2
0

test_17_ssl_use.py 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. #***************************************************************************
  4. # _ _ ____ _
  5. # Project ___| | | | _ \| |
  6. # / __| | | | |_) | |
  7. # | (__| |_| | _ <| |___
  8. # \___|\___/|_| \_\_____|
  9. #
  10. # Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  11. #
  12. # This software is licensed as described in the file COPYING, which
  13. # you should have received as part of this distribution. The terms
  14. # are also available at https://curl.se/docs/copyright.html.
  15. #
  16. # You may opt to use, copy, modify, merge, publish, distribute and/or sell
  17. # copies of the Software, and permit persons to whom the Software is
  18. # furnished to do so, under the terms of the COPYING file.
  19. #
  20. # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  21. # KIND, either express or implied.
  22. #
  23. # SPDX-License-Identifier: curl
  24. #
  25. ###########################################################################
  26. #
  27. import difflib
  28. import filecmp
  29. import json
  30. import logging
  31. import os
  32. from datetime import timedelta
  33. import pytest
  34. from testenv import Env, CurlClient, LocalClient, ExecResult
  35. log = logging.getLogger(__name__)
  36. class TestSSLUse:
  37. @pytest.fixture(autouse=True, scope='class')
  38. def _class_scope(self, env, nghttpx):
  39. if env.have_h3():
  40. nghttpx.start_if_needed()
  41. @pytest.fixture(autouse=True, scope='function')
  42. def _function_scope(self, request, env, httpd):
  43. httpd.clear_extra_configs()
  44. if 'httpd' not in request.node._fixtureinfo.argnames:
  45. httpd.reload_if_config_changed()
  46. def test_17_01_sslinfo_plain(self, env: Env, nghttpx, repeat):
  47. proto = 'http/1.1'
  48. curl = CurlClient(env=env)
  49. url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
  50. r = curl.http_get(url=url, alpn_proto=proto)
  51. assert r.json['HTTPS'] == 'on', f'{r.json}'
  52. assert 'SSL_SESSION_ID' in r.json, f'{r.json}'
  53. assert 'SSL_SESSION_RESUMED' in r.json, f'{r.json}'
  54. assert r.json['SSL_SESSION_RESUMED'] == 'Initial', f'{r.json}'
  55. @pytest.mark.parametrize("tls_max", ['1.2', '1.3'])
  56. def test_17_02_sslinfo_reconnect(self, env: Env, tls_max):
  57. proto = 'http/1.1'
  58. count = 3
  59. exp_resumed = 'Resumed'
  60. xargs = ['--sessionid', '--tls-max', tls_max, f'--tlsv{tls_max}']
  61. if env.curl_uses_lib('gnutls'):
  62. if tls_max == '1.3':
  63. exp_resumed = 'Initial' # 1.2 works in GnuTLS, but 1.3 does not, TODO
  64. if env.curl_uses_lib('libressl'):
  65. if tls_max == '1.3':
  66. exp_resumed = 'Initial' # 1.2 works in LibreSSL, but 1.3 does not, TODO
  67. if env.curl_uses_lib('wolfssl'):
  68. if tls_max == '1.3':
  69. exp_resumed = 'Initial' # 1.2 works in wolfSSL, but 1.3 does not, TODO
  70. if env.curl_uses_lib('rustls-ffi'):
  71. exp_resumed = 'Initial' # Rustls does not support sessions, TODO
  72. if env.curl_uses_lib('bearssl') and tls_max == '1.3':
  73. pytest.skip('BearSSL does not support TLSv1.3')
  74. if env.curl_uses_lib('mbedtls') and tls_max == '1.3':
  75. pytest.skip('mbedtls TLSv1.3 session resume not working in 3.6.0')
  76. curl = CurlClient(env=env)
  77. # tell the server to close the connection after each request
  78. urln = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo?'\
  79. f'id=[0-{count-1}]&close'
  80. r = curl.http_download(urls=[urln], alpn_proto=proto, with_stats=True,
  81. extra_args=xargs)
  82. r.check_response(count=count, http_status=200)
  83. # should have used one connection for each request, sessions after
  84. # first should have been resumed
  85. assert r.total_connects == count, r.dump_logs()
  86. for i in range(count):
  87. dfile = curl.download_file(i)
  88. assert os.path.exists(dfile)
  89. with open(dfile) as f:
  90. djson = json.load(f)
  91. assert djson['HTTPS'] == 'on', f'{i}: {djson}'
  92. if i == 0:
  93. assert djson['SSL_SESSION_RESUMED'] == 'Initial', f'{i}: {djson}'
  94. else:
  95. assert djson['SSL_SESSION_RESUMED'] == exp_resumed, f'{i}: {djson}'
  96. # use host name with trailing dot, verify handshake
  97. @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
  98. def test_17_03_trailing_dot(self, env: Env, proto):
  99. if proto == 'h3' and not env.have_h3():
  100. pytest.skip("h3 not supported")
  101. curl = CurlClient(env=env)
  102. domain = f'{env.domain1}.'
