Merge ~ahasenack/qa-regression-testing:apache-2.4.33-wont-start-ssl-compression into qa-regression-testing:master

Proposed by Andreas Hasenack on 2018-05-14
Status: Merged
Merged at revision: dfe329df90023fc6c82275ac9c77d87617413f29
Proposed branch: ~ahasenack/qa-regression-testing:apache-2.4.33-wont-start-ssl-compression
Merge into: qa-regression-testing:master
Diff against target: 36 lines (+24/-1)
1 file modified
scripts/ (+24/-1)
Reviewer: Steve Beattie
Date requested: 2018-05-14
Status: Approve on 2018-05-15

Commit message

Cope with apache 2.4.32 and higher no longer starting when ssl compression is requested but not provided by openssl.

Description of the change

I'm updating cosmic's apache from 2.4.29 to 2.4.33 and this triggered a test error in qa-regression-testing/scripts/
FAIL: test_cve_2012_4929_on (__main__.BasicTest)
Test CVE-2012-4929 (compression on)
Traceback (most recent call last):
  File "scripts/", line 527, in test_cve_2012_4929_on
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 287, in _prepare_ssl
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 186, in _enable_mod
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 283, in _restart
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 107, in _start
    self.assertEqual(expected, rc, result + report)
AssertionError: Got exit code 1, expected 0
Starting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.

What happened there is that since apache 2.4.32 (see, search for SSLCompression) it is considered an error to enable SSL compression if the openssl build doesn't support it.

The test suite adds "SSLCompression on" to the default site, then calls _prepare_ssl() which will eventually restart apache. The restart action is guarded by an "apachectl -t" call, which fails because of the above reason, failing the whole test.

I've seen that there are some exceptions in test_cve_2012_4929_on for similar reasons, because (according to the test) since 14.04 we don't offer ssl with compression, but in those versions at least apache would start. That is no longer the case.

This patch will catch the failure in _prepare_ssl() and check if apachectl -t failed because of this problem. If that's the case, the test is skipped (should it succeed instead?) with a message. If apachectl succeeds, or fails for a different reason, then the original exception from _prepare_ssl() is raised and the test fails.

Steve Beattie (sbeattie) wrote :

Looks good to me, merged. Thanks!

review: Approve

Preview Diff

1diff --git a/scripts/ b/scripts/
2index 6cd6432..1df4c43 100755
3--- a/scripts/
4+++ b/scripts/
5@@ -524,7 +524,30 @@ class BasicTest(testlib_httpd.HttpdCommon):
6 testlib.config_replace(self.default_vhost, "\nSSLCompression on\n", append=True)
8 (tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
9- self._prepare_ssl(srvkey_pem, srvcert_pem)
10+ # apache 2.4.32 and higher won't restart if SSL compression is requested
11+ # and openssl doesn't provide it. Restart is gated on apachctl -t
12+ # succeeding, which catches this.
13+ # From
14+ # *) mod_ssl: The SSLCompression directive will now give an error if used
15+ # with an OpenSSL build which does not support any compression methods.
16+ # [Joe Orton]
17+ try:
18+ self._prepare_ssl(srvkey_pem, srvcert_pem)
19+ except AssertionError as orig_exception:
20+ test_command = ['apache2ctl', '-t']
21+ test_msg = ('This version of OpenSSL does not have any compression '
22+ 'methods available, cannot enable SSLCompression.')
23+ # we are expecting this to fail
24+ try:
25+ _ = subprocess.check_output(test_command,
26+ stderr=subprocess.STDOUT)
27+ except subprocess.CalledProcessError as e:
28+ if test_msg in e.output:
29+ self._skipped(test_msg)
30+ return True
31+ # if the apachectl command didn't fail, or failed for a different
32+ # reason, then something else is wrong
33+ raise orig_exception
34 ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))
35 shutil.copy(cacert_pem, ca)
36 testlib.recursive_rm(tmpdir)
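Review bot: On the skip path, the `return True` inside the `except subprocess.CalledProcessError` block exits before `testlib.recursive_rm(tmpdir)` runs, so the temporary directory returned by `testlib_ssl.gen_ssl()` is left behind every time the test is skipped. Remove tmpdir before returning, or move the cleanup into a `finally` so that both the skip and the re-raise paths clean up. Two smaller points: `test_msg in e.output` compares a str with the raw output of `subprocess.check_output`, which is bytes under Python 3 and would raise TypeError there, so passing `universal_newlines=True` keeps the match working on either interpreter; and the comment spells the command "apachctl" while the code runs `apache2ctl`, and its "# From" line names no source for the quoted changelog entry.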

