Implement positive/negative tests for peer verification #1035
Comments
@maggyero, given your expertise in contributing #1030, would you mind tackling this issue too? Thanks in advance.
In my experience this is a royal PITA to automate testing of peer verification since standard TLS peer verification usually involves hostname comparison. How about we introduce some examples that use tls-gen instead and learn/document the behavior that way?
Hi Michael - I have some ideas for testing it that I want to try first,
falling back to your suggestion if needed.
…On Fri, May 4, 2018, 7:56 PM Michael Klishin ***@***.***> wrote:
In my experience this is a royal PITA to automate testing of peer
verification since standard TLS peer verification usually involves hostname
comparison. How about we introduce some examples that use tls-gen
<https://github.com/michaelklishin/tls-gen> instead and learn/document
the behavior that way?
Hi @vitaly-krugl and @michaelklishin. I'm not a T.L.S. specialist but maybe I could help. First I noticed that you rely on the RFC 2818 (published in May 2000) describes two methods to match a domain name against a certificate:
So the new standard is to set the domain names in the In order to generate a C.A.-signed certificate with a SAN section, the two key things are:
This is the best openssl.cnf example file (with all the
@michaelklishin The good thing with the SAN section is that, contrary to the Subject section, you can specify multiple domain names (using multiple
Thanks @maggyero!
I suggest that Pika adopts tls-gen's basic profile (possibly with some tweaks and improvements) for tests instead of reinventing the wheel :) We already do that in one doc guide, in fact.
@maggyero thanks good to know. That deserves a couple of sections in RabbitMQ's TLS and Management plugin guides, in fact.
See discussion in issue #464 for additional background.
See also issue #744.
In pika master targeting pika v1.0.0 release, the connection parameters support passing SSLContext and server_hostname via SSLOptions. This enables the app to control all the SSL features called out in the description of this issue. In particular:
context.verify_mode = ssl.CERT_REQUIRED; and
SSLSocket.do_handshake() to call ssl.match_hostname(), which is supported since python 2.7.9.
At this point, I am thinking about having the new positive/negative MITM tests in the following acceptance test scripts:
create_streaming_connection() tests:
ssl.CERT_REQUIRED, context.check_hostname = True and a server_hostname that matches the one in the server certificate and connects successfully;
ssl.CERT_REQUIRED, context.check_hostname = True and a server_hostname that doesn't match the one in the server certificate and fails to connect as the result of mismatched server_hostname; and
NOTE: We presently have some certs in https://github.com/pika/pika/tree/master/testdata/. This would be a good place to store additional cert(s) needed by the tests, should we need more. Also, when creating additional certs for the tests, have the cert expiration date really far out so we don't have to revisit this for a while.
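The positive/negative pair described above, as an added sketch that is not pika's test code: it uses only Python's ssl module with an in-memory handshake, so no broker or socket is needed. It assumes the openssl CLI (1.1.1 or later) is on PATH; the host names broker.test and other.test and all helper names are made up for the example.

```python
import os, ssl, subprocess, tempfile

CERT_HOST = "broker.test"  # constructed name placed in the certificate's SAN

def make_cert(workdir, hostname):
    """Self-signed cert with a SAN entry, expiring far in the future."""
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "36500",
         "-subj", "/CN=" + hostname, "-addext", "subjectAltName=DNS:" + hostname],
        check=True, capture_output=True)
    return cert, key

def try_handshake(cert, key, server_hostname):
    """Return "ok" or the verification failure message seen by the client."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.verify_mode = ssl.CERT_REQUIRED
    client_ctx.check_hostname = True
    client_ctx.load_verify_locations(cert)  # trust only the test certificate
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=server_hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):  # shuttle handshake records between the two sides
        finished = 0
        for side, out, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            try:
                side.do_handshake()
                finished += 1
            except ssl.SSLWantReadError:
                pass  # this side is waiting for the peer's next records
            except ssl.SSLCertVerificationError as exc:
                return exc.verify_message
            data = out.read()
            if data:
                peer_in.write(data)
        if finished == 2:
            return "ok"
    return "handshake did not complete"

def run_pair():
    """Positive case (matching name), then negative case (mismatched name)."""
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_cert(workdir, CERT_HOST)
        return (try_handshake(cert, key, CERT_HOST),
                try_handshake(cert, key, "other.test"))
```

Returning the verification message lets the negative test assert that the connection failed because of the hostname mismatch and not for an unrelated reason such as an untrusted certificate.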