  103. url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'
  104. r = curl.http_get(url=url, alpn_proto=proto)
  105. assert r.exit_code == 0, f'{r}'
  106. assert r.json, f'{r}'
  107. if proto != 'h3': # we proxy h3
  108. # the SNI the server received is without trailing dot
  109. assert r.json['SSL_TLS_SNI'] == env.domain1, f'{r.json}'
  110. # use host name with double trailing dot, verify handshake
  111. @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
  112. def test_17_04_double_dot(self, env: Env, proto):
  113. if proto == 'h3' and not env.have_h3():
  114. pytest.skip("h3 not supported")
  115. if proto == 'h3' and env.curl_uses_lib('wolfssl'):
  116. pytest.skip("wolfSSL HTTP/3 peer verification does not properly check")
  117. curl = CurlClient(env=env)
  118. domain = f'{env.domain1}..'
  119. url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'
  120. r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
  121. '-H', f'Host: {env.domain1}',
  122. ])
  123. if r.exit_code == 0:
  124. assert r.json, f'{r.stdout}'
  125. # the SNI the server received is without trailing dot
  126. if proto != 'h3': # we proxy h3
  127. assert r.json['SSL_TLS_SNI'] == env.domain1, f'{r.json}'
  128. assert False, f'should not have succeeded: {r.json}'
  129. # 7 - Rustls rejects a servername with .. during setup
  130. # 35 - LibreSSL rejects setting an SNI name with trailing dot
  131. # 60 - peer name matching failed against certificate
  132. assert r.exit_code in [7, 35, 60], f'{r}'
  133. # use ip address for connect
  134. @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
  135. def test_17_05_ip_addr(self, env: Env, proto):
  136. if env.curl_uses_lib('bearssl'):
  137. pytest.skip("BearSSL does not support cert verification with IP addresses")
  138. if env.curl_uses_lib('mbedtls'):
  139. pytest.skip("mbedTLS does not support cert verification with IP addresses")
  140. if proto == 'h3' and not env.have_h3():
  141. pytest.skip("h3 not supported")
  142. curl = CurlClient(env=env)
  143. domain = f'127.0.0.1'
  144. url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'
  145. r = curl.http_get(url=url, alpn_proto=proto)
  146. assert r.exit_code == 0, f'{r}'
  147. assert r.json, f'{r}'
  148. if proto != 'h3': # we proxy h3
  149. # the SNI should not have been used
  150. assert 'SSL_TLS_SNI' not in r.json, f'{r.json}'
  151. # use localhost for connect
  152. @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
  153. def test_17_06_localhost(self, env: Env, proto):
  154. if proto == 'h3' and not env.have_h3():
  155. pytest.skip("h3 not supported")
  156. curl = CurlClient(env=env)
  157. domain = f'localhost'
  158. url = f'https://{env.authority_for(domain, proto)}/curltest/sslinfo'
  159. r = curl.http_get(url=url, alpn_proto=proto)
  160. assert r.exit_code == 0, f'{r}'
  161. assert r.json, f'{r}'
  162. if proto != 'h3': # we proxy h3
  163. assert r.json['SSL_TLS_SNI'] == domain, f'{r.json}'
  164. @staticmethod
  165. def gen_test_17_07_list():
  166. tls13_tests = [
  167. [None, True],
  168. [['TLS_AES_128_GCM_SHA256'], True],
  169. [['TLS_AES_256_GCM_SHA384'], False],
  170. [['TLS_CHACHA20_POLY1305_SHA256'], True],
  171. [['TLS_AES_256_GCM_SHA384',
  172. 'TLS_CHACHA20_POLY1305_SHA256'], True],
  173. ]
  174. tls12_tests = [
  175. [None, True],
  176. [['ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256'], True],
  177. [['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384'], False],
  178. [['ECDHE-ECDSA-CHACHA20-POLY1305', 'ECDHE-RSA-CHACHA20-POLY1305'], True],
  179. [['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384',
  180. 'ECDHE-ECDSA-CHACHA20-POLY1305', 'ECDHE-RSA-CHACHA20-POLY1305'], True],
  181. ]
  182. ret = []
  183. for tls_proto in ['TLSv1.3 +TLSv1.2', 'TLSv1.3', 'TLSv1.2']:
  184. for [ciphers13, succeed13] in tls13_tests:
  185. for [ciphers12, succeed12] in tls12_tests:
  186. ret.append([tls_proto, ciphers13, ciphers12, succeed13, succeed12])
  187. return ret
  188. @pytest.mark.parametrize("tls_proto, ciphers13, ciphers12, succeed13, succeed12", gen_test_17_07_list())
  189. def test_17_07_ssl_ciphers(self, env: Env, httpd, tls_proto, ciphers13, ciphers12, succeed13, succeed12):
  190. # to test setting cipher suites, the AES 256 ciphers are disabled in the test server
  191. httpd.set_extra_config('base', [
  192. 'SSLCipherSuite SSL'
  193. ' ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
  194. ':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305',
  195. 'SSLCipherSuite TLSv1.3'
  196. ' TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256',
