Skip to content

Functional test for HTTPS #737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
17 tasks done
krizhanovsky opened this issue May 29, 2017 · 1 comment
Closed
17 tasks done

Functional test for HTTPS #737

krizhanovsky opened this issue May 29, 2017 · 1 comment
Assignees
@krizhanovsky
Labels
test
Milestone
0.7 - HTTP/2

Comments

@krizhanovsky
Copy link
Contributor

krizhanovsky commented May 29, 2017
edited
Loading

Need to develop functional tests for following HTTPS aspects. Consider original mbedTLS test suite for porting to implement the validations.

TLS tests

  • stress test for new HTTPS connections establishing
  • Test data consistency transfered through Tempesta (e.g. compare hash of an original file and received on client side). Responses and requests passed to Tempesta must have different sizes.
  • Exceeding processing limits in handshake messages, e.g. more than TTLS_HS_CS_MAX_SZ cipher suites, other limits also must be tested
  • Test certificates and private keys for RSA and EC ciphers and SHA256 and SHA512 hash. Unsupported certs (e.g. signed with SHA1) must be correctly declined by Tempesta FW (add a note to the Wiki)
  • Try to establish SSL {1,2,3}.0 and TLS 1.{0,1} and verify that the connections are correctly terminated
  • correct blocking of TLS messages (handshake, data, alerts, change cipher spec) with incorrect header values (type, version, length etc.) on all TLS session phases (not only handshakes)
  • TLS false start (TLS: False Start #834, ALPN is required on client side). (The RFC seems dead, so we're not going to implement it)
  • per-vhost certificates handling and SNI extensions for different vhosts listening on the same IP (Per-vhost TLS configuration #715)
  • TLS extensions described in RFC 6066 (not all of them are supported), including wrong extension size and types in ClientHello
  • TLS ticket-based (RFC 5077) sessions resumption (we don't support old-fashion session resumption by session ID) (The functionality isn't implemented yet, so the test was moved to TLS sessions resumption #1054.)
  • HSTS, depends on HTTP: transform custom HTTP headers #511 since Strict-Transport-Security header must be added and Custom HTTP redirects #856. Test the new header together with a redirection. (The full support of HSTS requires HTTP redirects (Custom HTTP redirects #856) while simple header additional is already tested in vhost/test_add_hdr.py, so there is nothing to do at this time and I just added the test requirement to Custom HTTP redirects #856.)
  • Some attacks from RFC 7457 are good to test (regardless most of them are outdated)
  • stale certificates with overdue less than 1-minute don't pass validation.
  • dynamic optimal TLS record size: egress TLS records have size as min(send_buffer, cwnd, rwnd) and a received decrypts a TLS record from Tempesta after single transmission.
  • send TLS records by 1 byte to test the FSM robustness.
  • Frankencert fuzzing (see the original paper) including SSL {1,2,3}.0 emulation. (We have not certificates validation logic).
  • send file using sendfile or from cache (TLS: Memory corruption #1217)

Consider to use TLSfuzzer, thc-ssl-dos, and ssl-dos tools for long running CI tests.

Deproxy HTTPS support

Nowadays most HTTP transactions are over TLS and there are almost no plain-text HTTP any more, so please update existing tests (e.g. for web cache) to use HTTPS as well as plain text. HTTPS mode must be default for the tests hereafter.

The effort for HTTPS deproxy was made in https://github.com/tempesta-tech/tempesta-test/compare/vlad-https , but the solution seems too complicated and error prone (see https://github.com/tempesta-tech/tempesta-test/pull/96/files#r293164966). Probably it makes sense to use httplib.HTTPSConnection with ready HTTP message abstractions for deproxy rather than ssl module plus our home brew HTTP messages.
@krizhanovsky krizhanovsky added this to the 0.5.0 Web Server milestone May 29, 2017
@krizhanovsky krizhanovsky self-assigned this May 29, 2017
@krizhanovsky krizhanovsky assigned intelfx and unassigned krizhanovsky Aug 3, 2017
@krizhanovsky krizhanovsky modified the milestones: 0.5.0 Web Server, 0.6 KTLS Jan 8, 2018
@krizhanovsky krizhanovsky assigned vladtcvs and unassigned intelfx Jan 8, 2018
@krizhanovsky krizhanovsky mentioned this issue Mar 12, 2018
Merged
@vladtcvs vladtcvs mentioned this issue May 15, 2018
Closed
@krizhanovsky krizhanovsky self-assigned this Jul 1, 2018
krizhanovsky added a commit that referenced this issue Dec 16, 2018
@krizhanovsky
* Fix build w/o DEBUG
8f3013c 
* Remove x509 unit test since it uses obsoleted ciphers and hashes.
  #737 is extended by a point to load and test various certs.
* Couple minor fixes for unit tests.
* Several cleanups
krizhanovsky added a commit that referenced this issue Dec 25, 2018
@krizhanovsky
* Fix build w/o DEBUG
88202f7 
* Remove x509 unit test since it uses obsoleted ciphers and hashes.
  #737 is extended by a point to load and test various certs.
* Couple minor fixes for unit tests.
* Several cleanups
This was referenced Feb 16, 2019
Closed
Closed
This was referenced Jun 13, 2019
Closed
Merged
This was referenced Jun 27, 2019
Closed
Open
@krizhanovsky
Copy link
Contributor Author

Done with tempesta-tech/tempesta-test#103

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@krizhanovsky krizhanovsky

Labels
test
Projects
None yet
Milestone
0.7 - HTTP/2
Development

No branches or pull requests
4 participants
@krizhanovsky @intelfx @vladtcvs @vankoven