This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 362786af70 Improve performance of finding SNI Actions (#9736)
362786af70 is described below
commit 362786af705894caee880d4a4f81514495c687bd
Author: Masaori Koshiba <[email protected]>
AuthorDate: Sun Oct 8 19:32:31 2023 +0900
Improve performance of finding SNI Actions (#9736)
* Improve performance of finding SNI Actions
* Fix AuTest
---
include/tscpp/util/Convert.h | 46 +++++++++++
iocore/net/SSLCertLookup.cc | 31 +++-----
iocore/net/SSLSNIConfig.cc | 89 +++++++++++++++++++---
iocore/net/SSLSNIConfig.h | 12 +--
iocore/net/unit_tests/sni_conf_test.yaml | 11 +++
iocore/net/unit_tests/test_SSLSNIConfig.cc | 10 ++-
iocore/net/unit_tests/test_YamlSNIConfig.cc | 2 +-
iocore/net/unit_tests/unit_test_main.cc | 5 ++
tests/gold_tests/h2/h2disable.test.py | 2 +-
.../h2/h2disable_no_accept_threads.test.py | 2 +-
tests/gold_tests/h2/h2enable.test.py | 2 +-
.../h2/h2enable_no_accept_threads.test.py | 2 +-
tests/gold_tests/tls/tls_client_cert2.test.py | 4 +-
.../gold_tests/tls/tls_client_cert2_plugin.test.py | 4 +-
tests/gold_tests/tls/tls_client_verify.test.py | 8 +-
tests/gold_tests/tls/tls_client_verify2.test.py | 4 +-
tests/gold_tests/tls/tls_tunnel.test.py | 16 ++--
tests/gold_tests/tls/tls_verify3.test.py | 10 +--
18 files changed, 197 insertions(+), 63 deletions(-)
diff --git a/include/tscpp/util/Convert.h b/include/tscpp/util/Convert.h
new file mode 100644
index 0000000000..b95fc3675a
--- /dev/null
+++ b/include/tscpp/util/Convert.h
@@ -0,0 +1,46 @@
+/** @file
+
+ Collection of utility functions for converting between different chars.
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#pragma once
+
+#include "swoc/MemSpan.h"
+
+#include <string_view>
+
+namespace ts
+{
+/** Copy @a src to @a dst, transforming to lower case.
+ *
+ * @param src Input string.
+ * @param dst Output buffer.
+ */
+inline void
+transform_lower(std::string_view src, swoc::MemSpan<char> dst)
+{
+ if (src.size() > dst.size() - 1) { // clip @a src, reserving space for the
terminal nul.
+ src = std::string_view{src.data(), dst.size() - 1};
+ }
+ auto final = std::transform(src.begin(), src.end(), dst.data(), [](char c)
-> char { return std::tolower(c); });
+ *final++ = '\0';
+}
+} // namespace ts
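Review bot: `std::tolower(c)` on a plain `char` is undefined behaviour for bytes with the high bit set when `char` is signed, and this helper is applied to the client-supplied SNI value in `SNIConfigParams::get`, so the lambda should go through `unsigned char`: `[](char c) -> char { return static_cast<char>(std::tolower(static_cast<unsigned char>(c))); }`. The header also calls `std::transform` and `std::tolower` but includes only `swoc/MemSpan.h` and `<string_view>`, so it compiles only through transitive includes; add `#include <algorithm>` and `#include <cctype>`. An empty `dst` makes `dst.size() - 1` wrap around and the terminating NUL is then written past the buffer; guard with `if (dst.size() == 0) { return; }` before the clip. The doc comment should also say that `src` is silently truncated to `dst.size() - 1` characters, since both callers in this commit rely on that without checking.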
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index f736f84db8..ac570e28ea 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -35,6 +35,8 @@
#include "tscore/TestBox.h"
+#include "tscpp/util/Convert.h"
+
#include "I_EventSystem.h"
#include "P_SSLUtils.h"
@@ -143,24 +145,6 @@ private:
int store(SSLCertContext const &cc);
};
-namespace
-{
-/** Copy @a src to @a dst, transforming to lower case.
- *
- * @param src Input string.
- * @param dst Output buffer.
- */
-inline void
-transform_lower(std::string_view src, swoc::MemSpan<char> dst)
-{
- if (src.size() > dst.size() - 1) { // clip @a src, reserving space for the
terminal nul.
- src = std::string_view{src.data(), dst.size() - 1};
- }
- auto final = std::transform(src.begin(), src.end(), dst.data(), [](char c)
-> char { return std::tolower(c); });
- *final++ = '\0';
-}
-} // namespace
-
// Zero out and free the heap space allocated for ticket keys to avoid leaking
secrets.
// The first several bytes stores the number of keys and the rest stores the
ticket keys.
void
@@ -461,7 +445,7 @@ SSLContextStorage::insert(const char *name, int idx)
{
ats_wildcard_matcher wildcard;
char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
- transform_lower(name, lower_case_name);
+ ts::transform_lower(name, lower_case_name);
shared_SSL_CTX ctx = this->ctx_store[idx].getCtx();
if (wildcard.match(lower_case_name)) {
@@ -512,7 +496,7 @@ SSLContextStorage::lookup(const std::string &name)
}
// Try lower casing it
char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
- transform_lower(name, lower_case_name);
+ ts::transform_lower(name, lower_case_name);
if (auto it_lower = this->hostnames.find(lower_case_name); it_lower !=
this->hostnames.end()) {
return &(this->ctx_store[it_lower->second]);
}
@@ -557,7 +541,7 @@ reverse_dns_name(const char *hostname, char
(&reversed)[TS_MAX_HOST_NAME_LEN + 1
*(--ptr) = '.';
}
}
- transform_lower(ptr, {ptr, strlen(ptr) + 1});
+ ts::transform_lower(ptr, {ptr, strlen(ptr) + 1});
return ptr;
}
@@ -572,8 +556,13 @@ REGRESSION_TEST(SSLWildcardMatch)(RegressionTest *t, int
/* atype ATS_UNUSED */,
box.check(wildcard.match("foo.com") == false, "foo.com is not a wildcard");
box.check(wildcard.match("*.foo.com") == true, "*.foo.com is a wildcard");
box.check(wildcard.match("bar*.foo.com") == false, "bar*.foo.com not a
wildcard");
+ box.check(wildcard.match("*bar.foo.com") == false, "*bar.foo.com not a
wildcard");
+ box.check(wildcard.match("b*ar.foo.com") == false, "*bar.foo.com not a
wildcard");
+ box.check(wildcard.match("bar.*.foo.com") == false, "bar.*.foo.com not a
wildcard");
+ box.check(wildcard.match("*.*.foo.com") == false, "multiple *");
box.check(wildcard.match("*") == false, "* is not a wildcard");
box.check(wildcard.match("") == false, "'' is not a wildcard");
+ box.check(wildcard.match("foo[0-9]+.example.com") == false, "regex is not
wildcard");
}
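Review bot: The failure message on the `b*ar.foo.com` check is copied from the line above and names the wrong input, which sends a reader to the wrong case when it fails: `box.check(wildcard.match("b*ar.foo.com") == false, "b*ar.foo.com not a wildcard");`. The new cases together establish that only a single leading `*.` label is accepted; a one-line comment above them, e.g. `// Only a single leading "*." label is a wildcard; any other placement of '*' is rejected`, would state that rule explicitly instead of leaving it implied by the cases.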
REGRESSION_TEST(SSLReverseHostname)(RegressionTest *t, int /* atype ATS_UNUSED
*/, int *pstatus)
diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc
index e3aada4dc6..1124b76a2f 100644
--- a/iocore/net/SSLSNIConfig.cc
+++ b/iocore/net/SSLSNIConfig.cc
@@ -40,6 +40,9 @@
#include "tscore/I_Layout.h"
#include "tscpp/util/ts_ip.h"
+#include "tscpp/util/Convert.h"
+
+#include "swoc/TextView.h"
#include <netinet/in.h>
@@ -53,6 +56,16 @@ static constexpr int OVECSIZE{30};
static DbgCtl dbg_ctl_ssl{"ssl"};
static DbgCtl dbg_ctl_ssl_sni{"ssl_sni"};
+namespace
+{
+bool
+is_port_in_the_ranges(const std::vector<ts::port_range_t> &port_ranges,
in_port_t port)
+{
+ return std::any_of(port_ranges.begin(), port_ranges.end(),
+ [port](ts::port_range_t const &port_range) { return
port_range.contains(port); });
+}
+} // namespace
+
////
// NamedElement
//
@@ -117,13 +130,36 @@ SNIConfigParams::get_property_config(const std::string
&servername) const
bool
SNIConfigParams::load_sni_config()
{
+ uint32_t count = 0;
+ ats_wildcard_matcher wildcard;
+
for (auto &item : yaml_sni.items) {
- auto &ai = sni_action_list.emplace_back();
- ai.set_glob_name(item.fqdn);
- ai.inbound_port_ranges = item.inbound_port_ranges;
Dbg(dbg_ctl_ssl, "name: %s", item.fqdn.data());
- item.populate_sni_actions(ai.actions);
+ ActionElement *element = nullptr;
+
+ // servername is case-insensitive, store & find it in lower case
+ char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
+ ts::transform_lower(item.fqdn, lower_case_name);
+
+ if (wildcard.match(lower_case_name)) {
+ auto &ai = sni_action_list.emplace_back();
+ ai.set_glob_name(lower_case_name);
+ element = &ai;
+ } else {
+ auto it = sni_action_map.emplace(std::make_pair(lower_case_name,
ActionElement()));
+ if (it == sni_action_map.end()) {
+ Error("error on loading sni yaml - fqdn=%s", item.fqdn.c_str());
+ return false;
+ }
+
+ element = &it->second;
+ }
+
+ element->inbound_port_ranges = item.inbound_port_ranges;
+ element->rank = count++;
+
+ item.populate_sni_actions(element->actions);
if (!set_next_hop_properties(item)) {
return false;
}
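Review bot: An fqdn that contains `*` but is not a single leading `*.` label (e.g. `bob.*.com` or `*bar.com`, both used by the gold tests before this commit) now silently becomes an exact key in `sni_action_map` and never matches anything, so a rule such as `verify_client: STRICT` on such a pattern stops being enforced with no diagnostic; the loader should reject it: `if (!wildcard.match(lower_case_name) && item.fqdn.find('*') != std::string::npos) { Error("sni.yaml fqdn=%s: only a single leading '*.' label is supported as a wildcard", item.fqdn.c_str()); return false; }`. The `if (it == sni_action_map.end())` check after `emplace` is dead code, because `unordered_multimap::emplace` always inserts and returns the new element's iterator; drop it (the new unit yaml deliberately relies on duplicate fqdns being allowed, so this is not a duplicate guard either). `ts::transform_lower` also silently clips an fqdn longer than `TS_MAX_HOST_NAME_LEN`, so an over-long entry is stored under a truncated key; reject it at load time with an `Error` rather than storing it. The rest of `load_sni_config` continues outside this hunk.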
@@ -167,20 +203,50 @@
SNIConfigParams::load_certs_if_client_cert_specified(YamlSNIConfig::Item const &
return true;
}
+/**
+ CAVEAT: the "fqdn" field in the sni.yaml accepts wildcards (*), but it has a
negative performance impact.
+ */
std::pair<const ActionVector *, ActionItem::Context>
SNIConfigParams::get(std::string_view servername, in_port_t
dest_incoming_port) const
{
+ const ActionElement *element = nullptr;
+
+ // Check for exact matches
+ char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
+ ts::transform_lower(servername, lower_case_name);
+
+ Debug("sni", "lower_case_name=%s", lower_case_name);
+
+ auto range = sni_action_map.equal_range(lower_case_name);
+ for (auto it = range.first; it != range.second; ++it) {
+ Debug("sni", "match with %s", it->first.c_str());
+
+ if (!is_port_in_the_ranges(it->second.inbound_port_ranges,
dest_incoming_port)) {
+ continue;
+ }
+
+ const ActionElement *candidate = &it->second;
+ if (element == nullptr) {
+ element = candidate;
+ } else if (candidate->rank < element->rank) {
+ element = &it->second;
+ }
+ }
+
+ // Check for wildcard matches
int ovector[OVECSIZE];
for (auto const &retval : sni_action_list) {
+ if (element != nullptr && element->rank < retval.rank) {
+ break;
+ }
+
int length = servername.length();
if (retval.match == nullptr && length == 0) {
return {&retval.actions, {}};
} else if (auto offset = pcre_exec(retval.match.get(), nullptr,
servername.data(), length, 0, 0, ovector, OVECSIZE);
offset >= 0) {
- if (std::none_of(
- retval.inbound_port_ranges.begin(),
retval.inbound_port_ranges.end(),
- [dest_incoming_port](ts::port_range_t const &port_range) { return
port_range.contains(dest_incoming_port); })) {
+ if (!is_port_in_the_ranges(retval.inbound_port_ranges,
dest_incoming_port)) {
continue;
}
if (offset == 1) {
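Review bot: The exact-match path compares a copy of `servername` that `ts::transform_lower` silently clips to `TS_MAX_HOST_NAME_LEN` bytes, while the wildcard path below runs `pcre_exec` on the full `servername`; since the name comes from the client's ClientHello, an over-long SNI should not be exact-matched on a truncated prefix — skip the map lookup (or return no match) when `servername.size() > TS_MAX_HOST_NAME_LEN`. The two new `Debug("sni", …)` calls use the legacy macro and a new tag, whereas this file already declares `dbg_ctl_ssl_sni` and logs through `Dbg(dbg_ctl_ssl, …)`; use `Dbg(dbg_ctl_ssl_sni, "lower_case_name=%s", lower_case_name);` so operators do not need a separate tag to trace SNI selection. In the rank comparison, `element = &it->second;` on the second branch should be `element = candidate;` for consistency with the branch above. The early `break` in the wildcard loop is only correct because `sni_action_list` is filled in file order, which is worth a one-line comment there. `get` continues into the following hunk, where the selected `element` is returned after the wildcard loop.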
@@ -209,7 +275,12 @@ SNIConfigParams::get(std::string_view servername,
in_port_t dest_incoming_port)
return {&retval.actions, {std::move(groups)}};
}
}
- return {nullptr, {}};
+
+ if (element != nullptr) {
+ return {&element->actions, {}};
+ } else {
+ return {nullptr, {}};
+ }
}
bool
@@ -251,7 +322,7 @@ SNIConfigParams::initialize(std::string const &sni_filename)
SNIConfigParams::~SNIConfigParams()
{
- // sni_action_list and next_hop_list should cleanup with the params object
+ // sni_action_map, sni_action_list and next_hop_list should cleanup with the
params object
}
////
diff --git a/iocore/net/SSLSNIConfig.h b/iocore/net/SSLSNIConfig.h
index 6affb09d9f..88c714a26c 100644
--- a/iocore/net/SSLSNIConfig.h
+++ b/iocore/net/SSLSNIConfig.h
@@ -30,6 +30,8 @@
****************************************************************************/
#pragma once
+#include <string>
+#include <unordered_map>
#include <vector>
#include <string_view>
#include <strings.h>
@@ -74,6 +76,8 @@ struct NamedElement {
std::vector<ts::port_range_t> inbound_port_ranges;
std::unique_ptr<pcre, PcreFreer> match;
+
+ uint32_t rank = 0; ///< order of the config. smaller is higher.
};
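Review bot: The `rank` comment `order of the config. smaller is higher.` leaves it unclear whether "higher" means a larger number or higher precedence; spell it out: `uint32_t rank = 0; ///< Position of the entry in sni.yaml (0 = first). When several entries match, the one with the smallest rank wins.`. `uint32_t` also needs `<cstdint>`, which the include additions in this file (`<string>`, `<unordered_map>`) do not cover unless it arrives transitively. The enclosing `NamedElement` struct starts above this hunk.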
struct ActionElement : public NamedElement {
@@ -84,9 +88,6 @@ struct NextHopItem : public NamedElement {
NextHopProperty prop;
};
-using SNIList = std::vector<ActionElement>;
-using NextHopPropertyList = std::vector<NextHopItem>;
-
class SNIConfigParams : public ConfigInfo
{
public:
@@ -102,8 +103,9 @@ public:
bool load_sni_config();
std::pair<const ActionVector *, ActionItem::Context> get(std::string_view
servername, uint16_t dest_incoming_port) const;
- SNIList sni_action_list;
- NextHopPropertyList next_hop_list;
+ std::unordered_multimap<std::string, ActionElement> sni_action_map; ///< for
exact fqdn matching
+ std::vector<ActionElement> sni_action_list; ///< for
regex fqdn matching
+ std::vector<NextHopItem> next_hop_list;
YamlSNIConfig yaml_sni;
private:
diff --git a/iocore/net/unit_tests/sni_conf_test.yaml
b/iocore/net/unit_tests/sni_conf_test.yaml
index 84123c675c..d8b264a503 100644
--- a/iocore/net/unit_tests/sni_conf_test.yaml
+++ b/iocore/net/unit_tests/sni_conf_test.yaml
@@ -25,3 +25,14 @@ sni:
inbound_port_ranges: 8080-65535
- fqdn: oneport.com
inbound_port_ranges: 433
+
+# order check
+- fqdn: foo.bar.com
+ http2: true
+ http2_buffer_water_mark: 256
+ http2_initial_window_size_in: 256
+- fqdn: "*.bar.com"
+ http2: true
+ http2_buffer_water_mark: 256
+- fqdn: foo.bar.com
+ http2: false
diff --git a/iocore/net/unit_tests/test_SSLSNIConfig.cc
b/iocore/net/unit_tests/test_SSLSNIConfig.cc
index 7d50bf3b1b..e7f24c7bb2 100644
--- a/iocore/net/unit_tests/test_SSLSNIConfig.cc
+++ b/iocore/net/unit_tests/test_SSLSNIConfig.cc
@@ -37,7 +37,7 @@
TEST_CASE("Test SSLSNIConfig")
{
SNIConfigParams params;
- params.initialize(_XSTR(LIBINKNET_UNIT_TEST_DIR) "/sni_conf_test.yaml");
+ REQUIRE(params.initialize(_XSTR(LIBINKNET_UNIT_TEST_DIR)
"/sni_conf_test.yaml"));
SECTION("The config does not match any SNIs for someport.com:577")
{
@@ -105,4 +105,12 @@ TEST_CASE("Test SSLSNIConfig")
REQUIRE(actions.first);
REQUIRE(actions.first->size() == 3);
}
+
+ SECTION("Matching order")
+ {
+ std::string_view target = "foo.bar.com";
+ auto const &actions{params.get(target, 443)};
+ REQUIRE(actions.first);
+ REQUIRE(actions.first->size() == 5); ///< three H2 config + early data +
fqdn
+ }
}
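Review bot: The `Matching order` section pins the winner only through the magic count `5` and a `///<` Doxygen member comment on a `REQUIRE`, so a reader has to reconstruct which of the three `foo.bar.com`/`*.bar.com` entries in `sni_conf_test.yaml` produced it; a plain comment stating the expectation would make the test self-explaining: `// The first foo.bar.com entry (3 http2 settings) must win over the later "*.bar.com" (2) and the duplicate foo.bar.com (1); the existing comment attributes the remaining two actions to early data and fqdn -> 5`. Asserting on the count alone distinguishes the candidates only because the three entries yield different counts (5, 4 and 3); that assumption belongs in the comment too, since a later edit to the yaml could silently make two candidates indistinguishable.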
diff --git a/iocore/net/unit_tests/test_YamlSNIConfig.cc
b/iocore/net/unit_tests/test_YamlSNIConfig.cc
index 7cefd9f273..ad1b3f217d 100644
--- a/iocore/net/unit_tests/test_YamlSNIConfig.cc
+++ b/iocore/net/unit_tests/test_YamlSNIConfig.cc
@@ -55,7 +55,7 @@ TEST_CASE("YamlSNIConfig sets port ranges appropriately")
FAIL(errorstream.str());
}
REQUIRE(zret.isOK());
- REQUIRE(conf.items.size() == 4);
+ REQUIRE(conf.items.size() == 7);
SECTION("If no ports were specified, port range should contain all ports.")
{
diff --git a/iocore/net/unit_tests/unit_test_main.cc
b/iocore/net/unit_tests/unit_test_main.cc
index 701b818c43..42ec30bc89 100644
--- a/iocore/net/unit_tests/unit_test_main.cc
+++ b/iocore/net/unit_tests/unit_test_main.cc
@@ -46,6 +46,11 @@ public:
Layout::create();
BaseLogFile *base_log_file = new BaseLogFile("stderr");
DiagsPtr::set(new Diags(testRunInfo.name, "" /* tags */, "" /* actions */,
base_log_file));
+
+ diags()->activate_taglist("sni", DiagsTagType_Debug);
+ diags()->config.enabled(DiagsTagType_Debug, 0); // set 1 if you want to
see debug log
+ diags()->show_location = SHOW_LOCATION_DEBUG;
+
RecProcessInit();
LibRecordsConfigInit();
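Review bot: `activate_taglist("sni", DiagsTagType_Debug)` enables only the legacy `sni` tag introduced by the two new `Debug("sni", …)` calls in `SNIConfigParams::get`, while the loader in the same file logs under `ssl`/`ssl_sni` via `DbgCtl`, so a developer who flips the `enabled(..., 0)` switch to 1 still sees none of the load-time output; activate the other tags as well (e.g. `"ssl|ssl_sni|sni"`, the same `|`-separated form as `proxy.config.diags.debug.tags`), or unify the tags in `SSLSNIConfig.cc`. The `// set 1 if you want to see debug log` toggle is an edit-and-rebuild knob left in shared test code; reading it from the environment, e.g. `diags()->config.enabled(DiagsTagType_Debug, getenv("ATS_UT_DEBUG") != nullptr);`, keeps the convenience without requiring anyone to modify and accidentally commit this file.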
diff --git a/tests/gold_tests/h2/h2disable.test.py
b/tests/gold_tests/h2/h2disable.test.py
index e7cb6649be..355a70e4f0 100644
--- a/tests/gold_tests/h2/h2disable.test.py
+++ b/tests/gold_tests/h2/h2disable.test.py
@@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: bar.com',
' http2: off',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' http2: off',
])
diff --git a/tests/gold_tests/h2/h2disable_no_accept_threads.test.py
b/tests/gold_tests/h2/h2disable_no_accept_threads.test.py
index a332bdcd9c..2a00febe85 100644
--- a/tests/gold_tests/h2/h2disable_no_accept_threads.test.py
+++ b/tests/gold_tests/h2/h2disable_no_accept_threads.test.py
@@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: bar.com',
' http2: off',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' http2: off',
])
diff --git a/tests/gold_tests/h2/h2enable.test.py
b/tests/gold_tests/h2/h2enable.test.py
index d0bdba79ec..fd669f1dec 100644
--- a/tests/gold_tests/h2/h2enable.test.py
+++ b/tests/gold_tests/h2/h2enable.test.py
@@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: bar.com',
' http2: on',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' http2: on',
])
diff --git a/tests/gold_tests/h2/h2enable_no_accept_threads.test.py
b/tests/gold_tests/h2/h2enable_no_accept_threads.test.py
index 91af61f15e..b756ba25ce 100644
--- a/tests/gold_tests/h2/h2enable_no_accept_threads.test.py
+++ b/tests/gold_tests/h2/h2enable_no_accept_threads.test.py
@@ -57,7 +57,7 @@ ts.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: bar.com',
' http2: on',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' http2: on',
])
diff --git a/tests/gold_tests/tls/tls_client_cert2.test.py
b/tests/gold_tests/tls/tls_client_cert2.test.py
index c2f460d217..d7a5c3484a 100644
--- a/tests/gold_tests/tls/tls_client_cert2.test.py
+++ b/tests/gold_tests/tls/tls_client_cert2.test.py
@@ -95,9 +95,9 @@ ts.Disk.sni_yaml.AddLines([
'- fqdn: bob.bar.com',
' client_cert: signed-bar.pem',
' client_key: signed-bar.key',
- '- fqdn: bob.*.com',
+ '- fqdn: "bob.foo.com"',
' client_cert: {0}/combo-signed-foo.pem'.format(ts.Variables.SSLDir),
- '- fqdn: "*bar.com"',
+ '- fqdn: "*.bar.com"',
' client_cert: {0}/signed2-bar.pem'.format(ts.Variables.SSLDir),
' client_key: {0}/signed-bar.key'.format(ts.Variables.SSLDir),
'- fqdn: "foo.com"',
diff --git a/tests/gold_tests/tls/tls_client_cert2_plugin.test.py
b/tests/gold_tests/tls/tls_client_cert2_plugin.test.py
index 843606b101..a74ac1a5de 100644
--- a/tests/gold_tests/tls/tls_client_cert2_plugin.test.py
+++ b/tests/gold_tests/tls/tls_client_cert2_plugin.test.py
@@ -104,9 +104,9 @@ ts.Disk.sni_yaml.AddLines([
'- fqdn: bob.bar.com',
' client_cert: {0}/../signed-bar.pem'.format(ts.Variables.SSLDir),
' client_key: {0}/../signed-bar.key'.format(ts.Variables.SSLDir),
- '- fqdn: bob.*.com',
+ '- fqdn: "bob.foo.com"',
' client_cert: {0}/../combo-signed-foo.pem'.format(ts.Variables.SSLDir),
- '- fqdn: "*bar.com"',
+ '- fqdn: "*.bar.com"',
' client_cert: {0}/../signed2-bar.pem'.format(ts.Variables.SSLDir),
' client_key: {0}/../signed-bar.key'.format(ts.Variables.SSLDir),
'- fqdn: "foo.com"',
diff --git a/tests/gold_tests/tls/tls_client_verify.test.py
b/tests/gold_tests/tls/tls_client_verify.test.py
index e94268f2ea..8562e3cd00 100644
--- a/tests/gold_tests/tls/tls_client_verify.test.py
+++ b/tests/gold_tests/tls/tls_client_verify.test.py
@@ -65,9 +65,9 @@ ts.Disk.sni_yaml.AddLines([
' verify_client: NONE',
'- fqdn: "bob.com"',
' verify_client: STRICT',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' verify_client: NONE',
- '- fqdn: "*bar.com"',
+ '- fqdn: "*.bar.com"',
' verify_client: STRICT',
])
@@ -205,10 +205,10 @@ tr.Processes.Default.Command = "curl --tls-max 1.2 -k
--resolve 'bob.com:{0}:127
ts.Variables.ssl_port)
tr.Processes.Default.ReturnCode = 35
-tr = Test.AddTestRun("Connect to bob.com.com without cert, should succeed")
+tr = Test.AddTestRun("Connect to bob.foo.com without cert, should succeed")
tr.StillRunningAfter = ts
tr.StillRunningAfter = server
-tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve
'bob.com.com:{0}:127.0.0.1' https://bob.com.com:{0}/case14".format(
+tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve
'bob.foo.com:{0}:127.0.0.1' https://bob.foo.com:{0}/case14".format(
ts.Variables.ssl_port)
tr.Processes.Default.ReturnCode = 0
diff --git a/tests/gold_tests/tls/tls_client_verify2.test.py
b/tests/gold_tests/tls/tls_client_verify2.test.py
index 32042c0344..27c6cbd57e 100644
--- a/tests/gold_tests/tls/tls_client_verify2.test.py
+++ b/tests/gold_tests/tls/tls_client_verify2.test.py
@@ -61,9 +61,9 @@ ts.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: bob.bar.com',
' verify_client: STRICT',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' verify_client: STRICT',
- '- fqdn: "*bar.com"',
+ '- fqdn: "*.bar.com"',
' verify_client: NONE',
])
diff --git a/tests/gold_tests/tls/tls_tunnel.test.py
b/tests/gold_tests/tls/tls_tunnel.test.py
index af4cd8f715..938ee27b74 100644
--- a/tests/gold_tests/tls/tls_tunnel.test.py
+++ b/tests/gold_tests/tls/tls_tunnel.test.py
@@ -93,22 +93,24 @@ ts.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: foo.com',
" tunnel_route: localhost:{0}".format(server_foo.Variables.SSL_Port),
- "- fqdn: bob.*.com",
+ "- fqdn: '*.bar.com'",
" tunnel_route: localhost:{0}".format(server_foo.Variables.SSL_Port),
"- fqdn: '*.match.com'",
" tunnel_route: $1.testmatch:{0}".format(server_foo.Variables.SSL_Port),
- "- fqdn: '*.ok.*.com'",
- " tunnel_route: $2.example.$1:{0}".format(server_foo.Variables.SSL_Port),
+ "- fqdn: '*.ok.two.com'",
+ " tunnel_route: two.example.$1:{0}".format(server_foo.Variables.SSL_Port),
"- fqdn: ''", # No SNI sent
" tunnel_route: localhost:{0}".format(server_bar.Variables.SSL_Port),
"- fqdn: 'incoming.port.com'",
" tunnel_route: backend.incoming.port.com:{inbound_local_port}",
"- fqdn: 'proxy.protocol.port.com'",
" tunnel_route: backend.proxy.protocol.port.com:{proxy_protocol_port}",
- "- fqdn: '*.*.incoming.port.com'",
- " tunnel_route: backend.$1.$2.incoming.port.com:{inbound_local_port}",
- "- fqdn: '*.*.proxy.protocol.port.com'",
- " tunnel_route:
backend.$1.$2.proxy.protocol.port.com:{proxy_protocol_port}",
+ "- fqdn: '*.backend.incoming.port.com'",
+ " tunnel_route: backend.$1.incoming.port.com:{inbound_local_port}",
+ "- fqdn: '*.with.incoming.port.com'",
+ " tunnel_route: backend.$1.with.incoming.port.com:{inbound_local_port}",
+ "- fqdn: '*.with.proxy.protocol.port.com'",
+ " tunnel_route:
backend.$1.with.proxy.protocol.port.com:{proxy_protocol_port}",
])
tr = Test.AddTestRun("foo.com Tunnel-test")
diff --git a/tests/gold_tests/tls/tls_verify3.test.py
b/tests/gold_tests/tls/tls_verify3.test.py
index 4e4db2bd9a..53678d1517 100644
--- a/tests/gold_tests/tls/tls_verify3.test.py
+++ b/tests/gold_tests/tls/tls_verify3.test.py
@@ -86,10 +86,10 @@ ts.Disk.sni_yaml.AddLines([
'- fqdn: bob.bar.com',
' verify_server_policy: ENFORCED',
' verify_server_properties: ALL',
- '- fqdn: bob.*.com',
+ '- fqdn: "*.foo.com"',
' verify_server_policy: ENFORCED',
' verify_server_properties: SIGNATURE',
- "- fqdn: '*bar.com'",
+ "- fqdn: '*.bar.com'",
' verify_server_policy: DISABLED',
])
@@ -108,8 +108,8 @@ tr.StillRunningAfter = server
tr.StillRunningAfter = ts
tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not
Connect", "Curl attempt should have succeeded")
-tr = Test.AddTestRun("my.foo.com Permissive-Test log failure")
-tr.Processes.Default.Command = "curl -v -k --resolve
'my.foo.com:{0}:127.0.0.1' https://my.foo.com:{0}".format(
+tr = Test.AddTestRun("my.random.com Permissive-Test log failure")
+tr.Processes.Default.Command = "curl -v -k --resolve
'my.random.com:{0}:127.0.0.1' https://my.random.com:{0}".format(
ts.Variables.ssl_port)
tr.ReturnCode = 0
tr.StillRunningAfter = server
@@ -146,5 +146,5 @@ tr3.StillRunningAfter = ts
ts.Disk.diags_log.Content = Testers.ContainsExpression(
r"WARNING: SNI \(bob.bar.com\) not in certificate", "Make sure bob.bar
name checked failed.")
ts.Disk.diags_log.Content += Testers.ContainsExpression(
- r"WARNING: Core server certificate verification failed for \(my.foo.com\).
Action=Continue",
+ r"WARNING: Core server certificate verification failed for
\(my.random.com\). Action=Continue",
"Make sure default permissive action takes")