
Commit e935ef8

Add SSL tests
To run the SSL tests, use Tarantool Enterprise 2.10 or newer and set the TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in the tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
1 parent 0e9b087 commit e935ef8


7 files changed

+385
-0
lines changed


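--- a/tests/files/ssl/ca.crt
+++ b/tests/files/ssl/ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUMwa7m6dtjVYPK5iZAMX8YUuHtxEwDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MjA2MTYwODQzMThaFw00NDExMTkwODQzMThaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQDDA9FeGFtcGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC923p9pD1ajiAPsM2W6cnjSkexHX2+sJeaLXL6zdFeUjLYRAnfzJ9xVih7
+91yWbuJ9OAswWmz83JrtSm1GqZpFucSz5pFqW2AVrhX5TezlxyH9QwPl+Scu1kCd
++wu7Fgkuw7a0SOpYafPQ6smucCWbxkyZTNgysNuWswykal4VCWyekaY/OojEImoG
+smGOXe1Pr2x8XsiWVau1UJ0jj/vh5VzF05mletaUOoQ+iorIHAfnOm2K53jAZlNG
+X83VJ1ijSDwiKcnFKcQqlq2Zt88UpxMMv0UyFbDCrOj5qfBbAvzZj5IgUi/NvoZz
+M+lzwT+/0mADkAHB6EVa4R29zM+fAgMBAAGjUzBRMB0GA1UdDgQWBBSloRx6dBUI
+gJb0yzP2c5zQdQQ+2TAfBgNVHSMEGDAWgBSloRx6dBUIgJb0yzP2c5zQdQQ+2TAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCCUEnzpu8hZAckICLR
+5JRDUiHJ3yJ5iv0b9ChNaz/AQBQGRE8bOPC2M/ZG1RuuQ8IbRbzK0fy1ty9KpG2D
+JC9iDL6zPOC3e5x2H8Gxbhvjz4QnHPbYTfdJSmX5tJyNIrJ77g4SW5g8eFApTHyY
+5KwRD3IDEu4pZNGsM7l0ODBC/4lvR8u7wPJDGyJBpE3uAKC20XqbG8BWm3kPb9+T
+wE4Ak/FEXcwARB0fJ6Jni9iK3TeReyB3rpsYJa4N9iY6f1qNy4qQZ8Va6EWPSNnB
+FhvCIYt4LdgM9ffUuHPrCX7qdgSNiL4VijgLaEHjFUUlLb6NHgQfYx/JG7wstiKs
+Syzb
+-----END CERTIFICATE-----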

tests/files/ssl/empty

Whitespace-only changes.

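--- a/tests/files/ssl/generate.sh
+++ b/tests/files/ssl/generate.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+# An example how-to re-generate testing certificates (because usually
+# TLS certificates have expiration dates and some day they will expire).
+#
+# The instruction is valid for:
+#
+# $ openssl version
+# OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
+
+cat <<EOF > domains_localhost.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+cat <<EOF > domains_invalidhost.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = invalidhostname
+EOF
+
+openssl req -x509 -nodes -new -sha256 -days 8192 -newkey rsa:2048 -keyout ca.key -out ca.pem -subj "/C=US/CN=Example-Root-CA"
+openssl x509 -outform pem -in ca.pem -out ca.crt
+
+openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost"
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_localhost.ext -out localhost.crt
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_invalidhost.ext -out invalidhost.crt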
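Review bot: Nothing in the script says that the keys it writes are throwaway test fixtures, and `ca.key`, `ca.pem`, `localhost.csr` and the two `.ext` files are left behind in whatever directory it is run from. Add a header comment such as `# Test-only material: localhost.key is committed on purpose; never trust ca.crt or reuse these keys outside the test suite, and do not commit ca.key.` and end the script with `rm -f ca.key ca.pem localhost.csr domains_localhost.ext domains_invalidhost.ext`. A one-line comment above the last command should also say that `invalidhost.crt` is issued from the same `localhost.csr` and therefore shares `localhost.key` with `localhost.crt`, which is what the test relies on when it pairs that certificate with `key_file`.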

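--- a/tests/files/ssl/invalidhost.crt
+++ b/tests/files/ssl/invalidhost.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUV7NbprG6FEvrSP0kZ7pT9s7eN7swDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MjA2MTYwODQzMThaFw00NDExMTkwODQzMThaMGcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MR0wGwYDVQQKDBRFeGFt
+cGxlLUNlcnRpZmljYXRlczESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqGqKNkOVMGeIClmjLRf02UhtpYcGYVmiblpB
+rqbI7eXKKIXMm4ppEEC/1YMVx/iYNYUK0xXxtzZUe1R6L5PYKAm1X+EQ4Sipyj/s
+J+qsHxC65mavKB0ylZLZxAjZbiqBBYWwt0uz6ihHAtNXmoBzCE/mTRI3vTOd+CGQ
+EI5pLGB85UuyvTfMKFwV9cTfltqGNyAZ670TFxtIwLeGuExfAFTVyofFWb8Kniby
+EwKm/1giFl0HrKsHzPljKjlug6lcUeGxooTUJ9sxe6zPYGy2c6EqyV62/UVzgxv9
+LNejeh3vlFmQbeawrwvQSMNi+sVuiaYmq/FIw5e4pUYUTjf+SQIDAQABo3YwdDAf
+BgNVHSMEGDAWgBSloRx6dBUIgJb0yzP2c5zQdQQ+2TAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIE8DAaBgNVHREEEzARgg9pbnZhbGlkaG9zdG5hbWUwHQYDVR0OBBYEFNpJ
+/WkoMwKCdo0w0HV8aYm1m7ayMA0GCSqGSIb3DQEBCwUAA4IBAQC2tCfqPF2QrieZ
+5632SyuX9oDzBCPQv2vi68QRtL+VxjmJ+IPLHdpZ96jTM7pYIAQ5QVm357JXLixU
+NJ0eqgGIFrY4Evx91AGEAX20Ccn8CCXK3LsG1z1UWrvH/txEyOecuLCukaDI5ejq
+z1/CKJhxF7bBfukfG2X8qWqqUNRQpkdQObMwZ6Np/GhITIDldxRMIaP05pUGPybR
+CrEiC5F5lwgVAwlNhnfJuBcH3XMKWFZuiyur3O6PfSmUByainSnLY94RefofyEct
+t20ikQssE6XcX/soTtmwOvIGHHMGcuKBbTwlF0dxv9pLrikpXrv0sf3mT+abUqND
+oPmVcDJp
+-----END CERTIFICATE-----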

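--- a/tests/files/ssl/localhost.crt
+++ b/tests/files/ssl/localhost.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUI7y4bpqOVjvp9aEzUlsSO4pZgjAwDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MjA2MTYwODQzMThaFw00NDExMTkwODQzMThaMGcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MR0wGwYDVQQKDBRFeGFt
+cGxlLUNlcnRpZmljYXRlczESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqGqKNkOVMGeIClmjLRf02UhtpYcGYVmiblpB
+rqbI7eXKKIXMm4ppEEC/1YMVx/iYNYUK0xXxtzZUe1R6L5PYKAm1X+EQ4Sipyj/s
+J+qsHxC65mavKB0ylZLZxAjZbiqBBYWwt0uz6ihHAtNXmoBzCE/mTRI3vTOd+CGQ
+EI5pLGB85UuyvTfMKFwV9cTfltqGNyAZ670TFxtIwLeGuExfAFTVyofFWb8Kniby
+EwKm/1giFl0HrKsHzPljKjlug6lcUeGxooTUJ9sxe6zPYGy2c6EqyV62/UVzgxv9
+LNejeh3vlFmQbeawrwvQSMNi+sVuiaYmq/FIw5e4pUYUTjf+SQIDAQABo3YwdDAf
+BgNVHSMEGDAWgBSloRx6dBUIgJb0yzP2c5zQdQQ+2TAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIE8DAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFNpJ
+/WkoMwKCdo0w0HV8aYm1m7ayMA0GCSqGSIb3DQEBCwUAA4IBAQC2UFwSoqAMfg1h
+xhYauemq13+JXPOnfoR74WzJc8Wva51Bqr8YpVxXU8GCViZKdWi/6sT5h//M4Zrp
+wmcUruAQinRUy7RzKoXFHL7g6hQOE440gqaePE/PvjTde8l7FeiGTCSfAqIIFpsz
+8YhVajenrzt9ppaHnad/N59uCnIULZrezRq8wJl8Zw82IR/Szcu/4O/tSimYuleY
+pNX1h5w2mfpNmKeXkseU8cid1GhCnBg2FK6t6xZ4sSCL2nlpNKsbYvLg5rViRavO
+7roUcU4BKK5NnGuYOPKYycSpC500V+shnCq4vTZSsPTOT2dHdMMK5HguxzHxixQv
+yPeWBYqy
+-----END CERTIFICATE-----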

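--- a/tests/files/ssl/localhost.key
+++ b/tests/files/ssl/localhost.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCoaoo2Q5UwZ4gK
+WaMtF/TZSG2lhwZhWaJuWkGupsjt5coohcybimkQQL/VgxXH+Jg1hQrTFfG3NlR7
+VHovk9goCbVf4RDhKKnKP+wn6qwfELrmZq8oHTKVktnECNluKoEFhbC3S7PqKEcC
+01eagHMIT+ZNEje9M534IZAQjmksYHzlS7K9N8woXBX1xN+W2oY3IBnrvRMXG0jA
+t4a4TF8AVNXKh8VZvwqeJvITAqb/WCIWXQesqwfM+WMqOW6DqVxR4bGihNQn2zF7
+rM9gbLZzoSrJXrb9RXODG/0s16N6He+UWZBt5rCvC9BIw2L6xW6Jpiar8UjDl7il
+RhRON/5JAgMBAAECggEAHWxlorbadvcziYlhDIUJsjdo7pkhOHtSOUDcBlEdvBBg
+KgW8OjVrhxsk2L7a3JG2N+17N2c3UGi1yEk5QpwsEMynay2VRx0VUuApmEyzzwab
+fJrWgaXeO0sJcCoSoKBc47PYbKGVeHSaeWgmfzfvQPXCmNb0tYGx2NK2Smoy/j1B
+lXgODPkXHuzj0LOA3OkapgrxqHpN+kPjAfaY8vKYBQ8lbROT3kjgjqEzykC3bCzj
+ZNZArGovBRAGr7dvjdh791g3hN2cAgIWhTg4zu8N6gf18G1l4bH8nmRzWT/z7eJi
+QvmGjXVPUEpBcWRZuHms5cGcxb7V6smvuJp4v1n+rQKBgQDa1rqNwVlk1Jo0oT5U
+KUyJwjaVXa3Foy5oR/T66UDIEBiMEonfI/miMlwXRXdhC1WQTeddk5vX+pn3ISZT
+mN6zwz2NGE1i4GmOLIG9a9JkCSPffqDiwYFd2uhbTfKNehIHOC4Xdg/UGz+vOGFZ
+MxYiSrytYK6svgHjHlFPp/uP9QKBgQDFA9wVmE76FqVC7crA7Djkyt4cRU5LEILO
+qp4AxWE8HU/vlht4PhVA/dgMTNkVLiyrSgTGm15FQKZWe2FMVaAnRcmLy6bRpcAM
+fP4HNtwjRWHx1Q4lMRZLrZPO0W8RXUqgMgGd3w1kyJK/C9wnD/01h+3lAnJ1cHlD
+5jub6RDkhQKBgQCUciSKFCY3p6ATI23MWVd5+yxblfhSoKbSRj2AFsnC7Gg6XDj6
+DMVBqTee8ZhRVAbupGnVqFOG5o+ae/orqv8mocIW++1CrUftEXPQsls9UJXs/VDV
+gL3olJ4ZkX5/SdcA3rMlZwjFsNY6XdxrTaQuDtR+J59Vvm45Sk+N4T1cIQKBgG9d
+zSzP2eT4pBZ/QJtpbIe4PXGRo74+6RJV09bvvBU1JJh0K7b+sRj55QSe9B9K6Kky
+wBxcex9+eghs2gVCabOJeXJyfiwIG9VzWk1Nr4aok8MWAlb3tni099ZzAOu55pND
+cTKCgZm0327rD1ltal62Jb3MclL8by/4lz18s7XZAoGBANSv/AdjlJUQ++9I+P1+
+g7rgrfWKLyQ8FSljO7dAOWsDjrFHSi2f2HCh3URcKqzdjG+/iK+MyKUlaUZDLCzf
+QNgI+7n5I/aHfhRWo7ytRPTd78Gyw/lDGW3Pz8MzXJ4pVDgr2UB7KN91/Rx9dJfN
+3K04YR/TSpwB0Nug+5a1XuGh
+-----END PRIVATE KEY-----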

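--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -0,0 +1,258 @@
+import asyncio
+import unittest
+import os
+
+import asynctnt
+from asynctnt.exceptions import SSLError
+from asynctnt.instance import TarantoolSyncInstance
+from tests import BaseTarantoolTestCase
+
+def is_test_ssl():
+env = os.getenv("TEST_TT_SSL")
+if env:
+env = env.upper()
+return env == "1" or env == "TRUE"
+return False
+
+
+@unittest.skipIf(not is_test_ssl(), "TEST_TT_SSL is not set.")
+class SSLTestCase(BaseTarantoolTestCase):
+DO_CONNECT = False
+
+ssl_files_dir = os.path.join(os.getcwd(), 'tests', 'files', 'ssl')
+cert_file = os.path.join(ssl_files_dir, "localhost.crt")
+invalidhost_cert_file = os.path.join(ssl_files_dir, "invalidhost.crt")
+key_file = os.path.join(ssl_files_dir, "localhost.key")
+ca_file = os.path.join(ssl_files_dir, "ca.crt")
+empty_file = os.path.join(ssl_files_dir, "empty")
+invalid_file = "any_invalid_path"
+
+async def test__connect(self):
+class SslTestSubcase:
+def __init__(self,
+name="",
+expectSSLError=False,
+expectTimeoutError=False,
+server_transport=asynctnt.Transport.SSL,
+server_key_file=None,
+server_cert_file=None,
+server_ca_file=None,
+server_ciphers=None,
+client_transport=asynctnt.Transport.SSL,
+client_cert_file=None,
+client_key_file=None,
+client_ca_file=None,
+client_ciphers=None):
+self.name = name
+self.expectSSLError = expectSSLError
+self.expectTimeoutError = expectTimeoutError
+self.server_transport = server_transport
+self.server_key_file = server_key_file
+self.server_cert_file = server_cert_file
+self.server_ca_file = server_ca_file
+self.server_ciphers = server_ciphers
+self.client_transport = client_transport
+self.client_cert_file = client_cert_file
+self.client_key_file = client_key_file
+self.client_ca_file = client_ca_file
+self.client_ciphers = client_ciphers
+
+# Requirements from Tarantool Enterprise Edition manual:
+# https://www.tarantool.io/en/enterprise_doc/security/#configuration
+#
+# For a server:
+# ssl_key_file - mandatory
+# ssl_cert_file - mandatory
+# ssl_ca_file - optional
+# ssl_ciphers - optional
+#
+# For a client:
+# ssl_key_file - optional, mandatory if server.CaFile set
+# ssl_cert_file - optional, mandatory if server.CaFile set
+# ssl_ca_file - optional
+# ssl_ciphers - optional
+testcases = [
+SslTestSubcase(
+name="no_ssl_server",
+expectSSLError=True,
+server_transport=asynctnt.Transport.DEFAULT),
+SslTestSubcase(
+name="key_crt_server",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file),
+SslTestSubcase(
+name="no_ssl_client",
+expectTimeoutError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+client_transport=asynctnt.Transport.DEFAULT),
+SslTestSubcase(
+name="key_crt_server_and_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file),
+SslTestSubcase(
+name="key_crt_ca_server",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_crt_client",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_cert_file=self.cert_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_key_crt_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_invalidhost_crt_ca_server_and_key_crt_ca_client",
+# A Tarantool implementation does not check hostname. It's
+# the expected behavior. We don't do that too.
+server_key_file=self.key_file,
+server_cert_file=self.invalidhost_cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_invalid_crt",
+expectSSLError=True,
+client_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_key_file=self.key_file,
+client_cert_file=self.invalid_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_invalid_key",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.invalid_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_invalid_ca",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.invalid_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_empty_crt",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.empty_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_empty_key",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.empty_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_server_and_client_empty_ca",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.empty_file),
+SslTestSubcase(
+name="key_crt_ca_ciphers_server_and_key_crt_ca_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file),
+SslTestSubcase(
+name="key_crt_ca_ciphers_server_and_client",
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file,
+client_ciphers="ECDHE-RSA-AES256-GCM-SHA384"),
+SslTestSubcase(
+name="non_equal_ciphers",
+expectSSLError=True,
+server_key_file=self.key_file,
+server_cert_file=self.cert_file,
+server_ca_file=self.ca_file,
+server_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
+client_key_file=self.key_file,
+client_cert_file=self.cert_file,
+client_ca_file=self.ca_file,
+client_ciphers="TLS_AES_128_GCM_SHA256"),
+]
+for t in testcases:
+with self.subTest(msg=t.name):
+if self.in_docker:
+self.skipTest('Skipping as running inside the docker')
+return
+
+tnt = TarantoolSyncInstance(
+port=TarantoolSyncInstance.get_random_port(),
+transport=t.server_transport,
+ssl_key_file=t.server_key_file,
+ssl_cert_file=t.server_cert_file,
+ssl_ca_file=t.server_ca_file,
+ssl_ciphers=t.server_ciphers,
+applua=self.read_applua(),
+cleanup=self.TNT_CLEANUP,
+)
+
+tnt.start()
+try:
+conn = await asynctnt.connect(host=tnt.host, port=tnt.port,
+transport=t.client_transport,
+ssl_key_file=t.client_key_file,
+ssl_cert_file=t.client_cert_file,
+ssl_ca_file=t.client_ca_file,
+ssl_ciphers=t.client_ciphers,
+reconnect_timeout=0)
+
+tupl = [1, 'hello', 1, 4, 'what is up']
+await conn.insert(self.TESTER_SPACE_ID, tupl)
+res = await conn.select(self.TESTER_SPACE_NAME, tupl[0:1])
+self.assertResponseEqual(res[0], tupl, 'Tuple ok')
+except SSLError as e:
+if not t.expectSSLError:
+self.fail(e)
+except asyncio.exceptions.TimeoutError as e:
+if not t.expectTimeoutError:
+self.fail(e)
+except Exception as e:
+self.fail(e)
+finally:
+tnt.stop()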
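Review bot: The negative subcases in `test__connect` can never fail: when `expectSSLError` or `expectTimeoutError` is set and the connection nevertheless succeeds, the `try` body completes the insert/select and nothing asserts that an error was raised, so a regression that accepts a plaintext peer or a client without a certificate would pass unnoticed. Add an `else:` branch before `finally:` containing `if t.expectSSLError or t.expectTimeoutError: self.fail('connection unexpectedly succeeded: ' + t.name)`. The CA cases cover only an unreadable path and an empty file; a subcase using a certificate issued by a different CA would be needed to show that chain verification itself rejects an untrusted issuer, and the comment on the `invalidhost` subcase should state that, with no hostname check, any certificate issued by the trusted CA is accepted. `conn` is also never closed before `tnt.stop()`.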
