Re: [PR] Disable h2 prior knowledge on tls (#11881) [trafficserver]

via GitHub Tue, 28 Jan 2025 09:23:33 -0800


maskit commented on code in PR #11983:
URL: https://github.com/apache/trafficserver/pull/11983#discussion_r1932580373



##########
tests/gold_tests/tls/tls_0rtt_server.test.py:
##########
@@ -116,68 +115,143 @@
             
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
     })
 
-ts.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem 
ssl_key_name=server.key')
+ts1.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem 
ssl_key_name=server.key')
 
-ts.Disk.remap_config.AddLine('map / 
http://127.0.0.1:{0}'.format(server.Variables.Port))
+ts1.Disk.remap_config.AddLine('map / 
http://127.0.0.1:{0}'.format(server.Variables.Port))
+
+ts1.Disk.sni_yaml.AddLines([
+    'sni:',
+    '- fqdn: example-no.com',
+    '  server_max_early_data: 0',
+])
+
+ts2.Disk.records_config.update(
+    {
+        'proxy.config.diags.debug.enabled': 1,
+        'proxy.config.diags.debug.tags': 'http|ssl_early_data|ssl',
+        'proxy.config.exec_thread.autoconfig': 0,
+        'proxy.config.exec_thread.limit': 8,
+        'proxy.config.ssl.server.cert.path': 
'{0}'.format(ts1.Variables.SSLDir),
+        'proxy.config.ssl.server.private_key.path': 
'{0}'.format(ts1.Variables.SSLDir),
+        'proxy.config.ssl.session_cache': 2,
+        'proxy.config.ssl.session_cache.size': 512000,
+        'proxy.config.ssl.session_cache.timeout': 7200,
+        'proxy.config.ssl.session_cache.num_buckets': 32768,
+        'proxy.config.ssl.server.session_ticket.enable': 1,
+        'proxy.config.ssl.server.max_early_data': 0,
+        'proxy.config.ssl.server.allow_early_data_params': 0,
+        'proxy.config.ssl.server.cipher_suite':
+            
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
+    })
+
+ts2.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem 
ssl_key_name=server.key')
+
+ts2.Disk.remap_config.AddLine('map / 
http://127.0.0.1:{0}'.format(server.Variables.Port))
+
+ts2.Disk.sni_yaml.AddLines([
+    'sni:',
+    '- fqdn: example-yes.com',
+    '  server_max_early_data: 16384',
+])
 
 tr = Test.AddTestRun('Basic Curl Test')
-tr.Processes.Default.Command = 'curl https://127.0.0.1:{0} 
-k'.format(ts.Variables.ssl_port)
+tr.Processes.Default.Command = 'curl -k --resolve example.com:{0}:127.0.0.1 
https://example.com:{0}'.format(ts1.Variables.ssl_port)
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.StartBefore(server)
-tr.Processes.Default.StartBefore(Test.Processes.ts)
+tr.Processes.Default.StartBefore(ts1)
 tr.Processes.Default.Streams.All = Testers.ContainsExpression('curl test', 
'Making sure the basics still work')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('early data 
accepted', '')
 tr.StillRunningAfter = server
-tr.StillRunningAfter += ts
+tr.StillRunningAfter += ts1
 
 tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET)')
-tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py 
{ts.Variables.ssl_port} h1 get {Test.RunDirectory}'
+tr.Processes.Default.Command = f'{sys.executable} 
{Test.RunDirectory}/test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h1 -t 
get -r {Test.RunDirectory}'
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data 
accepted', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
 tr.StillRunningAfter = server
-tr.StillRunningAfter += ts
+tr.StillRunningAfter += ts1
 
 tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 POST)')
-tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py 
{ts.Variables.ssl_port} h1 post {Test.RunDirectory}'
+tr.Processes.Default.Command = f'{sys.executable} 
{Test.RunDirectory}/test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h1 -t 
post -r {Test.RunDirectory}'
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.All = Testers.ContainsExpression('HTTP/1.1 425 
Too Early', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('early data 
accepted', '')
 tr.StillRunningAfter = server
-tr.StillRunningAfter += ts
+tr.StillRunningAfter += ts1
 
 tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 GET)')
-tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py 
{ts.Variables.ssl_port} h2 get {Test.RunDirectory}'
+tr.Processes.Default.Command = f'{sys.executable} 
{Test.RunDirectory}/test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t 
get -r {Test.RunDirectory}'
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data 
accepted', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
 tr.StillRunningAfter = server
-tr.StillRunningAfter += ts
+tr.StillRunningAfter += ts1
 
 tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 POST)')
-tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py 
{ts.Variables.ssl_port} h2 post {Test.RunDirectory}'
+tr.Processes.Default.Command = f'{sys.executable} 
{Test.RunDirectory}/test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t 
post -r {Test.RunDirectory}'
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.All = Testers.ContainsExpression(':status 425', 
'Only safe methods are allowed')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('early data 
accepted', '')
 tr.StillRunningAfter = server
-tr.StillRunningAfter += ts
+tr.StillRunningAfter += ts1
 
 tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 Multiplex)')
-tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py 
{ts.Variables.ssl_port} h2 multi1 {Test.RunDirectory}'
+tr.Processes.Default.Command = f'{sys.executable} 
{Test.RunDirectory}/test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t 
multi1 -r {Test.RunDirectory}'
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data 
accepted multi_1', '')
 tr.Processes.Default.Streams.All += Testers.ContainsExpression('early data 
accepted multi_2', '')
 tr.Processes.Default.Streams.All += Testers.ContainsExpression('early data 
accepted multi_3', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
 tr.StillRunningAfter = server
-tr.StillRunningAfter += ts
+tr.StillRunningAfter += ts1
 
 tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 Multiplex with POST)')
-tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py 
{ts.Variables.ssl_port} h2 multi2 {Test.RunDirectory}'
+tr.Processes.Default.Command = f'{sys.executable} 
{Test.RunDirectory}/test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t 
multi2 -r {Test.RunDirectory}'
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data 
accepted multi_1', '')
 tr.Processes.Default.Streams.All += Testers.ContainsExpression(':status 425', 
'Only safe methods are allowed')
 tr.Processes.Default.Streams.All += Testers.ContainsExpression('early data 
accepted multi_3', '')
 tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
+tr.StillRunningAfter = server
+tr.StillRunningAfter += ts1
+
+tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET) SNI Provided')

Review Comment:
   These 5 new tests can't pass without back porting whole #9741. Let's remove 
these.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Disable h2 prior knowledge on tls (#11881) [trafficserver]

Reply via email to