Test hostname verification (#27355)

2019-07-16 15:32:50 +02:00 · 2019-07-16 15:32:50 +02:00 · c3e8a968d9
commit c3e8a968d9
parent 10c2b0714a
6 changed files with 69 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -38,7 +38,6 @@
 .tags_sorted_by_file
 .target
 .worksheet
-Makefile
 TAGS
 _akka_cluster/
 _dump
--- a/akka-remote/src/test/resources/Makefile
+++ b/akka-remote/src/test/resources/Makefile
@ -0,0 +1,17 @@
+all: truststore keystore
+
+truststore: domain.crt
+	keytool -importcert -file domain.crt -keystore truststore -deststorepass changeme
+
+keystore: domain.crt domain.key
+	openssl pkcs12 -export -inkey domain.key -passin pass:changeme -in domain.crt -out keystore -passout pass:changeme
+
+domain.crt: domain.csr domain.key
+	openssl x509 -req -in domain.csr -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.crt -extensions SAN -signkey domain.key
+
+domain.csr:
+	openssl req -new -sha256 -key domain.key -subj "/C=ZA/ST=web/O=Lightbend/CN=akka-remote" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.csr -passout pass:changeme
+
+.PHONY: clean
+clean:
+	rm domain.crt domain.csr keystore truststore
--- a/akka-remote/src/test/resources/keystore
+++ b/akka-remote/src/test/resources/keystore
--- a/akka-remote/src/test/resources/truststore
+++ b/akka-remote/src/test/resources/truststore
--- a/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
+++ b/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
@ -22,7 +22,7 @@ object ArterySpecSupport {
        provider = remote
        serialize-creators = off
      }
-      akka.remote.warn-about-direct-use = off
+      remote.warn-about-direct-use = off
      remote.artery {
        enabled = on
        canonical {
--- a/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
@ -25,6 +25,8 @@ import com.typesafe.config.Config
 import com.typesafe.config.ConfigFactory
 import javax.net.ssl.SSLEngine

+import akka.testkit.EventFilter
+
 class TlsTcpWithDefaultConfigSpec extends TlsTcpSpec(ConfigFactory.empty())

 class TlsTcpWithSHA1PRNGSpec
@ -183,22 +185,65 @@ class TlsTcpWithHostnameVerificationSpec
    akka.remote.artery.ssl.config-ssl-engine {
      hostname-verification = on
    }
+    akka.remote.use-unsafe-remote-features-without-cluster = on
+
+    akka.loggers = ["akka.testkit.TestEventListener"]
    """).withFallback(TlsTcpSpec.config))
    with ImplicitSender {

-  val systemB = newRemoteSystem(name = Some("systemB"))
-  val addressB = address(systemB)
-  val rootB = RootActorPath(addressB)
-
  "Artery with TLS/TCP and hostname-verification=on" must {
-    "reject invalid" in {
+    "fail when the name in the server certificate does not match" in {
      // this test only makes sense with tls-tcp transport
      if (!arteryTcpTlsEnabled())
        pending

+      val systemB = newRemoteSystem(
+        // The subjectAltName is 'localhost', so connecting to '127.0.0.1' should not
+        // work when using hostname verification:
+        extraConfig = Some("""akka.remote.artery.canonical.hostname = "127.0.0.1""""),
+        name = Some("systemB"))
+
+      val addressB = address(systemB)
+      val rootB = RootActorPath(addressB)
+
+      systemB.actorOf(TestActors.echoActorProps, "echo")
+      EventFilter
+        .warning(
+          pattern =
+            "outbound connection to \\[akka://systemB@127.0.0.1:.*" +
+            "Upstream failed, cause: SSLHandshakeException: General SSLEngine problem",
+          occurrences = 3)
+        .intercept {
+          system.actorSelection(rootB / "user" / "echo") ! Identify("echo")
+        }
+      expectNoMessage(2.seconds)
+      systemB.terminate()
+    }
+    "succeed when the name in the server certificate matches" in {
+      if (!arteryTcpTlsEnabled())
+        pending
+
+      val systemB = newRemoteSystem(
+        extraConfig = Some("""
+          // The subjectAltName is 'localhost', so this is how we want to be known:
+          akka.remote.artery.canonical.hostname = "localhost"
+
+          // Though we will still bind to 127.0.0.1 (make sure it's not ipv6)
+          akka.remote.artery.bind.hostname = "127.0.0.1"
+        """),
+        name = Some("systemB"))
+
+      val addressB = address(systemB)
+      val rootB = RootActorPath(addressB)
+
      systemB.actorOf(TestActors.echoActorProps, "echo")
      system.actorSelection(rootB / "user" / "echo") ! Identify("echo")
-      expectNoMessage(2.seconds)
+      val id = expectMsgType[ActorIdentity]
+
+      id.ref.get ! "42"
+      expectMsg("42")
+
+      systemB.terminate()
    }
  }
 }