This is an automated email from the ASF dual-hosted git repository.
shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 083c525 Add back in the option to conf_remap the verify_server
settings.
083c525 is described below
commit 083c5256f6b3c92b3f13ee8141db3c74e23feefb
Author: Susan Hinrichs <[email protected]>
AuthorDate: Thu Nov 29 16:08:05 2018 +0000
Add back in the option to conf_remap the verify_server settings.
---
doc/admin-guide/files/records.config.en.rst | 8 +-
include/ts/apidefs.h.in | 3 +
iocore/net/P_SSLSNI.h | 6 +-
iocore/net/SSLNetVConnection.cc | 22 ++-
iocore/net/YamlSNIConfig.h | 8 +-
plugins/lua/ts_lua_http_config.c | 6 +
proxy/http/HttpConfig.h | 4 +
proxy/http/HttpSM.cc | 42 +++++
src/traffic_server/InkAPI.cc | 23 ++-
src/traffic_server/InkAPITest.cc | 5 +-
tests/gold_tests/tls/tls_verify_override.test.py | 185 +++++++++++++++++++++++
11 files changed, 297 insertions(+), 15 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst
b/doc/admin-guide/files/records.config.en.rst
index 52ee8fc..249bd25 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3455,11 +3455,14 @@ Client-Related Configuration
.. ts:cv:: CONFIG proxy.config.ssl.client.verify.server.policy STRING DISABLED
:reloadable:
+ :overridable:
Configures |TS| to verify the origin server certificate
with the Certificate Authority (CA). This configuration takes a value of
:code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`
- You can override this global setting on a per domain basis in the
ssl_servername.yaml file using the :ref:`verify_server_policy
attribute<override-verify-server-policy>`.
+ You can override this global setting on a per domain basis in the
ssl_server_name.yaml file using the :ref:`verify_server_policy
attribute<override-verify-server-policy>`.
+
+ You can also override via the conf_remap plugin. Those changes will take
precedence over the changes in ssl_server_name.yaml.
:code:`DISABLED`
Server Certificate will not be verified
@@ -3470,11 +3473,14 @@ Client-Related Configuration
.. ts:cv:: CONFIG proxy.config.ssl.client.verify.server.properties STRING ALL
:reloadable:
+ :overridable:
Configures |TS| for what the default verify callback should check during
origin server verification.
You can override this global setting on a per domain basis in the
ssl_servername.yaml file using the :ref:`verify_server_properties
attribute<override-verify-server-properties>`.
+ You can also override via the conf_remap plugin. Those changes will take
precedence over the changes in ssl_server_name.yaml.
+
:code:`NONE`
Check nothing in the standard callback. Rely entirely on plugins to check
the certificate.
:code:`SIGNATURE`
diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index b8ab962..6c04265 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -782,6 +782,9 @@ typedef enum {
TS_CONFIG_HTTP_ALLOW_HALF_OPEN,
TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX,
TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH,
+ TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
+ TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
+ TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
TS_CONFIG_LAST_ENTRY
} TSOverridableConfigKey;
diff --git a/iocore/net/P_SSLSNI.h b/iocore/net/P_SSLSNI.h
index 15580ff..a1d7504 100644
--- a/iocore/net/P_SSLSNI.h
+++ b/iocore/net/P_SSLSNI.h
@@ -42,9 +42,9 @@
// Properties for the next hop server
struct NextHopProperty {
- std::string name;
// name of the server
- YamlSNIConfig::Policy verifyServerPolicy =
YamlSNIConfig::Policy::DISABLED; // whether to verify the next hop
- YamlSNIConfig::Property verifyServerProperties =
YamlSNIConfig::Property::NONE; // what to verify on the next hop
+ std::string name;
// name of the server
+ YamlSNIConfig::Policy verifyServerPolicy =
