Merge remote-tracking branch 'origin/topic/johanna/cert-validation'

* origin/topic/johanna/cert-validation: and still use the hash for notice suppression. add knob to revert to old validation behavior Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates. BIT-1332 #merged
2025-10-09 01:58:20 +00:00 · 2015-03-17 09:07:51 -07:00 · 2015-03-17 09:07:51 -07:00 · 0cfe431f15
commit 0cfe431f15
parent 62a3a23a2b d208c95e9a
11 changed files with 234 additions and 32 deletions
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
@ -0,0 +1,37 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run proxy-1   "cp ../cluster-layout.bro . && CLUSTER_NODE=proxy-1 bro %INPUT"
+# @TEST-EXEC: btest-bg-run proxy-2   "cp ../cluster-layout.bro . && CLUSTER_NODE=proxy-2 bro %INPUT"
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT"
+# @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT"
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: cat manager-1/ssl*.log > ssl.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-file-ids btest-diff ssl.log
+#
+
+redef Log::default_rotation_interval = 0secs;
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")],
+	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"],
+};
+@TEST-END-FILE
+
+event terminate_me() {
+	terminate();
+}
+
+event remote_connection_closed(p: event_peer) {
+	schedule 1sec { terminate_me() };
+}
+
+
+@load base/frameworks/cluster
+@load protocols/ssl/validate-certs.bro
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load protocols/ssl/validate-certs.bro
+
+redef SSL::ssl_cache_intermediate_ca = F;
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
@ -1,4 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
-# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: cat ssl.log > ssl-all.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff ssl-all.log

-@load protocols/ssl/validate-certs
+@load protocols/ssl/validate-certs.bro