Posted to dev@trafficserver.apache.org by ffcai <gi...@git.apache.org> on 2015/04/24 13:14:18 UTC
[GitHub] trafficserver pull request: add init test for SSL Termination
GitHub user ffcai opened a pull request:
https://github.com/apache/trafficserver/pull/192
add init test for SSL Termination
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/ffcai/trafficserver tsqa-test_ssl_server
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/192.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #192
----
commit fbe17adb8cacfd0ecb5214b188deeb86d8065830
Author: Feifei Cai <ff...@yahoo-inc.com>
Date: 2015-04-24T11:11:36Z
add init test for SSL Termination
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-95907499
Hi @jacksontj, here I use another bundle of certificates because I encountered some warnings/errors when testing with openssl/curl/requests.
1. When generating the certificate for the Intermediate CA, we need to specify **X509v3 extensions** as follows:
```
X509v3 Basic Constraints:
CA:TRUE
```
Otherwise we would get errors when testing with openssl commands.
http://serverfault.com/a/486835
2. It would be better to set **Subject Alternative Name** in the leaf certificate, to prevent a warning in requests.
```python
>>> import requests
>>> r = requests.get('https://www.example.com:4443', verify='/home/ffcai/apache/trafficserver/ci/new_tsqa/files/rsa_keys3/ca.crt')
/usr/lib/python2.6/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SecurityWarning
```
3. To enable the E2E https test, we need a customized DNS resolver, to hit localhost for a hostname like www.example.com. It seems that requests does not support this yet. There are some hacky ways, but I would like to find a simple way, like curl's option `--resolve`: http://superuser.com/a/794062
Could you please take a look at this bundle of certificates? If you agree with it, I'll post an update on how to generate the Root CA, Intermediate CA and leaf certificate. It's generated by a handy bash script, without complicated configurations.
---
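An added example (not part of the thread, and not the bash script ffcai mentions) of the two certificate points in the comment above: it builds a Root CA, Intermediate CA and leaf chain with openssl, once with `CA:TRUE` on the intermediate and once without, and checks chain verification, the leaf's `subjectAltName`, and how soon the leaf expires. The section names, subject names, file names and 30-day lifetime are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's script. Names and the 30-day lifetime are constructed.
write_ext_cnf() {  # minimal openssl config with the extension sections used below
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_true]
basicConstraints = critical,CA:TRUE
[ca_false]
basicConstraints = CA:FALSE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF
}
new_csr() {  # new_csr NAME CN: fresh RSA key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config ext.cnf
}
sign() {  # sign NAME ISSUER SECTION: issue NAME.crt with the given extensions
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 30 -extfile ext.cnf -extensions "$3"
}
# make_chain DIR INT_SECTION: ca_true is correct, ca_false is broken on purpose
make_chain() (
  mkdir -p "$1" && cd "$1" && write_ext_cnf ext.cnf &&
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Constructed Root CA" -days 30 -config ext.cnf -extensions ca_true &&
  new_csr int "Constructed Intermediate CA" && sign int root "$2" &&
  new_csr leaf www.example.com && sign leaf int leaf
) >/dev/null 2>&1

verify_chain() {  # match the "OK" line so the result does not depend on exit codes
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" 2>&1 |
    grep -q ': OK$'
}
has_san() { openssl x509 -in "$1/leaf.crt" -noout -text | grep -q 'DNS:www.example.com'; }
# expires_within DIR SECONDS: true when the leaf expires inside that window
expires_within() { ! openssl x509 -in "$1/leaf.crt" -noout -checkend "$2" >/dev/null; }

demo_dir=$(mktemp -d)
for s in ca_true ca_false; do
  make_chain "$demo_dir/$s" "$s"
  verify_chain "$demo_dir/$s" && echo "$s: chain verifies" || echo "$s: chain rejected"
done
rm -rf "$demo_dir"
```

A client check against a local listener can then pair curl's `--resolve` option with `--cacert root.crt`, so that www.example.com maps to localhost while the name in the certificate is still verified.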
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by ffcai <gi...@git.apache.org>.
Github user ffcai closed the pull request at:
https://github.com/apache/trafficserver/pull/192
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-162109692
I need to fix the conflict issue and will send a new PR later.
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-134744374
Well, when accessing the certs that are checked in today you usually call a library method which returns the path to the cert. If we want to make that library call lazily create the certs (similar to how the env_cache works) we can do that-- it is just another moving part (although you won't have to worry about the certs expiring potentially).
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-98012067
@ffcai Assuming the tests still pass that should be fine :)
I just finished replacing the old tsqa-- so sadly you now have a merge conflict :(
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-134052924
Hi @repodude,
Sorry for replying so late...
Well, I've considered using a script to generate certificates. In fact, I'm doing this in my local test environment. However, I have some concerns about introducing complexity to our tests. With some off-the-shelf certificates, we can focus our effort on the test itself. What do you think about these two options, @jacksontj?
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-115725233
@PSUdaemon Yeah, I can commit this-- there's just a merge conflict :). @ffcai Do you want to do the merge? Or should I?
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by repodude <gi...@git.apache.org>.
Github user repodude commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-118970165
Hey Feifei,
I'm curious why we are incorporating a static pre-generated certificate, rather than, perhaps, a script that just generates one to be used for testing.
One issue I see with incorporating a static test cert is the expiration time. The ones in this patch expire April 29, 2016.
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by ffcai <gi...@git.apache.org>.
Github user ffcai commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-116747013
Hi @jacksontj, I'll fix the conflict and do the merge.
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by jacksontj <gi...@git.apache.org>.
Github user jacksontj commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-119040683
We've been doing that for all of the tests actually. In my tests at least
I'm not verifying the validity of the cert-- since I can check to make sure
it's the exact one that I want. This saves some CPU for the test boxes, and
more importantly removes a moving part for the tests.
On Mon, Jul 6, 2015 at 12:26 PM, repodude <no...@github.com> wrote:
> Hey Feifei,
>
> I'm curious why are we incorporating a static pre-generated certificate,
> rather than, perhaps a script that just generates one to be used for
> testing.
>
> One issue I see with incorporating a static test cert is the expiration
> time. The ones in this patch expire April 29, 2016.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/apache/trafficserver/pull/192#issuecomment-118970165>.
>
---
[GitHub] trafficserver pull request: add init test for SSL Termination
Posted by PSUdaemon <gi...@git.apache.org>.
Github user PSUdaemon commented on the pull request:
https://github.com/apache/trafficserver/pull/192#issuecomment-112873763
@jacksontj - You going to commit this?
Should we create JIRAs for tsqa?
---