YamlSNIConfig::Policy::UNSET; // whether to verify the next hop
+ YamlSNIConfig::Property verifyServerProperties =
YamlSNIConfig::Property::UNSET; // what to verify on the next hop
SSL_CTX *ctx = nullptr; // ctx generated
off the certificate to present to this server
NextHopProperty();
};
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 71e1b08..96221d4 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -971,15 +971,27 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
SSL_CTX *clientCTX = nullptr;
if (nps) {
- clientCTX = nps->ctx;
- options.verifyServerPolicy = nps->verifyServerPolicy;
- options.verifyServerProperties = nps->verifyServerProperties;
+ clientCTX = nps->ctx;
+ } else { // Just stay with the values passed down from the SM for verify
+ clientCTX = params->client_ctx;
+ }
+ if (options.verifyServerPolicy != YamlSNIConfig::Policy::UNSET) {
+ // Stay with conf-override version as the highest priority
+ } else if (nps && nps->verifyServerPolicy !=
YamlSNIConfig::Policy::UNSET) {
+ options.verifyServerPolicy = nps->verifyServerPolicy;
+ } else {
+ options.verifyServerPolicy = params->verifyServerPolicy;
+ }
+
+ if (options.verifyServerProperties != YamlSNIConfig::Property::UNSET) {
+ // Stay with conf-override version as the highest priority
+ } else if (nps && nps->verifyServerProperties !=
YamlSNIConfig::Property::UNSET) {
+ options.verifyServerProperties = nps->verifyServerProperties;
} else {
- clientCTX = params->client_ctx;
- options.verifyServerPolicy = params->verifyServerPolicy;
options.verifyServerProperties = params->verifyServerProperties;
}
+
if (!clientCTX) {
SSLErrorVC(this, "failed to create SSL client session");
return EVENT_ERROR;
diff --git a/iocore/net/YamlSNIConfig.h b/iocore/net/YamlSNIConfig.h
index 8926c29..0acf4f2 100644
--- a/iocore/net/YamlSNIConfig.h
+++ b/iocore/net/YamlSNIConfig.h
@@ -52,8 +52,8 @@ struct YamlSNIConfig {
client_cert
};
enum class Level { NONE = 0, MODERATE, STRICT };
- enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED };
- enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK =
0x2, ALL_MASK = 0x3 };
+ enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED, UNSET };
+ enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK =
0x2, ALL_MASK = 0x3, UNSET };
YamlSNIConfig() {}
@@ -63,8 +63,8 @@ struct YamlSNIConfig {
uint8_t verify_client_level = 255;
std::string tunnel_destination;
bool tunnel_decrypt = false;
- Policy verify_server_policy = Policy::DISABLED;
- Property verify_server_properties = Property::NONE;
+ Policy verify_server_policy = Policy::UNSET;
+ Property verify_server_properties = Property::UNSET;
std::string client_cert;
std::string client_key;
std::string ip_allow;
diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c
index d7f25c6..b7c63ea 100644
--- a/plugins/lua/ts_lua_http_config.c
+++ b/plugins/lua/ts_lua_http_config.c
@@ -134,6 +134,9 @@ typedef enum {
TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE =
TS_CONFIG_HTTP_ALLOW_MULTI_RANGE,
TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED =
TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED,
TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN =
TS_CONFIG_HTTP_ALLOW_HALF_OPEN,
+ TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER =
TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
+ TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY =
TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
+ TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES =
TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
TS_LUA_CONFIG_LAST_ENTRY =
TS_CONFIG_LAST_ENTRY,
} TSLuaOverridableConfigKey;
@@ -258,6 +261,9 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN),
+ TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER),
+ TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY),
+ TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_LAST_ENTRY),
diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
index fd61d07..41d5e81 100644
--- a/proxy/http/HttpConfig.h
+++ b/proxy/http/HttpConfig.h
@@ -492,6 +492,8 @@ struct OverridableHttpConfigParams {
request_buffer_enabled(0),
allow_half_open(1),
ssl_client_verify_server(0),
+ ssl_client_verify_server_policy(nullptr),
+ ssl_client_verify_server_properties(nullptr),
redirect_use_orig_cache_key(0),
number_of_redirections(0),
proxy_response_hsts_max_age(-1),
@@ -677,6 +679,8 @@ struct OverridableHttpConfigParams {
// server verification mode//
/////////////////////////////
MgmtByte ssl_client_verify_server;
+ char *ssl_client_verify_server_policy;
+ char *ssl_client_verify_server_properties;
//////////////////
// Redirection //
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index e677a8e..435da94 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -4671,6 +4671,46 @@ HttpSM::send_origin_throttled_response()
call_transact_and_set_next_state(HttpTransact::HandleResponse);
}
+static void
+set_tls_options(NetVCOptions &opt, OverridableHttpConfigParams *txn_conf)
+{
+ char *verify_server = nullptr;
+ if (txn_conf->ssl_client_verify_server_policy == nullptr) {
+ opt.verifyServerPolicy = YamlSNIConfig::Policy::UNSET;
+ } else {
+ verify_server = txn_conf->ssl_client_verify_server_policy;
+ if (strcmp(verify_server, "DISABLED") == 0) {
+ opt.verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
+ } else if (strcmp(verify_server, "PERMISSIVE") == 0) {
+ opt.verifyServerPolicy = YamlSNIConfig::Policy::PERMISSIVE;
+ } else if (strcmp(verify_server, "ENFORCED") == 0) {
+ opt.verifyServerPolicy = YamlSNIConfig::Policy::ENFORCED;
+ } else {
+ Warning("%s is invalid for proxy.config.ssl.client.verify.server.policy.
Should be one of DISABLED, PERMISSIVE, or ENFORCED",
+ verify_server);
+ opt.verifyServerPolicy = YamlSNIConfig::Policy::UNSET;
+ }
+ }
+ if (txn_conf->ssl_client_verify_server_properties == nullptr) {
+ opt.verifyServerProperties = YamlSNIConfig::Property::UNSET;
+ } else {
+ verify_server = txn_conf->ssl_client_verify_server_properties;
+ if (strcmp(verify_server, "SIGNATURE") == 0) {
+ opt.verifyServerProperties = YamlSNIConfig::Property::SIGNATURE_MASK;
+ } else if (strcmp(verify_server, "NAME") == 0) {
+ opt.verifyServerProperties = YamlSNIConfig::Property::NAME_MASK;
+ } else if (strcmp(verify_server, "ALL") == 0) {
+ opt.verifyServerProperties = YamlSNIConfig::Property::ALL_MASK;
+ } else if (strcmp(verify_server, "NONE") == 0) {
+ opt.verifyServerProperties = YamlSNIConfig::Property::NONE;
+ } else {
+ Warning("%s is invalid for
proxy.config.ssl.client.verify.server.properties. Should be one of SIGNATURE,
NAME, or ALL",
+ verify_server);
+ opt.verifyServerProperties = YamlSNIConfig::Property::NONE;
+ }
+ }
+}
+
//////////////////////////////////////////////////////////////////////////
//
// HttpSM::do_http_server_open()
@@ -4959,6 +4999,8 @@ HttpSM::do_http_server_open(bool raw)
t_state.txn_conf->sock_option_flag_out,
t_state.txn_conf->sock_packet_mark_out,
t_state.txn_conf->sock_packet_tos_out);
+ set_tls_options(opt, t_state.txn_conf);
+
opt.ip_family = ip_family;
if (ua_txn) {
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 810435a..7b17eb0 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -8204,6 +8204,13 @@ _conf_to_memberp(TSOverridableConfigKey conf,
OverridableHttpConfigParams *overr
case TS_CONFIG_SSL_CERT_FILEPATH:
ret = _memberp_to_generic(&overridableHttpConfig->client_cert_filepath,
conv);
break;
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
+ ret =
_memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, conv);
+ break;
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY:
