Google Git
Sign in
apache / trafficserver / 71c7dbd44c744f95b48b19bae7e88e0139d6d284 / . / tests / gold_tests / tls / tls_0rtt_server.test.py
blob: 69a7f75b10c370e7a465a012aa70869bbb5f996a [file] [log] [blame]
'''
'''
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import sys
Test.Summary = '''
Test ATS TLSv1.3 0-RTT support
'''
# Checking only OpenSSL version allows you to run this test with BoringSSL (and it should pass).
Test.SkipUnless(
Condition.HasOpenSSLVersion('1.1.1'),
)
ts1 = Test.MakeATSProcess('ts1', enable_tls=True)
ts2 = Test.MakeATSProcess('ts2', enable_tls=True)
server = Test.MakeOriginServer('server')
request_header1 = {
'headers': 'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
'timestamp': '1469733493.993',
'body': ''
}
response_header1 = {
'headers': 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n',
'timestamp': '1469733493.993',
'body': 'curl test'
}
request_header2 = {
'headers': 'GET /early_get HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
'timestamp': '1469733493.993',
'body': ''
}
response_header2 = {
'headers': 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n',
'timestamp': '1469733493.993',
'body': 'early data accepted'
}
request_header3 = {
'headers': 'POST /early_post HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 11\r\n\r\n',
'timestamp': '1469733493.993',
'body': 'knock knock'
}
response_header3 = {
'headers': 'HTTP/1.1 200 OK\r\nServer: uServer\r\nConnection: close\r\nTransfer-Encoding: chunked\r\n\r\n',
'timestamp': '1415926535.898',
'body': ''
}
request_header4 = {
'headers': 'GET /early_multi_1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
'timestamp': '1469733493.993',
'body': ''
}
response_header4 = {
'headers': 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n',
'timestamp': '1469733493.993',
'body': 'early data accepted multi_1'
}
request_header5 = {
'headers': 'GET /early_multi_2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
'timestamp': '1469733493.993',
'body': ''
}
response_header5 = {
'headers': 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n',
'timestamp': '1469733493.993',
'body': 'early data accepted multi_2'
}
request_header6 = {
'headers': 'GET /early_multi_3 HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
'timestamp': '1469733493.993',
'body': ''
}
response_header6 = {
'headers': 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n',
'timestamp': '1469733493.993',
'body': 'early data accepted multi_3'
}
server.addResponse('sessionlog.json', request_header1, response_header1)
server.addResponse('sessionlog.json', request_header2, response_header2)
server.addResponse('sessionlog.json', request_header3, response_header3)
server.addResponse('sessionlog.json', request_header4, response_header4)
server.addResponse('sessionlog.json', request_header5, response_header5)
server.addResponse('sessionlog.json', request_header6, response_header6)
ts1.addSSLfile('ssl/server.pem')
ts1.addSSLfile('ssl/server.key')
ts1.Setup.Copy('test-0rtt-s_client.py')
ts1.Setup.Copy('h2_early_decode.py')
ts1.Setup.Copy('early_h1_get.txt')
ts1.Setup.Copy('early_h1_post.txt')
ts1.Setup.Copy('early_h2_get.txt')
ts1.Setup.Copy('early_h2_post.txt')
ts1.Setup.Copy('early_h2_multi1.txt')
ts1.Setup.Copy('early_h2_multi2.txt')
ts1.Disk.records_config.update({
'proxy.config.diags.debug.enabled': 1,
'proxy.config.diags.debug.tags': 'http|ssl_early_data|ssl',
'proxy.config.exec_thread.autoconfig.enabled': 0,
'proxy.config.exec_thread.limit': 8,
'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.session_cache.value': 2,
'proxy.config.ssl.session_cache.size': 512000,
'proxy.config.ssl.session_cache.timeout': 7200,
'proxy.config.ssl.session_cache.num_buckets': 32768,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.max_early_data': 16384,
'proxy.config.ssl.server.allow_early_data_params': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
})
ts1.Disk.ssl_multicert_config.AddLine(
'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
)
ts1.Disk.remap_config.AddLine(
'map / http://127.0.0.1:{0}'.format(server.Variables.Port)
)
ts1.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: example-no.com',
' server_max_early_data: 0'
])
ts2.Disk.records_config.update({
'proxy.config.diags.debug.enabled': 1,
'proxy.config.diags.debug.tags': 'http|ssl_early_data|ssl',
'proxy.config.exec_thread.autoconfig.enabled': 0,
'proxy.config.exec_thread.limit': 8,
'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.session_cache.value': 2,
