trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shinr...@apache.org
Subject [trafficserver] branch master updated: Add control for how outbound SNI is selected.
Date Fri, 21 Dec 2018 18:30:25 GMT
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 149195e  Add control for how outbound SNI is selected.
149195e is described below

commit 149195e7fff0bd195a6e72de96c15354c7fcfd4e
Author: Susan Hinrichs <shinrich@oath.com>
AuthorDate: Wed Dec 19 19:04:04 2018 +0000

    Add control for how outbound SNI is selected.
---
 doc/admin-guide/files/records.config.en.rst        |  7 +++
 .../api/functions/TSHttpOverridableConfig.en.rst   |  5 +-
 include/ts/apidefs.h.in                            |  1 +
 mgmt/RecordsConfig.cc                              |  2 +
 plugins/lua/ts_lua_http_config.c                   |  2 +
 proxy/http/HttpConfig.h                            |  2 +
 proxy/http/HttpSM.cc                               | 13 ++--
 src/traffic_server/InkAPI.cc                       | 10 ++-
 src/traffic_server/InkAPITest.cc                   |  3 +-
 tests/gold_tests/tls/tls_verify_override.test.py   | 72 ++++++++++++++++++----
 10 files changed, 98 insertions(+), 19 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 249bd25..a62235d 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3541,6 +3541,13 @@ Client-Related Configuration
    Specifies the location of the certificate authority file against
    which the origin server will be verified.
 
+.. ts:cv:: CONFIG proxy.config.ssl.client.sni_policy STRING NULL
+   :overridable:
+
+   Indicate how the SNI value for the TLS connection to the origin is selected.  By default
it is 
+   `host` which means the host header field value is used for the SNI.  If `remap` is specified,
the
+   remapped origin name is used for the SNI value.
+
 .. ts:cv:: CONFIG proxy.config.ssl.client.SSLv3 INT 0
 
    Enables (``1``) or disables (``0``) SSLv3 in the ATS client context. Disabled by default
diff --git a/doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst b/doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst
index 003ee33..9416861 100644
--- a/doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst
+++ b/doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst
@@ -175,7 +175,10 @@ TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED                               proxy.config
 :c:macro:`TS_CONFIG_SRV_ENABLED`                                    :ts:cv:`proxy.config.srv_enabled`
 :c:macro:`TS_CONFIG_SSL_CERT_FILENAME`                              :ts:cv:`proxy.config.ssl.client.cert.filename`
 :c:macro:`TS_CONFIG_SSL_CERT_FILEPATH`                              :ts:cv:`proxy.config.ssl.client.cert.path`
-TS_CONFIG_SSL_CLIENT_VERIFY_SERVER                                  :ts:cv:`proxy.config.ssl.client.verify.server`
+:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER`                       :ts:cv:`proxy.config.ssl.client.verify.server`
+:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES`            :ts:cv:`proxy.config.ssl.client.verify.server,properties`
+:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY`                :ts:cv:`proxy.config.ssl.client.verify.server.policy`
+:c:macro:`TS_CONFIG_SSL_CLIENT_SNI_POLICY`                          :ts:cv:`proxy.config.ssl.client.sni_policy`
 :c:macro:`TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS`                    :ts:cv:`proxy.config.ssl.hsts_include_subdomains`
 :c:macro:`TS_CONFIG_SSL_HSTS_MAX_AGE`                               :ts:cv:`proxy.config.ssl.hsts_max_age`
 :c:macro:`TS_CONFIG_URL_REMAP_PRISTINE_HOST_HDR`                    :ts:cv:`proxy.config.url_remap.pristine_host_hdr`
diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index ad5be0b..76189d1 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -801,6 +801,7 @@ typedef enum {
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
+  TS_CONFIG_SSL_CLIENT_SNI_POLICY,
   TS_CONFIG_LAST_ENTRY
 } TSOverridableConfigKey;
 
