Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2019/02/20 18:04:13 UTC

[GitHub] JBevillC commented on issue #3331: Make SSL Cert lookup case-insensitive

URL: https://github.com/apache/trafficcontrol/pull/3331#issuecomment-465689966
 
 
   @ajschmidt I've tested this PR successfully.  2 of 2 manual tests of this PR are successful.  This PR is ready to be merged.
   
   Testing environment:
   * Latest CiaB environment from master
   * Traffic Router rebuilt with the changes from this PR.
   
   Tests:
   1) Verify GET request containing mixed case FQDN in URL returns the correct certificate for demo1 delivery service.
   2) Verify Raw SNI mixed case FQDN in TLS client_hello returns the correct certificate for demo1 DS.
   
   Results:
   **Pass**. The tests below verify that the correct x509 certificate is returned by the traffic router, even when the SNI has mixed case alphabetical characters:
   
   Test1 - Verify GET request containing mixed case FQDN in URL returns the correct certificate for demo1 delivery service:
   ```
   $ mydc exec trafficrouter /bin/bash
   [root@trafficrouter /]# curl -vq https://vIDeO.DeMo1.MyCDn.CiAb.TeST
   * About to connect() to vIDeO.DeMo1.MyCDn.CiAb.TeST port 443 (#0)
   *   Trying 172.25.0.11...
   * Connected to vIDeO.DeMo1.MyCDn.CiAb.TeST (172.25.0.11) port 443 (#0)
   * Initializing NSS with certpath: sql:/etc/pki/nssdb
   *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
     CApath: none
   * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   * Server certificate:
   * 	subject: CN=*.demo1.mycdn.ciab.test,O=CDN-in-a-Box,L=Denver,ST=Colorado,C=US
   * 	start date: Jan 30 18:39:35 2019 GMT
   * 	expire date: Jan 30 18:39:35 2020 GMT
   * 	common name: *.demo1.mycdn.ciab.test
   * 	issuer: E=no-reply@infra.ciab.test,CN=CDN-in-a-Box Intermediate CA,OU=CDN-in-a-Box,O=CDN-in-a-Box,L=Denver,ST=Colorado,C=US
   > GET / HTTP/1.1
   > User-Agent: curl/7.29.0
   > Host: vIDeO.DeMo1.MyCDn.CiAb.TeST
   > Accept: */*
   > 
   < HTTP/1.1 302 Found
   < Location: https://edge.demo1.mycdn.ciab.test/
   < Content-Length: 0
   < Date: Wed, 20 Feb 2019 17:53:33 GMT
   < 
   * Connection #0 to host vIDeO.DeMo1.MyCDn.CiAb.TeST left intact
   ```
   
   Test2 - Verify Raw SNI mixed case FQDN in TLS client_hello returns the correct certificate for demo1 DS:
   ```
   $ ./sniclient 172.25.0.11 443 vIDeO.DeMo1.MyCDn.CiAb.TeST
   Server resolved IP address: 172.25.0.11
   SSL connection using ECDHE-RSA-AES256-GCM-SHA384
   Server certificate:
   	 subject: /C=US/ST=Colorado/L=Denver/O=CDN-in-a-Box/CN=*.demo1.mycdn.ciab.test
   	 issuer: /C=US/ST=Colorado/L=Denver/O=CDN-in-a-Box/OU=CDN-in-a-Box/CN=CDN-in-a-Box Intermediate CA/emailAddress=no-reply@infra.ciab.test
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
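
The lookup behaviour the two tests above exercise, modelled as an added Python example; it is not Traffic Router's code and not part of the original comment. `CertStore`, `mismatches`, the certificate labels and the `demo2` entry are hypothetical names and constructed sample data.

```python
# Added example: a model of SNI-to-certificate lookup, not Traffic Router code.
# Hostnames come from the test output above; labels and demo2 are constructed.

class CertStore:
    """Maps certificate names (exact or '*.' wildcard) to a certificate label."""

    def __init__(self, certs, case_insensitive=True):
        self.case_insensitive = case_insensitive
        self.certs = {self._key(cn): label for cn, label in certs.items()}

    def _key(self, name):
        # DNS names compare case-insensitively (RFC 4343), so fold to lowercase.
        return name.lower() if self.case_insensitive else name

    def lookup(self, sni):
        """Return the label of the certificate selected for an SNI value, or None."""
        name = self._key(sni)
        if name in self.certs:                    # exact host match
            return self.certs[name]
        _, dot, parent = name.partition(".")
        if dot:                                   # wildcard covers one left-most label
            return self.certs.get("*." + parent)
        return None


def case_variants(host):
    """Lowercase, uppercase and alternating-case spellings of one hostname."""
    alternating = "".join(c.upper() if i % 2 else c.lower()
                          for i, c in enumerate(host))
    return [host.lower(), host.upper(), alternating]


def mismatches(store, host):
    """Spellings of host that do not select the same certificate as lowercase."""
    expected = store.lookup(host.lower())
    return [v for v in case_variants(host) if store.lookup(v) != expected]


CERTS = {  # constructed sample data
    "*.demo1.mycdn.ciab.test": "demo1-cert",
    "*.demo2.mycdn.ciab.test": "demo2-cert",
}

if __name__ == "__main__":
    sni = "vIDeO.DeMo1.MyCDn.CiAb.TeST"
    print("case-sensitive  :", CertStore(CERTS, case_insensitive=False).lookup(sni))
    print("case-insensitive:", CertStore(CERTS).lookup(sni))
    print("regressions     :", mismatches(CertStore(CERTS), "video.demo1.mycdn.ciab.test"))
```

`mismatches` returning an empty list is the regression check: every spelling of the hostname selects the same certificate.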