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES:
+ // String, must be handled elsewhere
+ break;
case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
ret =
_memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb,
conv);
break;
@@ -8408,6 +8415,16 @@ TSHttpTxnConfigStringSet(TSHttpTxn txnp,
TSOverridableConfigKey conf, const char
}
}
break;
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY:
+ if (value && length > 0) {
+ s->t_state.txn_conf->ssl_client_verify_server_policy = const_cast<char
*>(value);
+ }
+ break;
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES:
+ if (value && length > 0) {
+ s->t_state.txn_conf->ssl_client_verify_server_properties =
const_cast<char *>(value);
+ }
+ break;
default: {
MgmtConverter const *conv;
void *dest = _conf_to_memberp(conf, s->t_state.txn_conf, conv);
@@ -8594,7 +8611,11 @@ static const std::unordered_map<std::string_view,
std::tuple<const TSOverridable
{"proxy.config.http.connect_attempts_max_retries_dead_server",
{TS_CONFIG_HTTP_CONNECT_ATTEMPTS_MAX_RETRIES_DEAD_SERVER,
TS_RECORDDATATYPE_INT}},
{"proxy.config.http.parent_proxy.per_parent_connect_attempts",
- {TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS, TS_RECORDDATATYPE_INT}}});
+ {TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS, TS_RECORDDATATYPE_INT}},
+ {"proxy.config.ssl.client.verify.server",
{TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, TS_RECORDDATATYPE_INT}},
+ {"proxy.config.ssl.client.verify.server.policy",
{TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY, TS_RECORDDATATYPE_STRING}},
+ {"proxy.config.ssl.client.verify.server.properties",
+ {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
TS_RECORDDATATYPE_STRING}}});
TSReturnCode
TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey
*conf, TSRecordDataType *type)
diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
index e044e5c..869da77 100644
--- a/src/traffic_server/InkAPITest.cc
+++ b/src/traffic_server/InkAPITest.cc
@@ -8689,7 +8689,10 @@ std::array<std::string_view, TS_CONFIG_LAST_ENTRY>
SDK_Overridable_Configs = {
"proxy.config.http.request_buffer_enabled",
"proxy.config.http.allow_half_open",
OutboundConnTrack::CONFIG_VAR_MAX,
- OutboundConnTrack::CONFIG_VAR_MATCH}};
+ OutboundConnTrack::CONFIG_VAR_MATCH,
+ "proxy.config.ssl.client.verify.server",
+ "proxy.config.ssl.client.verify.server.policy",
+ "proxy.config.ssl.client.verify.server.properties"}};
REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS)(RegressionTest *test, int /*
atype ATS_UNUSED */, int *pstatus)
{
diff --git a/tests/gold_tests/tls/tls_verify_override.test.py
b/tests/gold_tests/tls/tls_verify_override.test.py
new file mode 100644
index 0000000..6afbfd5
--- /dev/null
+++ b/tests/gold_tests/tls/tls_verify_override.test.py
@@ -0,0 +1,185 @@
+'''
+'''
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+Test.Summary = '''
+Test tls server certificate verification options. Exercise conf_remap
+'''
+
+# need Curl
+Test.SkipUnless(
+ Condition.HasProgram("curl", "Curl need to be installed on system for this
test to work")
+)
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=False)
+server_foo = Test.MakeOriginServer("server_foo", ssl=True, options = {"--key":
"{0}/signed-foo.key".format(Test.RunDirectory), "--cert":
"{0}/signed-foo.pem".format(Test.RunDirectory)})
+server_bar = Test.MakeOriginServer("server_bar", ssl=True, options = {"--key":
"{0}/signed-bar.key".format(Test.RunDirectory), "--cert":
"{0}/signed-bar.pem".format(Test.RunDirectory)})
+server = Test.MakeOriginServer("server", ssl=True)
+
+request_foo_header = {"headers": "GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n",
"timestamp": "1469733493.993", "body": ""}
+request_bad_foo_header = {"headers": "GET / HTTP/1.1\r\nHost:
