Apache-Test
lib/Apache/TestSSLCA.pm view on Meta::CPAN
use File::Copy 'cp';
use File::Basename;
use File::Spec::Functions qw(devnull);
use Apache::TestConfig ();
use Apache::TestTrace;
use constant SSLCA_DB => 'index.txt';
# Declare the package globals used for the export list and the import hook.
use vars qw(@EXPORT_OK &import);
# Predeclare symlink so this package can provide its own sub under that name
# in place of the builtin; presumably it is defined later in the file.
use subs qw(symlink);
# Only the DN helper functions are exportable, and only on request.
@EXPORT_OK = qw(dn dn_vars dn_oneline);
# Alias this package's import() to Exporter's implementation.
# NOTE(review): no 'use Exporter' is visible in this excerpt -- confirm it is
# loaded earlier in the file.
*import = \&Exporter::import;
# openssl executable used for the CA work. APACHE_TEST_OPENSSL_CMD overrides
# the default; an unset, empty or "0" value falls back to plain 'openssl'.
# NOTE(review): the override is taken from the environment as-is, and how the
# command is invoked is not visible here -- confirm it is never combined with
# untrusted text on a shell command line.
my $openssl = $ENV{APACHE_TEST_OPENSSL_CMD} || 'openssl';

# Kept directly after $openssl: version() is defined elsewhere and
# presumably queries that binary -- TODO confirm.
my $version = version();

my $Config;    # global Apache::TestConfig object
my $CA = 'asf';

# Command-line option fragments and relative locations of the CA material.
# policy_anything presumably names a policy section of the openssl config
# used by the rest of the module.
my $days     = '-days 365';
my $capolicy = '-policy policy_anything';
my $dgst     = 'sha256';
my $cakey    = 'keys/ca.pem';
my $cacert   = 'certs/ca.crt';
my $cacrl    = 'crl/ca-bundle.crl';

# we use the same password for everything
# The passphrase is fixed and published in this source, so it gives the
# generated keys no real protection. The pass: form also places it in the
# option text handed to openssl, where process listings can show it. Both
# are acceptable only because this is throwaway test material.
my $pass = 'httpd';
my ($passin, $passout) = map { "-$_ pass:$pass" } qw(passin passout);
# (limited) subjectAltName otherName testing
# Single-quoted on purpose: Perl leaves $mail and $CN uninterpolated, so they
# are presumably expanded later, outside Perl (e.g. by the openssl config) --
# confirm against the code that writes these strings out.
# 1.3.6.1.5.5.7.8.7 is the id-on-dnsSRV otherName OID.
my $san_msupn  = ', otherName:msUPN;UTF8:$mail';
my $san_dnssrv = ', otherName:1.3.6.1.5.5.7.8.7;IA5:_https.$CN';

# in 0.9.7 s/Email/emailAddress/ in DN
my $email_field = 'emailAddress';
if (Apache::Test::normalize_vstring($version) <
    Apache::Test::normalize_vstring("0.9.7")) {
    $email_field = 'Email';
}

# downgrade to SHA-1 for OpenSSL before 0.9.8
# SHA-1 is no longer collision-resistant; it is chosen only on this legacy
# path. otherNames in x509v3_config are not supported there either, so both
# SAN fragments are blanked as well.
if (Apache::Test::normalize_vstring($version) <
    Apache::Test::normalize_vstring("0.9.8")) {
    ($dgst, $san_msupn, $san_dnssrv) = ('sha1', '', '');
}
# Protocol selection string; "all" unless TLSv1.3 has to be excluded below.
my $sslproto = "all";

# Net::SSLeay is optional here: a failed load is deliberately ignored and
# simply leaves the function probed below undefined.
eval { require Net::SSLeay; };

if (Apache::Test::normalize_vstring($version) >=
    Apache::Test::normalize_vstring("1.1.1")) {
    unless (defined(&Net::SSLeay::CTX_set_post_handshake_auth)) {
        # OpenSSL 1.1.1 disables PHA by default client-side in TLSv1.3 but
        # most clients are not updated to enable it (at time of writing).
        # Many mod_ssl tests require working PHA, so disable v1.3 unless
        # using an updated Net::SSLeay. This is strictly insufficient
        # since an updated IO::Socket::SSL is also needed; to be
        # continued. Ref: https://github.com/openssl/openssl/issues/6933
        #
        # Consequence for coverage: on this path TLSv1.3 is excluded from
        # $sslproto, so a passing run says nothing about TLSv1.3 behaviour.
        $sslproto = "all -TLSv1.3";
    }
}
# Distinguished-name fields of the test CA, keyed by CA name ('asf').
# CN is left empty here; presumably it is filled in elsewhere -- TODO confirm.
# The e-mail attribute name depends on the OpenSSL version, hence the
# variable key.
my $ca_dn = {
    asf => {
        C            => 'US',
        ST           => 'California',
        L            => 'San Francisco',
        O            => 'ASF',
        OU           => 'httpd-test',
        CN           => '',
        $email_field => 'test-dev@httpd.apache.org',
    },
};
# Per-certificate DN overrides, keyed by certificate name. An empty hash
# means no overrides; fields not listed are presumably defaulted elsewhere
# in the module -- TODO confirm.
my $cert_dn = {
    # Client identities.
    client_snakeoil => {
        C  => 'AU',
        ST => 'Queensland',
        L  => 'Mackay',
        O  => 'Snake Oil, Ltd.',
        OU => 'Staff',
    },
    client_ok      => {},
    # CN containing a ':'; presumably exercises user names with a colon.
    client_colon   => {
        CN => "user:colon",
    },
    # Presumably the certificate that ends up on the CA's CRL -- confirm.
    client_revoked => {},

    # Server identities; the OU carries the key-type tag (rsa / rsa-des3).
    server => {
        CN => 'localhost',
        OU => 'httpd-test/rsa-test',
    },
    server2 => {
        CN => 'localhost',
        OU => 'httpd-test/rsa-test-2',
    },
    server_des3 => {
        CN => 'localhost',
        OU => 'httpd-test/rsa-des3-test',
    },
    server2_des3 => {
        CN => 'localhost',
        OU => 'httpd-test/rsa-des3-test-2',
    },
};
#generate DSA versions of the server certs/keys
# keys() yields its list before the loop body runs, so the *_dsa entries
# added below are not themselves visited.
for my $rsa_name (grep { /^server/ } keys %$cert_dn) {
    # Shallow copy is sufficient: the DN values are plain strings.
    my %dsa_dn = %{ $cert_dn->{$rsa_name} };

    # Retag the key type in the OU (first 'rsa' occurrence only).
    $dsa_dn{OU} =~ s/rsa/dsa/;

    $cert_dn->{"${rsa_name}_dsa"} = \%dsa_dn;
}
sub ca_dn {
$ca_dn = shift if @_;