You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@trafficserver.apache.org by zeb209 <gi...@git.apache.org> on 2015/04/23 01:59:06 UTC
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
GitHub user zeb209 opened a pull request:
https://github.com/apache/trafficserver/pull/189
Integration test for TLS ticket key rotation.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/zeb209/trafficserver test_tls_key_rot
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/189.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #189
----
commit a46ddcb0d79573e5424d26686b286c6de00618c5
Author: Bin Zeng <bz...@linkedin.com>
Date: 2015-04-22T23:37:45Z
Integration test for TLS ticket key rotation.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-115730361
@zwoop we can if you want, but these are all just adding tests for features that already exist-- So I would lean towards not requiring tickets.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96041018
No, you do not have to atomically add the new key. What you can do is you push a new key to a cluster, then you wait a few minutes, say 20, until all of them receive the new key. Then you do a `traffic_line -x' to the boxes. There is no such a thing called "atomically" in a ATS cluster.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zwoop <gi...@git.apache.org>.
Github user zwoop commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-112872925
Thomas: Should we start making Jiras's for these new tsqa features ? It'd be nice to track what is being added outside of other code changes.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96037112
ATS does not review tickets using the middle key. Here is how it works. When you rotate the key, you push a new key to the head of the key file and remove one from the tail of the file. The new key will be used to encrypt session tickets and the rest are only used to decrypt session tickets. The middle keys are not used to encrypt any more because they are retired and only used to resume sessions.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/189#discussion_r29015424
--- Diff: ci/new_tsqa/tests/test_tls_ticket_key_rotation.py ---
@@ -0,0 +1,175 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+from OpenSSL import SSL
+import socket
+import subprocess
+import time
+
+import helpers
+import tsqa.utils
+
+import os
+import tsqa.utils
+
+# helper function to get the path of a program.
+def which(program):
+ def is_exe(fpath):
+ return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+ fpath, fname = os.path.split(program)
+ if fpath:
+ if is_exe(program):
+ return program
+ else:
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ exe_file = os.path.join(path, program)
+ if is_exe(exe_file):
+ return exe_file
+ return None
+"""
+ Test TLS session resumption through session tickets and TLS ticket key rotation.
+"""
+class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
+ @classmethod
+ def setUpEnv(cls, env):
+ '''
+ This function is responsible for setting up the environment for this fixture
+ This includes everything pre-daemon start
+ '''
+
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
+
+ # configure SSL multicert
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/server.crt'), helpers.tests_file_path('rsa_keys/server.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+
+ def _get_cert(self, addr):
+ '''
+ Return the certificate for addr.
+ '''
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ # Set up client
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.connect(addr)
+ sock.do_handshake()
+ return sock.get_peer_certificate()
+
+ def test_tls_ticket_resumption(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
--- End diff --
Are we supposed to do something with the cert returned? This should either have some asserts (to verify something) or not be here.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96907871
The point I'm trying to make (apparently not very effectively) is that the current implementation makes it *very* difficult to have the same set of keys on all boxes within a given site-- when a simple change (renewing out of the middle) makes it significantly less work.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96041983
All that means is I have to run traffic line at the same time everywhere,
which just moves the atomicity requirement.
On Apr 24, 2015 12:22 PM, "Bin" <no...@github.com> wrote:
> No, you do not have to atomically add the new key. What you can do is you
> push a new key to a cluster, then you wait a few minutes, say 20, until all
> of them receive the new key. Then you do a `traffic_line -x' to the boxes.
> There is no such a thing called "atomically" in a ATS cluster.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/apache/trafficserver/pull/189#issuecomment-96041018>.
