| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Since we don't support ADH ciphers can just ignore DH-*
Note that OpenSSL defines the DH- ciphers but does not implement
them so the DH string support is there only for compatibility.
|
| |
|
|
|
|
|
| |
I used to have a separate set of options when comparing the
NSS and OpenSSL ciphers. These differed between tests, sometimes
being just a difference in order. This just made the tests
hard to understand.
|
| | |
|
| |
|
|
|
|
|
| |
The AESGCM test was duplicated. Remove one.
Two different tests were in test_AES_no_ECDH. I broke one out
separately.
|
| |
|
|
|
|
|
|
| |
Fetches https://www.google.com and just looks for a 200 response.
This adds implicit requirement that the test machine has Internet
access so I might have to remove this eventually, but it at
least exercises that code in a positive test case.
|
| |
|
|
|
|
| |
Update gencert to do a better job parsing arguments so I can
pass in a --test flag to generate a special test-only user
certificate to test colons in the DN.
|
| | |
|
| |
|
|
|
| |
Use the %p option to generate separate logs for each process
with valgrind.
|
| | |
|
| | |
|
| |
|
|
| |
make check was failing in Fedora rawhide
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python for OpenSSL is in quite a sad state with several competing
mid-level implementations which provide different feature sets.
The httplib client provides access to the negotiated cipher and
protocol but not SNI (and it has lousy hostname checking).
The urllib3 client provides SNI and is generally better but doesn't
give any details on the connection.
So I'm using both. The original one is used for basic server testing
and the urllib3 one is used just for SNI testing.
Also:
- Indent the test configuration to make it more readable
- Add separate config file for SNI testing
- Add a CGI configuration and script to test CGI variables
- Change client cipher test to use AES256-SHA instead of RC4
- Add a commented-out valgrind option in start for future
debuggers
- Change the VirtualServers to *:port and use ServerName
- Add per-VH document roots so SNI can be more easily tested
|
| |
|
|
|
|
|
| |
I don't want to assume these ciphers are available in
every distro so I'm bending over backwards a bit to
check for availablility and get the defines right
for the python cipher tests.
|
| |
|
|
| |
Also add test for AESGCM
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The + operator didn't perform properly at all. It is supposed
to be used either for logical AND to combine two cipher suites
or to move ciphers to the end of the list. Given that NSS
doesn't support cipher ordering + is a no-op in this case.
Also add in a slew of missing aliases: kRSA, aRSA, EDH,
ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128,
AES256, CAMELLIA, CAMELLIA128, CAMELLIA256.
Fix the definition of TLSv1.2.
Define some ciphers as unimplemented in NSS.
Renumber the mask/protocol/strength values to ensure uniqueness.
Replace the existing cipher test to one that compares the output
of the NSS-generated cipher string with the openssl generated
string. There are a lot of restrictions on the openssl string
since so much isn't either implemented or needed for mod_nss.
Add a new openssl-compatible cipher request test to the server
tests.
|
| |
|
|
|
|
|
| |
I'm not going to commit a million of these 1-liners but I think
the code is stable enough that it won't be a big deal. If it
happens again I'll see about adding a fuzzer to assert_equal()
to avoid line number differences.
|
| |
|
|
|
|
|
|
| |
- Add Camelia ciphers
- Remove Fortezza ciphers
- Add TLSv1.2-specific ciphers
Resolves BZ: #862938
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We do a chdir() to the NSS database location so that libnssckbi.so
is available when the database is opened. Strip off a sql: prefix
if one is available. This allows the new sqlite format to work.
Add an additional test pass configuring NSS using the sqlite format.
This requires a bit of a hack to pass in the value to python but
it will work for now.
Resolves: #1057650
|
| | |
|
| |
|
|
|
|
| |
Protocol is a per-server or Virtual Host setting so I added a new
VH to do TLSv1.2 testing. It isn't as configurable as I'd like
because the port is hardcoded but it'll do for now.
|
|
|
This tests in an in-tree Apache instance using the local libmodnss.so
shared library, so no pre-installation is necessary.
The tests use python-nose and a hacked python-requests library. It is
hacked so I can obtain the negotiated cipher and protocol as well as
pass a few other things into it.
Tests right now are limited to GET requests.
A new user certificate for 'beta' was added to gencert to do pass/fail
access control testing.
The basic process of the tests are:
- run setup.sh which sets up a new instance with createinstance.sh
and does some variable substitution.
- nosetests -v
I picture multiple test "suites" of different configurations. Right now
there is only one. A template file is provided for each suite.
Tested only on Fedora 20 right now.
|
