From c2f46e9aa3b0dd91d46635b42f131609f8d14a72 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 21 Nov 2016 00:51:55 +0100 Subject: [PATCH 1/6] renego-and-resumption-NSS-with-OpenSSL: Extend coverage Fix: - add missing expect scripts - enable disabled phases * OpenSSL-NSS (client auth) * NSS-OpenSSL New: - NSS-OpenSSL renegotiation - NSS-OpenSSL renegotiation (client auth) - NSS-OpenSSL resumption [sessionID, ticket] - NSS-OpenSSL resumption (client auth) [session ID, ticket] Issues: - NSS-OpenSSL resumption (both) fails for DHE-DSS ciphers - OpenSSL-NSS resumption (client auth) - strsclnt doesn't like client certs --- .../Makefile | 3 +- .../nss-server.expect | 12 ++ .../openssl-client.expect | 13 ++ .../runtest.sh | 194 +++++++++++++++++- 4 files changed, 215 insertions(+), 7 deletions(-) create mode 100755 nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/nss-server.expect create mode 100644 nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/openssl-client.expect diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/Makefile b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/Makefile index 88f4916..9cf4af4 100644 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/Makefile +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/Makefile @@ -29,7 +29,8 @@ export TESTVERSION=1.0 BUILT_FILES= -FILES=$(METADATA) runtest.sh Makefile PURPOSE nss-client.expect +FILES=$(METADATA) runtest.sh Makefile PURPOSE nss-client.expect \ + nss-server.expect openssl-client.expect .PHONY: all install download clean diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/nss-server.expect b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/nss-server.expect new file mode 100755 index 0000000..47ca844 --- /dev/null +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/nss-server.expect 
@@ -0,0 +1,12 @@ +#!/usr/bin/expect +set timeout 15 +spawn /bin/sh -c "$argv" +expect { + "Enter Password" { send "RedHatEnterpriseLinux6.6\r"; exp_continue } + eof { } + "client hello" { send "server hello\r"; + close} +} +set info [wait] +#puts "Return from wait: $info" +exit [lindex $info 3] diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/openssl-client.expect b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/openssl-client.expect new file mode 100644 index 0000000..fb20cbe --- /dev/null +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/openssl-client.expect @@ -0,0 +1,13 @@ +#!/usr/bin/expect +set timeout 10 +spawn /bin/sh -c "$argv" +expect { + "Verify return code: 0 " { + send "GET / HTTP/1.0\r\r" + expect "Server: Generic Web Server" { + close + exit 0 + } + } +} +exit 1 diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh index 53d9cba..d66a873 100755 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh @@ -45,7 +45,7 @@ rlJournalStart rlAssertRpm --all rlRun "rlImport openssl/certgen" rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "cp nss-client.expect $TmpDir" + rlRun "cp nss-{client,server}.expect openssl-client.expect $TmpDir" rlRun "pushd $TmpDir" rlRun "x509KeyGen ca" rlRun "x509KeyGen rsa-ca" @@ -410,7 +410,6 @@ rlJournalStart rlPhaseEnd done - if false; then rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" @@ -451,7 +450,6 @@ rlJournalStart fi rlRun "rm -rf nssdb/" 0 "Clean up NSS database" rlPhaseEnd - fi rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" rlLogInfo "Preparing NSS database" 
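Review bot: `spawn /bin/sh -c "$argv"` re-parses the whole selfserv command line through a second shell, so each argument is word-split and quote-processed again after rlRun's eval in runtest.sh; the options used in this series are plain tokens, but an argument containing a space, an empty string or a `$`/`*` would be silently mangled. `spawn {*}$argv` (Tcl 8.5+) runs the program directly with the arguments as received. The `"client hello"` branch looks vestigial — its `close` drops the pty selfserv is attached to — and the password sent on `Enter Password` is presumably never requested, since runtest.sh creates the database with `--empty-password` and imports with `-W ''`; both deserve a comment or removal. Note also that once the 15 s timeout expires without eof, control falls through to `wait`, which blocks until selfserv exits, so the patterns above are only watched during the first 15 s; a one-line comment saying so would spare the next reader a puzzle.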
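Review bot: The pass condition of openssl-client.expect is undocumented and easy to misread: the trailing space in `"Verify return code: 0 "` is what stops the pattern from matching other return codes (20, 21, …), and the final `exit 1` is reached on every other outcome, including a timeout in either expect. A header comment such as `# exit 0 only when s_client verified the server chain (return code 0) and selfserv answered the GET; 1 otherwise (failure, wrong chain or timeout)` would state that. The request is ended with `\r\r` instead of the CRLF CRLF an HTTP/1.0 request requires; selfserv apparently tolerates that (the phase asserts its reply), but `send "GET / HTTP/1.0\r\n\r\n"` would not depend on the leniency.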
@@ -496,7 +494,7 @@ rlJournalStart # looks like strsclnt can't handle client certificates with OpenSSL if false; then for sess in sessionID ticket; do - rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client authentication $sess resumption" + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth $sess resumption" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" rlRun "certutil -N --empty-password -d sql:./nssdb/" 
@@ -547,7 +545,192 @@ rlJournalStart done fi - if false; then + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol renegotiation" + rlLogInfo "Preparing NSS database" + rlRun "mkdir nssdb/" + rlRun "certutil -N --empty-password -d sql:./nssdb/" + rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i $(x509Cert ca)" + rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" + rlRun "pk12util -i $(x509Key --pkcs12 --with-cert ${C_KEY[$j]%%/*}) -d sql:./nssdb -W ''" + + rlLogInfo "Test proper" + declare -a options=() + options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: + -c :${C_ID[$j]} -H 1) + if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then + options+=(-e ${C_KEY[$j]%%/*}) + elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then + options+=(-S ${C_KEY[$j]%%/*}) + else + options+=(-n ${C_KEY[$j]%%/*}) + fi + rlRun "expect nss-server.expect ${options[*]} >server.log 2>server.err &" + nss_pid=$! + rlRun "rlWaitForSocket 4433 -p $nss_pid" + options=(openssl s_client) + options+=(-CAfile $(x509Cert ca)) + options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-connect localhost:4433) + if [[ $prot == "tls1_1" ]]; then + options+=(-tls1_1) + fi + rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | ${options[*]}" + rlRun "kill $nss_pid" + rlRun "rlWait -s SIGKILL $nss_pid" 143 + rlAssertGrep "RENEGOTIATING" "$rlRun_LOG" + rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" + if ! 
rlGetPhaseState; then + rlRun "cat server.log" 0 "Server stdout" + rlRun "cat server.err" 0 "Server stderr" + fi + rlRun "rm -rf nssdb/" 0 "Clean up NSS database" + rlPhaseEnd + + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" + rlLogInfo "Preparing NSS database" + rlRun "mkdir nssdb/" + rlRun "certutil -N --empty-password -d sql:./nssdb/" + rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cCT,,' -a -i $(x509Cert ca)" + rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" + rlRun "pk12util -i $(x509Key --pkcs12 --with-cert ${C_KEY[$j]%%/*}) -d sql:./nssdb -W ''" + + rlLogInfo "Test proper" + declare -a options=() + options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: -rr + -c :${C_ID[$j]} -H 1) + if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then + options+=(-e ${C_KEY[$j]%%/*}) + elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then + options+=(-S ${C_KEY[$j]%%/*}) + else + options+=(-n ${C_KEY[$j]%%/*}) + fi + rlRun "expect nss-server.expect ${options[*]} >server.log 2>server.err &" + nss_pid=$! + rlRun "rlWaitForSocket 4433 -p $nss_pid" + options=(openssl s_client) + options+=(-CAfile $(x509Cert ca)) + options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-connect localhost:4433) + options+=(-cert ${C_CLNT_CERT[$j]} -key ${C_CLNT_KEY[$j]}) + if [[ $prot == "tls1_1" ]]; then + options+=(-tls1_1) + fi + rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | ${options[*]}" + rlRun "kill $nss_pid" + rlRun "rlWait -s SIGKILL $nss_pid" 143 + rlAssertGrep "RENEGOTIATING" "$rlRun_LOG" + rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" + if ! 
rlGetPhaseState; then + rlRun "cat server.log" 0 "Server stdout" + rlRun "cat server.err" 0 "Server stderr" + fi + rlRun "rm -rf nssdb/" 0 "Clean up NSS database" + rlPhaseEnd + + for sess in sessionID ticket; do + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol $sess resumption" + rlLogInfo "Preparing NSS database" + rlRun "mkdir nssdb/" + rlRun "certutil -N --empty-password -d sql:./nssdb/" + rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i $(x509Cert ca)" + rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" + rlRun "pk12util -i $(x509Key --pkcs12 --with-cert ${C_KEY[$j]%%/*}) -d sql:./nssdb -W ''" + + rlLogInfo "Test proper" + declare -a options=() + options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: + -c :${C_ID[$j]} -H 1) + if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then + options+=(-e ${C_KEY[$j]%%/*}) + elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then + options+=(-S ${C_KEY[$j]%%/*}) + else + options+=(-n ${C_KEY[$j]%%/*}) + fi + rlRun "expect nss-server.expect ${options[*]} >server.log 2>server.err &" + nss_pid=$! + rlRun "rlWaitForSocket 4433 -p $nss_pid" + options=(openssl s_client) + options+=(-CAfile $(x509Cert ca)) + options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-connect localhost:4433) + if [[ $sess == "sessionID" ]]; then + options+=(-no_ticket) + fi + if [[ $prot == "tls1_1" ]]; then + options+=(-tls1_1) + fi + rlRun -s "${options[*]} -sess_out sess.pem server.log 2>server.err &" + nss_pid=$! 
+ rlRun "rlWaitForSocket 4433 -p $nss_pid" + options=(openssl s_client) + options+=(-CAfile $(x509Cert ca)) + options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-connect localhost:4433) + options+=(-cert ${C_CLNT_CERT[$j]} -key ${C_CLNT_KEY[$j]}) + if [[ $sess == "sessionID" ]]; then + options+=(-no_ticket) + fi + if [[ $prot == "tls1_1" ]]; then + options+=(-tls1_1) + fi + rlRun -s "${options[*]} -sess_out sess.pem Date: Wed, 23 Nov 2016 13:16:56 +0100 Subject: [PATCH 2/6] Enable SessionTicket extension in selfserv --- .../renego-and-resumption-NSS-with-OpenSSL/runtest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh index d66a873..0c94e46 100755 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh @@ -640,7 +640,7 @@ rlJournalStart rlLogInfo "Test proper" declare -a options=() options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: - -c :${C_ID[$j]} -H 1) + -c :${C_ID[$j]} -u -H 1) if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then options+=(-e ${C_KEY[$j]%%/*}) elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then From df29411ccbb83db466e740300c9cc9f1b8d5e1d0 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Sun, 27 Nov 2016 21:46:20 +0100 Subject: [PATCH 3/6] Sort test phases --- .../runtest.sh | 221 +++++++++--------- 1 file changed, 111 insertions(+), 110 deletions(-) diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh index 0c94e46..fcb3e8f 100755 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh 
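Review bot: `rlRun "kill $nss_pid"` in the new NSS-server phases signals the `expect` wrapper rather than selfserv itself; selfserv will normally go down with its pty, but if it ever survives, it keeps 4433 bound and the next phase's `rlWaitForSocket 4433` succeeds against the previous phase's server (for instance one started without `-rr`), so that phase would silently test the wrong configuration. Adding `rlRun "rlWaitForSocket --close 4433"` after the `rlWait` line, or asserting the port is free before each `expect nss-server.expect ... &`, would make every phase stand on its own; this applies to all four new phases in this hunk (renegotiation, client auth renegotiation and the two resumption loops). The `(sleep 0.5; echo R; sleep 0.5; echo Q)` driver also makes the renegotiation check timing-dependent: if the handshake or the renegotiation takes longer than half a second (the DHE ciphers mentioned in the commit message are the likely case), `Q` can be consumed before the renegotiation completes and the `verify return:1` grep fails for reasons unrelated to interoperability. The enclosing cipher/protocol loops start before the hunk, and the hunk's tail is not legible in this copy of the patch.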
@@ -343,17 +343,27 @@ rlJournalStart continue fi - rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol renegotiation" + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" + rlLogInfo "Preparing NSS database" + rlRun "mkdir nssdb/" + rlRun "certutil -N --empty-password -d sql:./nssdb/" + rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i $(x509Cert ca)" + rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" + clnt_nickname="${C_CLNT_KEY[$j]%%/*}" + rlRun "pk12util -i $(x509Key --pkcs12 --with-cert $clnt_nickname) -d sql:./nssdb -W ''" + + rlLogInfo "Test proper" options=(openssl s_server -www -key ${C_KEY[$j]}) options+=(-cert ${C_CERT[$j]}) options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$j]})') options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-Verify 1 -verify_return_error) rlRun "${options[*]} >server.log 2>server.err &" openssl_pid=$! rlRun "rlWaitForSocket 4433 -p $openssl_pid" options=(${CLIENT_UTIL}) options+=(-h localhost -p 4433) - options+=(-d sql:./ca-db/) + options+=(-d sql:./nssdb/) options+=(-c :${C_ID[$j]}) options+=(-r 1) if [[ $prot == "tls1_2" ]]; then @@ -361,6 +371,7 @@ rlJournalStart else options+=(-V tls1.0:tls1.1) fi + options+=(-n $clnt_nickname) rlRun -s "expect nss-client.expect ${options[*]}" rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" rlRun "kill $openssl_pid" @@ -369,10 +380,10 @@ rlJournalStart rlRun "cat server.log" 0 "Server stdout" rlRun "cat server.err" 0 "Server stderr" fi + rlRun "rm -rf nssdb/" rlPhaseEnd - for sess in sessionID ticket; do - rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol $sess resumption" + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol renegotiation" options=(openssl s_server -www -key ${C_KEY[$j]}) options+=(-cert ${C_CERT[$j]}) options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$j]})') 
@@ -380,27 +391,18 @@ rlJournalStart rlRun "${options[*]} >server.log 2>server.err &" openssl_pid=$! rlRun "rlWaitForSocket 4433 -p $openssl_pid" - options=($STRSCLNT_UTIL) - options+=(-p 4433) + options=(${CLIENT_UTIL}) + options+=(-h localhost -p 4433) options+=(-d sql:./ca-db/) - options+=(-c 100 -P 20) - options+=(-C :${C_ID[$j]}) - if [[ $sess == ticket ]]; then - options+=(-u) - fi + options+=(-c :${C_ID[$j]}) + options+=(-r 1) if [[ $prot == "tls1_2" ]]; then options+=(-V tls1.0:) else options+=(-V tls1.0:tls1.1) fi - options+=(localhost) - rlRun -s "${options[*]}" 1 - rlAssertGrep "80 cache hits" "$rlRun_LOG" - if [[ $sess == ticket ]]; then - rlAssertGrep "80 stateless resumes" $rlRun_LOG - else - rlAssertGrep "0 stateless resumes" $rlRun_LOG - fi + rlRun -s "expect nss-client.expect ${options[*]}" + rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" rlRun "kill $openssl_pid" rlRun "rlWait -s SIGKILL $openssl_pid" 143 if ! rlGetPhaseState; then 
@@ -408,88 +410,45 @@ rlJournalStart rlRun "cat server.err" 0 "Server stderr" fi rlPhaseEnd - done - - rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol" - rlLogInfo "Preparing NSS database" - rlRun "mkdir nssdb/" - rlRun "certutil -N --empty-password -d sql:./nssdb/" - rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i $(x509Cert ca)" - rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" - rlRun "pk12util -i $(x509Key --pkcs12 --with-cert ${C_KEY[$j]%%/*}) -d sql:./nssdb -W ''" - rlLogInfo "Test proper" - declare -a options=() - options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: - -c :${C_ID[$j]} -H 1) - if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then - options+=(-e ${C_KEY[$j]%%/*}) - elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then - options+=(-S ${C_KEY[$j]%%/*}) - else - options+=(-n ${C_KEY[$j]%%/*}) - fi - rlRun "expect nss-server.expect ${options[*]} >server.log 2>server.err &" - nss_pid=$! - rlRun "rlWaitForSocket 4433 -p $nss_pid" - options=(openssl s_client) - options+=(-CAfile $(x509Cert ca)) - options+=(-cipher ${C_OPENSSL[$j]}) - options+=(-connect localhost:4433) - if [[ $prot == "tls1_1" ]]; then - options+=(-tls1_1) - fi - rlRun -s "expect openssl-client.expect ${options[*]}" - rlRun "kill $nss_pid" - rlRun "rlWait -s SIGKILL $nss_pid" 143 - rlAssertGrep "GET / HTTP/1.0" "$rlRun_LOG" - rlAssertGrep "Server: Generic Web Server" "$rlRun_LOG" - if ! 
rlGetPhaseState; then - rlRun "cat server.log" 0 "Server stdout" - rlRun "cat server.err" 0 "Server stderr" - fi - rlRun "rm -rf nssdb/" 0 "Clean up NSS database" - rlPhaseEnd - - rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" - rlLogInfo "Preparing NSS database" - rlRun "mkdir nssdb/" - rlRun "certutil -N --empty-password -d sql:./nssdb/" - rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i $(x509Cert ca)" - rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" - clnt_nickname="${C_CLNT_KEY[$j]%%/*}" - rlRun "pk12util -i $(x509Key --pkcs12 --with-cert $clnt_nickname) -d sql:./nssdb -W ''" - - rlLogInfo "Test proper" + for sess in sessionID ticket; do + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol $sess resumption" options=(openssl s_server -www -key ${C_KEY[$j]}) options+=(-cert ${C_CERT[$j]}) options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$j]})') options+=(-cipher ${C_OPENSSL[$j]}) - options+=(-Verify 1 -verify_return_error) rlRun "${options[*]} >server.log 2>server.err &" openssl_pid=$! 
rlRun "rlWaitForSocket 4433 -p $openssl_pid" - options=(${CLIENT_UTIL}) - options+=(-h localhost -p 4433) - options+=(-d sql:./nssdb/) - options+=(-c :${C_ID[$j]}) - options+=(-r 1) + options=($STRSCLNT_UTIL) + options+=(-p 4433) + options+=(-d sql:./ca-db/) + options+=(-c 100 -P 20) + options+=(-C :${C_ID[$j]}) + if [[ $sess == ticket ]]; then + options+=(-u) + fi if [[ $prot == "tls1_2" ]]; then options+=(-V tls1.0:) else options+=(-V tls1.0:tls1.1) fi - options+=(-n $clnt_nickname) - rlRun -s "expect nss-client.expect ${options[*]}" - rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" + options+=(localhost) + rlRun -s "${options[*]}" 1 + rlAssertGrep "80 cache hits" "$rlRun_LOG" + if [[ $sess == ticket ]]; then + rlAssertGrep "80 stateless resumes" $rlRun_LOG + else + rlAssertGrep "0 stateless resumes" $rlRun_LOG + fi rlRun "kill $openssl_pid" rlRun "rlWait -s SIGKILL $openssl_pid" 143 if ! rlGetPhaseState; then rlRun "cat server.log" 0 "Server stdout" rlRun "cat server.err" 0 "Server stderr" fi - rlRun "rm -rf nssdb/" rlPhaseEnd + done # looks like strsclnt can't handle client certificates with OpenSSL if false; then @@ -545,7 +504,7 @@ rlJournalStart done fi - rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol renegotiation" + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" rlRun "certutil -N --empty-password -d sql:./nssdb/" 
@@ -574,11 +533,11 @@ rlJournalStart if [[ $prot == "tls1_1" ]]; then options+=(-tls1_1) fi - rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | ${options[*]}" + rlRun -s "expect openssl-client.expect ${options[*]}" rlRun "kill $nss_pid" rlRun "rlWait -s SIGKILL $nss_pid" 143 - rlAssertGrep "RENEGOTIATING" "$rlRun_LOG" - rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" + rlAssertGrep "GET / HTTP/1.0" "$rlRun_LOG" + rlAssertGrep "Server: Generic Web Server" "$rlRun_LOG" if ! rlGetPhaseState; then rlRun "cat server.log" 0 "Server stdout" rlRun "cat server.err" 0 "Server stderr" @@ -586,7 +545,7 @@ rlJournalStart rlRun "rm -rf nssdb/" 0 "Clean up NSS database" rlPhaseEnd - rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol client auth" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" rlRun "certutil -N --empty-password -d sql:./nssdb/" @@ -616,11 +575,11 @@ rlJournalStart if [[ $prot == "tls1_1" ]]; then options+=(-tls1_1) fi - rlRun -s "(sleep 0.5; echo R; sleep 0.5; echo Q) | ${options[*]}" + rlRun -s "expect openssl-client.expect ${options[*]}" + rlAssertGrep "GET / HTTP/1.0" "$rlRun_LOG" + rlAssertGrep "Server: Generic Web Server" "$rlRun_LOG" rlRun "kill $nss_pid" rlRun "rlWait -s SIGKILL $nss_pid" 143 - rlAssertGrep "RENEGOTIATING" "$rlRun_LOG" - rlRun "grep -A 10 RENEGOTIATING $rlRun_LOG | grep 'verify return:1'" if ! rlGetPhaseState; then rlRun "cat server.log" 0 "Server stdout" rlRun "cat server.err" 0 "Server stderr" 
@@ -628,8 +587,7 @@ rlJournalStart rlRun "rm -rf nssdb/" 0 "Clean up NSS database" rlPhaseEnd - for sess in sessionID ticket; do - rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol $sess resumption" + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol renegotiation" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" rlRun "certutil -N --empty-password -d sql:./nssdb/" @@ -640,7 +598,7 @@ rlJournalStart rlLogInfo "Test proper" declare -a options=() options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: - -c :${C_ID[$j]} -u -H 1) + -c :${C_ID[$j]} -H 1) if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then options+=(-e ${C_KEY[$j]%%/*}) elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then @@ -655,32 +613,22 @@ rlJournalStart options+=(-CAfile $(x509Cert ca)) options+=(-cipher ${C_OPENSSL[$j]}) options+=(-connect localhost:4433) - if [[ $sess == "sessionID" ]]; then - options+=(-no_ticket) - fi if [[ $prot == "tls1_1" ]]; then options+=(-tls1_1) fi - rlRun -s "${options[*]} -sess_out sess.pem server.log 2>server.err &" + nss_pid=$! + rlRun "rlWaitForSocket 4433 -p $nss_pid" + options=(openssl s_client) + options+=(-CAfile $(x509Cert ca)) + options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-connect localhost:4433) if [[ $sess == "sessionID" ]]; then options+=(-no_ticket) fi @@ -731,7 +721,8 @@ rlJournalStart rlPhaseEnd done - rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol client auth" + for sess in sessionID ticket; do + rlPhaseStartTest "NSS server OpenSSL client ${C_NAME[$j]} cipher $prot protocol client auth $sess resumption" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" rlRun "certutil -N --empty-password -d sql:./nssdb/" 
@@ -758,12 +749,20 @@ rlJournalStart options+=(-cipher ${C_OPENSSL[$j]}) options+=(-connect localhost:4433) options+=(-cert ${C_CLNT_CERT[$j]} -key ${C_CLNT_KEY[$j]}) + if [[ $sess == "sessionID" ]]; then + options+=(-no_ticket) + fi if [[ $prot == "tls1_1" ]]; then options+=(-tls1_1) fi - rlRun -s "expect openssl-client.expect ${options[*]}" - rlAssertGrep "GET / HTTP/1.0" "$rlRun_LOG" - rlAssertGrep "Server: Generic Web Server" "$rlRun_LOG" + rlRun -s "${options[*]} -sess_out sess.pem Date: Mon, 28 Nov 2016 00:16:33 +0100 Subject: [PATCH 4/6] Add the last two missing combinations - NSS-OpenSSL - NSS-OpenSSL with client auth --- .../runtest.sh | 77 +++++++++++++++++-- 1 file changed, 72 insertions(+), 5 deletions(-) diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh index fcb3e8f..227c678 100755 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh 
@@ -343,7 +343,34 @@ rlJournalStart continue fi - rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol" + options=(openssl s_server -www -key ${C_KEY[$j]}) + options+=(-cert ${C_CERT[$j]}) + options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$j]})') + options+=(-cipher ${C_OPENSSL[$j]}) + rlRun "${options[*]} >server.log 2>server.err &" + openssl_pid=$! + rlRun "rlWaitForSocket 4433 -p $openssl_pid" + options=(${CLIENT_UTIL}) + options+=(-h localhost -p 4433) + options+=(-d sql:./ca-db/) + options+=(-c :${C_ID[$j]}) + if [[ $prot == "tls1_2" ]]; then + options+=(-V tls1.0:) + else + options+=(-V tls1.0:tls1.1) + fi + rlRun -s "${options[*]} <<< 'GET /'" + rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" + rlRun "kill $openssl_pid" + rlRun "rlWait -s SIGKILL $openssl_pid" 143 + if ! rlGetPhaseState; then + rlRun "cat server.log" 0 "Server stdout" + rlRun "cat server.err" 0 "Server stderr" + fi + rlPhaseEnd + + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth" rlLogInfo "Preparing NSS database" rlRun "mkdir nssdb/" rlRun "certutil -N --empty-password -d sql:./nssdb/" @@ -365,14 +392,13 @@ rlJournalStart options+=(-h localhost -p 4433) options+=(-d sql:./nssdb/) options+=(-c :${C_ID[$j]}) - options+=(-r 1) if [[ $prot == "tls1_2" ]]; then options+=(-V tls1.0:) else options+=(-V tls1.0:tls1.1) fi options+=(-n $clnt_nickname) - rlRun -s "expect nss-client.expect ${options[*]}" + rlRun -s "${options[*]} <<< 'GET /'" rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" rlRun "kill $openssl_pid" rlRun "rlWait -s SIGKILL $openssl_pid" 143 @@ -383,6 +409,7 @@ rlJournalStart rlRun "rm -rf nssdb/" rlPhaseEnd + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol renegotiation" options=(openssl s_server -www -key ${C_KEY[$j]}) options+=(-cert ${C_CERT[$j]}) 
@@ -411,6 +438,46 @@ rlJournalStart fi rlPhaseEnd + rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol client auth renegotiation" + rlLogInfo "Preparing NSS database" + rlRun "mkdir nssdb/" + rlRun "certutil -N --empty-password -d sql:./nssdb/" + rlRun "certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i $(x509Cert ca)" + rlRun "certutil -A -d sql:./nssdb/ -n subca -t ',,' -a -i ${C_SUBCA[$j]}" + clnt_nickname="${C_CLNT_KEY[$j]%%/*}" + rlRun "pk12util -i $(x509Key --pkcs12 --with-cert $clnt_nickname) -d sql:./nssdb -W ''" + + rlLogInfo "Test proper" + options=(openssl s_server -www -key ${C_KEY[$j]}) + options+=(-cert ${C_CERT[$j]}) + options+=(-CAfile '<(cat $(x509Cert ca) ${C_SUBCA[$j]})') + options+=(-cipher ${C_OPENSSL[$j]}) + options+=(-Verify 1 -verify_return_error) + rlRun "${options[*]} >server.log 2>server.err &" + openssl_pid=$! + rlRun "rlWaitForSocket 4433 -p $openssl_pid" + options=(${CLIENT_UTIL}) + options+=(-h localhost -p 4433) + options+=(-d sql:./nssdb/) + options+=(-c :${C_ID[$j]}) + options+=(-r 1) + if [[ $prot == "tls1_2" ]]; then + options+=(-V tls1.0:) + else + options+=(-V tls1.0:tls1.1) + fi + options+=(-n $clnt_nickname) + rlRun -s "expect nss-client.expect ${options[*]}" + rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" + rlRun "kill $openssl_pid" + rlRun "rlWait -s SIGKILL $openssl_pid" 143 + if ! rlGetPhaseState; then + rlRun "cat server.log" 0 "Server stdout" + rlRun "cat server.err" 0 "Server stderr" + fi + rlRun "rm -rf nssdb/" + rlPhaseEnd + for sess in sessionID ticket; do rlPhaseStartTest "OpenSSL server NSS client ${C_NAME[$j]} cipher $prot protocol $sess resumption" options=(openssl s_server -www -key ${C_KEY[$j]}) 
@@ -534,10 +601,10 @@ rlJournalStart options+=(-tls1_1) fi rlRun -s "expect openssl-client.expect ${options[*]}" - rlRun "kill $nss_pid" - rlRun "rlWait -s SIGKILL $nss_pid" 143 rlAssertGrep "GET / HTTP/1.0" "$rlRun_LOG" rlAssertGrep "Server: Generic Web Server" "$rlRun_LOG" + rlRun "kill $nss_pid" + rlRun "rlWait -s SIGKILL $nss_pid" 143 if ! rlGetPhaseState; then rlRun "cat server.log" 0 "Server stdout" rlRun "cat server.err" 0 "Server stderr" From a05c4a5efc9735fd7cd1fec047283ce7728f824b Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Sun, 18 Dec 2016 19:53:27 +0100 Subject: [PATCH 5/6] Fix GET requests --- .../renego-and-resumption-NSS-with-OpenSSL/runtest.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh index 227c678..a9e6ae3 100755 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh @@ -360,7 +360,7 @@ rlJournalStart else options+=(-V tls1.0:tls1.1) fi - rlRun -s "${options[*]} <<< 'GET /'" + rlRun -s "${options[*]} <<< 'GET / HTTP/1.0\n\n'" rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" rlRun "kill $openssl_pid" rlRun "rlWait -s SIGKILL $openssl_pid" 143 @@ -398,7 +398,7 @@ rlJournalStart options+=(-V tls1.0:tls1.1) fi options+=(-n $clnt_nickname) - rlRun -s "${options[*]} <<< 'GET /'" + rlRun -s "${options[*]} <<< 'GET / HTTP/1.0\n\n'" rlAssertGrep "New, TLSv1/SSLv3," "$rlRun_LOG" rlRun "kill $openssl_pid" rlRun "rlWait -s SIGKILL $openssl_pid" 143 From beb63d962b9f58d85807c17cdb664347738f786f Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Sun, 18 Dec 2016 21:25:25 +0100 Subject: [PATCH 6/6] Enable SessionTicket extension only when it's tested --- .../renego-and-resumption-NSS-with-OpenSSL/runtest.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
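Review bot: `<<< 'GET / HTTP/1.0\n\n'` does not produce the blank line it appears to: a here-string is not escape-processed and the single quotes keep the backslashes, so tstclnt sends the literal text `GET / HTTP/1.0\n\n` followed by one newline — a request line with a backslash-n tail and no header terminator. If s_server -www answers on the `GET ` prefix alone the phase passes regardless, which would explain why the commit appears to work, but the request is still malformed; `printf 'GET / HTTP/1.0\r\n\r\n' | ${options[*]}` (or `<<< $'GET / HTTP/1.0\r\n\r\n'`, which survives rlRun's eval) sends what the commit title intends. The same line appears in both hunks of this commit (the plain and the client-auth phase); the enclosing loops start outside them.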
diff --git a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh index a9e6ae3..6bc529e 100755 --- a/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh +++ b/nss/Interoperability/renego-and-resumption-NSS-with-OpenSSL/runtest.sh @@ -749,7 +749,10 @@ rlJournalStart rlLogInfo "Test proper" declare -a options=() options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: - -c :${C_ID[$j]} -u -H 1) + -c :${C_ID[$j]} -H 1) + if [[ $sess == "ticket" ]]; then + options+=(-u) + fi if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then options+=(-e ${C_KEY[$j]%%/*}) elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then @@ -801,6 +804,9 @@ rlJournalStart declare -a options=() options+=(${SERVER_UTIL} -d sql:./nssdb/ -p 4433 -V tls1.0: -rr -c :${C_ID[$j]} -H 1) + if [[ $sess == "ticket" ]]; then + options+=(-u) + fi if [[ ${C_KEY[$j]} =~ 'ecdsa' ]]; then options+=(-e ${C_KEY[$j]%%/*}) elif [[ ${C_KEY[$j]} =~ 'dsa' ]]; then
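Review bot: The reason `-u` became conditional lives only in the commit subject; a reader of the phase sees `-u` appear in one branch of a `$sess` test with no hint of what it changes or why the other branch omits it. A comment above the new `if`, such as `# -u turns on selfserv's SessionTicket extension; left off for sessionID so resumption has to go through the server-side session cache` (the second half is my reading of the intent, worth confirming), would document it, and the same comment belongs on the second hunk (the client-auth `-rr` variant). Both hunks sit inside `for sess` loops that presumably begin outside them.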