@Test public void testRedirectFromSSL() throws Exception { HttpServer redirectServer = vertx.createHttpServer(new HttpServerOptions() .setSsl(true) .setKeyStoreOptions(Cert.SERVER_JKS.get()) .setHost(DEFAULT_HTTP_HOST) .setPort(DEFAULT_HTTP_PORT) ).requestHandler(req -> { req.response().setStatusCode(303).putHeader("location", "http://" + DEFAULT_HTTP_HOST + ":4043/" + DEFAULT_TEST_URI).end(); }); startServer(redirectServer); RequestOptions options = new RequestOptions().setHost(DEFAULT_HTTP_HOST).setURI(DEFAULT_TEST_URI).setPort(4043); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.NONE, Trust.NONE) .clientSSL(true) .serverSSL(false) .requestOptions(options) .followRedirects(true) .pass(); } }
@Test public void testRedirectToSSL() throws Exception { HttpServer redirectServer = vertx.createHttpServer(new HttpServerOptions() .setHost(DEFAULT_HTTP_HOST) .setPort(DEFAULT_HTTP_PORT) ).requestHandler(req -> { req.response().setStatusCode(303).putHeader("location", "https://" + DEFAULT_HTTP_HOST + ":4043/" + DEFAULT_TEST_URI).end(); }); startServer(redirectServer); RequestOptions options = new RequestOptions().setHost(DEFAULT_HTTP_HOST).setURI(DEFAULT_TEST_URI).setPort(DEFAULT_HTTP_PORT); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE) .clientSSL(false) .serverSSL(true) .requestOptions(options) .followRedirects(true) .pass(); }
@Test // Access https server via connect proxy with a hostname that doesn't resolve // the hostname may resolve at the proxy if that is accessing another DNS // we simulate this by mapping the hostname to localhost:xxx in the test proxy code public void testHttpsProxyUnknownHost() throws Exception { startProxy(null, ProxyType.HTTP); proxy.setForceUri("localhost:4043"); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).useProxy(ProxyType.HTTP) .connectHostname("doesnt-resolve.host-name").clientTrustAll().clientVerifyHost(false).pass(); assertNotNull("connection didn't access the proxy", proxy.getLastUri()); assertEquals("hostname resolved but it shouldn't be", "doesnt-resolve.host-name:4043", proxy.getLastUri()); assertEquals("Host header doesn't contain target host", "doesnt-resolve.host-name:4043", proxy.getLastRequestHeaders().get("Host")); assertEquals("Host header doesn't contain target host", HttpMethod.CONNECT, proxy.getLastMethod()); }
@Test // Specify some matching TLS protocols public void testTLSInvalidProtocolVersion() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().serverEnabledSecureTransportProtocol(new String[]{"HelloWorld"}).fail(); }
@Test // Specify some matching TLS protocols public void testTLSMatchingProtocolVersions() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().serverEnabledSecureTransportProtocol(new String[]{"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}).pass(); }
@Test // Access https server via socks proxy with a hostname that doesn't resolve // the hostname may resolve at the proxy if that is accessing another DNS // we simulate this by mapping the hostname to localhost:xxx in the test proxy code public void testSocksProxyUnknownHost() throws Exception { startProxy(null, ProxyType.SOCKS5); proxy.setForceUri("localhost:4043"); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).useProxy(ProxyType.SOCKS5) .connectHostname("doesnt-resolve.host-name").clientTrustAll().clientVerifyHost(false).pass(); assertNotNull("connection didn't access the proxy", proxy.getLastUri()); assertEquals("hostname resolved but it shouldn't be", "doesnt-resolve.host-name:4043", proxy.getLastUri()); } }
@Test // Client trusts all server certs public void testClearClientRequestAbsSetClear() throws Exception { String absoluteURI = "http://" + DEFAULT_HTTP_HOST + ":4043/" + DEFAULT_TEST_URI; testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientSSL(false).serverSSL(false).requestProvider(c -> c.requestAbs(HttpMethod.POST, absoluteURI)).pass(); }
@Test // Client trusts all server certs public void testClearClientRequestOptionsSetClear() throws Exception { RequestOptions options = new RequestOptions().setHost(DEFAULT_HTTP_HOST).setURI(DEFAULT_TEST_URI).setPort(4043).setSsl(false); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientSSL(false).serverSSL(false).requestOptions(options).pass(); }
@Test // Client specifies cert and it is required public void testTLSClientCertPKCS12RequiredOpenSSL() throws Exception { testTLS(Cert.CLIENT_PKCS12, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.CLIENT_JKS).clientOpenSSL().requiresClientAuth().pass(); }
protected TLSTest testTLS(Cert<?> clientCert, Trust<?> clientTrust, Cert<?> serverCert, Trust<?> serverTrust) throws Exception { return new TLSTest(clientCert, clientTrust, serverCert, serverTrust); }
@Test // Specify some non matching cipher suites public void testTLSNonMatchingCipherSuites() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().serverEnabledCipherSuites(new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}).clientEnabledCipherSuites(new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}).fail(); }
@Test // Client trusts all server certs public void testSSLClientRequestOptionsSetSSL() throws Exception { RequestOptions options = new RequestOptions().setHost(DEFAULT_HTTP_HOST).setPort(4043).setURI(DEFAULT_TEST_URI).setSsl(true); testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).clientSSL(true).requestOptions(options).pass(); }
@Test // Specify some matching cipher suites public void testTLSMatchingCipherSuites() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().serverEnabledCipherSuites(ENABLED_CIPHER_SUITES).pass(); }
@Test // Client trusts all server certs public void testTLSClientTrustAll() throws Exception { testTLS(Cert.NONE, Trust.NONE, Cert.SERVER_JKS, Trust.NONE).clientTrustAll().pass(); }
@Test // Server specifies cert that the client trusts (not trust all) public void testTLSClientTrustServerCertWithPEMOpenSSL() throws Exception { testTLS(Cert.NONE, Trust.SERVER_PEM, Cert.SERVER_JKS, Trust.NONE).clientOpenSSL().pass(); }
@Test // Client and server uses ALPN public void testAlpn() throws Exception { testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SERVER_JKS, Trust.NONE).serverUsesAlpn().clientUsesAlpn().pass(); }
private void testProxyWithSNI(ProxyType proxyType) throws Exception { startProxy(null, proxyType); X509Certificate cert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST2, Cert.SNI_JKS, Trust.NONE) .serverSni() .useProxy(proxyType) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("host2.com")) .pass() .clientPeerCert(); assertNotNull("connection didn't access the proxy", proxy.getLastUri()); assertEquals("hostname resolved but it shouldn't be", "host2.com:4043", proxy.getLastUri()); assertEquals("host2.com", TestUtils.cnOf(cert)); }
@Test public void testSNISubjectAlternativeNameWildcardMatchPKCS12() throws Exception { X509Certificate cert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_PKCS12, Trust.NONE) .serverSni() .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("www.host5.com")) .pass() .clientPeerCert(); assertEquals("host5.com", TestUtils.cnOf(cert)); }
@Test // Client provides SNI unknown to the server and server responds with the default certificate (first) public void testSNIUnknownServerName2() throws Exception { TLSTest test = testTLS(Cert.NONE, Trust.SERVER_JKS, Cert.SNI_JKS, Trust.NONE) .serverSni() .clientVerifyHost(false) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("unknown.com")) .pass(); assertEquals("localhost", TestUtils.cnOf(test.clientPeerCert())); assertEquals("unknown.com", test.indicatedServerName); }
@Test public void testSNISubjectAltenativeNameCNMatch2() throws Exception { X509Certificate cert = testTLS(Cert.NONE, Trust.SNI_JKS_HOST5, Cert.SNI_JKS, Trust.NONE) .serverSni() .clientVerifyHost(false) .requestOptions(new RequestOptions().setSsl(true).setPort(4043).setHost("host5.com")) .pass() .clientPeerCert(); assertEquals("host5.com", TestUtils.cnOf(cert)); }