From jackso...@apache.org
Subject [2/3] trafficserver git commit: Integration test for TLS ticket key rotation.
Date Tue, 30 Jun 2015 01:36:07 GMT
Integration test for TLS ticket key rotation.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/56da67cc
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/56da67cc
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/56da67cc

Branch: refs/heads/master
Commit: 56da67cc84167e5704df68199d65c0e8a598360b
Parents: 1a160e1
Author: Bin Zeng <bzeng@linkedin.com>
Authored: Wed Apr 22 16:37:45 2015 -0700
Committer: Thomas Jackson <jacksontj@apache.org>
Committed: Mon Jun 29 18:07:25 2015 -0700

----------------------------------------------------------------------
 ci/new_tsqa/files/rsa_keys/server.crt           |  16 ++
 ci/new_tsqa/files/rsa_keys/server.key           |  15 ++
 .../tests/test_tls_ticket_key_rotation.py       | 175 +++++++++++++++++++
 3 files changed, 206 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/56da67cc/ci/new_tsqa/files/rsa_keys/server.crt
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/rsa_keys/server.crt b/ci/new_tsqa/files/rsa_keys/server.crt
new file mode 100644
index 0000000..db84788
--- /dev/null
+++ b/ci/new_tsqa/files/rsa_keys/server.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/56da67cc/ci/new_tsqa/files/rsa_keys/server.key
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/rsa_keys/server.key b/ci/new_tsqa/files/rsa_keys/server.key
new file mode 100644
index 0000000..a6805d5
--- /dev/null
+++ b/ci/new_tsqa/files/rsa_keys/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/56da67cc/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
new file mode 100644
index 0000000..d617384
--- /dev/null
+++ b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
@@ -0,0 +1,175 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import logging
+from OpenSSL import SSL
+import socket
+import subprocess
+import time
+
+import helpers
+import tsqa.utils
+
+import os
+import tsqa.utils
+
+# helper function to get the path of a program.
+def which(program):
+    def is_exe(fpath):
+        return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+    fpath, fname = os.path.split(program)
+    if fpath:
+        if is_exe(program):
+            return program
+    else:
+        for path in os.environ["PATH"].split(os.pathsep):
+            path = path.strip('"')
+            exe_file = os.path.join(path, program)
+            if is_exe(exe_file):
+                return exe_file
+    return None
+"""
+ Test TLS session resumption through session tickets and TLS ticket key rotation.
+"""
+class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
+    @classmethod
+    def setUpEnv(cls, env):
+        '''
+        This function is responsible for setting up the environment for this fixture
+        This includes everything pre-daemon start
+        '''
+
+        # add an SSL port to ATS
+        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+        cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
+        cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
+
+        # configure SSL multicert
+
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1}
ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/server.crt'), helpers.tests_file_path('rsa_keys/server.key'),
helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+
+    def _get_cert(self, addr):
+        '''
+        Return the certificate for addr.
+        '''
+        ctx = SSL.Context(SSL.SSLv23_METHOD)
+        # Set up client
+        sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+        sock.connect(addr)
+        sock.do_handshake()
+        return sock.get_peer_certificate()
+
+    def test_tls_ticket_resumption(self):
+        '''
+        Make sure the new ticket key is loaded
+        '''
+        addr = ('127.0.0.1', self.ssl_port)
+        self._get_cert(addr)
+
+        # openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
+        sess = os.path.join(self.environment.layout.logdir, 'sess')
+        ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_out {2}'.format(addr[0],
addr[1], sess);
+
+        # check whether TLS session tickets are received by s_client.
+        stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+        ticket_exists = False
+        for line in stdout.splitlines():
+            text = line.strip()
+            if text.startswith("TLS session ticket:"):
+                ticket_exists = True
+                break
+        self.assertTrue(ticket_exists)
+
+        # check whether the session has been reused
+        reused = False
+        ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_in {2}'.format(addr[0],
addr[1], sess);
+        stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+        for line in stdout.splitlines():
+            text = line.strip()
+            if text.startswith("Reused, TLSv1/SSLv3,"):
+                reused = True
+                break
+        self.assertTrue(reused)
+
+        # negative test case. The session is not reused.
+        reused = False
+        ticket_cmd = 'echo | openssl s_client -connect {0}:{1}'.format(addr[0], addr[1]);
+        stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+        for line in stdout.splitlines():
+            text = line.strip()
+            if text.startswith("Reused, TLSv1/SSLv3,"):
+                reused = True
+                break
+        self.assertFalse(reused)
+
+    def test_tls_ticket_rotation(self):
+        '''
+        Make sure the new ticket key is loaded
+        '''
+        addr = ('127.0.0.1', self.ssl_port)
+        self._get_cert(addr)
+
+        '''
+        openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
+        '''
+
+        # Generate and push a new ticket key
+        rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
+        stdout, _ = tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)
+
+        # touch the ssl_multicert.config file
+        ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
+
+        read_renewed_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') +
' -r proxy.process.ssl.total_ticket_keys_renewed'
+
+        # Check whether the config file exists.
+        self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
+        touch_cmd = which('touch') + ' ' +  ssl_multicert
+        tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)
+
+        count = 0
+        while True:
+            try:
+                stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE,
shell=True)
+                old_renewed = stdout
+                break
+            except Exception:
+                ++count
+                # If we have waited more than 30 seconds and the command still failed, quit
here.
+                if count > 30:
+                    self.assertTrue(False)
+                time.sleep(1)
+
+        signal_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -x'
+        tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)
+
+        # wait for the ticket keys to be sucked in by traffic_server.
+        count = 0
+        while True:
+            try:
+                stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE,
shell=True)
+                cur_renewed = stdout
+                if old_renewed != cur_renewed:
+                    break
+            except Exception:
+                ++count
+                if count > 30:
+                    self.assertTrue(False)
+                time.sleep(1)
+
+        # the number of ticket keys renewed has been increased.
+        self.assertNotEqual(old_renewed, cur_renewed)
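Review bot: The retry counter in both wait loops never advances, because Python has no pre-increment and `++count` in the two `except Exception:` branches is just unary plus applied twice, so the 30-attempt bail-outs at `if count > 30:` are dead code. The second loop is worse: it only counts (and sleeps) on an exception, so when traffic_line answers but `proxy.process.ssl.total_ticket_keys_renewed` does not change — exactly what a broken rotation produces — the test busy-spins forever instead of failing; a bounded `for _ in range(30)` with the comparison outside the `try` fixes both (below). The rotation command `openssl rand 48 -base64 > …` also puts the option after the positional byte count, which `openssl rand` may reject depending on version, and because the shell has already truncated the target with `>` the ticket key file could be left empty while the test carries on; write it as `openssl rand -base64 48` and check the command's exit status instead of discarding it (whether ATS wants the raw 48 bytes or a base64 line in this file is worth confirming against the ticket-key loader). Note as well that the test overwrites the checked-in fixture `rsa_keys/ssl_ticket.key` in place rather than a copy under the test's logdir, and that file is not added by this commit (the diffstat lists only server.crt, server.key and the test), so it must already exist in the tree for setUpEnv to configure tickets at all.
```python
        # wait (bounded) for traffic_server to pick up the new ticket key
        cur_renewed = old_renewed
        for _ in range(30):
            try:
                cur_renewed, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
            except Exception:
                pass  # traffic_line may not be answering yet; retry after the sleep
            if cur_renewed != old_renewed:
                break
            time.sleep(1)

        # the number of ticket keys renewed has been increased.
        self.assertNotEqual(old_renewed, cur_renewed)
```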

