Add tls13 support

Add e2e tests for tls13 too
pull/48/head
Soner Tari 4 years ago
parent 9da7437919
commit ee41c72666

@ -112,7 +112,7 @@ opts_new(void)
opts->sslmethod = SSLv23_method;
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
opts->minsslversion = TLS1_VERSION;
opts->maxsslversion = TLS1_2_VERSION;
opts->maxsslversion = TLS1_3_VERSION;
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
opts->remove_http_referer = 1;
opts->verify_peer = 1;
@ -451,6 +451,9 @@ opts_proto_dbg_dump(opts_t *opts)
#ifdef HAVE_TLSV12
(opts->sslversion == TLS1_2_VERSION) ? "tls12" :
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
(opts->sslversion == TLS1_3_VERSION) ? "tls13" :
#endif /* HAVE_TLSV13 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
"negotiate",
#ifdef HAVE_SSLV2
@ -471,6 +474,9 @@ opts_proto_dbg_dump(opts_t *opts)
"",
#ifdef HAVE_TLSV12
opts->no_tls12 ? " -tls12" :
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
opts->no_tls13 ? " -tls13" :
#endif /* HAVE_TLSV12 */
"",
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
@ -486,6 +492,9 @@ opts_proto_dbg_dump(opts_t *opts)
#ifdef HAVE_TLSV12
(opts->minsslversion == TLS1_2_VERSION) ? ">=tls12" :
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
(opts->minsslversion == TLS1_3_VERSION) ? ">=tls13" :
#endif /* HAVE_TLSV13 */
"",
#ifdef HAVE_SSLV3
(opts->maxsslversion == SSL3_VERSION) ? "<=ssl3" :
@ -499,6 +508,9 @@ opts_proto_dbg_dump(opts_t *opts)
#ifdef HAVE_TLSV12
(opts->maxsslversion == TLS1_2_VERSION) ? "<=tls12" :
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
(opts->maxsslversion == TLS1_3_VERSION) ? "<=tls13" :
#endif /* HAVE_TLSV13 */
""
#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
"", ""
@ -1460,6 +1472,11 @@ opts_force_proto(opts_t *opts, const char *argv0, const char *optarg)
opts->sslversion = TLS1_2_VERSION;
} else
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
if (!strcmp(optarg, "tls13")) {
opts->sslversion = TLS1_3_VERSION;
} else
#endif /* HAVE_TLSV13 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
@ -1503,6 +1520,11 @@ opts_disable_proto(opts_t *opts, const char *argv0, const char *optarg)
opts->no_tls12 = 1;
} else
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
if (!strcmp(optarg, "tls13")) {
opts->no_tls13 = 1;
} else
#endif /* HAVE_TLSV13 */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
@ -1537,6 +1559,11 @@ opts_set_min_proto(UNUSED opts_t *opts, const char *argv0, const char *optarg)
opts->minsslversion = TLS1_2_VERSION;
} else
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
if (!strcmp(optarg, "tls13")) {
opts->minsslversion = TLS1_3_VERSION;
} else
#endif /* HAVE_TLSV13 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
@ -1572,6 +1599,11 @@ opts_set_max_proto(UNUSED opts_t *opts, const char *argv0, const char *optarg)
opts->maxsslversion = TLS1_2_VERSION;
} else
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
if (!strcmp(optarg, "tls13")) {
opts->maxsslversion = TLS1_3_VERSION;
} else
#endif /* HAVE_TLSV13 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
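Review bot: In the opts_new hunk at the top of this section, the new default `opts->maxsslversion = TLS1_3_VERSION;` sits under the generic `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard, which still admits OpenSSL 1.1.0, where TLS1_3_VERSION is not declared, so that configuration would stop compiling; every other hunk in this section wraps its TLS 1.3 code in `#ifdef HAVE_TLSV13`, and the default should do the same, falling back to TLS1_2_VERSION otherwise. Whether the LibreSSL builds that pass the same version guard all declare TLS1_3_VERSION I cannot tell from here, which is another reason to key the default on HAVE_TLSV13 rather than on the library version. Separately, the closing comment on the new `no_tls13` block in opts_proto_dbg_dump reads `#endif /* HAVE_TLSV12 */` and should be `#endif /* HAVE_TLSV13 */`. opts_new's body continues outside the hunk.
```c
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
	opts->minsslversion = TLS1_VERSION;
#ifdef HAVE_TLSV13
	opts->maxsslversion = TLS1_3_VERSION;
#else /* !HAVE_TLSV13 */
	opts->maxsslversion = TLS1_2_VERSION;
#endif /* !HAVE_TLSV13 */
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
/* … unchanged: remaining opts_new defaults … */
```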

@ -65,6 +65,9 @@ typedef struct opts {
#ifdef HAVE_TLSV12
unsigned int no_tls12 : 1;
#endif /* HAVE_TLSV12 */
#ifdef HAVE_TLSV13
unsigned int no_tls13 : 1;
#endif /* HAVE_TLSV13 */
unsigned int passthrough : 1;
unsigned int deny_ocsp : 1;
char *ciphers;

@ -170,6 +170,9 @@ X509 * ssl_ssl_cert_get(SSL *);
#ifdef SSL_OP_NO_TLSv1_2
#define HAVE_TLSV12
#endif /* SSL_OP_NO_TLSv1_2 */
#ifdef SSL_OP_NO_TLSv1_3
#define HAVE_TLSV13
#endif /* SSL_OP_NO_TLSv1_3 */
#ifdef HAVE_SSLV2
#define SSL2_S "ssl2 "
@ -196,7 +199,12 @@ X509 * ssl_ssl_cert_get(SSL *);
#else /* !HAVE_TLSV12 */
#define TLS12_S ""
#endif /* !HAVE_TLSV12 */
#define SSL_PROTO_SUPPORT_S SSL2_S SSL3_S TLS10_S TLS11_S TLS12_S
#ifdef HAVE_TLSV13
#define TLS13_S "tls13 "
#else /* !HAVE_TLSV13 */
#define TLS13_S ""
#endif /* !HAVE_TLSV13 */
#define SSL_PROTO_SUPPORT_S SSL2_S SSL3_S TLS10_S TLS11_S TLS12_S TLS13_S
void ssl_openssl_version(void);
int ssl_init(void) WUNRES;

@ -1,5 +1,5 @@
{
"comment": "Tests for SSL configuration: Rejects unsupported SSL/TLS proto",
"comment": "Tests for SSL configuration: tls13 only",
"configs": {
"1": {
"proto": {
@ -8,16 +8,16 @@
"no_ssl3": "yes",
"no_tls10": "yes",
"no_tls11": "yes",
"no_tls12": "no",
"no_tls13": "yes"
"no_tls12": "yes",
"no_tls13": "no"
},
"client": {
"ip": "127.0.0.1",
"port": "8452"
"port": "8462"
},
"server": {
"ip": "127.0.0.1",
"port": "9452",
"port": "9462",
"crt": "server.crt",
"key": "server.key"
}
@ -25,20 +25,20 @@
"2": {
"proto": {
"proto": "ssl",
"no_ssl2": "yes",
"no_ssl3": "yes",
"no_ssl2": "no",
"no_ssl3": "no",
"no_tls10": "no",
"no_tls11": "yes",
"no_tls12": "yes",
"no_tls13": "yes"
"no_tls11": "no",
"no_tls12": "no",
"no_tls13": "no"
},
"client": {
"ip": "127.0.0.1",
"port": "8453"
"port": "8462"
},
"server": {
"ip": "127.0.0.1",
"port": "9453",
"port": "9462",
"crt": "server.crt",
"key": "server.key"
}
@ -46,17 +46,71 @@
},
"tests": {
"1": {
"comment": "Rejects tls10 over tls12 and tls12 over tls10 proxyspecs",
"comment": "Configures tls13 only",
"states": {
"1": {
"testend": "client",
"cmd": "sslconnectfail",
"payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
"cmd": "send",
"payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
"assert": {
"current_cipher_version": {
"==": [
"TLSv1.3"
],
"!match": [
"SSLv3",
"^TLSv1\\.[012]?$"
]
},
"ssl_proto_version": {
"==": [
"TLSv1.3"
],
"!=": [
"SSLv3"
],
"!match": [
"^TLSv1\\.[012]?$"
]
},
"ssl_state": {
"==": [
"SSLOK "
]
}
}
},
"2": {
"testend": "server",
"cmd": "timeout",
"payload": ""
"cmd": "recv",
"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n",
"assert": {
"current_cipher_version": {
"==": [
"TLSv1.3"
],
"!match": [
"SSLv3",
"^TLSv1\\.[012]?$"
]
},
"ssl_proto_version": {
"==": [
"TLSv1.3"
],
"!=": [
"SSLv3"
],
"!match": [
"^TLSv1\\.[012]?$"
]
},
"ssl_state": {
"==": [
"SSLOK "
]
}
}
}
}
}
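Review bot: The rewritten test `1` in this file only exercises the positive path: config `1` (tls13 only) and config `2` (every protocol enabled) both expect `SSLOK ` and `TLSv1.3`, so nothing checks that the tls13-forced proxyspec refuses a peer with TLS 1.3 disabled, which is the kind of rejection the previous content of this file asserted for tls10/tls12 with `"cmd": "sslconnectfail"`. A third config with `"no_tls12": "no"` and `"no_tls13": "yes"` whose client state uses `"cmd": "sslconnectfail"` and whose server state uses `"cmd": "timeout"` would pin that negative case. Both configs also share client port `8462` and server port `9462`; if the harness starts both servers concurrently that is a bind conflict, and if it is intentional (one proxyspec exercised with a strict and a permissive peer) a `"comment"` on config `2` saying so would help the next reader.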

@ -0,0 +1,64 @@
{
"comment": "Tests for SSL configuration: Rejects unsupported SSL/TLS proto",
"configs": {
"1": {
"proto": {
"proto": "ssl",
"no_ssl2": "yes",
"no_ssl3": "yes",
"no_tls10": "yes",
"no_tls11": "yes",
"no_tls12": "no",
"no_tls13": "yes"
},
"client": {
"ip": "127.0.0.1",
"port": "8452"
},
"server": {
"ip": "127.0.0.1",
"port": "9452",
"crt": "server.crt",
"key": "server.key"
}
},
"2": {
"proto": {
"proto": "ssl",
"no_ssl2": "yes",
"no_ssl3": "yes",
"no_tls10": "no",
"no_tls11": "yes",
"no_tls12": "yes",
"no_tls13": "yes"
},
"client": {
"ip": "127.0.0.1",
"port": "8453"
},
"server": {
"ip": "127.0.0.1",
"port": "9453",
"crt": "server.crt",
"key": "server.key"
}
}
},
"tests": {
"1": {
"comment": "Rejects tls10 over tls12 and tls12 over tls10 proxyspecs",
"states": {
"1": {
"testend": "client",
"cmd": "sslconnectfail",
"payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
},
"2": {
"testend": "server",
"cmd": "timeout",
"payload": ""
}
}
}
}
}

@ -160,6 +160,16 @@ ProxySpec {
TargetPort 9451
ForceSSLProto tls12
}
# Tests for SSL configuration: tls13 only
ProxySpec {
Proto https
Addr 127.0.0.1
Port 8462
DivertPort 8080
TargetAddr 127.0.0.1
TargetPort 9462
ForceSSLProto tls13
}
# Tests for SSL configuration: Rejects unsupported SSL/TLS proto
ProxySpec {
Proto https

@ -16,7 +16,8 @@
"2": "ssl_testset_2.json",
"3": "ssl_testset_3.json",
"4": "ssl_testset_4.json",
"5": "ssl_testset_5.json"
"5": "ssl_testset_5.json",
"6": "ssl_testset_6.json"
}
},
"3": {
@ -43,4 +44,4 @@
}
}
}
}
}
