Posted to dev@trafficserver.apache.org by ffcai <gi...@git.apache.org> on 2015/04/24 13:14:18 UTC

[GitHub] trafficserver pull request: add init test for SSL Termination

GitHub user ffcai opened a pull request:

    https://github.com/apache/trafficserver/pull/192

    add init test for SSL Termination

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ffcai/trafficserver tsqa-test_ssl_server

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/192.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #192
    
----
commit fbe17adb8cacfd0ecb5214b188deeb86d8065830
Author: Feifei Cai <ff...@yahoo-inc.com>
Date:   2015-04-24T11:11:36Z

    add init test for SSL Termination

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-95907499
  
    Hi @jacksontj, here I use another bundle of certificates because I encountered some warnings/errors when testing with openssl/curl/requests.
    
    1. When generating the certificate for the Intermediate CA, we need to specify **X509v3 extensions** as follows:
    
       ```
               X509v3 Basic Constraints:
                   CA:TRUE
       ```
       Otherwise we would get errors when testing with openssl commands.
       http://serverfault.com/a/486835
    
    2. It would be better to set **Subject Alternative Name** in the leaf certificate, to prevent the warning in requests.
    
       ```python
       >>> import requests
       >>> r = requests.get('https://www.example.com:4443', verify='/home/ffcai/apache/trafficserver/ci/new_tsqa/files/rsa_keys3/ca.crt')
       /usr/lib/python2.6/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
         SecurityWarning
       ```
    
    3. To enable the E2E https test, we need a customized DNS resolver, to hit localhost for a hostname like www.example.com. It seems that requests does not support this yet. There are some hacky ways, but I would like to find a simple way, like curl's option `--resolve`: http://superuser.com/a/794062
    
    Could you please take a look at this bundle of certificates? If you agree with it, I'll update about how to generate the Root CA, Intermediate CA and leaf certificate. It's generated by a handy bash script, without complicated configurations.
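
For the third point in the comment above, one way to get curl's `--resolve` behaviour under requests is to pin the lookup at `socket.getaddrinfo`, which urllib3 calls when it opens a connection. This is an added example, not code from the pull request; `parse_resolve`, `resolve_override` and `resolved_addresses` are hypothetical helper names, and `ca.crt` in the usage comment is a placeholder path.

```python
import contextlib
import socket


def parse_resolve(entry):
    """Parse a curl-style 'host:port:address' pin into ((host, port), address)."""
    host, port, address = entry.split(":", 2)
    # Normalise case and a trailing dot; drop the brackets around IPv6 literals.
    return (host.lower().rstrip("."), int(port)), address.strip("[]")


@contextlib.contextmanager
def resolve_override(*entries):
    """Pin host:port pairs to fixed addresses for the duration of the block.

    Only name resolution changes. The HTTP client still hands the original
    hostname to TLS, so SNI and subjectAltName matching are exercised as usual.
    The patch is process-wide, so keep the block short in threaded test runs.
    """
    pins = dict(parse_resolve(e) for e in entries)
    original = socket.getaddrinfo

    def patched(host, port, *args, **kwargs):
        # Unpinned lookups fall through to the real resolver unchanged.
        key = (host.lower().rstrip("."), port) if isinstance(host, str) else None
        return original(pins.get(key, host), port, *args, **kwargs)

    socket.getaddrinfo = patched
    try:
        yield
    finally:
        socket.getaddrinfo = original  # always restore, even if the test fails


def resolved_addresses(host, port):
    """Return the distinct IPs getaddrinfo yields for host:port (TCP only)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


# Usage inside a test (assumes requests is installed and a server listens locally):
# with resolve_override("www.example.com:4443:127.0.0.1"):
#     requests.get("https://www.example.com:4443", verify="ca.crt")
```

Because certificate verification still runs against `www.example.com`, the test keeps checking the chain and the SAN entry rather than bypassing them with `verify=False`.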



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by ffcai <gi...@git.apache.org>.
Github user ffcai closed the pull request at:

    https://github.com/apache/trafficserver/pull/192



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-162109692
  
    I need to fix the conflict issue and will send a new PR later.



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-134744374
  
    Well, when accessing the certs that are checked in today you usually call a library method which returns the path to the cert. If we want to make that library call lazily create the certs (similar to how the env_cache works) we can do that-- it is just another moving part (although you won't have to worry about the certs expiring potentially).



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-98012067
  
    @ffcai Assuming the tests still pass that should be fine :) 
    
    I just finished replacing the old tsqa-- so sadly you now have a merge conflict :(



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-134052924
  
    Hi @repodude ,
    
    Sorry for replying so late...
    Well, I've considered using a script to generate certificates. In fact, I'm doing this in my local test environment. However, I have some concerns about introducing complexity to our tests. With some off-the-shelf certificates, we can focus our effort on the test itself. What do you think about these two options, @jacksontj?



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-115725233
  
    @PSUdaemon Yeah, I can commit this-- there's just a merge conflict :). @ffcai Do you want to do the merge? Or should I?



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by repodude <gi...@git.apache.org>.
Github user repodude commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-118970165
  
    Hey Feifei,
    I'm curious why we are incorporating a static pre-generated certificate, rather than, perhaps, a script that just generates one to be used for testing.
    
    One issue I see with incorporating a static test cert is the expiration time. The ones in this patch expire April 29, 2016.




[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-116747013
  
    Hi @jacksontj , I'll fix the conflict and do the merge.



[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-119040683
  
    We've been doing that for all of the tests actually. In my tests at least
    I'm not verifying the validity of the cert-- since I can check to make sure
    it's the exact one that I want. This saves some CPU for the test boxes, and
    more importantly removes a moving part for the tests.
    
    On Mon, Jul 6, 2015 at 12:26 PM, repodude <no...@github.com> wrote:
    
    > Hey Feifei,
    >
    > I'm curious why are we incorporating a static pre-generated certificate,
    > rather than, perhaps a script that just generates one to be used for
    > testing.
    >
    > One issue I see with incorporating a static test cert is the expiration
    > time. The ones in this patch expire April 29, 2016.
    >
    > —
    > Reply to this email directly or view it on GitHub
    > <https://github.com/apache/trafficserver/pull/192#issuecomment-118970165>.
    >




[GitHub] trafficserver pull request: add init test for SSL Termination

Posted by PSUdaemon <gi...@git.apache.org>.
Github user PSUdaemon commented on the pull request:

    https://github.com/apache/trafficserver/pull/192#issuecomment-112873763
  
    @jacksontj - You going to commit this?
    
    Should we create JIRAs for tsqa?

