From 3ff933810835e7ef9158c39702883fe727ca6ffb Mon Sep 17 00:00:00 2001
From: Erica Portnoy
Date: Tue, 17 Mar 2020 17:21:35 -0700
Subject: [PATCH] Add test to check if OpenSSL detection is working on different systems
---
 tests/letstest/scripts/test_apache2.sh | 16 ++++++++++++
 .../letstest/scripts/test_openssl_version.py | 26 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 tests/letstest/scripts/test_openssl_version.py
diff --git a/tests/letstest/scripts/test_apache2.sh b/tests/letstest/scripts/test_apache2.sh
index 9af39e8bb..4e7deb3f3 100755
--- a/tests/letstest/scripts/test_apache2.sh
+++ b/tests/letstest/scripts/test_apache2.sh
@@ -58,6 +58,22 @@ if [ $? -ne 0 ] ; then
 FAIL=1
 fi

+# Check that ssl_module detection is working on various systems
+if [ "$OS_TYPE" = "ubuntu" ] ; then
+ MOD_SSL_LOCATION="/usr/lib/apache2/modules/mod_ssl.so"
+ APACHE_NAME=apache2
+elif [ "$OS_TYPE" = "centos" ]; then
+ MOD_SSL_LOCATION="/usr/lib/httpd/modules/mod_ssl.so"
+ APACHE_NAME=httpd
+fi
+OPENSSL_VERSION=$(strings "$MOD_SSL_LOCATION" | egrep -o '^OpenSSL ([0-9]\.[^ ]+) ' | tail -c -8)
+APACHE_VERSION=$($APACHE_NAME -v | egrep -o 'Apache/([0-9]\.[^ ]+)' | tail -c -7)
+"$PYTHON_NAME" test_openssl_version.py "$OPENSSL_VERSION" "$APACHE_VERSION"
+if [ $? -ne 0 ] ; then
+ FAIL=1
+fi
+
+
 if [ "$OS_TYPE" = "ubuntu" ] ; then
 export SERVER="$BOULDER_URL"
 "$VENV_PATH/bin/tox" -e apacheconftest
diff --git a/tests/letstest/scripts/test_openssl_version.py b/tests/letstest/scripts/test_openssl_version.py
new file mode 100644
index 000000000..f9b1e4e91
--- /dev/null
+++ b/tests/letstest/scripts/test_openssl_version.py
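Review bot: In the test_apache2.sh hunk, both version strings are cut out by byte count (`tail -c -8` and `tail -c -7`), so a version whose length differs from the assumed one reaches test_openssl_version.py truncated or with stray whitespace, and the session-ticket check may then be evaluated against the wrong version. Extracting the matched field is sturdier, for example `OPENSSL_VERSION=$(strings "$MOD_SSL_LOCATION" | sed -n 's/^OpenSSL \([0-9]\.[^ ]*\) .*/\1/p' | tail -n 1)`, with the same approach for the `Apache/` match. Separately, when `OS_TYPE` is neither `ubuntu` nor `centos`, `MOD_SSL_LOCATION` and `APACHE_NAME` stay unset and the following commands run with empty values. An `else` branch that skips the check or sets `FAIL=1` with a message would make that case explicit.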
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+# Test script for OpenSSL version checking
+from distutils.version import LooseVersion
+import sys
+
+
+def main(openssl_version, apache_version):
+ conf_file_location = "/etc/letsencrypt/options-ssl-apache.conf"
+ with open(conf_file_location) as f:
+ contents = f.read()
+ if tuple(apache_version.split(".")) < (2, 4, 11) or \
+ LooseVersion(openssl_version) < LooseVersion('1.0.2l'):
+ # should be old version
+ # assert SSLSessionTickets not in conf file
+ if "SSLSessionTickets" in contents:
+ raise Exception("Apache or OpenSSL version is too old, "
+ "but SSLSessionTickets is enabled.")
+ else:
+ # should be current version
+ # assert SSLSessionTickets in conf file
+ if "SSLSessionTickets" not in contents:
+ raise Exception("Apache and OpenSSL versions are sufficiently new, "
+ "but SSLSessionTickets is not enabled.")
+
+if __name__ == '__main__':
+ main(*sys.argv[1:])
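Review bot: The Apache half of the condition in `main` compares a tuple of strings with a tuple of ints, `tuple(apache_version.split(".")) < (2, 4, 11)`. That raises `TypeError` on Python 3 and is always false on Python 2, so the Apache version can never select the "old version" branch. Comparing like with like, as the OpenSSL side already does, fixes it: `if LooseVersion(apache_version) < LooseVersion('2.4.11') or \`. The `"SSLSessionTickets" in contents` test is also a plain substring match, so a commented-out directive would satisfy it and the directive's value is never inspected. If the intent is to assert a specific setting, matching an uncommented directive line with that value would check what the messages claim.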