>
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-115743209
@jacksontj is there any technical reason why this pull request has not been merged?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-98012180
@zeb209 Per our offline discussion we can add the tests for assigning a key out of the middle later. Before we merge this in though, can you do a git mv and a squash? I just finished removing the old tsqa, and I want to make sure you get the karma for the test :)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-116772011
@jacksontj if there is no question, can you please merge the pull request?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-104432343
It has been rebased. Should be able to be applied cleanly.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-102466395
Will get to it real soon. :)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96100469
The issue comes in with clients that move between ATS boxes. For example,
if a user hits box A and gets a ticket encrypted with the newest key, its
completely possible that it will then send a request to box B which hasn't
yet recieved that newest key, meaning that we will not honor the ticket and
will force a handshake.
On Fri, Apr 24, 2015 at 12:35 PM, Bin <no...@github.com> wrote:
> No you don't. You just run "traffic_line -x" whenever you think they all
> have the new key. Some boxes will run "traffic_line -x" a few minutes later
> than the others. It does not matter. The number of session tickets
> encrypted with the new key will be small. Typically one rotation cycle is a
> few hours such as 24, or 36. A few seconds is like nothing.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/apache/trafficserver/pull/189#issuecomment-96043182>.
>
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-95759799
@zeb209 Do you need to make new certs? there are ssl certs already generated in the test tree (might not have existed when you started)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by PSUdaemon <gi...@git.apache.org>.
Github user PSUdaemon commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-112872594
@jacksontj - Are you going to commit this?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-95372538
jacksontj is the best person to look at.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/189#discussion_r29015514
--- Diff: ci/new_tsqa/tests/test_tls_ticket_key_rotation.py ---
@@ -0,0 +1,175 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+from OpenSSL import SSL
+import socket
+import subprocess
+import time
+
+import helpers
+import tsqa.utils
+
+import os
+import tsqa.utils
+
+# helper function to get the path of a program.
+def which(program):
+ def is_exe(fpath):
+ return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+ fpath, fname = os.path.split(program)
+ if fpath:
+ if is_exe(program):
+ return program
+ else:
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ exe_file = os.path.join(path, program)
+ if is_exe(exe_file):
+ return exe_file
+ return None
+"""
+ Test TLS session resumption through session tickets and TLS ticket key rotation.
+"""
+class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
+ @classmethod
+ def setUpEnv(cls, env):
+ '''
+ This function is responsible for setting up the environment for this fixture
+ This includes everything pre-daemon start
+ '''
+
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
+
+ # configure SSL multicert
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/server.crt'), helpers.tests_file_path('rsa_keys/server.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+
+ def _get_cert(self, addr):
+ '''
+ Return the certificate for addr.
+ '''
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ # Set up client
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.connect(addr)
+ sock.do_handshake()
+ return sock.get_peer_certificate()
+
+ def test_tls_ticket_resumption(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
+
+ # openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
+ sess = os.path.join(self.environment.layout.logdir, 'sess')
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_out {2}'.format(addr[0], addr[1], sess);
+
+ # check whether TLS session tickets are received by s_client.
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ ticket_exists = False
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("TLS session ticket:"):
+ ticket_exists = True
+ break
+ self.assertTrue(ticket_exists)
+
+ # check whether the session has been reused
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_in {2}'.format(addr[0], addr[1], sess);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertTrue(reused)
+
+ # negative test case. The session is not reused.
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1}'.format(addr[0], addr[1]);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertFalse(reused)
+
+ def test_tls_ticket_rotation(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
+
+ '''
+ openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
+ '''
+
+ # Generate and push a new ticket key
+ rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
+ stdout, _ = tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)
+
+ # touch the ssl_multicert.config file
+ ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
+
+ read_renewed_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -r proxy.process.ssl.total_ticket_keys_renewed'
+
+ # Check whether the config file exists.
+ self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
+ touch_cmd = which('touch') + ' ' + ssl_multicert
+ tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)
+
+ count = 0
+ while True:
+ try:
+ stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
+ old_renewed = stdout
+ break
+ except Exception:
+ ++count
+ # If we have waited more than 30 seconds and the command still failed, quit here.