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 931c6e3..e9cb40f 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1154,6 +1154,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.client.CA.cert.path", RECD_STRING, TS_BUILD_SYSCONFDIR,
RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.client.sni_policy", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS,
RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.session_cache", RECD_INT, "2", RECU_RESTART_TS, RR_NULL,
RECC_NULL, nullptr, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.session_cache.size", RECD_INT, "102400", RECU_RESTART_TS,
RR_NULL, RECC_NULL, nullptr, RECA_NULL}
diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c
index b7c63ea..74bc201 100644
--- a/plugins/lua/ts_lua_http_config.c
+++ b/plugins/lua/ts_lua_http_config.c
@@ -137,6 +137,7 @@ typedef enum {
   TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER                      = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
   TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY               = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
   TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES           = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
+  TS_LUA_CONFIG_SSL_CLIENT_SNI_POLICY                         = TS_CONFIG_SSL_CLIENT_SNI_POLICY,
   TS_LUA_CONFIG_LAST_ENTRY                                    = TS_CONFIG_LAST_ENTRY,
 } TSLuaOverridableConfigKey;
 
@@ -264,6 +265,7 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
   TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER),
   TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY),
   TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES),
+  TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_SNI_POLICY),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_LAST_ENTRY),
diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
index 41d5e81..f274168 100644
--- a/proxy/http/HttpConfig.h
+++ b/proxy/http/HttpConfig.h
@@ -494,6 +494,7 @@ struct OverridableHttpConfigParams {
       ssl_client_verify_server(0),
       ssl_client_verify_server_policy(nullptr),
       ssl_client_verify_server_properties(nullptr),
+      ssl_client_sni_policy(nullptr),
       redirect_use_orig_cache_key(0),
       number_of_redirections(0),
       proxy_response_hsts_max_age(-1),
@@ -681,6 +682,7 @@ struct OverridableHttpConfigParams {
   MgmtByte ssl_client_verify_server;
   char *ssl_client_verify_server_policy;
   char *ssl_client_verify_server_properties;
+  char *ssl_client_sni_policy;
 
   //////////////////
   // Redirection  //
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index b372dd3..75095d9 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5048,10 +5048,15 @@ HttpSM::do_http_server_open(bool raw)
   if (scheme_to_use == URL_WKSIDX_HTTPS) {
     SMDebug("http", "calling sslNetProcessor.connect_re");
 
-    int len          = 0;
-    const char *host = t_state.hdr_info.server_request.host_get(&len);
-    if (host && len > 0) {
-      opt.set_sni_servername(host, len);
+    int len = 0;
+    if (t_state.txn_conf->ssl_client_sni_policy != nullptr && !strcmp(t_state.txn_conf->ssl_client_sni_policy,
"remap")) {
+      len = strlen(t_state.server_info.name);
+      opt.set_sni_servername(t_state.server_info.name, len);
+    } else { // Do the default of host header for SNI
+      const char *host = t_state.hdr_info.server_request.host_get(&len);
+      if (host && len > 0) {
+        opt.set_sni_servername(host, len);
+      }
     }
     if (t_state.server_info.name) {
       opt.set_ssl_servername(t_state.server_info.name);
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 7b17eb0..c537e16 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -8209,6 +8209,7 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams
*overr
     break;
   case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY:
   case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES:
+  case TS_CONFIG_SSL_CLIENT_SNI_POLICY:
     // String, must be handled elsewhere
     break;
   case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
@@ -8425,6 +8426,11 @@ TSHttpTxnConfigStringSet(TSHttpTxn txnp, TSOverridableConfigKey conf,
const char
       s->t_state.txn_conf->ssl_client_verify_server_properties = const_cast<char
*>(value);
     }
     break;
+  case TS_CONFIG_SSL_CLIENT_SNI_POLICY:
+    if (value && length > 0) {
+      s->t_state.txn_conf->ssl_client_sni_policy = const_cast<char *>(value);
+    }
+    break;
   default: {
     MgmtConverter const *conv;
     void *dest = _conf_to_memberp(conf, s->t_state.txn_conf, conv);
@@ -8614,8 +8620,8 @@ static const std::unordered_map<std::string_view, std::tuple<const
TSOverridable
     {TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS, TS_RECORDDATATYPE_INT}},
    {"proxy.config.ssl.client.verify.server", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, TS_RECORDDATATYPE_INT}},
    {"proxy.config.ssl.client.verify.server.policy", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
TS_RECORDDATATYPE_STRING}},
-   {"proxy.config.ssl.client.verify.server.properties",
-    {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES, TS_RECORDDATATYPE_STRING}}});
+   {"proxy.config.ssl.client.verify.server.properties", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
TS_RECORDDATATYPE_STRING}},
+   {"proxy.config.ssl.client.sni_policy", {TS_CONFIG_SSL_CLIENT_SNI_POLICY, TS_RECORDDATATYPE_STRING}}});
 
