Posted to commits@trafficserver.apache.org by ja...@apache.org on 2015/06/30 03:36:06 UTC
[1/3] trafficserver git commit: Remove server.key and server.crt
since tsqa has a pair. Address comments by jacksontj.
Repository: trafficserver
Updated Branches:
refs/heads/master 1a160e13e -> 551e9a0e6
Remove server.key and server.crt since tsqa has a pair.
Address comments by jacksontj.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/9f9e611c
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/9f9e611c
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/9f9e611c
Branch: refs/heads/master
Commit: 9f9e611c8eaa750cb3c52194d29aaafdc3474cb0
Parents: 56da67c
Author: Bin Zeng <bz...@linkedin.com>
Authored: Fri Apr 24 11:54:26 2015 -0700
Committer: Thomas Jackson <ja...@apache.org>
Committed: Mon Jun 29 18:07:25 2015 -0700
----------------------------------------------------------------------
ci/new_tsqa/files/rsa_keys/server.crt | 16 --------------
ci/new_tsqa/files/rsa_keys/server.key | 15 -------------
.../tests/test_tls_ticket_key_rotation.py | 23 +++++++++-----------
3 files changed, 10 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9f9e611c/ci/new_tsqa/files/rsa_keys/server.crt
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/rsa_keys/server.crt b/ci/new_tsqa/files/rsa_keys/server.crt
deleted file mode 100644
index db84788..0000000
--- a/ci/new_tsqa/files/rsa_keys/server.crt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICfzCCAegCCQD5X+YRIXU9pTANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJNVjEQMA4GA1UECgwHSGFja2luZzER
-MA8GA1UECwwIU2VjdXJpdHkxEjAQBgNVBAMMCTEyNy4wLjAuMTEhMB8GCSqGSIb3
-DQEJARYSYnplbmdAbGlua2VkaW4uY29tMB4XDTE0MDcyOTE2NDgxOVoXDTI0MDcy
-NjE2NDgxOVowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwC
-TVYxEDAOBgNVBAoMB0hhY2tpbmcxETAPBgNVBAsMCFNlY3VyaXR5MRIwEAYDVQQD
-DAkxMjcuMC4wLjExITAfBgkqhkiG9w0BCQEWEmJ6ZW5nQGxpbmtlZGluLmNvbTCB
-nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsHvcPHDgPj5kHTRFi9vXsKXmxwl7
-qzrQIh3r0psocbL02YY0n0aQzAoToGiDjXNu7+Ldg52UHj85WQXmkJlw+kau4i/7
-+FPnY/XeW0CNp7emW9XeZlGtu3XTHxGviS2XCsOWhKZkdL6b3cbxt3EzeFveSC2z
-/inYSnFDTfx+sE0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQBFFugtKZHQSSr++bcm
-IYNZu2XVWJIzZAvvUyLwzNiTyo1sWF6E7IqtBJMjfhAGp8iKgTewaJJIPFqYZScV
-X03VMRUPN0YOVGVbzrZs+mgo8IgvXb/gzpgisbLMNbOyffh6rFOc44TYJKb1ogxw
-E67cvhwsvvLIvlcaI77B3vO6iQ==
------END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9f9e611c/ci/new_tsqa/files/rsa_keys/server.key
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/rsa_keys/server.key b/ci/new_tsqa/files/rsa_keys/server.key
deleted file mode 100644
index a6805d5..0000000
--- a/ci/new_tsqa/files/rsa_keys/server.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCwe9w8cOA+PmQdNEWL29ewpebHCXurOtAiHevSmyhxsvTZhjSf
-RpDMChOgaIONc27v4t2DnZQePzlZBeaQmXD6Rq7iL/v4U+dj9d5bQI2nt6Zb1d5m
-Ua27ddMfEa+JLZcKw5aEpmR0vpvdxvG3cTN4W95ILbP+KdhKcUNN/H6wTQIDAQAB
-AoGARM+2enaEaKCJBn4IE9UfD0hQaBDBgG0JFBRYi6Blr5dYMqxKPkQUVwoixuuZ
-R4DXo37wYc4CH50FLjnHwV+ilb0mvqRYPTwVOlUIRpvN9CHS8RZmccmUwxtTG128
-81hFAz0VJBQ0+SHvha8XGCBfbQAEjHxIYORrHOKs/4KO+MECQQDebyVdBRTmvAF/
-2zt5jvWkSvUX49n0SLsok2pH2nConvKwQ2J0I6wXw4sNSnbsDik6pJjDFx/rLZpz
-OfcRLUvRAkEAyx2bZE1r5M3y7HGM6rmRv5zP86wFsoPryxFVi4t9ZHSynkarSNWA
-4YGT44MsctYrij4eSqztBiIGBbtVnwsHvQJAQEJRw/a03BeSQ1Kdcvem5Ui2V6l+
-jMD6OLWlrY5gn4YTzHIbHjwz+kWGhVdu1bEdnhBxBWNH2FQ7W3ByfObeEQJBAK9p
-VEedLS6eRcq4jbAwrpRCQrz3tLvkfgATakNnJdVZiuBxu37dE76sfyGeqQZLu7JZ
-zyNCkDgZrgXJMTp29ikCQDdSanJybsmPxcjcjH/VmO058Hpt7+vRIsUljdKmdC0k
-Duzl8xSbIcKScQcrsPwpOr1SsiR6XFMqJxCiHLx/vMU=
------END RSA PRIVATE KEY-----
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9f9e611c/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
index d617384..3b9bc77 100644
--- a/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
+++ b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
@@ -60,9 +60,9 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
# configure SSL multicert
- cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/server.crt'), helpers.tests_file_path('rsa_keys/server.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/ca.crt'), helpers.tests_file_path('rsa_keys/ca.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
- def _get_cert(self, addr):
+ def start_connection(self, addr):
'''
Return the certificate for addr.
'''
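Review bot: The docstring of the renamed method still reads "Return the certificate for addr." although the method is now `start_connection` and, per the next hunk, no longer returns the peer certificate; replace it with `Open a TLS connection to addr and complete the handshake; nothing is returned.` The method body continues outside this hunk. The same hunk points `ssl_cert_name`/`ssl_key_name` at `rsa_keys/ca.crt` and `rsa_keys/ca.key`; if that pair is a CA certificate rather than an end-entity certificate for 127.0.0.1, a verifying client would reject it, and this test client does not verify, so the substitution only matters if verification is ever added.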
@@ -71,14 +71,13 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
sock.connect(addr)
sock.do_handshake()
- return sock.get_peer_certificate()
def test_tls_ticket_resumption(self):
'''
Make sure the new ticket key is loaded
'''
addr = ('127.0.0.1', self.ssl_port)
- self._get_cert(addr)
+ self.start_connection(addr)
# openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
sess = os.path.join(self.environment.layout.logdir, 'sess')
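Review bot: `sock` is connected and handshaken but never shut down or closed, so each call leaves a TLS connection to traffic_server dangling until garbage collection; add `sock.close()` after `sock.do_handshake()`, since the `return` this hunk removes was the only remaining use of it. `start_connection` begins before this hunk. The context is `SSL.Context(SSL.SSLv23_METHOD)` with no verify mode, so the handshake succeeds whatever certificate the server presents; that is acceptable for a ticket test but deserves a one-line comment such as `# no certificate verification: this only exercises session tickets`.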
@@ -92,7 +91,7 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
if text.startswith("TLS session ticket:"):
ticket_exists = True
break
- self.assertTrue(ticket_exists)
+ self.assertTrue(ticket_exists, "Sesssion tickets are not received")
# check whether the session has been reused
reused = False
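Review bot: The new assertion message has a typo, `Sesssion`; use `self.assertTrue(ticket_exists, "Session tickets are not received")`. The message is what a failing CI run prints, so the misspelling will be copied into bug reports. test_tls_ticket_resumption begins before this hunk.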
@@ -103,7 +102,7 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
if text.startswith("Reused, TLSv1/SSLv3,"):
reused = True
break
- self.assertTrue(reused)
+ self.assertTrue(reused, "TLS session was not reused!")
# negative test case. The session is not reused.
reused = False
@@ -114,14 +113,14 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
if text.startswith("Reused, TLSv1/SSLv3,"):
reused = True
break
- self.assertFalse(reused)
+ self.assertFalse(reused, "TLS session has been reused!")
def test_tls_ticket_rotation(self):
'''
Make sure the new ticket key is loaded
'''
addr = ('127.0.0.1', self.ssl_port)
- self._get_cert(addr)
+ self.start_connection(addr)
'''
openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
@@ -149,10 +148,9 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
break
except Exception:
++count
- # If we have waited more than 30 seconds and the command still failed, quit here.
+ # If we have tried 30 times and the command still failed, quit here.
if count > 30:
- self.assertTrue(False)
- time.sleep(1)
+ self.assertTrue(False, "Failed to get the number of renewed keys!")
signal_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -x'
tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)
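Review bot: `++count` at the top of the `except` block is not an increment in Python (unary plus applied twice), so `count` stays 0, the `count > 30` guard never fires, and with `time.sleep(1)` removed by this hunk a persistently failing `traffic_line` makes the `while True` spin without pause; the new comment "tried 30 times" describes behaviour the code does not have. Change the line to `count += 1`, keep a `time.sleep(1)` between attempts, and replace the `self.assertTrue(False, ...)` with `self.fail("Failed to get the number of renewed keys!")`. The same pattern is in the next hunk (the second retry loop) and in the full-file versions of this test in 56da67cc and 551e9a0e. If both sleeps stay removed, `import time` at the top of the file is presumably unused; that import is outside this hunk.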
@@ -168,8 +166,7 @@ class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
except Exception:
++count
if count > 30:
- self.assertTrue(False)
- time.sleep(1)
+ self.assertTrue(False, "Failed to get the number of renewed keys!")
# the number of ticket keys renewed has been increased.
self.assertNotEqual(old_renewed, cur_renewed)
[2/3] trafficserver git commit: Integration test for TLS ticket key
rotation.
Posted by ja...@apache.org.
Integration test for TLS ticket key rotation.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/56da67cc
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/56da67cc
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/56da67cc
Branch: refs/heads/master
Commit: 56da67cc84167e5704df68199d65c0e8a598360b
Parents: 1a160e1
Author: Bin Zeng <bz...@linkedin.com>
Authored: Wed Apr 22 16:37:45 2015 -0700
Committer: Thomas Jackson <ja...@apache.org>
Committed: Mon Jun 29 18:07:25 2015 -0700
----------------------------------------------------------------------
ci/new_tsqa/files/rsa_keys/server.crt | 16 ++
ci/new_tsqa/files/rsa_keys/server.key | 15 ++
.../tests/test_tls_ticket_key_rotation.py | 175 +++++++++++++++++++
3 files changed, 206 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/56da67cc/ci/new_tsqa/files/rsa_keys/server.crt
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/rsa_keys/server.crt b/ci/new_tsqa/files/rsa_keys/server.crt
new file mode 100644
index 0000000..db84788
--- /dev/null
+++ b/ci/new_tsqa/files/rsa_keys/server.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfzCCAegCCQD5X+YRIXU9pTANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJNVjEQMA4GA1UECgwHSGFja2luZzER
+MA8GA1UECwwIU2VjdXJpdHkxEjAQBgNVBAMMCTEyNy4wLjAuMTEhMB8GCSqGSIb3
+DQEJARYSYnplbmdAbGlua2VkaW4uY29tMB4XDTE0MDcyOTE2NDgxOVoXDTI0MDcy
+NjE2NDgxOVowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwC
+TVYxEDAOBgNVBAoMB0hhY2tpbmcxETAPBgNVBAsMCFNlY3VyaXR5MRIwEAYDVQQD
+DAkxMjcuMC4wLjExITAfBgkqhkiG9w0BCQEWEmJ6ZW5nQGxpbmtlZGluLmNvbTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsHvcPHDgPj5kHTRFi9vXsKXmxwl7
+qzrQIh3r0psocbL02YY0n0aQzAoToGiDjXNu7+Ldg52UHj85WQXmkJlw+kau4i/7
++FPnY/XeW0CNp7emW9XeZlGtu3XTHxGviS2XCsOWhKZkdL6b3cbxt3EzeFveSC2z
+/inYSnFDTfx+sE0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQBFFugtKZHQSSr++bcm
+IYNZu2XVWJIzZAvvUyLwzNiTyo1sWF6E7IqtBJMjfhAGp8iKgTewaJJIPFqYZScV
+X03VMRUPN0YOVGVbzrZs+mgo8IgvXb/gzpgisbLMNbOyffh6rFOc44TYJKb1ogxw
+E67cvhwsvvLIvlcaI77B3vO6iQ==
+-----END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/56da67cc/ci/new_tsqa/files/rsa_keys/server.key
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/rsa_keys/server.key b/ci/new_tsqa/files/rsa_keys/server.key
new file mode 100644
index 0000000..a6805d5
--- /dev/null
+++ b/ci/new_tsqa/files/rsa_keys/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
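Review bot: This hunk commits an RSA private key (`server.key`) alongside its certificate in the previous hunk; even though 9f9e611c deletes both files again, the key remains in the repository history, so it has to be treated as public and must never be reused outside this test fixture. The base64 appears to encode a 1024-bit RSA key and a self-signed certificate for 127.0.0.1 with roughly ten years of validity, which is below current key-size guidance even for test material. If a throwaway pair is needed, generate it at fixture setup or use the pair tsqa already ships (which the next commit switches to) rather than storing long-lived private key material in git.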
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/56da67cc/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
new file mode 100644
index 0000000..d617384
--- /dev/null
+++ b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
@@ -0,0 +1,175 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+from OpenSSL import SSL
+import socket
+import subprocess
+import time
+
+import helpers
+import tsqa.utils
+
+import os
+import tsqa.utils
+
+# helper function to get the path of a program.
+def which(program):
+ def is_exe(fpath):
+ return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+ fpath, fname = os.path.split(program)
+ if fpath:
+ if is_exe(program):
+ return program
+ else:
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ exe_file = os.path.join(path, program)
+ if is_exe(exe_file):
+ return exe_file
+ return None
+"""
+ Test TLS session resumption through session tickets and TLS ticket key rotation.
+"""
+class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
+ @classmethod
+ def setUpEnv(cls, env):
+ '''
+ This function is responsible for setting up the environment for this fixture
+ This includes everything pre-daemon start
+ '''
+
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
+
+ # configure SSL multicert
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/server.crt'), helpers.tests_file_path('rsa_keys/server.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+
+ def _get_cert(self, addr):
+ '''
+ Return the certificate for addr.
+ '''
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ # Set up client
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.connect(addr)
+ sock.do_handshake()
+ return sock.get_peer_certificate()
+
+ def test_tls_ticket_resumption(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
+
+ # openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
+ sess = os.path.join(self.environment.layout.logdir, 'sess')
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_out {2}'.format(addr[0], addr[1], sess);
+
+ # check whether TLS session tickets are received by s_client.
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ ticket_exists = False
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("TLS session ticket:"):
+ ticket_exists = True
+ break
+ self.assertTrue(ticket_exists)
+
+ # check whether the session has been reused
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_in {2}'.format(addr[0], addr[1], sess);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertTrue(reused)
+
+ # negative test case. The session is not reused.
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1}'.format(addr[0], addr[1]);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertFalse(reused)
+
+ def test_tls_ticket_rotation(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self._get_cert(addr)
+
+ '''
+ openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
+ '''
+
+ # Generate and push a new ticket key
+ rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
+ stdout, _ = tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)
+
+ # touch the ssl_multicert.config file
+ ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
+
+ read_renewed_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -r proxy.process.ssl.total_ticket_keys_renewed'
+
+ # Check whether the config file exists.
+ self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
+ touch_cmd = which('touch') + ' ' + ssl_multicert
+ tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)
+
+ count = 0
+ while True:
+ try:
+ stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
+ old_renewed = stdout
+ break
+ except Exception:
+ ++count
+ # If we have waited more than 30 seconds and the command still failed, quit here.
+ if count > 30:
+ self.assertTrue(False)
+ time.sleep(1)
+
+ signal_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -x'
+ tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)
+
+ # wait for the ticket keys to be sucked in by traffic_server.
+ count = 0
+ while True:
+ try:
+ stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
+ cur_renewed = stdout
+ if old_renewed != cur_renewed:
+ break
+ except Exception:
+ ++count
+ if count > 30:
+ self.assertTrue(False)
+ time.sleep(1)
+
+ # the number of ticket keys renewed has been increased.
+ self.assertNotEqual(old_renewed, cur_renewed)
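Review bot: `test_tls_ticket_rotation` overwrites the checked-in fixture `rsa_keys/ssl_ticket.key` in place with `openssl rand 48 -base64 > ...` and never restores it, so every run mutates the source tree and the next run starts from a different ticket key; copy the fixture into the sandbox (for example `self.environment.layout.sysconfdir`) in `setUpEnv` and point `ticket_key_name` at the copy. The exit status of `rotate_cmd` is not checked, and on OpenSSL builds that require options before `num` the command fails and the redirect leaves an empty key file, which the test would then report as a rotation failure for the wrong reason. `which('touch') + ' ' + ssl_multicert` raises `TypeError` if `which` returns `None`; `os.utime(ssl_multicert, None)` updates the mtime without a shell. The triple-quoted string between `which` and the class is a bare expression, not a module docstring; move it to the top of the file or make it the class docstring, and drop the duplicated `import tsqa.utils`.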
[3/3] trafficserver git commit: Move test_tls_ticket_key_rotation.py
to tsqa directory
Posted by ja...@apache.org.
Move test_tls_ticket_key_rotation.py to tsqa directory
This closes #189
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/551e9a0e
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/551e9a0e
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/551e9a0e
Branch: refs/heads/master
Commit: 551e9a0e6796a4cc0e8baf35bc4c3888f61274aa
Parents: 9f9e611
Author: Bin Zeng <bz...@linkedin.com>
Authored: Thu May 21 14:42:22 2015 -0700
Committer: Thomas Jackson <ja...@apache.org>
Committed: Mon Jun 29 18:30:40 2015 -0700
----------------------------------------------------------------------
.../tests/test_tls_ticket_key_rotation.py | 172 -------------------
ci/tsqa/tests/test_tls_ticket_key_rotation.py | 172 +++++++++++++++++++
2 files changed, 172 insertions(+), 172 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/551e9a0e/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py b/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
deleted file mode 100644
index 3b9bc77..0000000
--- a/ci/new_tsqa/tests/test_tls_ticket_key_rotation.py
+++ /dev/null
@@ -1,172 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import logging
-from OpenSSL import SSL
-import socket
-import subprocess
-import time
-
-import helpers
-import tsqa.utils
-
-import os
-import tsqa.utils
-
-# helper function to get the path of a program.
-def which(program):
- def is_exe(fpath):
- return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
- fpath, fname = os.path.split(program)
- if fpath:
- if is_exe(program):
- return program
- else:
- for path in os.environ["PATH"].split(os.pathsep):
- path = path.strip('"')
- exe_file = os.path.join(path, program)
- if is_exe(exe_file):
- return exe_file
- return None
-"""
- Test TLS session resumption through session tickets and TLS ticket key rotation.
-"""
-class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
- @classmethod
- def setUpEnv(cls, env):
- '''
- This function is responsible for setting up the environment for this fixture
- This includes everything pre-daemon start
- '''
-
- # add an SSL port to ATS
- cls.ssl_port = tsqa.utils.bind_unused_port()[1]
- cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
- cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
- cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
-
- # configure SSL multicert
-
- cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/ca.crt'), helpers.tests_file_path('rsa_keys/ca.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
-
- def start_connection(self, addr):
- '''
- Return the certificate for addr.
- '''
- ctx = SSL.Context(SSL.SSLv23_METHOD)
- # Set up client
- sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
- sock.connect(addr)
- sock.do_handshake()
-
- def test_tls_ticket_resumption(self):
- '''
- Make sure the new ticket key is loaded
- '''
- addr = ('127.0.0.1', self.ssl_port)
- self.start_connection(addr)
-
- # openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
- sess = os.path.join(self.environment.layout.logdir, 'sess')
- ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_out {2}'.format(addr[0], addr[1], sess);
-
- # check whether TLS session tickets are received by s_client.
- stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
- ticket_exists = False
- for line in stdout.splitlines():
- text = line.strip()
- if text.startswith("TLS session ticket:"):
- ticket_exists = True
- break
- self.assertTrue(ticket_exists, "Sesssion tickets are not received")
-
- # check whether the session has been reused
- reused = False
- ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_in {2}'.format(addr[0], addr[1], sess);
- stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
- for line in stdout.splitlines():
- text = line.strip()
- if text.startswith("Reused, TLSv1/SSLv3,"):
- reused = True
- break
- self.assertTrue(reused, "TLS session was not reused!")
-
- # negative test case. The session is not reused.
- reused = False
- ticket_cmd = 'echo | openssl s_client -connect {0}:{1}'.format(addr[0], addr[1]);
- stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
- for line in stdout.splitlines():
- text = line.strip()
- if text.startswith("Reused, TLSv1/SSLv3,"):
- reused = True
- break
- self.assertFalse(reused, "TLS session has been reused!")
-
- def test_tls_ticket_rotation(self):
- '''
- Make sure the new ticket key is loaded
- '''
- addr = ('127.0.0.1', self.ssl_port)
- self.start_connection(addr)
-
- '''
- openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
- '''
-
- # Generate and push a new ticket key
- rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
- stdout, _ = tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)
-
- # touch the ssl_multicert.config file
- ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
-
- read_renewed_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -r proxy.process.ssl.total_ticket_keys_renewed'
-
- # Check whether the config file exists.
- self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
- touch_cmd = which('touch') + ' ' + ssl_multicert
- tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)
-
- count = 0
- while True:
- try:
- stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
- old_renewed = stdout
- break
- except Exception:
- ++count
- # If we have tried 30 times and the command still failed, quit here.
- if count > 30:
- self.assertTrue(False, "Failed to get the number of renewed keys!")
-
- signal_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -x'
- tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)
-
- # wait for the ticket keys to be sucked in by traffic_server.
- count = 0
- while True:
- try:
- stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
- cur_renewed = stdout
- if old_renewed != cur_renewed:
- break
- except Exception:
- ++count
- if count > 30:
- self.assertTrue(False, "Failed to get the number of renewed keys!")
-
- # the number of ticket keys renewed has been increased.
- self.assertNotEqual(old_renewed, cur_renewed)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/551e9a0e/ci/tsqa/tests/test_tls_ticket_key_rotation.py
----------------------------------------------------------------------
diff --git a/ci/tsqa/tests/test_tls_ticket_key_rotation.py b/ci/tsqa/tests/test_tls_ticket_key_rotation.py
new file mode 100644
index 0000000..3b9bc77
--- /dev/null
+++ b/ci/tsqa/tests/test_tls_ticket_key_rotation.py
@@ -0,0 +1,172 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+from OpenSSL import SSL
+import socket
+import subprocess
+import time
+
+import helpers
+import tsqa.utils
+
+import os
+import tsqa.utils
+
+# helper function to get the path of a program.
+def which(program):
+ def is_exe(fpath):
+ return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+ fpath, fname = os.path.split(program)
+ if fpath:
+ if is_exe(program):
+ return program
+ else:
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ exe_file = os.path.join(path, program)
+ if is_exe(exe_file):
+ return exe_file
+ return None
+"""
+ Test TLS session resumption through session tickets and TLS ticket key rotation.
+"""
+class TestTLSTicketKeyRotation(helpers.EnvironmentCase):
+ @classmethod
+ def setUpEnv(cls, env):
+ '''
+ This function is responsible for setting up the environment for this fixture
+ This includes everything pre-daemon start
+ '''
+
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
+ cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
+
+ # configure SSL multicert
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_key_name={1} ticket_key_name={2}'.format(helpers.tests_file_path('rsa_keys/ca.crt'), helpers.tests_file_path('rsa_keys/ca.key'), helpers.tests_file_path('rsa_keys/ssl_ticket.key')))
+
+ def start_connection(self, addr):
+ '''
+ Return the certificate for addr.
+ '''
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ # Set up client
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.connect(addr)
+ sock.do_handshake()
+
+ def test_tls_ticket_resumption(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self.start_connection(addr)
+
+ # openssl s_client -connect 127.0.0.1:443 -tls1 < /dev/null
+ sess = os.path.join(self.environment.layout.logdir, 'sess')
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_out {2}'.format(addr[0], addr[1], sess);
+
+ # check whether TLS session tickets are received by s_client.
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ ticket_exists = False
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("TLS session ticket:"):
+ ticket_exists = True
+ break
+ self.assertTrue(ticket_exists, "Sesssion tickets are not received")
+
+ # check whether the session has been reused
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1} -sess_in {2}'.format(addr[0], addr[1], sess);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertTrue(reused, "TLS session was not reused!")
+
+ # negative test case. The session is not reused.
+ reused = False
+ ticket_cmd = 'echo | openssl s_client -connect {0}:{1}'.format(addr[0], addr[1]);
+ stdout, _ = tsqa.utils.run_sync_command(ticket_cmd, stdout=subprocess.PIPE, shell=True)
+ for line in stdout.splitlines():
+ text = line.strip()
+ if text.startswith("Reused, TLSv1/SSLv3,"):
+ reused = True
+ break
+ self.assertFalse(reused, "TLS session has been reused!")
+
+ def test_tls_ticket_rotation(self):
+ '''
+ Make sure the new ticket key is loaded
+ '''
+ addr = ('127.0.0.1', self.ssl_port)
+ self.start_connection(addr)
+
+ '''
+ openssl s_client -connect server_ip:ssl_port -tls1 < /dev/null
+ '''
+
+ # Generate and push a new ticket key
+ rotate_cmd = 'openssl rand 48 -base64 > {0}'.format(helpers.tests_file_path('rsa_keys/ssl_ticket.key'))
+ stdout, _ = tsqa.utils.run_sync_command(rotate_cmd, stdout=subprocess.PIPE, shell=True)
+
+ # touch the ssl_multicert.config file
+ ssl_multicert = os.path.join(self.environment.layout.sysconfdir, 'ssl_multicert.config')
+
+ read_renewed_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -r proxy.process.ssl.total_ticket_keys_renewed'
+
+ # Check whether the config file exists.
+ self.assertTrue(os.path.isfile(ssl_multicert), ssl_multicert)
+ touch_cmd = which('touch') + ' ' + ssl_multicert
+ tsqa.utils.run_sync_command(touch_cmd, stdout=subprocess.PIPE, shell=True)
+
+ count = 0
+ while True:
+ try:
+ stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
+ old_renewed = stdout
+ break
+ except Exception:
+ ++count
+ # If we have tried 30 times and the command still failed, quit here.
+ if count > 30:
+ self.assertTrue(False, "Failed to get the number of renewed keys!")
+
+ signal_cmd = os.path.join(self.environment.layout.bindir, 'traffic_line') + ' -x'
+ tsqa.utils.run_sync_command(signal_cmd, stdout=subprocess.PIPE, shell=True)
+
+ # wait for the ticket keys to be sucked in by traffic_server.
+ count = 0
+ while True:
+ try:
+ stdout, _ = tsqa.utils.run_sync_command(read_renewed_cmd, stdout=subprocess.PIPE, shell=True)
+ cur_renewed = stdout
+ if old_renewed != cur_renewed:
+ break
+ except Exception:
+ ++count
+ if count > 30:
+ self.assertTrue(False, "Failed to get the number of renewed keys!")
+
+ # the number of ticket keys renewed has been increased.
+ self.assertNotEqual(old_renewed, cur_renewed)