AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Force IPv4 for gnutls-cli DTLS tests

Browse Source 
Depending on the settings of the local machine, gnutls-cli will either try
IPv4 or IPv6 when trying to connect to localhost. With TLS, whatever it tries
first, it will notice if any failure happens and try the other protocol if
necessary. With DTLS it can't do that. Unfortunately for now there isn't
really any good way to specify an address and hostname independently, though
that might come soon: https://gitlab.com/gnutls/gnutls/issues/344

A work around is to specify an address directly and then use --insecure to
ignore certificate hostname mismatch; that is OK for tests that are completely
unrelated to certificate verification (such as the recent fragmenting tests)
but unacceptable for others.

For that reason, don't specify a default hostname for gnutls-cli, but instead
let each test choose between `--insecure 127.0.0.1` and `localhost` (or
`--insecure '::1'` if desired).

Alternatives include:
- having test certificates with 127.0.0.1 as the hostname, but having an IP as
  the CN is unusual, and we would need to change our test certs;
- have our server open two sockets under the hood and listen on both IPv4 and
  IPv6 (that's what gnutls-serv does, and IMO it's a good thing) but that
obviously requires development and testing (esp. for windows compatibility)
- wait for a newer version of GnuTLS to be released, install it on the CI and
  developer machines, and use that in all tests - quite satisfying but can't
be done now (and puts stronger requirements on test environment).
This commit is contained in:
Manuel Pégourié-Gonnard 2018-08-23 19:07:15 +02:00
parent 68ae351dbe
commit 34aa187df6
1 changed files with 22 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
tests/ssl-opt.sh
View File

@ -765,7 +765,7 @@ P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"
G_CLI="$G_CLI -p +SRV_PORT"
if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
@ -777,7 +777,7 @@ if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT localhost"
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
fi
# Allow SHA-1, because many of our test certificates use it
@ -2118,7 +2118,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \
requires_gnutls
run_test "Renego ext: gnutls client strict, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
0 \
-s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-s "server hello, secure renegotiation extension"
@ -2126,7 +2126,7 @@ run_test "Renego ext: gnutls client strict, server default" \
requires_gnutls
run_test "Renego ext: gnutls client unsafe, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
@ -2134,7 +2134,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \
requires_gnutls
run_test "Renego ext: gnutls client unsafe, server break legacy" \
"$P_SRV debug_level=3 allow_legacy=-1" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
1 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
@ -2145,7 +2145,7 @@ requires_gnutls
run_test "DER format: no trailing bytes" \
"$P_SRV crt_file=data_files/server5-der0.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -2153,7 +2153,7 @@ requires_gnutls
run_test "DER format: with a trailing zero byte" \
"$P_SRV crt_file=data_files/server5-der1a.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -2161,7 +2161,7 @@ requires_gnutls
run_test "DER format: with a trailing random byte" \
"$P_SRV crt_file=data_files/server5-der1b.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -2169,7 +2169,7 @@ requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der2.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -2177,7 +2177,7 @@ requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der4.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -2185,7 +2185,7 @@ requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der8.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -2193,7 +2193,7 @@ requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
"$P_SRV crt_file=data_files/server5-der9.crt \
key_file=data_files/server5.key" \
"$G_CLI " \
"$G_CLI localhost" \
0 \
-c "Handshake was completed" \
@ -3758,14 +3758,14 @@ run_test "Per-version suites: TLS 1.2" \
requires_gnutls
run_test "ClientHello without extensions, SHA-1 allowed" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
requires_gnutls
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
@ -5394,35 +5394,31 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
-c "fragmenting handshake message" \
-C "error"
# gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
requires_ipv6
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_gnutls
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 server_addr=::1 \
"$P_SRV dtls=1 debug_level=2 \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
mtu=512 force_version=dtls1_2" \
"$G_CLI -u" \
"$G_CLI -u --insecure 127.0.0.1" \
0 \
-s "fragmenting handshake message"
# gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
requires_ipv6
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
requires_gnutls
run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
"$P_SRV dtls=1 debug_level=2 server_addr=::1 \
"$P_SRV dtls=1 debug_level=2 \
crt_file=data_files/server7_int-ca.crt \
key_file=data_files/server7.key \
mtu=512 force_version=dtls1" \
"$G_CLI -u" \
"$G_CLI -u --insecure 127.0.0.1" \
0 \
-s "fragmenting handshake message"
@ -5524,8 +5520,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
## We can re-enable them when a fixed version fo GnuTLS is available
## and installed in our CI system.
##
## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
## requires_ipv6
## requires_gnutls
## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
## requires_config_enabled MBEDTLS_RSA_C
@ -5534,16 +5528,14 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
## client_needs_more_time 4
## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
## -p "$P_PXY drop=8 delay=8 duplicate=8" \
## "$P_SRV dtls=1 debug_level=2 server_addr=::1 \
## "$P_SRV dtls=1 debug_level=2 \
## crt_file=data_files/server7_int-ca.crt \
## key_file=data_files/server7.key \
## hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
## "$G_CLI -u" \
## "$G_CLI -u --insecure 127.0.0.1" \
## 0 \
## -s "fragmenting handshake message"
##
## # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS
## requires_ipv6
## requires_gnutls
## requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
## requires_config_enabled MBEDTLS_RSA_C
@ -5552,11 +5544,11 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
## client_needs_more_time 4
## run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
## -p "$P_PXY drop=8 delay=8 duplicate=8" \
## "$P_SRV dtls=1 debug_level=2 server_addr=::1 \
## "$P_SRV dtls=1 debug_level=2 \
## crt_file=data_files/server7_int-ca.crt \
## key_file=data_files/server7.key \
## hs_timeout=250-60000 mtu=512 force_version=dtls1" \
## "$G_CLI -u" \
## "$G_CLI -u --insecure 127.0.0.1" \
## 0 \
## -s "fragmenting handshake message"