#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: Test Apache2 SSL/TLS protocols
## bugs: [38632]
## packages:
##  - openssl
## exposure: dangerous
set -e -u

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/ucr.sh
. "$TESTLIBPATH/ucr.sh" || exit 137

cleanup () {
	ucr_restore || :
	apachectl graceful || :
	exit ${RETVAL:-0}
}
trap cleanup EXIT

OPENSSL="$(dpkg-query -W -f '${Version}' openssl)"
CMD=(
	openssl s_client
	-CAfile /etc/univention/ssl/ucsCA/CAcert.pem
	-connect localhost:443
	-quiet -no_ign_eof
)

check () {
	local check protocol result
	apachectl configtest
	apachectl graceful
	for check in "$@"
	do
		protocol=${check%=*} result=${check#*=}
		case "$protocol/$OPENSSL" in
		ssl2/1.*) continue ;; # SSLv2 is completely disabled in OpenSSL-1.x
		ssl3/1.1*) continue ;; # SSLv3 is completely disabled in OpenSSL-1.1x
		tls1_?/0.*) continue ;; # OpenSSL-0.x does not yet support TLSv1_x
		esac
		info "$check"
		"check${result}" "${CMD[@]}" "-${protocol}" </dev/null ;
	done
}
check0 () { "$@" 2>&1 | grep -q -F "ssl handshake failure" || fail_test 1 "$*"; }
check1 () { "$@" 2>&1 | grep -q -F -x "DONE" || fail_test 1 "$*"; }
check2 () { "$@" 2>&1 | grep -q -F "write:errno=0" || fail_test 1 "$*"; }
check3 () { "$@" 2>&1 | grep -q -F "tlsv1 alert protocol version" || fail_test 1 "$*"; }

ucr unset apache2/ssl/tlsv11 apache2/ssl/tlsv12
check ssl2=0 ssl3=0 tls1=1 tls1_1=1 tls1_2=1

case "$OPENSSL" in
1.*)
	ucr set apache2/ssl/tlsv11=true
	check ssl2=0 ssl3=0 tls1_1=1 tls1_2=1

	ucr set apache2/ssl/tlsv12=true
	check ssl2=0 ssl3=0 tls1=3 tls1_1=3 tls1_2=1
esac

# vim: set ft=sh :
