def test_ssl(self):
'''Test https'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
testlib.recursive_rm(tmpdir)
# modern wget now returns 5 on ssl validation errors
if self.lsb_release['Release'] <= 9.10:
expected = 1
else:
expected = 5
# Cert is self-signed, make sure wget says so
if self.lsb_release['Release'] <= 8.04:
error_str = 'ERROR: Certificate verification error for localhost'
else:
error_str = "ERROR: cannot verify localhost's certificate"
self._test_url_wget("https://localhost/", error_str, expected=expected)
# Let's try an SSL page without validating the self-signed cert
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url_wget("https://localhost/" + \
os.path.basename(self.html_page), test_str, extra_opts=['--no-check-certificate'])
def test_ssl(self):
'''Test https'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
testlib.recursive_rm(tmpdir)
self._test_url_lftp("https://localhost/")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url_lftp("https://localhost/" + \
os.path.basename(self.html_page), test_str)
def test_update_ca_certificates_usr(self):
'''Test update-ca-certificates for local CA (/usr)'''
self.local_ca = "/usr/share/ca-certificates/testlib.crt"
# Create a CA, update /etc/hosts and create a test page
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
testlib.config_replace(self.hosts_file, "127.0.0.1 server", True)
test_str = testlib_httpd.create_html_page(self.html_page)
# First, try to access the self-signed server
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str, verify=False)
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), "unable to get local issuer certificate")
# Next, install the local CA
shutil.copy(cacert_pem, self.local_ca)
testlib.config_replace(self.ca_certificates_conf,
os.path.basename(self.local_ca) + '\n', True)
testlib.recursive_rm(tmpdir)
rc, report = testlib.cmd(['update-ca-certificates'])
expected = 0
result = 'Got exit code %d, expected %d\n' % (rc, expected)
self.assertEquals(expected, rc, result + report)
# Now try to access it
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str)
# Next, remove the installed CA
testlib.config_restore(self.ca_certificates_conf)
os.unlink(self.local_ca)
rc, report = testlib.cmd(['update-ca-certificates'])
expected = 0
result = 'Got exit code %d, expected %d\n' % (rc, expected)
self.assertEquals(expected, rc, result + report)
# Last, try to access the self-signed server again
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str, verify=False)
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), "unable to get local issuer certificate")
def test_https(self):
'''Test https'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem,
cacert_pem) = testlib_ssl.gen_ssl()
shutil.copy(srvkey_pem, self.ssl_key)
shutil.copy(srvcert_pem, self.ssl_crt)
testlib.recursive_rm(tmpdir)
testlib.config_replace(self.default_vhost, '''
server {
listen 443;
server_name localhost;
root %s;
index index.html index.htm index.nginx-debian.html;
ssl on;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ =404;
}
}
''' % self.document_root, append=True)
self.daemon.restart()
self._test_url("https://localhost/", "Welcome to nginx")
test_str = testlib_httpd.create_html_page(self.html_page)
self._test_url("https://localhost/" + \
os.path.basename(self.html_page), test_str)
def test_https_selfsigned(self):
'''Test https self-signed'''
(self.tempdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
# fire up a server
self.listener = os.fork()
if self.listener == 0:
args = ['/bin/sh', '-c', 'exec /usr/bin/gnutls-serv --http -p 4443 --x509keyfile %s --x509certfile %s --x509cafile %s >/dev/null 2>&1' % (srvkey_pem, srvcert_pem, cacert_pem)]
os.execv(args[0], args)
sys.exit(0)
time.sleep(1)
# Make sure it doesn't verify
self._lynx_cmd("https://127.0.0.1:4443/", expected=1)
# Now try again, ignoring the error
self.lynx_cfg = os.path.join(self.tempdir, "lynx.cfg")
contents = '''FORCE_SSL_PROMPT:yes\n'''
testlib.config_replace(self.lynx_cfg, contents)
os.environ['LYNX_CFG'] = self.lynx_cfg
self._lynx_cmd("https://127.0.0.1:4443/", expected=0)
os.environ['LYNX_TRACE_FILE'] = "testlib-Lynx.trace"
self._lynx_cmd("https://127.0.0.1:4443/", expected=0,
extra_args=['-trace', '-tlog'])
trace = os.path.expanduser("~/%s" % os.environ['LYNX_TRACE_FILE'])
self.assertTrue(os.path.exists(trace), "Could not find '%s'" % trace)
results = open(trace).read()
terms = ['HTParsePort 4443',
'Validating CNs in',
'ssl_host',
'cert_host',
'UNVERIFIED connection to 127.0.0.1 (cert=CN<server>)',
'Certificate issued by:']
for search in terms:
self.assertTrue(search in results, "Could not fine '%s' in:\n%s" % (search, results))
# CVE-2012-5821
search = 'SSL error:self signed certificate-Continue?'
self.assertTrue(search in results, "Could not fine '%s' in:\n%s" % (search, results))
if self.listener:
os.kill(self.listener, 15)
os.waitpid(self.listener, 0)
def test_https_badkey(self):
'''Test https mismatched keys'''
(self.tempdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
# fire up a server
self.listener = os.fork()
if self.listener == 0:
args = ['/bin/sh', '-c', 'exec /usr/bin/gnutls-serv --http -p 4443 --x509keyfile %s --x509certfile %s --x509cafile %s >/dev/null 2>&1' % (clientkey_pem, srvcert_pem, cacert_pem)]
os.execv(args[0], args)
sys.exit(0)
time.sleep(1)
# Make sure it doesn't verify
self._lynx_cmd("https://127.0.0.1:4443/", expected=1)
if self.listener:
os.kill(self.listener, 15)
os.waitpid(self.listener, 0)
def test_ssl_no_verify(self):
'''Test https (self signed/no ca cert)'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))
shutil.copy(cacert_pem, ca)
testlib.recursive_rm(tmpdir)
# We need to add server to the hosts file, or w3m errors while
# validating the cert's CN before the NUL byte check
testlib.config_replace(self.hosts_file, "127.0.0.1 server", True)
test_str = testlib_httpd.create_html_page(self.html_page)
cmdline = "w3m -dump https://server/" + os.path.basename(self.html_page)
child = pexpect.spawn(cmdline)
time.sleep(1.0)
child.expect(".*unable to get local issuer certificate.*", timeout=2)
child.sendline('y')
time.sleep(1.0)
child.kill(0)
def test_ssl(self):
'''Test https (self signed with ca cert)'''
(tmpdir, srvcert_pem, srvkey_pem, clientcert_pem, clientkey_pem, cacert_pem) = testlib_ssl.gen_ssl()
self._prepare_ssl(srvkey_pem, srvcert_pem)
ca = os.path.join(self.tempdir, os.path.basename(cacert_pem))
shutil.copy(cacert_pem, ca)
testlib.recursive_rm(tmpdir)
# We need to add server to the hosts file, or w3m errors while
# validating the cert's CN before the NUL byte check
testlib.config_replace(self.hosts_file, "127.0.0.1 server", True)
#cmdline = "w3m -dump -o ssl_ca_file=" + ca + " https://localhost"
test_str = testlib_httpd.create_html_page(self.html_page)
self._w3m_cmd("https://server/" + \
os.path.basename(self.html_page), test_str, extra_args=['-o', 'ssl_ca_file=' + ca])
def setUp(self):
'''Setup mechanisms'''
ServerCommon._setUp(self)
ServerCommon._stop(self)
if self.lsb_release['Release'] == 6.06:
return True
self.sslhandle, self.sslname = testlib.mkstemp_fill('''SHOW VARIABLES LIKE 'have_ssl';''', dir="/tmp")
(self.tmpdir, self.srvcert_pem, self.srvkey_pem, self.clientcert_pem, self.clientkey_pem, self.cacert_pem) = testlib_ssl.gen_ssl()
subprocess.call(['chown', '-R', 'mysql', self.tmpdir])
self.hosts = "/etc/hosts"
testlib.config_replace(self.hosts, "", True)
subprocess.call(['sed', '-i', 's/^\\(127.0.0.1.*\\)/\\1 server client/g', self.hosts])
self.mycnf = "/etc/mysql/my.cnf"
testlib.config_replace(self.mycnf, "", True)
subprocess.call(['sed', '-i', 's,^\[mysqld\],[mysqld]\\nssl\\n\\nssl-ca=' + self.cacert_pem + '\\nssl-cert=' + self.srvcert_pem + '\\nssl-key=' + self.srvkey_pem + '\\nlog = /var/log/mysql.log\\n,g', self.mycnf])
subprocess.call(['sed', '-i', 's,^\[client\],[client]\\nssl\\n\\nssl-ca=' + self.cacert_pem + '\\nssl-cert=' + self.clientcert_pem + '\\nssl-key=' + self.clientkey_pem + '\\nssl-verify-server-cert = false\\n,g', self.mycnf])
ServerCommon._restart(self)