From fiona.klute at gmx.de Mon Feb 3 21:10:20 2020
From: fiona.klute at gmx.de (Fiona Klute)
Date: Mon, 3 Feb 2020 21:10:20 +0100
Subject: [mod_gnutls-devel] New release: mod_gnutls 0.10.0
Message-ID:

Hi everyone,

I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed
mod_gnutls/0.10.0 tag to the git repositories [1, 2].

This release brings a lot of new features and better tests:

* Added support for stapling multiple OCSP responses (TLS 1.3 only).
  mod_gnutls will staple for as many consecutive certificates in the
  certificate chain as possible.

* Added support for TLS 1.3 post-handshake authentication, used if TLS
  client authentication is required only for some resources on the
  server. Rehandshake (for older TLS versions) is not supported, the
  existing but broken code has been removed.

* The test infrastructure has been mostly rewritten in Python, note the
  new dependencies (Python 3, Pyyaml). Tests can run multiple TLS
  connections and HTTP(S) requests as well as custom hooks now, see
  test/README.md for details.

* Server certificates are checked for the must-staple TLS feature
  extension, stapling must be enabled if it is present.

* Compatibility fix for GnuTLS 3.6.11 in the test suite: Handle peer
  certificate type in TLS session information strings.

* The test system will automatically detect if it needs to load
  critical modules (e.g. mod_logio) that are built-in with the Debian
  packages. This makes the tests work on Fedora without modifications,
  and likely on similar distributions too.

* Tests can optionally run with Valgrind for the primary HTTPD instance
  by running ./configure with --enable-valgrind-test, see
  test/README.md for details.

* Known issue: When using MSVA client certificate validation the
  Valgrind tests indicate memory leaks from libcurl, which is used by
  libmsv to send requests to the MSVA.
  For details see the bug report:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950359

Regards,
Fiona

[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From pgajdos at suse.cz Thu Feb 13 20:26:36 2020
From: pgajdos at suse.cz (pgajdos)
Date: Thu, 13 Feb 2020 20:26:36 +0100
Subject: [mod_gnutls-devel] test-suite failure
Message-ID: <20200213192636.GA12732@laura.suse.cz>

Hello,

thanks for new release and new test infrastructure. I just get two
failures: test-27_OCSP_server and test-34_TLS_reverse_proxy_h2. See the
test-suite.log attached. It seems there is similar reason.

What am I missing?

Petr

--
Have a lot of fun!
-------------- next part --------------
============================================
   mod_gnutls 0.10.0: test/test-suite.log
============================================

# TOTAL: 36
# PASS: 34
# SKIP: 0
# XFAIL: 0
# FAIL: 2
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test-27_OCSP_server
=========================

Connecting to OCSP server: localhost...
Could not connect to 127.0.0.1:9936: Connection refused
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
Connecting to OCSP server: localhost...
Assuming response's signer = issuer (use --load-signer to override).
Resolving 'localhost:9936'...
Connecting to '127.0.0.1:9936'...
OCSP Response Information:
    Response Status: Successful
    Response Type: Basic OCSP Response
    Version: 1
    Responder ID: CN=Testing Authority OCSP Responder
    Produced At: Thu Feb 13 19:14:50 UTC 2020
    Responses:
        Certificate ID:
            Hash Algorithm: SHA1
            Issuer Name Hash: bac68790352ceb4c4de1534445348f8b4b5309b3
            Issuer Key Hash: e750f1f0a75dd8952273d95c7d65a78f24d5e698
            Serial Number: 22fff0d9
        Certificate Status: good
        This Update: Thu Feb 13 19:14:50 UTC 2020
        Next Update: Thu Feb 13 19:19:50 UTC 2020
    Extensions:
        Nonce: 19eacc1745ba4ac46c71242b737d811c0cafb6ebe6c8ce
    Signature Algorithm: RSA-SHA256

Verifying OCSP Response: Success.
[Thu Feb 13 19:14:50.845690 2020] [gnutls:debug] [pid 26134:tid 139946841315328] gnutls_cache.c(356): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_27_OCSP_server(65536)' created.
Found test 27_OCSP_server, test dir is /home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/27_OCSP_server
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/27_OCSP_server/ocsp.conf', '-k', 'start', '-DFOREGROUND']
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/27_OCSP_server/apache.conf', '-k', 'start', '-DFOREGROUND']
Running test connection 0: Check if the HTTPS server provides an OCSP status
Aquiring lock on test.lock...
Got lock on test.lock.
*** Fatal error: A TLS fatal alert has been received.
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
*** Received alert [40]: Handshake failed
[Thu Feb 13 19:14:51.294954 2020] [gnutls:debug] [pid 26198:tid 140665505531904] gnutls_cache.c(356): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_27_OCSP_server(65536)' created.
Unlocking test.lock...
Unlocked test.lock.
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/27_OCSP_server/apache.conf', '-k', 'stop']
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/27_OCSP_server/ocsp.conf', '-k', 'stop']
Traceback (most recent call last):
  File "./runtest.py", line 249, in <module>
    main(args)
  File "./runtest.py", line 200, in main
    response_log=args.log_responses)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 568, in run_test_conf
    response_log=response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 179, in run
    act.run(conn, response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 239, in run
    raise err
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 230, in run
    resp = conn.getresponse()
  File "/usr/lib64/python3.7/http/client.py", line 1333, in getresponse
    response.begin()
  File "/usr/lib64/python3.7/http/client.py", line 305, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.7/http/client.py", line 266, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-27_OCSP_server.bash (exit status: 1)

FAIL: test-34_TLS_reverse_proxy_h2
==================================

[Thu Feb 13 19:15:03.197431 2020] [gnutls:debug] [pid 26721:tid 139992753018880] gnutls_cache.c(356): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_34_TLS_reverse_proxy_h2_backend(65536)' created.
httpd: Syntax error on line 4 of /home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/34_TLS_reverse_proxy_h2/apache.conf: Cannot load /usr/lib64/apache2/mod_proxy_http2.so into server: /usr/lib64/apache2/mod_proxy_http2.so: undefined symbol: ap_sock_disable_nagle
Found test 34_TLS_reverse_proxy_h2, test dir is /home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/34_TLS_reverse_proxy_h2
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/34_TLS_reverse_proxy_h2/backend.conf', '-k', 'start', '-DFOREGROUND']
Starting: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/34_TLS_reverse_proxy_h2/apache.conf', '-k', 'start', '-DFOREGROUND']
Running test connection 0.
Aquiring lock on test.lock...
Got lock on test.lock.
Could not connect to 127.0.0.1:9932: Connection refused
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
[Thu Feb 13 19:15:04.011289 2020] [gnutls:debug] [pid 26856:tid 140290153654272] gnutls_cache.c(356): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_34_TLS_reverse_proxy_h2_backend(65536)' created.
Unlocking test.lock...
Unlocked test.lock.
Stopping: ['/usr/sbin/httpd', '-f', '/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/tests/34_TLS_reverse_proxy_h2/backend.conf', '-k', 'stop']
Traceback (most recent call last):
  File "./runtest.py", line 249, in <module>
    main(args)
  File "./runtest.py", line 200, in main
    response_log=args.log_responses)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 568, in run_test_conf
    response_log=response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 179, in run
    act.run(conn, response_log)
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 239, in run
    raise err
  File "/home/abuild/rpmbuild/BUILD/mod_gnutls-0.10.0/test/mgstest/tests.py", line 230, in run
    resp = conn.getresponse()
  File "/usr/lib64/python3.7/http/client.py", line 1333, in getresponse
    response.begin()
  File "/usr/lib64/python3.7/http/client.py", line 305, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.7/http/client.py", line 266, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-34_TLS_reverse_proxy_h2.bash (exit status: 1)
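
Added example, not part of the original thread or of the mod_gnutls test suite: both failed tests end in the same ConnectionResetError traceback, so this sketch splits a test-suite.log into its FAIL sections and reports the earliest-cause signal in each. The names triage, primary and SIGNALS and the priority order are assumptions made for illustration; the sample lines are constructed from the log above.

```python
import re

# Constructed sample: lines taken from the two FAIL sections of the log above,
# with the apache.conf path shortened.
SAMPLE_LOG = """\
FAIL: test-27_OCSP_server
=========================
Could not connect to 127.0.0.1:9936: Connection refused
Verifying OCSP Response: Success.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-27_OCSP_server.bash (exit status: 1)

FAIL: test-34_TLS_reverse_proxy_h2
==================================
httpd: Syntax error on line 4 of apache.conf: Cannot load /usr/lib64/apache2/mod_proxy_http2.so into server: /usr/lib64/apache2/mod_proxy_http2.so: undefined symbol: ap_sock_disable_nagle
Could not connect to 127.0.0.1:9932: Connection refused
ConnectionResetError: [Errno 104] Connection reset by peer
FAIL test-34_TLS_reverse_proxy_h2.bash (exit status: 1)
"""

# Section header as it appears in the log: "FAIL: <name>" underlined with "=".
HEADER = re.compile(r"^(?:FAIL|ERROR): (\S+)\n=+$", re.M)

# Assumed priority order (not from the project): earlier entries are treated
# as closer to the cause, later ones as symptoms shared by many failures.
SIGNALS = [
    ("module_load", re.compile(r"Cannot load (\S+) into server: .*undefined symbol: (\S+)")),
    ("tls_alert", re.compile(r"\*\*\* Received alert \[(\d+)\]: (.+)")),
    ("conn_refused", re.compile(r"Could not connect to (\S+): Connection refused")),
    ("conn_reset", re.compile(r"ConnectionResetError: \[Errno (\d+)\]")),
]

def triage(log):
    """Map each failed test to its (kind, captured fields) hits, priority first."""
    heads = list(HEADER.finditer(log))
    report = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        body = log[head.end():end]
        report[head.group(1)] = [(kind, m.groups())
                                 for kind, rx in SIGNALS
                                 for m in rx.finditer(body)]
    return report

def primary(log):
    """Highest-priority signal per failed test, or None if nothing matched."""
    return {name: (hits[0] if hits else None) for name, hits in triage(log).items()}

if __name__ == "__main__":
    for name, hit in primary(SAMPLE_LOG).items():
        print(name, hit)
```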