tempesta-tech · krizhanovsky · Jul 31, 2019 · Jun 12, 2019 · Jun 19, 2019 · Jun 20, 2019
diff --git a/framework/tester.py b/framework/tester.py
@@ -65,6 +65,9 @@ def __create_client_deproxy(self, client, ssl):
         addr = fill_template(client['addr'], client)
         port = int(fill_template(client['port'], client))
         clt = deproxy_client.DeproxyClient(addr=addr, port=port, ssl=ssl)
+        if ssl:
+            server_hostname = fill_template(client['ssl_hostname'], client)
+            clt.set_server_hostname(server_hostname)
         return clt
 
     def __create_client_wrk(self, client, ssl):

diff --git a/helpers/analyzer.py b/helpers/analyzer.py
@@ -35,11 +35,7 @@ def __init__(self, node, host, count=0,
         self.captured = 0
         self.packets = []
         self.dump_file = '/tmp/tmp_packet_dump'
-        str_ports = ""
-        for port in ports:
-            if str_ports:
-                str_ports += " or "
-            str_ports += 'tcp port %s' % port
+        str_ports = ' or '.join(('tcp port %s' % p) for p in ports)
         cmd = 'timeout %s tcpdump -i any %s -w - %s || true'
         count_flag = ('-c %s' % count) if count else ''
         self.cmd = cmd % (timeout, count_flag, str_ports)

diff --git a/helpers/deproxy.py b/helpers/deproxy.py
@@ -9,10 +9,10 @@
 a test with heavy load condition.
 
 TODO Why do we implement HttpMessage, Request, and Response on our own instead
-of using HTTPMessage, HTTPRequest, and HTTPResponse correspondingly fro httplib?
-Rewrite the code to use httplib or other standard (present in CentOS and
-Debian distros) package or write a reasining comment why can't we use standard
-tools.
+of using HTTPMessage, HTTPRequest, and HTTPResponse correspondingly from
+httplib? Rewrite the code to use httplib or other standard (available in CentOS
+and Debian distros) package or write a reasoning comment why can't we use
+standard tools.
 """
 from __future__ import print_function
 import abc
@@ -542,6 +542,10 @@ def __init__(self, ssl=False):
         self.ssl = ssl
         self.want_read = False
         self.want_write = True # TLS CLientHello is the first one
+        self.server_hostname = None
+
+    def set_server_hostname(self, server_hostname):
+        self.server_hostname = server_hostname
 
     def save_handlers(self):
         """
@@ -587,8 +591,9 @@ def handle_connect(self):
         self.writable = self.tls_handshake_writable
         self.readable = self.tls_handshake_readable
         try:
-            self.socket = ssl.wrap_socket(self.socket,
-                                          do_handshake_on_connect=False)
+            self.socket = ssl.SSLSocket(self.socket,
+                                        do_handshake_on_connect=False,
+                                        server_hostname=self.server_hostname)
         except IOError as tls_e:
             tf_cfg.dbg(2, 'Deproxy: cannot establish TLS connection')
             raise tls_e

diff --git a/tests_disabled.json b/tests_disabled.json
@@ -121,6 +121,14 @@
             "name" : "tls.test_tls_handshake.TlsVhostHandshakeTest.test_empty_sni_default",
             "reason" : "Bug #1308: Tempesta doesn't send TLS alerts."
         },
+        {
+            "name" : "tls.test_tls_handshake.TlsHandshakeTest.test_many_ciphers",
+            "reason" : "Bug #1308: Tempesta doesn't send TLS alerts."
+        },
+        {
+            "name" : "tls.test_tls_handshake.TlsHandshakeTest.test_fuzzing",
+            "reason" : "Bug #1318: crash on ttls_recv()."
+        },
         {
             "name" : "tls.test_tls_integrity",
             "reason" : "Bug #1283: all messages longer than 4096 aren't processed."

diff --git a/tls/handshake.py b/tls/handshake.py
@@ -391,6 +391,8 @@ def try_tls_vers(self, version):
         resp = tls_sock.recv(100)
         tls_sock.close()
         if resp.startswith(GOOD_RESP):
+            if self.verbose:
+                print("bad response:\n%s\n" % resp)
             return False
         return True
 

diff --git a/tls/test_tls_cert.py b/tls/test_tls_cert.py
@@ -312,6 +312,7 @@ class TlsDuplicateCerts(tester.TempestaTest):
             'addr' : "${tempesta_ip}",
             'port' : '443',
             'ssl' : True,
+            'ssl_hostname' : 'tempesta-tech.com'
         },
     ]
 
