diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-05-22 19:09:19 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-05-22 19:09:19 +0000 |
commit | 5d9881f43c337ce8b3ba8bc28f1dcf051fb042f8 (patch) | |
tree | a585486d1528464f445e235c085821a3abd96971 | |
parent | c47718f730ee96979d5efc4f74fe2bb5a03a76d2 (diff) |
Add tests for relayd TLS inspection with plain SSL and HTTPS.
-rw-r--r-- | regress/usr.sbin/relayd/Client.pm | 10 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/Makefile | 5 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/Relayd.pm | 9 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/Server.pm | 10 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/args-https-inspect.pl | 27 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/args-https.pl | 1 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/args-ssl-inspect.pl | 21 | ||||
-rw-r--r-- | regress/usr.sbin/relayd/args-ssl.pl | 1 |
8 files changed, 76 insertions, 8 deletions
diff --git a/regress/usr.sbin/relayd/Client.pm b/regress/usr.sbin/relayd/Client.pm index 8d4edd84df6..fd987f93bb1 100644 --- a/regress/usr.sbin/relayd/Client.pm +++ b/regress/usr.sbin/relayd/Client.pm @@ -1,6 +1,6 @@ -# $OpenBSD: Client.pm,v 1.9 2014/12/31 01:25:07 bluhm Exp $ +# $OpenBSD: Client.pm,v 1.10 2015/05/22 19:09:18 bluhm Exp $ -# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org> +# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org> # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -60,6 +60,12 @@ sub child { ) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR"; print STDERR "connect sock: ",$cs->sockhost()," ",$cs->sockport(),"\n"; print STDERR "connect peer: ",$cs->peerhost()," ",$cs->peerport(),"\n"; + if ($self->{ssl}) { + print STDERR "ssl version: ",$cs->get_sslversion(),"\n"; + print STDERR "ssl cipher: ",$cs->get_cipher(),"\n"; + print STDERR "ssl peer certificate:\n", + $cs->dump_peer_certificate(); + } *STDIN = *STDOUT = $self->{cs} = $cs; } diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile index 90fd808148e..7c958cd8a9c 100644 --- a/regress/usr.sbin/relayd/Makefile +++ b/regress/usr.sbin/relayd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 2014/12/31 01:25:07 bluhm Exp $ +# $OpenBSD: Makefile,v 1.11 2015/05/22 19:09:18 bluhm Exp $ # The following ports must be installed for the regression tests: # p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets @@ -67,7 +67,7 @@ run-regress-$a: $a # create certificates for TLS .for ip in ${REMOTE_ADDR} 127.0.0.1 -${ip}.crt: +${ip}.crt: ca.crt openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=relay/CN=${ip}/ -nodes -newkey rsa -keyout ${ip}.key -x509 -out $@ .if empty (REMOTE_SSH) ${SUDO} cp 127.0.0.1.crt /etc/ssl/ @@ -75,6 +75,7 @@ ${ip}.crt: .else scp ${REMOTE_ADDR}.crt root@${REMOTE_SSH}:/etc/ssl/ scp ${REMOTE_ADDR}.key root@${REMOTE_SSH}:/etc/ssl/private/ + scp ca.crt ca.key ${REMOTE_SSH}: .endif .endfor diff --git a/regress/usr.sbin/relayd/Relayd.pm b/regress/usr.sbin/relayd/Relayd.pm index 1328978471e..d4fdbf0bfac 100644 --- a/regress/usr.sbin/relayd/Relayd.pm +++ b/regress/usr.sbin/relayd/Relayd.pm @@ -1,6 +1,6 @@ -# $OpenBSD: Relayd.pm,v 1.14 2015/05/17 22:49:03 bluhm Exp $ +# $OpenBSD: Relayd.pm,v 1.15 2015/05/22 19:09:18 bluhm Exp $ -# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org> +# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org> # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -72,6 +72,11 @@ sub new { die ref($self), " invalid forward $self->{forward}" unless grep { /splice/ } @protocol; print $fh "${proto}protocol proto-$test {"; + if ($self->{inspectssl}) { + $self->{listenssl} = $self->{forwardssl} = 1; + print $fh "\n\ttls ca cert ca.crt"; + print $fh "\n\ttls ca key ca.key password ''"; + } # substitute variables in config file foreach (@protocol) { s/(\$[a-z]+)/$1/eeg; diff --git a/regress/usr.sbin/relayd/Server.pm b/regress/usr.sbin/relayd/Server.pm index a860eeb82e5..0ab32b7e5e2 100644 --- a/regress/usr.sbin/relayd/Server.pm +++ b/regress/usr.sbin/relayd/Server.pm @@ -1,6 +1,6 @@ -# $OpenBSD: Server.pm,v 1.7 2014/12/31 01:25:07 bluhm Exp $ +# $OpenBSD: Server.pm,v 1.8 2015/05/22 19:09:18 bluhm Exp $ -# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org> +# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org> # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -67,6 +67,12 @@ sub child { " socket accept failed: $!,$SSL_ERROR"; print STDERR "accept sock: ",$as->sockhost()," ",$as->sockport(),"\n"; print STDERR "accept peer: ",$as->peerhost()," ",$as->peerport(),"\n"; + if ($self->{ssl}) { + print STDERR "ssl version: ",$as->get_sslversion(),"\n"; + print STDERR "ssl cipher: ",$as->get_cipher(),"\n"; + print STDERR "ssl peer certificate:\n", + $as->dump_peer_certificate(); + } *STDIN = *STDOUT = $self->{as} = $as; } diff --git a/regress/usr.sbin/relayd/args-https-inspect.pl b/regress/usr.sbin/relayd/args-https-inspect.pl new file mode 100644 index 00000000000..5db6c695ab9 --- /dev/null +++ b/regress/usr.sbin/relayd/args-https-inspect.pl @@ -0,0 +1,27 @@ +# test https connection over http relay with TLS inspection + +use strict; +use warnings; + +our %args = ( + client => { + func => \&http_client, + ssl => 1, + loggrep => 'Issuer.*/OU=ca/', + }, + relayd => { + protocol => [ "http", + "match request header log foo", + "match response header log bar", + ], + inspectssl => 1, + }, + server => { + func => \&http_server, + ssl => 1, + }, + len => 251, + md5 => "bc3a3f39af35fe5b1687903da2b00c7f", +); + +1; diff --git a/regress/usr.sbin/relayd/args-https.pl b/regress/usr.sbin/relayd/args-https.pl index ed2c9212406..325eaead08b 100644 --- a/regress/usr.sbin/relayd/args-https.pl +++ b/regress/usr.sbin/relayd/args-https.pl @@ -7,6 +7,7 @@ our %args = ( client => { func => \&http_client, ssl => 1, + loggrep => 'Issuer.*/OU=relay/', }, relayd => { protocol => [ "http", diff --git a/regress/usr.sbin/relayd/args-ssl-inspect.pl b/regress/usr.sbin/relayd/args-ssl-inspect.pl new file mode 100644 index 00000000000..3c360494eaa --- /dev/null +++ b/regress/usr.sbin/relayd/args-ssl-inspect.pl @@ -0,0 +1,21 @@ +# test both client and server ssl connection with TLS inspection + +use strict; +use warnings; + +our %args = ( + client => { + ssl => 1, + loggrep => 'Issuer.*/OU=ca/', + }, + relayd => { + inspectssl => 1, + }, + server => { + ssl => 1, + }, + len => 251, + md5 => "bc3a3f39af35fe5b1687903da2b00c7f", +); + +1; diff --git a/regress/usr.sbin/relayd/args-ssl.pl b/regress/usr.sbin/relayd/args-ssl.pl index 31a9e58b1c0..e75c68ebd3b 100644 --- a/regress/usr.sbin/relayd/args-ssl.pl +++ b/regress/usr.sbin/relayd/args-ssl.pl @@ -6,6 +6,7 @@ use warnings; our %args = ( client => { ssl => 1, + loggrep => 'Issuer.*/OU=relay/', }, relayd => { forwardssl => 1, |