tlsutil: Testing hostname verification

This commit is contained in:
Armon Dadgar 2015-05-11 16:05:39 -07:00
parent b9d640aa3b
commit 7ab35416fb
2 changed files with 117 additions and 3 deletions

View File

@ -6,6 +6,7 @@ import (
"fmt"
"io/ioutil"
"net"
"strings"
"time"
)
@ -157,11 +158,14 @@ func (c *Config) OutgoingTLSWrapper() (DCWrapper, error) {
return nil, nil
}
// Strip the trailing '.' from the domain if any
domain := strings.TrimSuffix(c.Domain, ".")
// Generate the wrapper based on hostname verification
if c.VerifyServerHostname {
wrapper := func(dc string, conn net.Conn) (net.Conn, error) {
conf := *tlsConfig
conf.ServerName = "server." + dc + "." + c.Domain
conf.ServerName = "server." + dc + "." + domain
return WrapTLSClient(conn, &conf)
}
return wrapper, nil

View File

@ -7,6 +7,8 @@ import (
"io/ioutil"
"net"
"testing"
"github.com/hashicorp/yamux"
)
func TestConfig_AppendCA_None(t *testing.T) {
@ -191,8 +193,16 @@ func startTLSServer(config *Config) (net.Conn, chan error) {
}
client, server := net.Pipe()
// Use yamux to buffer the reads, otherwise it's easy to deadlock
muxConf := yamux.DefaultConfig()
serverSession, _ := yamux.Server(server, muxConf)
clientSession, _ := yamux.Client(client, muxConf)
clientConn, _ := clientSession.Open()
serverConn, _ := serverSession.Accept()
go func() {
tlsServer := tls.Server(server, tlsConfigServer)
tlsServer := tls.Server(serverConn, tlsConfigServer)
if err := tlsServer.Handshake(); err != nil {
errc <- err
}
@ -206,7 +216,107 @@ func startTLSServer(config *Config) (net.Conn, chan error) {
io.Copy(ioutil.Discard, tlsServer)
tlsServer.Close()
}()
return client, errc
return clientConn, errc
}
func TestConfig_outgoingWrapper_OK(t *testing.T) {
config := &Config{
CAFile: "../test/hostname/CertAuth.crt",
CertFile: "../test/hostname/Alice.crt",
KeyFile: "../test/hostname/Alice.key",
VerifyServerHostname: true,
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
wrap, err := config.OutgoingTLSWrapper()
if err != nil {
t.Fatalf("OutgoingTLSWrapper err: %v", err)
}
tlsClient, err := wrap("dc1", client)
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
}
defer tlsClient.Close()
if err := tlsClient.(*tls.Conn).Handshake(); err != nil {
t.Fatalf("write err: %v", err)
}
err = <-errc
if err != nil {
t.Fatalf("server: %v", err)
}
}
func TestConfig_outgoingWrapper_BadDC(t *testing.T) {
config := &Config{
CAFile: "../test/hostname/CertAuth.crt",
CertFile: "../test/hostname/Alice.crt",
KeyFile: "../test/hostname/Alice.key",
VerifyServerHostname: true,
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
wrap, err := config.OutgoingTLSWrapper()
if err != nil {
t.Fatalf("OutgoingTLSWrapper err: %v", err)
}
tlsClient, err := wrap("dc2", client)
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
}
defer tlsClient.Close()
err = tlsClient.(*tls.Conn).Handshake()
if _, ok := err.(x509.HostnameError); !ok {
t.Fatalf("should get hostname err: %v", err)
}
<-errc
}
func TestConfig_outgoingWrapper_BadCert(t *testing.T) {
config := &Config{
CAFile: "../test/ca/root.cer",
CertFile: "../test/key/ourdomain.cer",
KeyFile: "../test/key/ourdomain.key",
VerifyServerHostname: true,
Domain: "consul",
}
client, errc := startTLSServer(config)
if client == nil {
t.Fatalf("startTLSServer err: %v", <-errc)
}
wrap, err := config.OutgoingTLSWrapper()
if err != nil {
t.Fatalf("OutgoingTLSWrapper err: %v", err)
}
tlsClient, err := wrap("dc1", client)
if err != nil {
t.Fatalf("wrapTLS err: %v", err)
}
defer tlsClient.Close()
err = tlsClient.(*tls.Conn).Handshake()
if _, ok := err.(x509.HostnameError); !ok {
t.Fatalf("should get hostname err: %v", err)
}
<-errc
}
func TestConfig_wrapTLS_OK(t *testing.T) {