From 12f3f7b7988ae71cfb067c5dfa8b4e90484e8887 Mon Sep 17 00:00:00 2001 From: midchildan Date: Mon, 29 May 2023 01:19:15 +0900 Subject: [PATCH 1/4] Fix forward-non-http autest for OpenSSL 3.0 --- tests/gold_tests/tls/test-nc-s_client.sh | 4 ++-- tests/gold_tests/tls/tls_forward_nonhttp.test.py | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/gold_tests/tls/test-nc-s_client.sh b/tests/gold_tests/tls/test-nc-s_client.sh index 8aaf1192987..c9193236d87 100644 --- a/tests/gold_tests/tls/test-nc-s_client.sh +++ b/tests/gold_tests/tls/test-nc-s_client.sh @@ -15,5 +15,5 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -nc -l -p $1 -c 'echo -e "This is a reply"' -o test.out & -echo "This is a test" | openssl s_client -servername bar.com -connect localhost:$2 -ign_eof +nc -l -p "$1" -c 'echo -e "This is a reply"' -o test.out & +echo "This is a test" | openssl s_client -servername bar.com -connect "localhost:$2" -ign_eof "${@:3}" diff --git a/tests/gold_tests/tls/tls_forward_nonhttp.test.py b/tests/gold_tests/tls/tls_forward_nonhttp.test.py index dd5304c4c40..43d781cdb99 100644 --- a/tests/gold_tests/tls/tls_forward_nonhttp.test.py +++ b/tests/gold_tests/tls/tls_forward_nonhttp.test.py @@ -64,7 +64,10 @@ tr = Test.AddTestRun("forward-non-http") tr.Setup.Copy("test-nc-s_client.sh") -tr.Processes.Default.Command = "sh test-nc-s_client.sh {1} {0}".format(ts.Variables.ssl_port, ts.Variables.s_client_port) +cmd_args = ["sh", "test-nc-s_client.sh", str(ts.Variables.s_client_port), str(ts.Variables.ssl_port)] +if Condition.HasOpenSSLVersion("3.0.0"): + cmd_args += ["-ignore_unexpected_eof"] +tr.Processes.Default.Command = " ".join(cmd_args) tr.ReturnCode = 0 tr.Processes.Default.StartBefore(nameserver) tr.Processes.Default.StartBefore(Test.Processes.ts) From df95358e099c313cccdec6541c8de73cd18a6f1b Mon Sep 17 00:00:00 2001 
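Review bot: The added `"${@:3}"` on the `openssl s_client` line is a bash-only expansion, but the test in this same patch launches the script as `sh test-nc-s_client.sh ...`, so where `sh` is dash or another strict POSIX shell the script stops with a bad-substitution error before s_client runs. A portable form is to put `port="$2"; shift 2` after the `nc` line and end the command with `-connect "localhost:$port" -ign_eof "$@"`; alternatively the test can invoke the script with `bash`. The hunk shows no shebang line, so the interpreter is whatever the caller picks. The same expansion is still present in the PATCH 4/4 hunk of this file.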
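Review bot: `if Condition.HasOpenSSLVersion("3.0.0"):` uses an AuTest condition helper in a plain Python `if`, and its definition is not part of this patch. If it returns a condition object meant for `Test.SkipUnless(...)` rather than a bool, the branch is always taken and `-ignore_unexpected_eof` is also handed to a pre-3.0 `openssl s_client`, which would reject the unknown option. Please confirm the return type, or decide from the installed `openssl version` output instead. A comment such as `# OpenSSL 3.0 reports a peer close without close_notify as an error; test-only workaround` above the `if` would also record why the flag is there, since it relaxes truncation detection.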
From: midchildan Date: Mon, 29 May 2023 01:20:10 +0900 Subject: [PATCH 2/4] Fix tls-verify-override autest for OpenSSL 3.0 --- tests/gold_tests/tls/tls_verify_override.test.py | 4 ++-- tests/gold_tests/tls/tls_verify_override_base.test.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/gold_tests/tls/tls_verify_override.test.py b/tests/gold_tests/tls/tls_verify_override.test.py index 7989d3055ce..1d216e6b02f 100644 --- a/tests/gold_tests/tls/tls_verify_override.test.py +++ b/tests/gold_tests/tls/tls_verify_override.test.py @@ -73,7 +73,7 @@ 'map http://bar.com/overridesignature https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=SIGNATURE @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format( server_foo.Variables.SSL_Port)) ts.Disk.remap_config.AddLine( - 'map http://bar.com/overridenone https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NONE @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED"'.format( + 'map http://bar.com/overridenone https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NONE @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format( server_foo.Variables.SSL_Port)) ts.Disk.remap_config.AddLine( 'map http://bar.com/overrideenforced https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED'.format( 
@@ -252,7 +252,7 @@ # checks on random.com should fail with message only ts.Disk.diags_log.Content = Testers.ContainsExpression( - r"WARNING: Core server certificate verification failed for \(random.com\). Action=Continue Error=self signed certificate server=random.com\(127.0.0.1\) depth=0", + r"WARNING: Core server certificate verification failed for \(random.com\). Action=Continue Error=self.signed certificate server=random.com\(127.0.0.1\) depth=0", "Warning for self signed certificate") # permissive failure for bar.com ts.Disk.diags_log.Content += Testers.ContainsExpression( diff --git a/tests/gold_tests/tls/tls_verify_override_base.test.py b/tests/gold_tests/tls/tls_verify_override_base.test.py index 4063898bde9..0f974678713 100644 --- a/tests/gold_tests/tls/tls_verify_override_base.test.py +++ b/tests/gold_tests/tls/tls_verify_override_base.test.py @@ -241,7 +241,7 @@ # checks on random.com should fail with message only ts.Disk.diags_log.Content = Testers.ContainsExpression( - r"WARNING: Core server certificate verification failed for \(random.com\). Action=Continue Error=self signed certificate server=127.0.0.1\(127.0.0.1\) depth=0", + r"WARNING: Core server certificate verification failed for \(random.com\). Action=Continue Error=self.signed certificate server=127.0.0.1\(127.0.0.1\) depth=0", "Warning for self signed certificate") # permissive failure for bar.com ts.Disk.diags_log.Content += Testers.ContainsExpression( From fca40dd0e79fcf44707716055b29433125a64fb7 Mon Sep 17 00:00:00 2001 From: midchildan Date: Mon, 29 May 2023 01:21:14 +0900 Subject: [PATCH 3/4] Fix tls_client_versions autest with OpenSSL 3.0 --- tests/gold_tests/tls/tls_client_versions.test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/gold_tests/tls/tls_client_versions.test.py b/tests/gold_tests/tls/tls_client_versions.test.py index 8d19c78669b..67b57f82c69 100644 --- a/tests/gold_tests/tls/tls_client_versions.test.py 
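Review bot: In the `diags_log` expression, `Error=self.signed certificate` lets any character sit between "self" and "signed", which is looser than this check on the verification-failure warning needs to be. `Error=self[- ]signed certificate` states the intent exactly, assuming the goal is to accept both the older "self signed" wording and the hyphenated one from OpenSSL 3.0. A one-line comment such as `# OpenSSL 3.0 reports "self-signed certificate"` would keep the pattern from being tightened back by accident. The same applies to the matching hunk in tls_verify_override_base.test.py.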
+++ b/tests/gold_tests/tls/tls_client_versions.test.py @@ -49,7 +49,7 @@ ts.Disk.records_config.update({ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), - 'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2', + 'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2:@SECLEVEL=0', 'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.url_remap.pristine_host_hdr': 1, 'proxy.config.ssl.TLSv1': 0, From 1e5e42acdc965195724f0a8793815a4af03475ec Mon Sep 17 00:00:00 2001 From: Brian Neradt Date: Thu, 29 Jun 2023 18:27:15 -0400 Subject: [PATCH 4/4] Update test-nc-s_client.sh Added an EOF to test-nc-s_client.sh --- tests/gold_tests/tls/test-nc-s_client.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/gold_tests/tls/test-nc-s_client.sh b/tests/gold_tests/tls/test-nc-s_client.sh index c7eedd07e81..f08574e045e 100644 --- a/tests/gold_tests/tls/test-nc-s_client.sh +++ b/tests/gold_tests/tls/test-nc-s_client.sh 
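Review bot: The `@SECLEVEL=0` appended to `proxy.config.ssl.server.cipher_suite` carries no comment, and level 0 switches off OpenSSL's minimum-strength checks on ciphers, key sizes and signature digests. Someone copying this string into a real records.config would weaken the server without noticing. I would add above the key `# @SECLEVEL=0 lets OpenSSL 3.0 negotiate the legacy TLS versions this test exercises; test-only, never for production`. That reason is inferred from the commit title and the test's name, so adjust the wording if the actual cause differs. The `ts.Disk.records_config.update({` call opens inside this hunk and continues past its end.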
@@ -24,4 +24,4 @@ then
 ignore_unexpected_eof='-ignore_unexpected_eof'
 fi
 nc -l -p "$1" -c 'echo -e "This is a reply"' -o test.out &
-echo "This is a test" | openssl s_client -servername bar.com -connect "localhost:$2" -ign_eof ${ignore_unexpected_eof} "${@:3}"
\ No newline at end of file
+echo "This is a test" | openssl s_client -servername bar.com -connect "localhost:$2" -ign_eof ${ignore_unexpected_eof} "${@:3}"