@@ -368,7 +369,7 @@ def gen_cert(host_name, alg=None):
 
     def test_duplicate(self):
         self.gen_cert("tempesta")
-        self.gen_cert("tempesta2")
+        self.gen_cert("tempesta_dup")
 
         deproxy_srv = self.get_server('0')
         deproxy_srv.start()
@@ -387,7 +388,7 @@ def test_duplicate(self):
 
     def test_2_diff_certs(self):
         self.gen_cert("tempesta")
-        self.gen_cert("tempesta2", 'rsa')
+        self.gen_cert("tempesta_dup", 'rsa')
 
         deproxy_srv = self.get_server('0')
         deproxy_srv.start()

diff --git a/tls/test_tls_handshake.py b/tls/test_tls_handshake.py
@@ -43,8 +43,6 @@ class TlsHandshakeTest(tester.TempestaTest):
             }
             vhost tempesta-tech.com {
                 proxy_pass srv_grp1;
-# TODO                tls_certificate ${general_workdir}/tempesta.crt;
-# TODO               tls_certificate_key ${general_workdir}/tempesta.key;
             }
             http_chain {
                 host == "tempesta-tech.com" -> tempesta-tech.com;
@@ -86,7 +84,13 @@ def test_many_ciphers(self):
         hs12.ciphers = [i for i in xrange(2000)] # TTLS_HS_CS_MAX_SZ = 984
         # Test compressions as well - they're just ignored anyway.
         hs12.compressions = [i for i in xrange(15)]
-        self.assertTrue(hs12.do_12(), "Extra ciphers aren't ignored")
+        warns = dmesg.count_warnings(WARN)
+        # Tempesta must send a TLS alert raising TLSProtocolError exception.
+        # Nginx/OpenSSL sends DECODE_ERROR FATAL alert for the ClientHello.
+        with self.assertRaises(tls.TLSProtocolError):
+            hs12.do_12()
+        self.assertEqual(dmesg.count_warnings(WARN), warns + 1,
+                         "No warning about bad ClientHello")
 
     def test_long_sni(self):
         """ Also tests receiving of TLS alert. """
@@ -107,7 +111,6 @@ def test_empty_sni_default(self):
         self.assertTrue(hs12.do_12(), "Empty SNI isn't accepted by default")
 
     def test_bad_sni(self):
-        # FIXME Two or more certificates configured, please use custom_cert option in Tempesta configuration
         self.start_all()
         hs12 = TlsHandshake(addr='127.0.0.1', port=443)
         hs12.sni = ["bad.server.name"]
@@ -196,12 +199,14 @@ def test_fuzzing(self):
                 try:
                     res = tls_conn.do_12(fuzzer)
                     self.assertFalse(res, "Got request on fuzzed connection")
-                except socket.error:
-                    pass # broken pipe is expected
+                except:
+                    # Broken pipe socket error and TLS fatal alerts are
+                    # expected in the test.
+                    pass
 
     def test_old_handshakes(self):
         self.start_all()
-        res = TlsHandshakeStandard(addr='127.0.0.1', port=443).do_old()
+        res = TlsHandshakeStandard(addr='127.0.0.1', port=443, verbose=True).do_old()
         self.assertTrue(res, "Wrong old handshake result: %s" % res)
 
 
@@ -241,10 +246,12 @@ class TlsVhostHandshakeTest(tester.TempestaTest):
             srv_group be1 { server ${server_ip}:8000; }
             srv_group be2 { server ${server_ip}:8001; }
 
+            # Ensure that vhost1 only is using the global certificate.
+            tls_certificate ${general_workdir}/vhost1.crt;
+            tls_certificate_key ${general_workdir}/vhost1.key;
+
             vhost vhost1.net {
                 proxy_pass be1;
-                tls_certificate ${general_workdir}/vhost1.crt;
-                tls_certificate_key ${general_workdir}/vhost1.key;
             }
 
             vhost vhost2.net {