 TSReturnCode
 TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey *conf, TSRecordDataType
*type)
diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
index 869da77..7e17baf 100644
--- a/src/traffic_server/InkAPITest.cc
+++ b/src/traffic_server/InkAPITest.cc
@@ -8692,7 +8692,8 @@ std::array<std::string_view, TS_CONFIG_LAST_ENTRY> SDK_Overridable_Configs
= {
    OutboundConnTrack::CONFIG_VAR_MATCH,
    "proxy.config.ssl.client.verify.server",
    "proxy.config.ssl.client.verify.server.policy",
-   "proxy.config.ssl.client.verify.server.properties"}};
+   "proxy.config.ssl.client.verify.server.properties",
+   "proxy.config.ssl.client.sni_policy"}};
 
 REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS)(RegressionTest *test, int /* atype ATS_UNUSED
*/, int *pstatus)
 {
diff --git a/tests/gold_tests/tls/tls_verify_override.test.py b/tests/gold_tests/tls/tls_verify_override.test.py
index 6afbfd5..fd56819 100644
--- a/tests/gold_tests/tls/tls_verify_override.test.py
+++ b/tests/gold_tests/tls/tls_verify_override.test.py
@@ -32,6 +32,8 @@ server_foo = Test.MakeOriginServer("server_foo", ssl=True, options = {"--key":
"
 server_bar = Test.MakeOriginServer("server_bar", ssl=True, options = {"--key": "{0}/signed-bar.key".format(Test.RunDirectory),
"--cert": "{0}/signed-bar.pem".format(Test.RunDirectory)})
 server = Test.MakeOriginServer("server", ssl=True)
 
+dns = Test.MakeDNServer("dns")
+
 request_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
 request_bad_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: bad_foo.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
 request_bar_header = {"headers": "GET / HTTP/1.1\r\nHost: bar.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
@@ -54,23 +56,31 @@ ts.addSSLfile("ssl/signer.key")
 
 ts.Variables.ssl_port = 4443
 ts.Disk.remap_config.AddLine(
-    'map http://foo.com/basic https://127.0.0.1:{0}'.format(server_foo.Variables.Port))
+    'map http://foo.com/basic https://foo.com:{0}'.format(server_foo.Variables.Port))
 ts.Disk.remap_config.AddLine(
-    'map http://foo.com/override https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
+    'map http://foo.com/override https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
 ts.Disk.remap_config.AddLine(
-    'map http://bar.com/basic https://127.0.0.1:{0}'.format(server_foo.Variables.Port))
+    'map http://bar.com/basic https://bar.com:{0}'.format(server_foo.Variables.Port))
 ts.Disk.remap_config.AddLine(
-    'map http://bar.com/overridedisabled https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=DISABLED'.format(server_foo.Variables.Port))
+    'map http://bar.com/overridedisabled https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=DISABLED'.format(server_foo.Variables.Port))
 ts.Disk.remap_config.AddLine(
-    'map http://bar.com/overridesignature https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=SIGNATURE
@plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
+    'map http://bar.com/overridesignature https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=SIGNATURE
@plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
 ts.Disk.remap_config.AddLine(
-    'map http://bar.com/overrideenforced https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
+    'map http://bar.com/overrideenforced https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
 ts.Disk.remap_config.AddLine(
     'map /basic https://127.0.0.1:{0}'.format(server.Variables.Port))
 ts.Disk.remap_config.AddLine(
     'map /overrideenforce https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server.Variables.Port))
 ts.Disk.remap_config.AddLine(
     'map /overridename  https://127.0.0.1:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME'.format(server.Variables.Port))
+ts.Disk.remap_config.AddLine(
+    'map /snipolicyfooremap  https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME
@plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.sni_policy=remap'.format(server_bar.Variables.Port))
+ts.Disk.remap_config.AddLine(
+    'map /snipolicyfoohost  https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME
@plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.sni_policy=host'.format(server_bar.Variables.Port))
+ts.Disk.remap_config.AddLine(
+    'map /snipolicybarremap  https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME
@plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.sni_policy=remap'.format(server_bar.Variables.Port))
+ts.Disk.remap_config.AddLine(
+    'map /snipolicybarhost  https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME
@plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.sni_policy=host'.format(server_bar.Variables.Port))
 
 ts.Disk.ssl_multicert_config.AddLine(
     'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
@@ -91,9 +101,14 @@ ts.Disk.records_config.update({
     'proxy.config.ssl.client.verify.server.properties': 'ALL',
     'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.client.CA.cert.filename': 'signer.pem',
-    'proxy.config.url_remap.pristine_host_hdr': 1
+    'proxy.config.url_remap.pristine_host_hdr': 1,
+    'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns.Variables.Port),
+    'proxy.config.dns.resolv_conf': 'NULL'
 })
 
