nss/renego-and-resumption-NSS-with-OpenSSL - test extension #7

Open
wants to merge 6 commits into
base: master

mrc0mmand
Member

This PR extends the nss/renego-and-resumption-NSS-with-OpenSSL test to cover all combinations of settings for renegotiation and resumption protocols.

What's being tested (server-client):

  • OpenSSL-NSS - simple communication (NEW)
  • OpenSSL-NSS - simple communication with client authentication (NEW)
  • OpenSSL-NSS - renegotiation
  • OpenSSL-NSS - renegotiation with client authentication
  • OpenSSL-NSS - resumption (sessionID, SessionTicket)
  • OpenSSL-NSS - resumption (sessionID, SessionTicket) with client authentication (BUG)
  • NSS-OpenSSL - simple communication (FIXED)
  • NSS-OpenSSL - simple communication with client authentication (FIXED)
  • NSS-OpenSSL - renegotiation (NEW)
  • NSS-OpenSSL - renegotiation with client authentication (NEW)
  • NSS-OpenSSL - resumption (sessionID, SessionTicket) (NEW, BUG)
  • NSS-OpenSSL - resumption (sessionID, SessionTicket) with client authentication (NEW, BUG)

This PR must not be merged until the following issues are resolved:

  • Beakerlib does not support CentOS in rlIsRHEL function
    • Discussed with devels, a new function rlIsCentos should be implemented soon
  • Segfault/server breakdown in NSS when using ECDHE-ECDSA ciphersuites
  • strsclnt cannot handle client certificates during session resumption
  • session resumption does not work for DHE-DSS ciphersuites

@mrc0mmand mrc0mmand force-pushed the nss-renego-and-resumption branch from 420527f to 7225000 Compare December 5, 2016 09:37
if [[ $prot == "tls1_2" ]]; then
options+=(-V tls1.0:)
else
options+=(-V tls1.0:tls1.1)
fi
options+=(-n $clnt_nickname)
rlRun -s "expect nss-client.expect ${options[*]}"
rlRun -s "${options[*]} <<< 'GET /'"
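
Review bot: The two rlRun lines at the end of this hunk flatten the array with `${options[*]}`, and `-n $clnt_nickname` is appended unquoted, so a certificate nickname containing whitespace would reach the client as several separate arguments. Quote the value when building the array (`options+=(-n "$clnt_nickname")`) and, because rlRun takes a single command string, escape the elements when joining them, for example with `printf '%q ' "${options[@]}"`, or state in the test that nicknames must not contain spaces.
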
Member

technically, it should be 'GET / HTTP/1.0\n\n'

Member Author

Fixed, thanks.

@@ -640,7 +640,7 @@ rlJournalStart
rlLogInfo "Test proper"
declare -a options=()
options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0:
-c :${C_ID[$j]} -H 1)
-c :${C_ID[$j]} -u -H 1)
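
Review bot: The `-u` added on the `-c :${C_ID[$j]}` line carries no comment, and with single-letter flags such as `-u` and `-H 1` side by side the script does not show which of them this phase depends on. A one-line comment above the `options+=(...)` assignment naming the feature each flag switches on would make later changes to these phases easier to review.
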
Member

shouldn't it enable it only when session ticket is being tested?

Member Author

It should, thanks. I also found out that one resumption phase is missing the -u option completely. That should be fixed as well.

mrc0mmand and others added 6 commits March 11, 2017 15:56
Fix:
    - add missing expect scripts
    - enable disabled phases
        * OpenSSL-NSS (client auth)
        * NSS-OpenSSL
New:
    - NSS-OpenSSL renegotiation
    - NSS-OpenSSL renegotiation (client auth)
    - NSS-OpenSSL resumption [sessionID, ticket]
    - NSS-OpenSSL resumption (client auth) [session ID, ticket]
Issues:
    - NSS-OpenSSL resumption (both) fails for DHE-DSS ciphers
    - OpenSSL-NSS resumption (client auth) - strsclnt doesn't like
      client certs
- NSS-OpenSSL
- NSS-OpenSSL with client auth