  197. f'SSLProtocol {tls_proto}'
  198. ])
  199. httpd.reload_if_config_changed()
  200. proto = 'http/1.1'
  201. curl = CurlClient(env=env)
  202. url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
  203. # SSL backend specifics
  204. if env.curl_uses_lib('gnutls'):
  205. pytest.skip('GnuTLS does not support setting ciphers')
  206. elif env.curl_uses_lib('boringssl'):
  207. if ciphers13 is not None:
  208. pytest.skip('BoringSSL does not support setting TLSv1.3 ciphers')
  209. elif env.curl_uses_lib('schannel'): # not in CI, so untested
  210. if ciphers12 is not None:
  211. pytest.skip('Schannel does not support setting TLSv1.2 ciphers by name')
  212. elif env.curl_uses_lib('bearssl'):
  213. if tls_proto == 'TLSv1.3':
  214. pytest.skip('BearSSL does not support TLSv1.3')
  215. tls_proto = 'TLSv1.2'
  216. elif env.curl_uses_lib('sectransp'): # not in CI, so untested
  217. if tls_proto == 'TLSv1.3':
  218. pytest.skip('Secure Transport does not support TLSv1.3')
  219. tls_proto = 'TLSv1.2'
  220. # test
  221. extra_args = ['--tls13-ciphers', ':'.join(ciphers13)] if ciphers13 else []
  222. extra_args += ['--ciphers', ':'.join(ciphers12)] if ciphers12 else []
  223. r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)
  224. if tls_proto != 'TLSv1.2' and succeed13:
  225. assert r.exit_code == 0, r.dump_logs()
  226. assert r.json['HTTPS'] == 'on', r.dump_logs()
  227. assert r.json['SSL_PROTOCOL'] == 'TLSv1.3', r.dump_logs()
  228. assert ciphers13 is None or r.json['SSL_CIPHER'] in ciphers13, r.dump_logs()
  229. elif tls_proto == 'TLSv1.2' and succeed12:
  230. assert r.exit_code == 0, r.dump_logs()
  231. assert r.json['HTTPS'] == 'on', r.dump_logs()
  232. assert r.json['SSL_PROTOCOL'] == 'TLSv1.2', r.dump_logs()
  233. assert ciphers12 is None or r.json['SSL_CIPHER'] in ciphers12, r.dump_logs()
  234. else:
  235. assert r.exit_code != 0, r.dump_logs()
  236. @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
  237. def test_17_08_cert_status(self, env: Env, proto):
  238. if proto == 'h3' and not env.have_h3():
  239. pytest.skip("h3 not supported")
  240. if not env.curl_uses_lib('openssl') and \
  241. not env.curl_uses_lib('gnutls') and \
  242. not env.curl_uses_lib('quictls'):
  243. pytest.skip("TLS library does not support --cert-status")
  244. curl = CurlClient(env=env)
  245. domain = f'localhost'
  246. url = f'https://{env.authority_for(domain, proto)}/'
  247. r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
  248. '--cert-status'
  249. ])
  250. # CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info
  251. assert r.exit_code == 91, f'{r}'
  252. @staticmethod
  253. def gen_test_17_09_list():
  254. ret = []
  255. for tls_proto in ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']:
  256. for max_ver in range(0, 5):
  257. for min_ver in range(-2, 4):
  258. ret.append([tls_proto, max_ver, min_ver])
  259. return ret
  260. @pytest.mark.parametrize("tls_proto, max_ver, min_ver", gen_test_17_09_list())
  261. def test_17_09_ssl_min_max(self, env: Env, httpd, tls_proto, max_ver, min_ver):
  262. httpd.set_extra_config('base', [
  263. f'SSLProtocol {tls_proto}',
  264. 'SSLCipherSuite ALL:@SECLEVEL=0',
  265. ])
  266. httpd.reload_if_config_changed()
  267. proto = 'http/1.1'
  268. curl = CurlClient(env=env)
  269. url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
  270. # SSL backend specifics
  271. if env.curl_uses_lib('bearssl'):
  272. supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
  273. elif env.curl_uses_lib('sectransp'): # not in CI, so untested
  274. supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
  275. elif env.curl_uses_lib('gnutls'):
  276. supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
  277. elif env.curl_uses_lib('quiche'):
  278. supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
  279. else: # most SSL backends dropped support for TLSv1.0, TLSv1.1
  280. supported = [None, None, 'TLSv1.2', 'TLSv1.3']
  281. # test
  282. extra_args = [[], ['--tlsv1'], ['--tlsv1.0'], ['--tlsv1.1'], ['--tlsv1.2'], ['--tlsv1.3']][min_ver+2] + \
  283. [['--tls-max', '1.0'], ['--tls-max', '1.1'], ['--tls-max', '1.2'], ['--tls-max', '1.3'], []][max_ver]
  284. r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)
  285. if max_ver >= min_ver and tls_proto in supported[max(0, min_ver):min(max_ver, 3)+1]:
  286. assert r.exit_code == 0 , r.dump_logs()
  287. assert r.json['HTTPS'] == 'on', r.dump_logs()
  288. assert r.json['SSL_PROTOCOL'] == tls_proto, r.dump_logs()
  289. else:
  290. assert r.exit_code != 0, r.dump_logs()