| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
| |
Fetches https://www.google.com and just looks for a 200 response.
This adds implicit requirement that the test machine has Internet
access so I might have to remove this eventually, but it at
least exercises that code in a positive test case.
|
|
|
|
|
|
| |
Update gencert to do a better job parsing arguments so I can
pass in a --test flag to generate a special test-only user
certificate to test colons in the DN.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python for OpenSSL is in quite a sad state with several competing
mid-level implementations which provide different feature sets.
The httplib client provides access to the negotiated cipher and
protocol but not SNI (and it has lousy hostname checking).
The urllib3 client provides SNI and is generally better but doesn't
give any details on the connection.
So I'm using both. The original one is used for basic server testing
and the urllib3 one is used just for SNI testing.
Also:
- Indent the test configuration to make it more readable
- Add separate config file for SNI testing
- Add a CGI configuration and script to test CGI variables
- Change client cipher test to use AES256-SHA instead of RC4
- Add a commented-out valgrind option in start for future
debuggers
- Change the VirtualServers to *:port and use ServerName
- Add per-VH document roots so SNI can be more easily tested
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The + operator didn't perform properly at all. It is supposed
to be used either for logical AND to combine two cipher suites
or to move ciphers to the end of the list. Given that NSS
doesn't support cipher ordering + is a no-op in this case.
Also add in a slew of missing aliases: kRSA, aRSA, EDH,
ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128,
AES256, CAMELLIA, CAMELLIA128, CAMELLIA256.
Fix the definition of TLSv1.2.
Define some ciphers as unimplemented in NSS.
Renumber the mask/protocol/strength values to ensure uniqueness.
Replace the existing cipher test to one that compares the output
of the NSS-generated cipher string with the openssl generated
string. There are a lot of restrictions on the openssl string
since so much isn't either implemented or needed for mod_nss.
Add a new openssl-compatible cipher request test to the server
tests.
|
|
|
|
|
|
|
|
| |
- Add Camelia ciphers
- Remove Fortezza ciphers
- Add TLSv1.2-specific ciphers
Resolves BZ: #862938
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do a chdir() to the NSS database location so that libnssckbi.so
is available when the database is opened. Strip off a sql: prefix
if one is available. This allows the new sqlite format to work.
Add an additional test pass configuring NSS using the sqlite format.
This requires a bit of a hack to pass in the value to python but
it will work for now.
Resolves: #1057650
|
|
|
|
|
|
| |
Protocol is a per-server or Virtual Host setting so I added a new
VH to do TLSv1.2 testing. It isn't as configurable as I'd like
because the port is hardcoded but it'll do for now.
|
|
This tests in an in-tree Apache instance using the local libmodnss.so
shared library, so no pre-installation is necessary.
The tests use python-nose and a hacked python-requests library. It is
hacked so I can obtain the negotiated cipher and protocol as well as
pass a few other things into it.
Tests right now are limited to GET requests.
A new user certificate for 'beta' was added to gencert to do pass/fail
access control testing.
The basic process of the tests are:
- run setup.sh which sets up a new instance with createinstance.sh
and does some variable substitution.
- nosetests -v
I picture multiple test "suites" of different configurations. Right now
there is only one. A template file is provided for each suite.
Tested only on Fedora 20 right now.
|