+ if count > 30:
+ self.assertTrue(False)
--- End diff --
You can define an error message as the second ard to this. That way if this fails the person running the tests can have a message instead of an assert True != False (https://docs.python.org/2/library/unittest.html#unittest.TestCase.assertTrue)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-117301497
Thanks!
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96752161
The premise of your approach is that the keys on all boxes have keys in sync, which is the same problem here. You try to encrypt new session tickets with the later half of the keys. But the later half themselves can be out of sync. It is the same problem. How do you make sure that all the boxes have the same keys in each half?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/189#discussion_r29015459
--- Diff: ci/new_tsqa/tests/test_tls_ticket_key_rotation.py ---
@@ -0,0 +1,175 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+from OpenSSL import SSL
+import socket
+import subprocess
+import time
+
+import helpers
+import tsqa.utils
+
+import os
+import tsqa.utils
+
+# helper function to get the path of a program.
+def which(program):
+ def is_exe(fpath):
+ return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+ fpath, fname = os.path.split(program)
+ if fpath:
+ if is_exe(program):
+ return program
+ else:
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ exe_file = os.path.join(path, program)
+ if is_exe(exe_file):
+ return exe_file
+ return None
+"""
+ Test TLS session resumption through session tickets and TLS ticket key rotation.
+"""
+class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
+ @classmethod
+ def setUpEnv(cls, env):
+ '''
+ This function is responsible for setting up the environment for this fixture
+ This includes everything pre-daemon start
+ '''
+
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
+
+ # configure SSL multicert
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/server.crt'), helpers.tests_file_path('rsa_keys/server.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+
+ def _get_cert(self, addr):
+ '''
+ Return the certificate for addr.
+ '''
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ # Set up client
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.connect(addr)
+ sock.do_handshake()
+ return sock.get_peer_certificate()
+
+ def test_tls_ticket_resumption(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
+
+ # openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
+ sess = os.path.join(self.environment.layout.logdir, 'sess')
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_out {2}'.format(addr[0], addr[1], sess);
+
+ # check whether TLS session tickets are received by s_client.
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ ticket_exists = False
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("TLS session ticket:"):
+ ticket_exists = True
+ break
+ self.assertTrue(ticket_exists)
+
+ # check whether the session has been reused
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_in {2}'.format(addr[0], addr[1], sess);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertTrue(reused)
+
+ # negative test case. The session is not reused.
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1}'.format(addr[0], addr[1]);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertFalse(reused)
+
+ def test_tls_ticket_rotation(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
+
+ '''
+ openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
--- End diff --
Leftover comment from debugging?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by zeb209 <gi...@git.apache.org>.
Github user zeb209 commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96043182
No you don't. You just run "traffic_line -x" whenever you think they all have the new key. Some boxes will run "traffic_line -x" a few minutes later than the others. It does not matter. The number of session tickets encrypted with the new key will be small. Typically one rotation cycle is a few hours such as 24, or 36. A few seconds is like nothing.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-96038933
With that behavior it means that you have yo atomically add the new key to
all hosts within a Colo, which is difficult to say the least. Since we
can't really guarantee that it is atomic we want some wiggle room, which
renewing out of the middle gives us.
On Apr 24, 2015 12:04 PM, "Bin" <no...@github.com> wrote:
> ATS does not review tickets using the middle key. Here is how it works.
> When you rotate the key, you push a new key to the head of the key file and
> remove one from the tail of the file. The new key will be used to encrypt
> session tickets and the rest are only used to decrypt session tickets. The
> middle keys are not used to encrypt any more because they are retired and
> only used to resume sessions.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/apache/trafficserver/pull/189#issuecomment-96037112>.
>
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-95760782
Another thing, IIRC we were going to have ATS renew tickets using the middle (or at least not newest) ticket we should also test that :)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/189#issuecomment-101816775
@zeb209 Ping on the rebase :)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: Integration test for TLS ticket key ro...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/trafficserver/pull/189
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---