Check OpenSSL version

2026-06-07 15:52:08 -04:00 · 2020-02-12 17:39:08 -08:00 · 2020-02-12 17:39:08 -08:00 · ea160c2350
commit ea160c2350
parent d0e64328df
5 changed files with 36 additions and 14 deletions
--- a/certbot-apache/certbot_apache/_internal/apache_util.py
+++ b/certbot-apache/certbot_apache/_internal/apache_util.py
@ -253,4 +253,4 @@ def find_ssl_apache_conf(prefix):
    """
    return pkg_resources.resource_filename(
        "certbot_apache",
-        os.path.join("tls_configs", "{0}-options-ssl-apache.conf".format(prefix)))
+        os.path.join("_internal", "tls_configs", "{0}-options-ssl-apache.conf".format(prefix)))
--- a/certbot-apache/certbot_apache/_internal/configurator.py
+++ b/certbot-apache/certbot_apache/_internal/configurator.py
@ -123,7 +123,7 @@ class ApacheConfigurator(common.Installer):
        """
        # Disabling TLS session tickets is supported by Apache 2.4.11+.
        # So for old versions of Apache we pick a configuration without this option.
-        if self.version < (2, 4, 11):
+        if self.version < (2, 4, 11) :#or self.openssl_version < (1, 0, 2, 'l'):
            return apache_util.find_ssl_apache_conf("old")
        return apache_util.find_ssl_apache_conf("current")

@ -189,9 +189,12 @@ class ApacheConfigurator(common.Installer):

        :param tup version: version of Apache as a tuple (2, 4, 7)
            (used mostly for unittesting)
+        :param tup openssl_version: version of OpenSSL compiled in mod_ssl as a tuple (1, 0, 2, 'l')
+            (used mostly for unittesting)

        """
        version = kwargs.pop("version", None)
+        openssl_version = kwargs.pop("openssl_version", None)
        use_parsernode = kwargs.pop("use_parsernode", False)
        super(ApacheConfigurator, self).__init__(*args, **kwargs)

@ -218,6 +221,7 @@ class ApacheConfigurator(common.Installer):
        self.parser = None
        self.parser_root = None
        self.version = version
+        self._openssl_version = openssl_version
        self.vhosts = None
        self.options = copy.deepcopy(self.OS_DEFAULTS)
        self._enhance_func = {"redirect": self._enable_redirect,
@ -234,6 +238,23 @@ class ApacheConfigurator(common.Installer):
        """Full absolute path to digest of updated SSL configuration file."""
        return os.path.join(self.config.config_dir, constants.UPDATED_MOD_SSL_CONF_DIGEST)

+    @property
+    def openssl_version(self):
+        """Lazily retrieve openssl version"""
+        if self._openssl_version:
+            return self._openssl_version
+        # Attempt to set openssl version
+        # Check for LoadModule directive
+        try:
+            ssl_module_location = self.parser.modules['ssl_module']
+        except KeyError:
+            return None
+        # Grep in the .so for openssl version
+        # TODO
+          # strings mod_ssl.so | egrep '^OpenSSL [0-9]'
+          # OpenSSL 1.0.2s  28 May 2019
+
+
    def prepare(self):
        """Prepare the authenticator/installer.

--- a/certbot-apache/certbot_apache/_internal/parser.py
+++ b/certbot-apache/certbot_apache/_internal/parser.py
@ -52,7 +52,7 @@ class ApacheParser(object):
                "version 1.2.0 or higher, please make sure you have you have "
                "those installed.")

-        self.modules = set()  # type: Set[str]
+        self.modules = {}  # type: Dict[str, str]
        self.parser_paths = {}  # type: Dict[str, List[str]]
        self.variables = {}  # type: Dict[str, str]

@ -256,7 +256,7 @@ class ApacheParser(object):
    def reset_modules(self):
        """Reset the loaded modules list. This is called from cleanup to clear
        temporarily loaded modules."""
-        self.modules = set()
+        self.modules = {}
        self.update_modules()
        self.parse_modules()

@ -267,7 +267,7 @@ class ApacheParser(object):
            the iteration issue.  Else... parse and enable mods at same time.

