Merge branch '3.3dev' into https_rr

2026-06-23 16:57:38 +02:00 · 2026-06-22 16:26:38 +02:00
parent dca6434604 689516c378
commit 50966dc1d6
19 changed files with 658 additions and 298 deletions
@@ -0,0 +1,39 @@
+#!/usr/bin/env perl
+
+# Example for debugging what the runners do, here MacOS only
+# (we used that before), To get output on the screen it's
+# needed to encapsulate the functions you want to debug with
+# set -x/+x and comment the last function @ 00_testssl_help.t
+
+use strict;
+use Test::More;
+use IPC::Run3;
+
+my $os="$^O";
+my $prg="./testssl.sh";
+my $check2run ="-p";
+my $uri="testssl.sh";
+my $stdout = '';
+my $stderr = '';
+
+# if ( $os eq "darwin" ){
+     printf "%s\n", "testing MacOS ";
+     run3(["/bin/bash", $prg, $check2run, $uri], \undef, \$stdout, \$stderr);
+     print STDERR $stderr;
+     print STDOUT $stdout;
+# } elsif ( $os eq "linux" ){
+#     printf "skipped check on Linux\n\n";
+#}
+
+
+# Use the following when you want to run everything below ~/t
+# done_testing();
+
+
+# This stops, no further checks within ~/t will run:
+BAIL_OUT("Fundamental check done, aborting");
+
+
+
+# vim:ts=5:sw=5:expandtab
+
@@ -98,6 +98,11 @@ $cat_csvfile2 =~ s/.nonce-.* //g;
 $cat_csvfile  =~ s/","google.com\/.*","443/","google.com","443/g;
 $cat_csvfile2 =~ s/","google.com\/.*","443/","google.com","443/g;

+# Address differences in QUIC: Ubuntu 24.04's openssl still doesn't support QUIC, MacOS 26 does
+# (Status 06/2026, should be checked later)
+$cat_csvfile  =~  s/"QUIC".*\n//g;
+$cat_csvfile2  =~ s/"QUIC".*\n//g;
+

 if ( $os eq "darwin" ){
     # Now address the differences for LibreSSL, see t/61_diff_testsslsh.t
@@ -0,0 +1,52 @@
+#!/usr/bin/env perl
+
+# Check the HSTS preload list status against the hstspreload.org API (needs --phone-out).
+# github.com is on the preload list, example.com is not.
+#
+# We don't use a full run, only the HTTP header section.
+
+use strict;
+use Test::More;
+
+my $tests = 0;
+my $prg="./testssl.sh";
+my $csv="tmp.csv";
+my $cat_csv="";
+my $check2run="-q --color 0 --phone-out --ip=one --headers --csvfile $csv";
+my $uri="github.com";
+my @args="";
+
+die "Unable to open $prg" unless -f $prg;
+
+# Provide proper start conditions
+unlink $csv;
+
+#1 run -- a domain which is on the HSTS preload list
+printf "\n%s\n", "Unit test for HSTS preload list status against \"$uri\"";
+@args="$prg $check2run $uri >/dev/null";
+system("@args") == 0
+     or die ("FAILED: \"@args\" ");
+$cat_csv=`cat $csv`;
+
+# github.com is on the preload list
+like($cat_csv, qr/"HSTS_preloadAPI".*"preloaded"/,"\"$uri\" should be on the HSTS preload list");
+$tests++;
+unlink $csv;
+
+#2 run -- a domain which is NOT on the HSTS preload list
+$uri="example.com";
+@args="$prg $check2run $uri >/dev/null";
+system("@args") == 0
+     or die ("FAILED: \"@args\" ");
+$cat_csv=`cat $csv`;
+
+# example.com is not on the preload list
+like($cat_csv, qr/"HSTS_preloadAPI".*"no entry"/,"\"$uri\" should not be on the HSTS preload list");
+$tests++;
+unlink $csv;
+
+done_testing($tests);
+printf "\n";
+
+
+# vim:ts=5:sw=5:expandtab
@@ -8,3 +8,7 @@
 Please help to write CI tests! Documentation can be found [here](https://perldoc.perl.org/Test/More.html).
 You can consult the existing code here. Feel free to use `10_baseline_ipv4_http.t` or `12_diff_opensslversions.t` as a
 template. The latter is newer and code is cleaner.
+
+
+* `03_debug.t.DISABLED` is a handy tool when the runner is not in line with checks outside github. It provides debugging means
+* IPv6 was (status 2025) not allowed, thus the file `11_baseline_ipv6_http.t.DISABLED` which can be renamed if that will change.