[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: svn commit: r1844309 - /httpd/test/framework/trunk/t/htdocs/modules/cgi/ocsp.pl.PL

Am 19.10.2018 um 11:01 schrieb Joe Orton:
On Fri, Oct 19, 2018 at 07:25:55AM -0000, rjung@xxxxxxxxxx wrote:
Author: rjung
Date: Fri Oct 19 07:25:55 2018
New Revision: 1844309

URL: http://svn.apache.org/viewvc?rev=1844309&view=rev
Do not use STDIN / STDOUT as -reqin and -respout
for "openssl ocsp", since that is supported only
in OpenSSL 1.0.2 and above.

Instead use temporary files.

This doesn't work at all for me with Perl 5.26.2 / File::Temp 0.230.600

tempnam() from File::Temp is not exported and takes two arguments, are
you testing with a different version?

Sorry, tempnam => tmpnam. Committed in r1844320. It at least works here. Would you be able to recheck?

        Compatibility functions:

          $unopened_file = File::Temp::tempnam( $dir, $pfx );

I would be happy to restrict this test to running with recent versions
of OpenSSL if it requires excessive hacks to make working with older

A simpler/safer test for the OpenSSL versions would be

Index: t/ssl/ocsp.t
--- t/ssl/ocsp.t	(revision 1844314)
+++ t/ssl/ocsp.t	(working copy)
@@ -20,9 +20,12 @@
  # Requires OpenSSL 1.1, can't find a simple way to test for OCSP
  # support in earlier versions without messing around with stderr
  my $openssl = Apache::TestSSLCA::openssl();
+my $version = Apache::TestSSLCA::version();
+my $min_version = "1.0.2";
  if (!have_min_apache_version('2.4.26')
-    or `$openssl list -commands 2>&1` !~ /ocsp/) {
-    print "1..0 # skip: No OpenSSL or mod_ssl OCSP support";
+    or Apache::Test::normalize_vstring($version) < Apache::Test::normalize_vstring($min_version)) {
+    print "1..0 # skip: Requires OpenSSL $min_version (got $version) and mod_ssl OCSP support";
      exit 0;

The problem here is, that what broke the test originally was not the wrong OpenSSL version but instead relying on a feature of it (allowing -reqin and -respout to point to STDIN resp. STDOUT). That's why I would prefer fixing the test. At least here in my environment it now works also with OpenSSL 0.9.8.

Not sure, if the change I applied (using temporary files for input and output) should already be rated as "excessive hacks". I agree, it makes a simple script roughly twice the size, but some of the new lines are because of checking the result of the system() call (we had a fire and forget exec() before).

Concerning your simpler approach: it is OK if we give up supporting 0.9.8 but we should probably keep the "or `$openssl list -commands 2>&1` !~ /ocsp/" part of the test.