        """
-        mods = set()  # type: Set[str]
+        mods = {}  # type: Dict[str, str]
        matches = self.find_dir("LoadModule")
        iterator = iter(matches)
        # Make sure prev_size != cur_size for do: while: iteration
@ -281,8 +281,8 @@ class ApacheParser(object):
                mod_name = self.get_arg(match_name)
                mod_filename = self.get_arg(match_filename)
                if mod_name and mod_filename:
-                    mods.add(mod_name)
-                    mods.add(os.path.basename(mod_filename)[:-2] + "c")
+                    mods[mod_name] = mod_filename
+                    mods[os.path.basename(mod_filename)[:-2] + "c"] = mod_filename
                else:
                    logger.debug("Could not read LoadModule directive from Augeas path: %s",
                                 match_name[6:])
@ -621,7 +621,7 @@ class ApacheParser(object):

    def exclude_dirs(self, matches):
        """Exclude directives that are not loaded into the configuration."""
-        filters = [("ifmodule", self.modules), ("ifdefine", self.variables)]
+        filters = [("ifmodule", self.modules.keys()), ("ifdefine", self.variables)]

        valid_matches = []

--- a/certbot-apache/tests/configurator_test.py
+++ b/certbot-apache/tests/configurator_test.py
@ -1766,10 +1766,11 @@ class InstallSslOptionsConfTest(util.ApacheTest):
        file has been manually edited by the user, and will refuse to update it.
        This test ensures that all necessary hashes are present.
        """
-        from certbot_apache.constants import ALL_SSL_OPTIONS_HASHES
+        from certbot_apache._internal.constants import ALL_SSL_OPTIONS_HASHES
        import pkg_resources

-        tls_configs_dir = pkg_resources.resource_filename("certbot_apache", "tls_configs")
+        tls_configs_dir = pkg_resources.resource_filename(
+            "certbot_apache", os.path.join("_internal", "tls_configs"))
        all_files = [os.path.join(tls_configs_dir, name) for name in os.listdir(tls_configs_dir)
                     if name.endswith('options-ssl-apache.conf')]
        self.assertTrue(all_files)
--- a/certbot-apache/tests/parser_test.py
+++ b/certbot-apache/tests/parser_test.py
@ -114,7 +114,7 @@ class BasicParserTest(util.ParserTest):
        """
        from certbot_apache._internal.parser import get_aug_path
        # This makes sure that find_dir will work
-        self.parser.modules.add("mod_ssl.c")
+        self.parser.modules["mod_ssl.c"] = "/fake/path"

        self.parser.add_dir_to_ifmodssl(
            get_aug_path(self.parser.loc["default"]),
@ -128,7 +128,7 @@ class BasicParserTest(util.ParserTest):
    def test_add_dir_to_ifmodssl_multiple(self):
        from certbot_apache._internal.parser import get_aug_path
        # This makes sure that find_dir will work
-        self.parser.modules.add("mod_ssl.c")
+        self.parser.modules["mod_ssl.c"] = "/fake/path"

        self.parser.add_dir_to_ifmodssl(
            get_aug_path(self.parser.loc["default"]),
@ -260,7 +260,7 @@ class BasicParserTest(util.ParserTest):
        expected_vars = {"TEST": "", "U_MICH": "", "TLS": "443",
                         "example_path": "Documents/path"}

-        self.parser.modules = set()
+        self.parser.modules = {}
        with mock.patch(
            "certbot_apache._internal.parser.ApacheParser.parse_file") as mock_parse:
            self.parser.update_runtime_variables()
@ -282,7 +282,7 @@ class BasicParserTest(util.ParserTest):
                 os.path.dirname(self.parser.loc["root"]))

        mock_cfg.return_value = inc_val
-        self.parser.modules = set()
+        self.parser.modules = {}

        with mock.patch(
            "certbot_apache._internal.parser.ApacheParser.parse_file") as mock_parse: