Fix testproxy e2e tests for older versions of openssl and libressl

OpenSSL 0.9.8zh and 1.0.0s do not support TLSv11. LibreSSL 2.2.7 uses other cipher names too. LibreSSL 2.7.4 (since 2.3.0) does not support TLSv10.
4 years ago · 9ac5a93823
parent 9ff63a1639
commit 9ac5a93823
7 changed files with 578 additions and 3 deletions
--- a/Mk/bin/install-opt.sh
+++ b/Mk/bin/install-opt.sh
@ -8,12 +8,18 @@ if [ -z "$EVENT" ]; then
 	exit 1
 fi

+# TLSv1 == TLSv10 == SSLv3
+NO_TLS10= no
+NO_TLS11= no
+
 case "$SSL" in
 openssl-0.9.*)
 	SSLURL=https://www.openssl.org/source/old/0.9.x/$SSL.tar.gz
+	NO_TLS11= yes
 	;;
 openssl-1.0.0*)
 	SSLURL=https://www.openssl.org/source/old/1.0.0/$SSL.tar.gz
+	NO_TLS11= yes
 	;;
 openssl-1.0.1*)
 	SSLURL=https://www.openssl.org/source/old/1.0.1/$SSL.tar.gz
@ -30,6 +36,10 @@ openssl-1.1.1*)
 openssl-*)
 	SSLURL=https://www.openssl.org/source/$SSL.tar.gz
 	;;
+libressl-2.7.4*)
+	SSLURL=http://ftp.fau.de/pub/OpenBSD/LibreSSL/$SSL.tar.gz
+	NO_TLS10= yes
+	;;
 libressl-*)
 	#SSLURL=https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$SSL.tar.gz
 	SSLURL=http://ftp.fau.de/pub/OpenBSD/LibreSSL/$SSL.tar.gz
@ -39,6 +49,8 @@ libressl-*)
 	;;
 esac

+export NO_TLS11
+
 case "$EVENT" in
 libevent-2.1.8)
 	EVENTURL=https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz
--- a/tests/testproxy/GNUmakefile
+++ b/tests/testproxy/GNUmakefile
@ -10,8 +10,18 @@ buildlp:

 test: buildsslproxy buildlp
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
+ifeq ($(NO_TLS10),yes)
+	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ../../src/sslproxy -f sslproxy_no_tls10.conf -o Debug=no -o Daemon=yes -o User=nobody
+	$(TESTPROXY) -f testharness_no_tls10.json -l 4
+else
+ifeq ($(NO_TLS11),yes)
+	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ../../src/sslproxy -f sslproxy_no_tls11.conf -o Debug=no -o Daemon=yes -o User=nobody
+	$(TESTPROXY) -f testharness_no_tls11.json -l 4
+else
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ../../src/sslproxy -f sslproxy.conf -o Debug=no -o Daemon=yes -o User=nobody
 	$(TESTPROXY) -f testharness.json -l 4
+endif
+endif
 	sudo pkill sslproxy
 	sudo pkill lp

--- a/tests/testproxy/ssl_testset_1.json
+++ b/tests/testproxy/ssl_testset_1.json
@ -59,9 +59,9 @@
          "assert": {
            "current_cipher_name": {
              "match": [
-                "^DHE-\\w+-\\w+-\\w+",
-                "\\w+-\\w+-SEED-\\w+",
-                "\\w+-\\w+-\\w+-SHA$"
+                "^(DHE|IDEA)-\\w+-\\w+",
+                "\\w+-(SEED|CBC)-\\w+",
+                "\\w+-\\w+-SHA$"
              ],
              "!match": [
                "ECDHE-[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+-[A-Z0-9]+",
--- a/tests/testproxy/sslproxy_no_tls10.conf
+++ b/tests/testproxy/sslproxy_no_tls10.conf
@ -0,0 +1,240 @@
+# TestProxy test configuration for sslproxy v0.7.0
+
+# Global options
+#User _sslproxy
+#Group _sslproxy
+#Chroot /var/run/sslproxy
+PidFile /var/run/sslproxy.pid
+#Daemon yes
+Debug yes
+DebugLevel 4
+#OpenFilesLimit 1024
+#LeafCerts /etc/sslproxy/leaf.key
+#LeafKeyRSABits 2048
+#OpenSSLEngine cloudhsm
+#TargetCertDir /etc/sslproxy/target
+#WriteGenCertsDir /var/log/sslproxy
+#WriteAllCertsDir /var/log/sslproxy
+#ConnectLog /var/log/sslproxy/connect.log
+#ContentLog /var/log/sslproxy/content.log
+#ContentLogDir /var/log/sslproxy/content
+#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
+#LogProcInfo yes
+#PcapLog /var/log/sslproxy/content.pcap
+#PcapLogDir /var/log/sslproxy/pcap
+#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
+#MirrorIf lo
+#MirrorTarget 192.0.2.1
+#MasterKeyLog /var/log/sslproxy/masterkeys.log
+LogStats yes
+StatsPeriod 1
+ConnIdleTimeout 120
+ExpiredConnCheckPeriod 10
+SSLShutdownRetryDelay 100
+UserDBPath users.db
+
+# Default ProxySpec options (cloned to each proxyspec)
+CACert ca.crt
+CAKey ca.key
+#ClientCert /etc/sslproxy/client.crt
+#ClientKey /etc/sslproxy/client.key
+#CAChain /etc/sslproxy/chain.crt
+#CRL http://example.com/example.crl
+#DenyOCSP yes
+#Passthrough yes
+#DHGroupParams /etc/sslproxy/dh.pem
+#ECDHCurve prime256v1
+#SSLCompression no
+#ForceSSLProto tls12
+#DisableSSLProto tls10
+#MinSSLProto tls10
+#MaxSSLProto tls12
+#Ciphers MEDIUM:HIGH
+#NATEngine netfilter
+#RemoveHTTPAcceptEncoding no
+#RemoveHTTPReferer yes
+VerifyPeer no
+#AllowWrongHost no
+#UserAuth no
+#UserTimeout 300
+#UserAuthURL https://192.168.0.1/userdblogin.php
+#ValidateProto no
+#MaxHTTPHeaderSize 8192
+#PassSite example.com
+#PassSite example.com 192.168.0.1
+#PassSite example.com soner
+#PassSite *.google.com * android
+
+# Tests for tcp connection over ssl proxyspec
+ProxySpec https 127.0.0.1 8441 up:8080 127.0.0.1 9441
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8442
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9442
+	ValidateProto yes
+}
+
+# Tests for ssl connection on tcp proxyspec
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8183
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9183
+	ValidateProto yes
+}
+
+# Tests for HTTP GET method validation
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8184
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9184
+	ValidateProto yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8444
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9444
+	ValidateProto yes
+}
+
+# Tests for HTTP POST method validation
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8185
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9185
+	ValidateProto yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8445
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9445
+	ValidateProto yes
+}
+
+# Tests for SSL configuration
+# Tests for SSL configuration: tls11 only
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8450
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9450
+	ForceSSLProto tls11
+}
+# Tests for SSL configuration: tls12 only
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8451
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9451
+	ForceSSLProto tls12
+}
+
+# Tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
+ProxySpec http 127.0.0.1 8180 up:8080 127.0.0.1 9180
+ProxySpec https 127.0.0.1 8446 up:8080 127.0.0.1 9446
+
+# Tests for HTTP response headers: Public-Key-Pins, Public-Key-Pins-Report-Only, Strict-Transport-Security, Expect-CT, Alternate-Protocol, Upgrade, OCSP request
+ProxySpec http 127.0.0.1 8181 up:8080 127.0.0.1 9181
+ProxySpec https 127.0.0.1 8447 up:8080 127.0.0.1 9447
+
+# Tests for HTTP response headers: Deny OCSP request, remove Accept-Encoding, and do not remove Referer
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8186
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9186
+	DenyOCSP yes
+	RemoveHTTPAcceptEncoding yes
+	RemoveHTTPReferer no
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8448
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9448
+	DenyOCSP yes
+	RemoveHTTPAcceptEncoding yes
+	RemoveHTTPReferer no
+}
+
+# Tests for Passthrough
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8454
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9454
+	Passthrough yes
+	VerifyPeer yes
+}
+
+# Tests for VerifyPeer
+ProxySpec https 127.0.0.1 8455 up:8080 127.0.0.1 9455
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8456
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9456
+	VerifyPeer yes
+}
+
+# Tests for CACert/CAKey
+ProxySpec https 127.0.0.1 8457 up:8080 127.0.0.1 9457
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8458
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9458
+	CACert ca2.crt
+	CAKey ca2.key
+}
+
+# Tests for UserAuth
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8187
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9187
+	UserAuth yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8459
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9459
+	UserAuth yes
+}
--- a/tests/testproxy/sslproxy_no_tls11.conf
+++ b/tests/testproxy/sslproxy_no_tls11.conf
@ -0,0 +1,231 @@
+# TestProxy test configuration for sslproxy v0.7.0
+
+# Global options
+#User _sslproxy
+#Group _sslproxy
+#Chroot /var/run/sslproxy
+PidFile /var/run/sslproxy.pid
+#Daemon yes
+Debug yes
+DebugLevel 4
+#OpenFilesLimit 1024
+#LeafCerts /etc/sslproxy/leaf.key
+#LeafKeyRSABits 2048
+#OpenSSLEngine cloudhsm
+#TargetCertDir /etc/sslproxy/target
+#WriteGenCertsDir /var/log/sslproxy
+#WriteAllCertsDir /var/log/sslproxy
+#ConnectLog /var/log/sslproxy/connect.log
+#ContentLog /var/log/sslproxy/content.log
+#ContentLogDir /var/log/sslproxy/content
+#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
+#LogProcInfo yes
+#PcapLog /var/log/sslproxy/content.pcap
+#PcapLogDir /var/log/sslproxy/pcap
+#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
+#MirrorIf lo
+#MirrorTarget 192.0.2.1
+#MasterKeyLog /var/log/sslproxy/masterkeys.log
+LogStats yes
+StatsPeriod 1
+ConnIdleTimeout 120
+ExpiredConnCheckPeriod 10
+SSLShutdownRetryDelay 100
+UserDBPath users.db
+
+# Default ProxySpec options (cloned to each proxyspec)
+CACert ca.crt
+CAKey ca.key
+#ClientCert /etc/sslproxy/client.crt
+#ClientKey /etc/sslproxy/client.key
+#CAChain /etc/sslproxy/chain.crt
+#CRL http://example.com/example.crl
+#DenyOCSP yes
+#Passthrough yes
+#DHGroupParams /etc/sslproxy/dh.pem
+#ECDHCurve prime256v1
+#SSLCompression no
+#ForceSSLProto tls12
+#DisableSSLProto tls10
+#MinSSLProto tls10
+#MaxSSLProto tls12
+#Ciphers MEDIUM:HIGH
+#NATEngine netfilter
+#RemoveHTTPAcceptEncoding no
+#RemoveHTTPReferer yes
+VerifyPeer no
+#AllowWrongHost no
+#UserAuth no
+#UserTimeout 300
+#UserAuthURL https://192.168.0.1/userdblogin.php
+#ValidateProto no
+#MaxHTTPHeaderSize 8192
+#PassSite example.com
+#PassSite example.com 192.168.0.1
+#PassSite example.com soner
+#PassSite *.google.com * android
+
+# Tests for tcp connection over ssl proxyspec
+ProxySpec https 127.0.0.1 8441 up:8080 127.0.0.1 9441
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8442
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9442
+	ValidateProto yes
+}
+
+# Tests for ssl connection on tcp proxyspec
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8183
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9183
+	ValidateProto yes
+}
+
+# Tests for HTTP GET method validation
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8184
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9184
+	ValidateProto yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8444
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9444
+	ValidateProto yes
+}
+
+# Tests for HTTP POST method validation
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8185
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9185
+	ValidateProto yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8445
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9445
+	ValidateProto yes
+}
+
+# Tests for SSL configuration
+ProxySpec https 127.0.0.1 8443 up:8080 127.0.0.1 9443
+# Tests for SSL configuration: tls10 only
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8449
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9449
+	ForceSSLProto tls10
+}
+
+# Tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
+ProxySpec http 127.0.0.1 8180 up:8080 127.0.0.1 9180
+ProxySpec https 127.0.0.1 8446 up:8080 127.0.0.1 9446
+
+# Tests for HTTP response headers: Public-Key-Pins, Public-Key-Pins-Report-Only, Strict-Transport-Security, Expect-CT, Alternate-Protocol, Upgrade, OCSP request
+ProxySpec http 127.0.0.1 8181 up:8080 127.0.0.1 9181
+ProxySpec https 127.0.0.1 8447 up:8080 127.0.0.1 9447
+
+# Tests for HTTP response headers: Deny OCSP request, remove Accept-Encoding, and do not remove Referer
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8186
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9186
+	DenyOCSP yes
+	RemoveHTTPAcceptEncoding yes
+	RemoveHTTPReferer no
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8448
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9448
+	DenyOCSP yes
+	RemoveHTTPAcceptEncoding yes
+	RemoveHTTPReferer no
+}
+
+# Tests for Passthrough
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8454
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9454
+	Passthrough yes
+	VerifyPeer yes
+}
+
+# Tests for VerifyPeer
+ProxySpec https 127.0.0.1 8455 up:8080 127.0.0.1 9455
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8456
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9456
+	VerifyPeer yes
+}
+
+# Tests for CACert/CAKey
+ProxySpec https 127.0.0.1 8457 up:8080 127.0.0.1 9457
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8458
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9458
+	CACert ca2.crt
+	CAKey ca2.key
+}
+
+# Tests for UserAuth
+ProxySpec {
+	Proto http
+	Addr 127.0.0.1
+	Port 8187
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9187
+	UserAuth yes
+}
+ProxySpec {
+	Proto https
+	Addr 127.0.0.1
+	Port 8459
+	DivertPort 8080
+	TargetAddr 127.0.0.1
+	TargetPort 9459
+	UserAuth yes
+}
--- a/tests/testproxy/testharness_no_tls10.json
+++ b/tests/testproxy/testharness_no_tls10.json
@ -0,0 +1,41 @@
+{
+  "comment": "SSLproxy tests",
+  "testharnesses": {
+    "1": {
+      "comment": "HTTP tests",
+      "testsets": {
+        "1": "http_testset_1.json",
+        "2": "http_testset_2.json",
+        "3": "http_testset_3.json"
+      }
+    },
+    "2": {
+      "comment": "SSL config tests",
+      "testsets": {
+        "1": "ssl_testset_3.json",
+        "2": "ssl_testset_4.json"
+      }
+    },
+    "3": {
+      "comment": "Protocol validation tests",
+      "testsets": {
+        "1": "tcp_ssl_testends_testset_1.json",
+        "2": "ssl_tcp_testends_testset_1.json",
+        "3": "proto_validate_testset_1.json",
+        "4": "proto_validate_testset_2.json"
+      }
+    },
+    "4": {
+      "comment": "Various option tests",
+      "testsets": {
+        "1": "passthrough_testset_1.json",
+        "2": "verifypeer_testset_1.json",
+        "3": "verifypeer_testset_2.json",
+        "4": "ca_testset_1.json",
+        "5": "ca_testset_2.json",
+        "6": "userauth_testset_1.json",
+        "7": "userauth_testset_2.json"
+      }
+    }
+  }
+}
--- a/tests/testproxy/testharness_no_tls11.json
+++ b/tests/testproxy/testharness_no_tls11.json
@ -0,0 +1,41 @@
+{
+  "comment": "SSLproxy tests",
+  "testharnesses": {
+    "1": {
+      "comment": "HTTP tests",
+      "testsets": {
+        "1": "http_testset_1.json",
+        "2": "http_testset_2.json",
+        "3": "http_testset_3.json"
+      }
+    },
+    "2": {
+      "comment": "SSL config tests",
+      "testsets": {
+        "1": "ssl_testset_1.json",
+        "2": "ssl_testset_2.json"
+      }
+    },
+    "3": {
+      "comment": "Protocol validation tests",
+      "testsets": {
+        "1": "tcp_ssl_testends_testset_1.json",
+        "2": "ssl_tcp_testends_testset_1.json",
+        "3": "proto_validate_testset_1.json",
+        "4": "proto_validate_testset_2.json"
+      }
+    },
+    "4": {
+      "comment": "Various option tests",
+      "testsets": {
+        "1": "passthrough_testset_1.json",
+        "2": "verifypeer_testset_1.json",
+        "3": "verifypeer_testset_2.json",
+        "4": "ca_testset_1.json",
+        "5": "ca_testset_2.json",
+        "6": "userauth_testset_1.json",
+        "7": "userauth_testset_2.json"
+      }
+    }
+  }
+}