raboof/pekko
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages Wiki Activity Actions 11

Test hostname verification (#27355)

Browse source
This commit is contained in:
Arnout Engelen 2019-07-16 15:32:50 +02:00 committed by GitHub
parent 10c2b0714a
commit c3e8a968d9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 69 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -38,7 +38,6 @@
.tags_sorted_by_file .tags_sorted_by_file
.target .target
.worksheet .worksheet
Makefile
TAGS TAGS
_akka_cluster/ _akka_cluster/
_dump _dump

17
akka-remote/src/test/resources/Makefile Normal file
View file

@ -0,0 +1,17 @@
all: truststore keystore
truststore: domain.crt
keytool -importcert -file domain.crt -keystore truststore -deststorepass changeme
keystore: domain.crt domain.key
openssl pkcs12 -export -inkey domain.key -passin pass:changeme -in domain.crt -out keystore -passout pass:changeme
domain.crt: domain.csr domain.key
openssl x509 -req -in domain.csr -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.crt -extensions SAN -signkey domain.key
domain.csr:
openssl req -new -sha256 -key domain.key -subj "/C=ZA/ST=web/O=Lightbend/CN=akka-remote" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.csr -passout pass:changeme
.PHONY: clean
clean:
rm domain.crt domain.csr keystore truststore

BIN
akka-remote/src/test/resources/keystore
View file

Binary file not shown.

BIN
akka-remote/src/test/resources/truststore
View file

Binary file not shown.

2
akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
View file

@ -22,7 +22,7 @@ object ArterySpecSupport {
provider = remote provider = remote
serialize-creators = off serialize-creators = off
} }
akka.remote.warn-about-direct-use = off remote.warn-about-direct-use = off
remote.artery { remote.artery {
enabled = on enabled = on
canonical { canonical {

57
akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
View file

@ -25,6 +25,8 @@ import com.typesafe.config.Config
import com.typesafe.config.ConfigFactory import com.typesafe.config.ConfigFactory
import javax.net.ssl.SSLEngine import javax.net.ssl.SSLEngine
import akka.testkit.EventFilter
class TlsTcpWithDefaultConfigSpec extends TlsTcpSpec(ConfigFactory.empty()) class TlsTcpWithDefaultConfigSpec extends TlsTcpSpec(ConfigFactory.empty())
class TlsTcpWithSHA1PRNGSpec class TlsTcpWithSHA1PRNGSpec
@ -183,22 +185,65 @@ class TlsTcpWithHostnameVerificationSpec
akka.remote.artery.ssl.config-ssl-engine { akka.remote.artery.ssl.config-ssl-engine {
hostname-verification = on hostname-verification = on
} }
akka.remote.use-unsafe-remote-features-without-cluster = on
akka.loggers = ["akka.testkit.TestEventListener"]
""").withFallback(TlsTcpSpec.config)) """).withFallback(TlsTcpSpec.config))
with ImplicitSender { with ImplicitSender {
val systemB = newRemoteSystem(name = Some("systemB"))
val addressB = address(systemB)
val rootB = RootActorPath(addressB)
"Artery with TLS/TCP and hostname-verification=on" must { "Artery with TLS/TCP and hostname-verification=on" must {
"reject invalid" in { "fail when the name in the server certificate does not match" in {
// this test only makes sense with tls-tcp transport // this test only makes sense with tls-tcp transport
if (!arteryTcpTlsEnabled()) if (!arteryTcpTlsEnabled())
pending pending
val systemB = newRemoteSystem(
// The subjectAltName is 'localhost', so connecting to '127.0.0.1' should not
// work when using hostname verification:
extraConfig = Some("""akka.remote.artery.canonical.hostname = "127.0.0.1""""),
name = Some("systemB"))
val addressB = address(systemB)
val rootB = RootActorPath(addressB)
systemB.actorOf(TestActors.echoActorProps, "echo")
EventFilter
.warning(
pattern =
"outbound connection to \\[akka://systemB@127.0.0.1:.*" +
"Upstream failed, cause: SSLHandshakeException: General SSLEngine problem",
occurrences = 3)
.intercept {
system.actorSelection(rootB / "user" / "echo") ! Identify("echo")
}
expectNoMessage(2.seconds)
systemB.terminate()
}
"succeed when the name in the server certificate matches" in {
if (!arteryTcpTlsEnabled())
pending
val systemB = newRemoteSystem(
extraConfig = Some("""
// The subjectAltName is 'localhost', so this is how we want to be known:
akka.remote.artery.canonical.hostname = "localhost"
// Though we will still bind to 127.0.0.1 (make sure it's not ipv6)
akka.remote.artery.bind.hostname = "127.0.0.1"
"""),
name = Some("systemB"))
val addressB = address(systemB)
val rootB = RootActorPath(addressB)
systemB.actorOf(TestActors.echoActorProps, "echo") systemB.actorOf(TestActors.echoActorProps, "echo")
system.actorSelection(rootB / "user" / "echo") ! Identify("echo") system.actorSelection(rootB / "user" / "echo") ! Identify("echo")
expectNoMessage(2.seconds) val id = expectMsgType[ActorIdentity]
id.ref.get ! "42"
expectMsg("42")
systemB.terminate()
} }
} }
} }