+dns.addRecords(records={"foo.com.": ["127.0.0.1"]})
+dns.addRecords(records={"bar.com.": ["127.0.0.1"]})
+
 # Should succeed without message
 tr = Test.AddTestRun("default-permissive-success")
 tr.Setup.Copy("ssl/signed-foo.key")
@@ -102,6 +117,7 @@ tr.Setup.Copy("ssl/signed-bar.key")
 tr.Setup.Copy("ssl/signed-bar.pem")
 tr.Processes.Default.Command = 'curl -k -H \"host: foo.com\"  http://127.0.0.1:{0}/basic'.format(ts.Variables.port)
 tr.ReturnCode = 0
+tr.Processes.Default.StartBefore(dns)
 tr.Processes.Default.StartBefore(server_foo)
 tr.Processes.Default.StartBefore(server_bar)
 tr.Processes.Default.StartBefore(server)
@@ -168,18 +184,52 @@ tr6.StillRunningAfter = server
 tr6.StillRunningAfter = ts
 tr6.Processes.Default.TimeOut = 5
 
+# Should succeed
+tr = Test.AddTestRun("foo-to-bar-sni-policy-remap")
+tr.Processes.Default.Command = "curl -k -H \"host: foo.com\"  http://127.0.0.1:{0}/snipolicybarremap".format(ts.Variables.port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could not connect", "Curl
attempt should succeed")
+
+# Should fail
+tr = Test.AddTestRun("foo-to-bar-sni-policy-host")
+tr.Processes.Default.Command = "curl -k -H \"host: foo.com\"  http://127.0.0.1:{0}/snipolicybarhost".format(ts.Variables.port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could not connect", "Curl
attempt should fail")
+
+# Should fail
+tr = Test.AddTestRun("bar-to-foo-sni-policy-remap")
+tr.Processes.Default.Command = "curl -k -H \"host: bar.com\"  http://127.0.0.1:{0}/snipolicyfooremap".format(ts.Variables.port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could not connect", "Curl
attempt should fail")
+
+# Should succeed
+tr = Test.AddTestRun("bar-to-foo-sni-policy-host")
+tr.Processes.Default.Command = "curl -k -H \"host: bar.com\"  http://127.0.0.1:{0}/snipolicyfoohost".format(ts.Variables.port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could not connect", "Curl
attempt should succeed")
+
 
 # Over riding the built in ERROR check since we expect some cases to fail
 
 # checks on random.com should fail with message only
 ts.Disk.diags_log.Content = Testers.ContainsExpression("WARNING: Core server certificate
verification failed for \(random.com\). Action=Continue Error=self signed certificate server=127.0.0.1\(127.0.0.1\)
depth=0", "Warning for self signed certificate")
-# No complaints about foo
-ts.Disk.diags_log.Content += Testers.ExcludesExpression("WARNING: SNI \(foo.com\) not in
certificate", "foo.com name requests are good")
 # permissive failure for bar.com
-ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(bar.com\) not in
certificate. Action=Continue server=127.0.0.1\(127.0.0.1\)", "Warning on missing name for
bar.com")
+ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(bar.com\) not in
certificate. Action=Continue server=bar.com\(127.0.0.1\)", "Warning on missing name for bar.com")
 # name check failure for random.com
 ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(random.com\) not
in certificate. Action=Continue server=127.0.0.1\(127.0.0.1\)", "Warning on missing name for
randome.com")
 # name check failure for bar.com
-ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(bar.com\) not in
certificate. Action=Terminate server=127.0.0.1\(127.0.0.1\)", "Failure on missing name for
bar.com")
+ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI \(bar.com\) not in
certificate. Action=Terminate server=bar.com\(127.0.0.1\)", "Failure on missing name for bar.com")
 
 


Mime
View raw message