bad_foo.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+request_bar_header = {"headers": "GET / HTTP/1.1\r\nHost: bar.com\r\n\r\n",
"timestamp": "1469733493.993", "body": ""}
+request_bad_bar_header = {"headers": "GET / HTTP/1.1\r\nHost:
bad_bar.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n",
"timestamp": "1469733493.993", "body": ""}
+server_foo.addResponse("sessionlog.json", request_foo_header, response_header)
+server_foo.addResponse("sessionlog.json", request_bad_foo_header,
response_header)
+server_bar.addResponse("sessionlog.json", request_bar_header, response_header)
+server_bar.addResponse("sessionlog.json", request_bad_bar_header,
response_header)
+
+# add ssl materials like key, certificates for the server
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signed-bar.pem")
+ts.addSSLfile("ssl/signed-bar.key")
+ts.addSSLfile("ssl/server.pem")
+ts.addSSLfile("ssl/server.key")
+ts.addSSLfile("ssl/signer.pem")
+ts.addSSLfile("ssl/signer.key")
+
+ts.Variables.ssl_port = 4443
+ts.Disk.remap_config.AddLine(
+ 'map http://foo.com/basic
https://127.0.0.1:{0}'.format(server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map http://foo.com/override https://127.0.0.1:{0} @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map http://bar.com/basic
https://127.0.0.1:{0}'.format(server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map http://bar.com/overridedisabled https://127.0.0.1:{0}
@plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.policy=DISABLED'.format(server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map http://bar.com/overridesignature https://127.0.0.1:{0}
@plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.properties=SIGNATURE
@plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map http://bar.com/overrideenforced https://127.0.0.1:{0}
@plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server_foo.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map /basic https://127.0.0.1:{0}'.format(server.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map /overrideenforce https://127.0.0.1:{0} @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format(server.Variables.Port))
+ts.Disk.remap_config.AddLine(
+ 'map /overridename https://127.0.0.1:{0} @plugin=conf_remap.so
@pparam=proxy.config.ssl.client.verify.server.properties=NAME'.format(server.Variables.Port))
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+# Case 1, global config policy=permissive properties=signature
+# override for foo.com policy=enforced properties=all
+ts.Disk.records_config.update({
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'http|ssl',
+ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts.Variables.SSLDir),
+ # enable ssl port
+ 'proxy.config.http.server_ports': '{0}
{1}:proto=http2;http:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
+ 'proxy.config.ssl.server.cipher_suite':
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
+ # set global policy
+ 'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE',
+ 'proxy.config.ssl.client.verify.server.properties': 'ALL',
+ 'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.ssl.client.CA.cert.filename': 'signer.pem',
+ 'proxy.config.url_remap.pristine_host_hdr': 1
+})
+
+# Should succeed without message
+tr = Test.AddTestRun("default-permissive-success")
+tr.Setup.Copy("ssl/signed-foo.key")
+tr.Setup.Copy("ssl/signed-foo.pem")
+tr.Setup.Copy("ssl/signed-bar.key")
+tr.Setup.Copy("ssl/signed-bar.pem")
+tr.Processes.Default.Command = 'curl -k -H \"host: foo.com\"
http://127.0.0.1:{0}/basic'.format(ts.Variables.port)
+tr.ReturnCode = 0
+tr.Processes.Default.StartBefore(server_foo)
+tr.Processes.Default.StartBefore(server_bar)
+tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(Test.Processes.ts,
