Merge ~ahasenack/qa-regression-testing:apache-2.4.33-wont-start-ssl-compression into qa-regression-testing:master

Proposed by Andreas Hasenack on 2018-05-14
Status: Merged
Merged at revision: dfe329df90023fc6c82275ac9c77d87617413f29
Proposed branch: ~ahasenack/qa-regression-testing:apache-2.4.33-wont-start-ssl-compression
Merge into: qa-regression-testing:master
Diff against target: 36 lines (+24/-1)
1 file modified
scripts/ (+24/-1)
Reviewer: Steve Beattie
Date requested: 2018-05-14
Status: Approve on 2018-05-15

Commit message

Cope with apache 2.4.32 and higher no longer starting when ssl compression is requested but not provided by openssl.

Description of the change

I'm updating cosmic's apache from 2.4.29 to 2.4.33 and this triggered a test error in qa-regression-testing/scripts/
FAIL: test_cve_2012_4929_on (__main__.BasicTest)
Test CVE-2012-4929 (compression on)
Traceback (most recent call last):
  File "scripts/", line 527, in test_cve_2012_4929_on
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 287, in _prepare_ssl
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 186, in _enable_mod
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 283, in _restart
  File "/home/ubuntu/git/qa-regression-testing/scripts/", line 107, in _start
    self.assertEqual(expected, rc, result + report)
AssertionError: Got exit code 1, expected 0
Starting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.

What happened there is that since apache 2.4.32 (see, search for SSLCompression) it is considered an error to enable SSL compression if the openssl build doesn't support it.

The test suite adds "SSLCompression on" to the default site, then calls _prepare_ssl() which will eventually restart apache. The restart action is guarded by an "apachectl -t" call, which fails because of the above reason, failing the whole test.

I've seen that there are some exceptions in test_cve_2012_4929_on for similar reasons, because (according to the test) since 14.04 we don't offer ssl with compression, but in those versions at least apache would start. That is no longer the case.

This patch will catch the failure in _prepare_ssl() and check if apachectl -t failed because of this problem. If that's the case, the test is skipped (should it succeed instead?) with a message. If apachectl succeeds, or fails for a different reason, then the original exception from _prepare_ssl() is raised and the test fails.

Steve Beattie (sbeattie) wrote :

Looks good to me, merged. Thanks!

review: Approve

Preview Diff

diff --git a/scripts/ b/scripts/
index 6cd6432..1df4c43 100755
--- a/scripts/
+++ b/scripts/
@@ -524,7 +524,30 @@ class BasicTest(testlib_httpd.HttpdCommon):
524 testlib.config_replace(self.default_vhost, "\nSSLCompression on\n", append=True)524 testlib.config_replace(self.default_vhost, "\nSSLCompression on\n", append=True)
526 (tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()526 (tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
527 self._prepare_ssl(srvkey_pem, srvcert_pem)527 # apache 2.4.32 and higher won't restart if SSL compression is requested
528 # and openssl doesn't provide it. Restart is gated on apachctl -t
529 # succeeding, which catches this.
530 # From
531 # *) mod_ssl: The SSLCompression directive will now give an error if used
532 # with an OpenSSL build which does not support any compression methods.
533 # [Joe Orton]
534 try:
535 self._prepare_ssl(srvkey_pem, srvcert_pem)
536 except AssertionError as orig_exception:
537 test_command = ['apache2ctl', '-t']
538 test_msg = ('This version of OpenSSL does not have any compression '
539 'methods available, cannot enable SSLCompression.')
540 # we are expecting this to fail
541 try:
542 _ = subprocess.check_output(test_command,
543 stderr=subprocess.STDOUT)
544 except subprocess.CalledProcessError as e:
545 if test_msg in e.output:
546 self._skipped(test_msg)
547 return True
548 # if the apachectl command didn't fail, or failed for a different
549 # reason, then something else is wrong
550 raise orig_exception
528 ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))551 ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))
529 shutil.copy(cacert_pem, ca)552 shutil.copy(cacert_pem, ca)
530 testlib.recursive_rm(tmpdir)553 testlib.recursive_rm(tmpdir)
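Review bot: the early `return True` at new line 547 exits before `testlib.recursive_rm(tmpdir)` at new line 553, so on the skip path the temporary directory returned by `testlib_ssl.gen_ssl()` is never removed, and the generated certificate and key files presumably stay on disk with it. Call `testlib.recursive_rm(tmpdir)` before `self._skipped(test_msg)`, or wrap the body in try/finally so both paths clean up. Two smaller points in the same block: `if test_msg in e.output:` compares a str against the output of `subprocess.check_output`, which is bytes under Python 3 unless `universal_newlines=True` is passed, so the check would raise a TypeError there instead of skipping; and the skip depends on an exact match of httpd's error wording, so a reworded message in a later release would turn the skip back into a failure, which deserves a mention in the comment. The comment at new line 528 also misspells the command as "apachctl" while the code runs `apache2ctl`.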