'proxy.config.ssl.session_cache.size': 512000,
'proxy.config.ssl.session_cache.timeout': 7200,
'proxy.config.ssl.session_cache.num_buckets': 32768,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.max_early_data': 0,
'proxy.config.ssl.server.allow_early_data_params': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
})
ts2.Disk.ssl_multicert_config.AddLine(
'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
)
ts2.Disk.remap_config.AddLine(
'map / http://127.0.0.1:{0}'.format(server.Variables.Port)
)
ts2.Disk.sni_yaml.AddLines([
'sni:',
'- fqdn: example-yes.com',
' server_max_early_data: 16384'
])
tr = Test.AddTestRun('Basic Curl Test')
tr.Processes.Default.Command = 'curl -k --resolve example.com:{0}:127.0.0.1 https://example.com:{0}'.format(ts1.Variables.ssl_port)
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.StartBefore(server)
tr.Processes.Default.StartBefore(ts1)
tr.Processes.Default.Streams.All = Testers.ContainsExpression('curl test', 'Making sure the basics still work')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('early data accepted', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET)')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h1 -t get -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 POST)')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h1 -t post -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('HTTP/1.1 425 Too Early', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('early data accepted', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 GET)')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t get -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 POST)')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t post -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression(':status 425', 'Only safe methods are allowed')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('early data accepted', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 Multiplex)')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t multi1 -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data accepted multi_1', '')
tr.Processes.Default.Streams.All += Testers.ContainsExpression('early data accepted multi_2', '')
tr.Processes.Default.Streams.All += Testers.ContainsExpression('early data accepted multi_3', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/2 Multiplex with POST)')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h2 -t multi2 -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data accepted multi_1', '')
tr.Processes.Default.Streams.All += Testers.ContainsExpression(':status 425', 'Only safe methods are allowed')
tr.Processes.Default.Streams.All += Testers.ContainsExpression('early data accepted multi_3', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET) SNI Provided')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h1 -t get -r {Test.RunDirectory} -s example.com'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts1
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET) Disabled By SNI Config')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts1.Variables.ssl_port} -v h1 -t get -r {Test.RunDirectory} -s example-no.com'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ExcludesExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET) Disabled In General')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts2.Variables.ssl_port} -v h1 -t get -r {Test.RunDirectory}'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.StartBefore(ts2)
tr.Processes.Default.Streams.All = Testers.ExcludesExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts2
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET) Disabled In General SNI Provided')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts2.Variables.ssl_port} -v h1 -t get -r {Test.RunDirectory} -s example.com'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ExcludesExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')
tr.StillRunningAfter = server
tr.StillRunningAfter += ts2
tr = Test.AddTestRun('TLSv1.3 0-RTT Support (HTTP/1.1 GET) Enabled By SNI Config')
tr.Processes.Default.Command = f'{sys.executable} test-0rtt-s_client.py -p {ts2.Variables.ssl_port} -v h1 -t get -r {Test.RunDirectory} -s example-yes.com'
tr.Processes.Default.ReturnCode = 0
tr.Processes.Default.Streams.All = Testers.ContainsExpression('early data accepted', '')
tr.Processes.Default.Streams.All += Testers.ExcludesExpression('curl test', '')