authorAlexander Bluhm <bluhm@cvs.openbsd.org>2015-05-22 19:09:19 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2015-05-22 19:09:19 +0000
commit5d9881f43c337ce8b3ba8bc28f1dcf051fb042f8 (patch)
treea585486d1528464f445e235c085821a3abd96971
parentc47718f730ee96979d5efc4f74fe2bb5a03a76d2 (diff)
Add tests for relayd TLS inspection with plain SSL and HTTPS.
-rw-r--r--regress/usr.sbin/relayd/Client.pm10
-rw-r--r--regress/usr.sbin/relayd/Makefile5
-rw-r--r--regress/usr.sbin/relayd/Relayd.pm9
-rw-r--r--regress/usr.sbin/relayd/Server.pm10
-rw-r--r--regress/usr.sbin/relayd/args-https-inspect.pl27
-rw-r--r--regress/usr.sbin/relayd/args-https.pl1
-rw-r--r--regress/usr.sbin/relayd/args-ssl-inspect.pl21
-rw-r--r--regress/usr.sbin/relayd/args-ssl.pl1
8 files changed, 76 insertions, 8 deletions
diff --git a/regress/usr.sbin/relayd/Client.pm b/regress/usr.sbin/relayd/Client.pm
index 8d4edd84df6..fd987f93bb1 100644
--- a/regress/usr.sbin/relayd/Client.pm
+++ b/regress/usr.sbin/relayd/Client.pm
@@ -1,6 +1,6 @@
-# $OpenBSD: Client.pm,v 1.9 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.10 2015/05/22 19:09:18 bluhm Exp $
-# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -60,6 +60,12 @@ sub child {
) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
print STDERR "connect sock: ",$cs->sockhost()," ",$cs->sockport(),"\n";
print STDERR "connect peer: ",$cs->peerhost()," ",$cs->peerport(),"\n";
+ if ($self->{ssl}) {
+ print STDERR "ssl version: ",$cs->get_sslversion(),"\n";
+ print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
+ print STDERR "ssl peer certificate:\n",
+ $cs->dump_peer_certificate();
+ }
*STDIN = *STDOUT = $self->{cs} = $cs;
}
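Review bot: The new block only prints the peer certificate to STDERR; nothing in `child` verifies the chain, so the inspection tests depend entirely on the `loggrep` patterns in the args files matching the Issuer line of this dump, and that coupling deserves a comment, e.g. `# dump peer cert so args-*.pl can loggrep Issuer/Subject lines`. The parallel block added to Server.pm has the same shape, but there the peer is relayd, which presumably presents no client certificate, so `dump_peer_certificate()` likely yields an empty string on that side — worth confirming before anything greps for it. `child` starts before this hunk.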
diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile
index 90fd808148e..7c958cd8a9c 100644
--- a/regress/usr.sbin/relayd/Makefile
+++ b/regress/usr.sbin/relayd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Makefile,v 1.11 2015/05/22 19:09:18 bluhm Exp $
# The following ports must be installed for the regression tests:
# p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
@@ -67,7 +67,7 @@ run-regress-$a: $a
# create certificates for TLS
.for ip in ${REMOTE_ADDR} 127.0.0.1
-${ip}.crt:
+${ip}.crt: ca.crt
openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=relay/CN=${ip}/ -nodes -newkey rsa -keyout ${ip}.key -x509 -out $@
.if empty (REMOTE_SSH)
${SUDO} cp 127.0.0.1.crt /etc/ssl/
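Review bot: `${ip}.crt: ca.crt` adds a prerequisite that the recipe itself never consumes — `openssl req ... -x509` still produces a self-signed certificate — so the dependency appears to exist only to guarantee ca.crt is built before the install/scp steps below copy it. A comment stating that intent would avoid a future reader "fixing" it, e.g. `# ca.crt is a prerequisite only so it exists before the scp in the .else branch`. Note that ca.key is not listed as a prerequisite, so this relies on the ca.crt rule (outside this hunk) also producing ca.key.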
@@ -75,6 +75,7 @@ ${ip}.crt:
.else
scp ${REMOTE_ADDR}.crt root@${REMOTE_SSH}:/etc/ssl/
scp ${REMOTE_ADDR}.key root@${REMOTE_SSH}:/etc/ssl/private/
+ scp ca.crt ca.key ${REMOTE_SSH}:
.endif
.endfor
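Review bot: `scp ca.crt ca.key ${REMOTE_SSH}:` copies the CA private key to the login user's home directory, whereas the two lines above target `root@${REMOTE_SSH}` and `/etc/ssl/private/`; if the asymmetry is deliberate because Relayd.pm references `ca.key` relative to the regress directory, say so in a comment. The key is also transferred in the clear and, per Relayd.pm, configured with `password ''`, which is acceptable for a throwaway regress CA but should be stated next to the line, e.g. `# regress-only CA: unencrypted key, kept in the test directory`.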
diff --git a/regress/usr.sbin/relayd/Relayd.pm b/regress/usr.sbin/relayd/Relayd.pm
index 1328978471e..d4fdbf0bfac 100644
--- a/regress/usr.sbin/relayd/Relayd.pm
+++ b/regress/usr.sbin/relayd/Relayd.pm
@@ -1,6 +1,6 @@
-# $OpenBSD: Relayd.pm,v 1.14 2015/05/17 22:49:03 bluhm Exp $
+# $OpenBSD: Relayd.pm,v 1.15 2015/05/22 19:09:18 bluhm Exp $
-# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -72,6 +72,11 @@ sub new {
die ref($self), " invalid forward $self->{forward}"
unless grep { /splice/ } @protocol;
print $fh "${proto}protocol proto-$test {";
+ if ($self->{inspectssl}) {
+ $self->{listenssl} = $self->{forwardssl} = 1;
+ print $fh "\n\ttls ca cert ca.crt";
+ print $fh "\n\ttls ca key ca.key password ''";
+ }
# substitute variables in config file
foreach (@protocol) {
s/(\$[a-z]+)/$1/eeg;
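Review bot: `$self->{listenssl} = $self->{forwardssl} = 1` is set only after the protocol block has begun being written; if `new` has already emitted the relay/listen lines that read those flags before this point, the assignment arrives too late and the test would silently run one side without TLS — worth checking, or move the assignment to the start of `new` where `inspectssl` is first known. The generated `tls ca key ca.key password ''` hardcodes an unencrypted CA key, which is fine for regress but deserves a comment such as `# regress CA key is generated without a passphrase, hence the empty password`. `new` starts before this hunk and continues after it.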
diff --git a/regress/usr.sbin/relayd/Server.pm b/regress/usr.sbin/relayd/Server.pm
index a860eeb82e5..0ab32b7e5e2 100644
--- a/regress/usr.sbin/relayd/Server.pm
+++ b/regress/usr.sbin/relayd/Server.pm
@@ -1,6 +1,6 @@
-# $OpenBSD: Server.pm,v 1.7 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.8 2015/05/22 19:09:18 bluhm Exp $
-# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -67,6 +67,12 @@ sub child {
" socket accept failed: $!,$SSL_ERROR";
print STDERR "accept sock: ",$as->sockhost()," ",$as->sockport(),"\n";
print STDERR "accept peer: ",$as->peerhost()," ",$as->peerport(),"\n";
+ if ($self->{ssl}) {
+ print STDERR "ssl version: ",$as->get_sslversion(),"\n";
+ print STDERR "ssl cipher: ",$as->get_cipher(),"\n";
+ print STDERR "ssl peer certificate:\n",
+ $as->dump_peer_certificate();
+ }
*STDIN = *STDOUT = $self->{as} = $as;
}
diff --git a/regress/usr.sbin/relayd/args-https-inspect.pl b/regress/usr.sbin/relayd/args-https-inspect.pl
new file mode 100644
index 00000000000..5db6c695ab9
--- /dev/null
+++ b/regress/usr.sbin/relayd/args-https-inspect.pl
@@ -0,0 +1,27 @@
+# test https connection over http relay with TLS inspection
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ func => \&http_client,
+ ssl => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+ },
+ relayd => {
+ protocol => [ "http",
+ "match request header log foo",
+ "match response header log bar",
+ ],
+ inspectssl => 1,
+ },
+ server => {
+ func => \&http_server,
+ ssl => 1,
+ },
+ len => 251,
+ md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
+);
+
+1;
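Review bot: `loggrep => 'Issuer.*/OU=ca/'` only confirms that the certificate the client received was re-signed by the regress CA; it does not check that relayd preserved the original server certificate's subject (`/O=relayd-regress/OU=relay/CN=<ip>/` per the Makefile rule), which is the property TLS inspection is meant to keep intact. If `loggrep` accepts more than one pattern, adding a Subject check such as `Subject.*/OU=relay/` alongside the Issuer check would pin that behaviour; the same applies to args-ssl-inspect.pl. A short comment on the `loggrep` line explaining that `OU=ca` identifies the inspection CA rather than the relay's own certificate would also help, since the non-inspect variants grep for `OU=relay`.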
diff --git a/regress/usr.sbin/relayd/args-https.pl b/regress/usr.sbin/relayd/args-https.pl
index ed2c9212406..325eaead08b 100644
--- a/regress/usr.sbin/relayd/args-https.pl
+++ b/regress/usr.sbin/relayd/args-https.pl
@@ -7,6 +7,7 @@ our %args = (
client => {
func => \&http_client,
ssl => 1,
+ loggrep => 'Issuer.*/OU=relay/',
},
relayd => {
protocol => [ "http",
diff --git a/regress/usr.sbin/relayd/args-ssl-inspect.pl b/regress/usr.sbin/relayd/args-ssl-inspect.pl
new file mode 100644
index 00000000000..3c360494eaa
--- /dev/null
+++ b/regress/usr.sbin/relayd/args-ssl-inspect.pl
@@ -0,0 +1,21 @@
+# test both client and server ssl connection with TLS inspection
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ ssl => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+ },
+ relayd => {
+ inspectssl => 1,
+ },
+ server => {
+ ssl => 1,
+ },
+ len => 251,
+ md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
+);
+
+1;
diff --git a/regress/usr.sbin/relayd/args-ssl.pl b/regress/usr.sbin/relayd/args-ssl.pl
index 31a9e58b1c0..e75c68ebd3b 100644
--- a/regress/usr.sbin/relayd/args-ssl.pl
+++ b/regress/usr.sbin/relayd/args-ssl.pl
@@ -6,6 +6,7 @@ use warnings;
our %args = (
client => {
ssl => 1,
+ loggrep => 'Issuer.*/OU=relay/',
},
relayd => {
forwardssl => 1,