test/test.py
Commit message (Collapse)AuthorAgeFilesLines
* Basic test case for DHE cipher negotiationRob Crittenden2016-02-291-0/+11
|
* Add basic reverse proxy test case (over Internet)Rob Crittenden2016-01-191-0/+6
| | | | | | | | Fetches https://www.google.com and just looks for a 200 response. This adds implicit requirement that the test machine has Internet access so I might have to remove this eventually, but it at least exercises that code in a positive test case.
* Add test for colons in FakeBasicAuth user certificateRob Crittenden2016-01-151-0/+9
| | | | | | Update gencert to do a better job parsing arguments so I can pass in a --test flag to generate a special test-only user certificate to test colons in the DN.
* Add a test for reverse proxy SNIRob Crittenden2015-10-021-2/+10
|
* Add test suite for SNIRob Crittenden2015-10-021-4/+35
| | | | | | | | | | | | | | | | | | | | | | | | | python for OpenSSL is in quite a sad state with several competing mid-level implementations which provide different feature sets. The httplib client provides access to the negotiated cipher and protocol but not SNI (and it has lousy hostname checking). The urllib3 client provides SNI and is generally better but doesn't give any details on the connection. So I'm using both. The original one is used for basic server testing and the urllib3 one is used just for SNI testing. Also: - Indent the test configuration to make it more readable - Add separate config file for SNI testing - Add a CGI configuration and script to test CGI variables - Change client cipher test to use AES256-SHA instead of RC4 - Add a commented-out valgrind option in start for future debuggers - Change the VirtualServers to *:port and use ServerName - Add per-VH document roots so SNI can be more easily tested
* Fix logical AND support in OpenSSL cipher compatibilityRob Crittenden2015-07-221-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | The + operator didn't perform properly at all. It is supposed to be used either for logical AND to combine two cipher suites or to move ciphers to the end of the list. Given that NSS doesn't support cipher ordering + is a no-op in this case. Also add in a slew of missing aliases: kRSA, aRSA, EDH, ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128, AES256, CAMELLIA, CAMELLIA128, CAMELLIA256. Fix the definition of TLSv1.2. Define some ciphers as unimplemented in NSS. Renumber the mask/protocol/strength values to ensure uniqueness. Replace the existing cipher test to one that compares the output of the NSS-generated cipher string with the openssl generated string. There are a lot of restrictions on the openssl string since so much isn't either implemented or needed for mod_nss. Add a new openssl-compatible cipher request test to the server tests.
* Add compatibility for mod_ssl-style cipher definitionsRob Crittenden2014-12-021-0/+6
| | | | | | | | - Add Camelia ciphers - Remove Fortezza ciphers - Add TLSv1.2-specific ciphers Resolves BZ: #862938
* Add support for sqlite NSS databasesRob Crittenden2014-10-281-1/+2
| | | | | | | | | | | | We do a chdir() to the NSS database location so that libnssckbi.so is available when the database is opened. Strip off a sql: prefix if one is available. This allows the new sqlite format to work. Add an additional test pass configuring NSS using the sqlite format. This requires a bit of a hack to pass in the value to python but it will work for now. Resolves: #1057650
* Add a new VirtualHost for testing TLS v1.2Rob Crittenden2014-10-171-0/+89
| | | | | | Protocol is a per-server or Virtual Host setting so I added a new VH to do TLSv1.2 testing. It isn't as configurable as I'd like because the port is hardcoded but it'll do for now.
* Add some basic functional tests.Rob Crittenden2014-02-261-0/+138
This tests in an in-tree Apache instance using the local libmodnss.so shared library, so no pre-installation is necessary. The tests use python-nose and a hacked python-requests library. It is hacked so I can obtain the negotiated cipher and protocol as well as pass a few other things into it. Tests right now are limited to GET requests. A new user certificate for 'beta' was added to gencert to do pass/fail access control testing. The basic process of the tests are: - run setup.sh which sets up a new instance with createinstance.sh and does some variable substitution. - nosetests -v I picture multiple test "suites" of different configurations. Right now there is only one. A template file is provided for each suite. Tested only on Fedora 20 right now.