ready=When.PortOpen(ts.Variables.port))
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.TimeOut = 5
+# Should succed. No message
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr.TimeOut = 5
+
+tr2 = Test.AddTestRun("default-permissive-fail")
+tr2.Processes.Default.Command = "curl -k -H \"host: bar.com\"
http://127.0.0.1:{0}/basic".format(ts.Variables.port)
+tr2.ReturnCode = 0
+tr2.StillRunningAfter = server
+tr2.Processes.Default.TimeOut = 5
+tr2.StillRunningAfter = ts
+# Should succeed, but will be message in log about name mismatch
+tr2.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr2.TimeOut = 5
+
+tr2 = Test.AddTestRun("default-permissive-fail2")
+tr2.Processes.Default.Command = "curl -k -H \"host: random.com\"
http://127.0.0.1:{0}/basic".format(ts.Variables.port)
+tr2.ReturnCode = 0
+tr2.StillRunningAfter = server
+tr2.Processes.Default.TimeOut = 5
+tr2.StillRunningAfter = ts
+# Should succeed, but will be message in log about signature
+tr2.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr2.TimeOut = 5
+
+tr3 = Test.AddTestRun("override-foo")
+tr3.Processes.Default.Command = "curl -k -H \"host: foo.com\"
http://127.0.0.1:{0}/override".format(ts.Variables.port)
+tr3.ReturnCode = 0
+tr3.StillRunningAfter = server
+tr3.StillRunningAfter = ts
+# Should succeed. No error messages
+tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr3.Processes.Default.TimeOut = 5
+
+tr4 = Test.AddTestRun("override-bar-disabled")
+tr4.Processes.Default.Command = "curl -k -H \"host: bad_bar.com\"
http://127.0.0.1:{0}/overridedisabled".format(ts.Variables.port)
+tr4.ReturnCode = 0
+tr4.StillRunningAfter = server
+tr4.StillRunningAfter = ts
+# Succeed. No error messages
+tr4.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr4.Processes.Default.TimeOut = 5
+
+tr5 = Test.AddTestRun("override-bar-signature-enforced")
+tr5.Processes.Default.Command = "curl -k -H \"host: bar.com\"
http://127.0.0.1:{0}/overridesignature".format(ts.Variables.port)
+tr5.ReturnCode = 0
+tr5.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
+tr5.StillRunningAfter = server
+tr5.StillRunningAfter = ts
+tr5.Processes.Default.TimeOut = 5
+
+tr6 = Test.AddTestRun("override-bar-enforced")
+tr6.Processes.Default.Command = "curl -k -H \"host: bar.com\"
http://127.0.0.1:{0}/overrideenforced".format(ts.Variables.port)
+tr6.ReturnCode = 0
+# Should fail
+tr6.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could Not
Connect", "Curl attempt should have failed")
+tr6.StillRunningAfter = server
+tr6.StillRunningAfter = ts
+tr6.Processes.Default.TimeOut = 5
+
+
+# Over riding the built in ERROR check since we expect some cases to fail
+
+# checks on random.com should fail with message only
+ts.Disk.diags_log.Content = Testers.ContainsExpression("WARNING: Core server
certificate verification failed for \(random.com\). Action=Continue Error=self
signed certificate server=127.0.0.1\(127.0.0.1\) depth=0", "Warning for self
signed certificate")
+# No complaints about foo
+ts.Disk.diags_log.Content += Testers.ExcludesExpression("WARNING: SNI
\(foo.com\) not in certificate", "foo.com name requests are good")
+# permissive failure for bar.com
+ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI
\(bar.com\) not in certificate. Action=Continue server=127.0.0.1\(127.0.0.1\)",
"Warning on missing name for bar.com")
+# name check failure for random.com
+ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI
\(random.com\) not in certificate. Action=Continue
server=127.0.0.1\(127.0.0.1\)", "Warning on missing name for randome.com")
+# name check failure for bar.com
+ts.Disk.diags_log.Content += Testers.ContainsExpression("WARNING: SNI
\(bar.com\) not in certificate. Action=Terminate
server=127.0.0.1\(127.0.0.1\)", "Failure on missing name for bar.com")
+
+
