
Commit 56fc62a

Add SSL tests
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
1 parent dccc4a1 commit 56fc62a


7 files changed

+386
-0
lines changed


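--- a/tests/files/ssl/ca.crt
+++ b/tests/files/ssl/ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUMwa7m6dtjVYPK5iZAMX8YUuHtxEwDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MjA2MTYwODQzMThaFw00NDExMTkwODQzMThaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQDDA9FeGFtcGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC923p9pD1ajiAPsM2W6cnjSkexHX2+sJeaLXL6zdFeUjLYRAnfzJ9xVih7
+91yWbuJ9OAswWmz83JrtSm1GqZpFucSz5pFqW2AVrhX5TezlxyH9QwPl+Scu1kCd
++wu7Fgkuw7a0SOpYafPQ6smucCWbxkyZTNgysNuWswykal4VCWyekaY/OojEImoG
+smGOXe1Pr2x8XsiWVau1UJ0jj/vh5VzF05mletaUOoQ+iorIHAfnOm2K53jAZlNG
+X83VJ1ijSDwiKcnFKcQqlq2Zt88UpxMMv0UyFbDCrOj5qfBbAvzZj5IgUi/NvoZz
+M+lzwT+/0mADkAHB6EVa4R29zM+fAgMBAAGjUzBRMB0GA1UdDgQWBBSloRx6dBUI
+gJb0yzP2c5zQdQQ+2TAfBgNVHSMEGDAWgBSloRx6dBUIgJb0yzP2c5zQdQQ+2TAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCCUEnzpu8hZAckICLR
+5JRDUiHJ3yJ5iv0b9ChNaz/AQBQGRE8bOPC2M/ZG1RuuQ8IbRbzK0fy1ty9KpG2D
+JC9iDL6zPOC3e5x2H8Gxbhvjz4QnHPbYTfdJSmX5tJyNIrJ77g4SW5g8eFApTHyY
+5KwRD3IDEu4pZNGsM7l0ODBC/4lvR8u7wPJDGyJBpE3uAKC20XqbG8BWm3kPb9+T
+wE4Ak/FEXcwARB0fJ6Jni9iK3TeReyB3rpsYJa4N9iY6f1qNy4qQZ8Va6EWPSNnB
+FhvCIYt4LdgM9ffUuHPrCX7qdgSNiL4VijgLaEHjFUUlLb6NHgQfYx/JG7wstiKs
+Syzb
+-----END CERTIFICATE-----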

tests/files/ssl/empty

Whitespace-only changes.

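--- a/tests/files/ssl/generate.sh
+++ b/tests/files/ssl/generate.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+# An example how-to re-generate testing certificates (because usually
+# TLS certificates have expiration dates and some day they will expire).
+#
+# The instruction is valid for:
+#
+# $ openssl version
+# OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
+
+cat <<EOF > domains_localhost.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+cat <<EOF > domains_invalidhost.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = invalidhostname
+EOF
+
+openssl req -x509 -nodes -new -sha256 -days 8192 -newkey rsa:2048 -keyout ca.key -out ca.pem -subj "/C=US/CN=Example-Root-CA"
+openssl x509 -outform pem -in ca.pem -out ca.crt
+
+openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost"
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_localhost.ext -out localhost.crt
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_invalidhost.ext -out invalidhost.crt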
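Review bot: The script leaves the unencrypted CA private key `ca.key` (created with `-nodes`), together with `ca.pem`, the serial file from `-CAcreateserial`, `localhost.csr` and the two `.ext` files, in whatever directory it is run from, and nothing in the visible lines removes them. Anyone who adds `ca.crt` to a trust store for local testing then trusts every certificate that key can sign, so the key should not outlive the run; ending the script with `rm -f ca.key ca.pem ca.srl localhost.csr domains_localhost.ext domains_invalidhost.ext` covers that. A header comment such as `# Test fixtures only: these keys are published in the repository and must never be used outside the test suite.` would also help, since `localhost.key` is committed next to the script. `invalidhost.crt` is signed from `localhost.csr`, so it shares `localhost.key` and the `CN=localhost` subject and differs only in its SAN, which deserves a one-line comment for whoever regenerates the files.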

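--- a/tests/files/ssl/invalidhost.crt
+++ b/tests/files/ssl/invalidhost.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUV7NbprG6FEvrSP0kZ7pT9s7eN7swDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MjA2MTYwODQzMThaFw00NDExMTkwODQzMThaMGcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MR0wGwYDVQQKDBRFeGFt
+cGxlLUNlcnRpZmljYXRlczESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqGqKNkOVMGeIClmjLRf02UhtpYcGYVmiblpB
+rqbI7eXKKIXMm4ppEEC/1YMVx/iYNYUK0xXxtzZUe1R6L5PYKAm1X+EQ4Sipyj/s
+J+qsHxC65mavKB0ylZLZxAjZbiqBBYWwt0uz6ihHAtNXmoBzCE/mTRI3vTOd+CGQ
+EI5pLGB85UuyvTfMKFwV9cTfltqGNyAZ670TFxtIwLeGuExfAFTVyofFWb8Kniby
+EwKm/1giFl0HrKsHzPljKjlug6lcUeGxooTUJ9sxe6zPYGy2c6EqyV62/UVzgxv9
+LNejeh3vlFmQbeawrwvQSMNi+sVuiaYmq/FIw5e4pUYUTjf+SQIDAQABo3YwdDAf
+BgNVHSMEGDAWgBSloRx6dBUIgJb0yzP2c5zQdQQ+2TAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIE8DAaBgNVHREEEzARgg9pbnZhbGlkaG9zdG5hbWUwHQYDVR0OBBYEFNpJ
+/WkoMwKCdo0w0HV8aYm1m7ayMA0GCSqGSIb3DQEBCwUAA4IBAQC2tCfqPF2QrieZ
+5632SyuX9oDzBCPQv2vi68QRtL+VxjmJ+IPLHdpZ96jTM7pYIAQ5QVm357JXLixU
+NJ0eqgGIFrY4Evx91AGEAX20Ccn8CCXK3LsG1z1UWrvH/txEyOecuLCukaDI5ejq
+z1/CKJhxF7bBfukfG2X8qWqqUNRQpkdQObMwZ6Np/GhITIDldxRMIaP05pUGPybR
+CrEiC5F5lwgVAwlNhnfJuBcH3XMKWFZuiyur3O6PfSmUByainSnLY94RefofyEct
+t20ikQssE6XcX/soTtmwOvIGHHMGcuKBbTwlF0dxv9pLrikpXrv0sf3mT+abUqND
+oPmVcDJp
+-----END CERTIFICATE-----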

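--- a/tests/files/ssl/localhost.crt
+++ b/tests/files/ssl/localhost.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUI7y4bpqOVjvp9aEzUlsSO4pZgjAwDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MjA2MTYwODQzMThaFw00NDExMTkwODQzMThaMGcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MR0wGwYDVQQKDBRFeGFt
+cGxlLUNlcnRpZmljYXRlczESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqGqKNkOVMGeIClmjLRf02UhtpYcGYVmiblpB
+rqbI7eXKKIXMm4ppEEC/1YMVx/iYNYUK0xXxtzZUe1R6L5PYKAm1X+EQ4Sipyj/s
+J+qsHxC65mavKB0ylZLZxAjZbiqBBYWwt0uz6ihHAtNXmoBzCE/mTRI3vTOd+CGQ
+EI5pLGB85UuyvTfMKFwV9cTfltqGNyAZ670TFxtIwLeGuExfAFTVyofFWb8Kniby
+EwKm/1giFl0HrKsHzPljKjlug6lcUeGxooTUJ9sxe6zPYGy2c6EqyV62/UVzgxv9
+LNejeh3vlFmQbeawrwvQSMNi+sVuiaYmq/FIw5e4pUYUTjf+SQIDAQABo3YwdDAf
+BgNVHSMEGDAWgBSloRx6dBUIgJb0yzP2c5zQdQQ+2TAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIE8DAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFNpJ
+/WkoMwKCdo0w0HV8aYm1m7ayMA0GCSqGSIb3DQEBCwUAA4IBAQC2UFwSoqAMfg1h
+xhYauemq13+JXPOnfoR74WzJc8Wva51Bqr8YpVxXU8GCViZKdWi/6sT5h//M4Zrp
+wmcUruAQinRUy7RzKoXFHL7g6hQOE440gqaePE/PvjTde8l7FeiGTCSfAqIIFpsz
+8YhVajenrzt9ppaHnad/N59uCnIULZrezRq8wJl8Zw82IR/Szcu/4O/tSimYuleY
+pNX1h5w2mfpNmKeXkseU8cid1GhCnBg2FK6t6xZ4sSCL2nlpNKsbYvLg5rViRavO
+7roUcU4BKK5NnGuYOPKYycSpC500V+shnCq4vTZSsPTOT2dHdMMK5HguxzHxixQv
+yPeWBYqy
+-----END CERTIFICATE-----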

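--- a/tests/files/ssl/localhost.key
+++ b/tests/files/ssl/localhost.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCoaoo2Q5UwZ4gK
+WaMtF/TZSG2lhwZhWaJuWkGupsjt5coohcybimkQQL/VgxXH+Jg1hQrTFfG3NlR7
+VHovk9goCbVf4RDhKKnKP+wn6qwfELrmZq8oHTKVktnECNluKoEFhbC3S7PqKEcC
+01eagHMIT+ZNEje9M534IZAQjmksYHzlS7K9N8woXBX1xN+W2oY3IBnrvRMXG0jA
+t4a4TF8AVNXKh8VZvwqeJvITAqb/WCIWXQesqwfM+WMqOW6DqVxR4bGihNQn2zF7
+rM9gbLZzoSrJXrb9RXODG/0s16N6He+UWZBt5rCvC9BIw2L6xW6Jpiar8UjDl7il
+RhRON/5JAgMBAAECggEAHWxlorbadvcziYlhDIUJsjdo7pkhOHtSOUDcBlEdvBBg
+KgW8OjVrhxsk2L7a3JG2N+17N2c3UGi1yEk5QpwsEMynay2VRx0VUuApmEyzzwab
+fJrWgaXeO0sJcCoSoKBc47PYbKGVeHSaeWgmfzfvQPXCmNb0tYGx2NK2Smoy/j1B
+lXgODPkXHuzj0LOA3OkapgrxqHpN+kPjAfaY8vKYBQ8lbROT3kjgjqEzykC3bCzj
+ZNZArGovBRAGr7dvjdh791g3hN2cAgIWhTg4zu8N6gf18G1l4bH8nmRzWT/z7eJi
+QvmGjXVPUEpBcWRZuHms5cGcxb7V6smvuJp4v1n+rQKBgQDa1rqNwVlk1Jo0oT5U
+KUyJwjaVXa3Foy5oR/T66UDIEBiMEonfI/miMlwXRXdhC1WQTeddk5vX+pn3ISZT
+mN6zwz2NGE1i4GmOLIG9a9JkCSPffqDiwYFd2uhbTfKNehIHOC4Xdg/UGz+vOGFZ
+MxYiSrytYK6svgHjHlFPp/uP9QKBgQDFA9wVmE76FqVC7crA7Djkyt4cRU5LEILO
+qp4AxWE8HU/vlht4PhVA/dgMTNkVLiyrSgTGm15FQKZWe2FMVaAnRcmLy6bRpcAM
+fP4HNtwjRWHx1Q4lMRZLrZPO0W8RXUqgMgGd3w1kyJK/C9wnD/01h+3lAnJ1cHlD
+5jub6RDkhQKBgQCUciSKFCY3p6ATI23MWVd5+yxblfhSoKbSRj2AFsnC7Gg6XDj6
+DMVBqTee8ZhRVAbupGnVqFOG5o+ae/orqv8mocIW++1CrUftEXPQsls9UJXs/VDV
+gL3olJ4ZkX5/SdcA3rMlZwjFsNY6XdxrTaQuDtR+J59Vvm45Sk+N4T1cIQKBgG9d
+zSzP2eT4pBZ/QJtpbIe4PXGRo74+6RJV09bvvBU1JJh0K7b+sRj55QSe9B9K6Kky
+wBxcex9+eghs2gVCabOJeXJyfiwIG9VzWk1Nr4aok8MWAlb3tni099ZzAOu55pND
+cTKCgZm0327rD1ltal62Jb3MclL8by/4lz18s7XZAoGBANSv/AdjlJUQ++9I+P1+
+g7rgrfWKLyQ8FSljO7dAOWsDjrFHSi2f2HCh3URcKqzdjG+/iK+MyKUlaUZDLCzf
+QNgI+7n5I/aHfhRWo7ytRPTd78Gyw/lDGW3Pz8MzXJ4pVDgr2UB7KN91/Rx9dJfN
+3K04YR/TSpwB0Nug+5a1XuGh
+-----END PRIVATE KEY-----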

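--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -0,0 +1,259 @@
+import asyncio
+import unittest
+import os
+
+import asynctnt
+from asynctnt.exceptions import SSLError
+from asynctnt.instance import TarantoolSyncInstance
+from tests import BaseTarantoolTestCase
+
+def is_test_ssl():
+env = os.getenv("TEST_TT_SSL")
+if env:
+env = env.upper()
+return env == "1" or env == "TRUE"
+return False
+
+
+@unittest.skipIf(not is_test_ssl(), "TEST_TT_SSL is not set.")
+class SSLTestCase(BaseTarantoolTestCase):
+DO_CONNECT = False
+
+ssl_files_dir = os.path.join(os.getcwd(), 'tests', 'files', 'ssl')
+cert_file = os.path.join(ssl_files_dir, "localhost.crt")
+invalidhost_cert_file = os.path.join(ssl_files_dir, "invalidhost.crt")
+key_file = os.path.join(ssl_files_dir, "localhost.key")
+ca_file = os.path.join(ssl_files_dir, "ca.crt")
+empty_file = os.path.join(ssl_files_dir, "empty")
+invalid_file = "any_invalid_path"
+
+async def test__connect(self):
+if self.in_docker:
+self.skipTest('Skipping as running inside the docker')
+return
+
+class SslTestSubcase:
+def __init__(self,
+name="",
+expectSSLError=False,
+expectTimeoutError=False,
+server_transport=asynctnt.Transport.SSL,
+server_key_file=None,
+server_cert_file=None,
+server_ca_file=None,
+server_ciphers=None,
+client_transport=asynctnt.Transport.SSL,
+client_cert_file=None,
+client_key_file=None,
+client_ca_file=None,
+client_ciphers=None):
+self.name = name
+self.expectSSLError = expectSSLError
+self.expectTimeoutError = expectTimeoutError
+self.server_transport = server_transport
+self.server_key_file = server_key_file
+self.server_cert_file = server_cert_file
+self.server_ca_file = server_ca_file
+self.server_ciphers = server_ciphers
+self.client_transport = client_transport
+self.client_cert_file = client_cert_file
+self.client_key_file = client_key_file
+self.client_ca_file = client_ca_file
+self.client_ciphers = client_ciphers
+
+# Requirements from Tarantool Enterprise Edition manual:
+# https://www.tarantool.io/en/enterprise_doc/security/#configuration
+#
+# For a server:
+# ssl_key_file - mandatory
+# ssl_cert_file - mandatory
+# ssl_ca_file - optional
+# ssl_ciphers - optional
+#
+# For a client:
+# ssl_key_file - optional, mandatory if server.CaFile set
+# ssl_cert_file - optional, mandatory if server.CaFile set
+# ssl_ca_file - optional
+# ssl_ciphers - optional
+testcases = [
+SslTestSubcase(
+name="no_ssl_server",
+expectSSLError=True,
+server_transport=asynctnt.Transport.DEFAULT),
+SslTestSubcase(
+name="key_crt_server",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file),
+SslTestSubcase(
+name="no_ssl_client",
+expectTimeoutError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+client_transport=asynctnt.Transport.DEFAULT),
+SslTestSubcase(
+name="key_crt_server_and_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file),
+SslTestSubcase(
+name="key_crt_ca_server",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_crt_client",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_cert_file=self.cert_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_key_crt_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_invalidhost_crt_ca_server_and_key_crt_ca_client",
+# A Tarantool implementation does not check hostname. It's
+# the expected behavior. We don't do that too.
+server_key_file=self.key_file,
+server_cert_file=self.invalidhost_cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_invalid_crt",
+expectSSLError=True,
+client_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_key_file=self.key_file,
+client_cert_file=self.invalid_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_invalid_key",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.invalid_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_invalid_ca",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.invalid_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_empty_crt",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.empty_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_empty_key",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.empty_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_empty_ca",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.empty_file),
+SslTestSubcase(
+name="key_crt_ca_ciphers_server_and_key_crt_ca_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_ciphers_server_and_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file,
+client_ciphers="ECDHE-RSA-AES256-GCM-SHA384"),
+SslTestSubcase(
+name="non_equal_ciphers",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file,
+client_ciphers="TLS_AES_128_GCM_SHA256"),
+]
+
+for t in testcases:
+with self.subTest(msg=t.name):
+tnt = TarantoolSyncInstance(
+port=TarantoolSyncInstance.get_random_port(),
+transport=t.server_transport,
+ssl_key_file=t.server_key_file,
+ssl_cert_file=t.server_cert_file,
+ssl_ca_file=t.server_ca_file,
+ssl_ciphers=t.server_ciphers,
+applua=self.read_applua(),
+cleanup=self.TNT_CLEANUP,
+)
+
+tnt.start()
+try:
+conn = await asynctnt.connect(host=tnt.host, port=tnt.port,
+transport=t.client_transport,
+ssl_key_file=t.client_key_file,
+ssl_cert_file=t.client_cert_file,
+ssl_ca_file=t.client_ca_file,
+ssl_ciphers=t.client_ciphers,
+reconnect_timeout=0)
+
+tupl = [1, 'hello', 1, 4, 'what is up']
+await conn.insert(self.TESTER_SPACE_ID, tupl)
+res = await conn.select(self.TESTER_SPACE_NAME, tupl[0:1])
+self.assertResponseEqual(res[0], tupl, 'Tuple ok')
+except SSLError as e:
+if not t.expectSSLError:
+self.fail(e)
+except asyncio.exceptions.TimeoutError as e:
+if not t.expectTimeoutError:
+self.fail(e)
+except Exception as e:
+self.fail(e)
+finally:
+tnt.stop()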
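Review bot: The negative subcases never assert that the connection actually failed: in the `try` block at the end of `test__connect`, a subcase with `expectSSLError=True` or `expectTimeoutError=True` passes both when the expected exception is raised and when `asynctnt.connect`, `insert` and `select` all succeed. A regression in which the server accepts a client that presents no certificate (`key_crt_ca_server`) or a mismatched cipher list (`non_equal_ciphers`) would therefore go unnoticed. I would add an `else:` clause to the `try` containing `if t.expectSSLError or t.expectTimeoutError: self.fail('connection unexpectedly succeeded: ' + t.name)`. Separately, `conn` is never closed before `tnt.stop()`, and `ssl_files_dir` is built from `os.getcwd()`, so the fixtures are found only when the tests are started from the repository root; `os.path.dirname(__file__)` would remove that dependency.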
