The certificate sometimes does not work? #1583

Closed
RWDai opened this issue Jun 1, 2023 · 5 comments · Fixed by #1585

RWDai commented Jun 1, 2023

What is the current bug behavior?

The certificate sometimes does not get enabled when making a request.

Steps to reproduce

GET https://www.postman.com/

HTTP 200
[Asserts]
certificate "Subject" == "C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=postman.com" 

and output is:

error: can not parse certificate - Missing '=' in {v}
error: Assert failure
  --> _test.hurl:5:0
   |
 5 | certificate "Subject" == "C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=postman.com"
   |   actual:   none
   |   expected: string <C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=postman.com>
   |

and my curl output is (cmd : curl --insecure 'https://www.postman.com/' -v )

*   Trying 162.159.129.53:443...
* TCP_NODELAY set
* Connected to www.postman.com (162.159.129.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=postman.com
*  start date: May 24 00:00:00 2023 GMT
*  expire date: May 22 23:59:59 2024 GMT
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x561ecbcfc320)
> GET / HTTP/2
> Host: www.postman.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 01 Jun 2023 06:34:26 GMT
< content-type: text/html; charset=utf-8
< vary: Accept-Encoding
< content-security-policy: default-src 'self' *.postman.co *.postman.com *.pstmn.io; base-uri 'self'; font-src 'self' data: *.getpostman.com *.postman.co *.cdn.postman.com fonts.gstatic.com www.postman.com fonts.googleapis.com cdnjs.cloudflare.com; frame-ancestors 'none'; frame-src looker.postman.co dl-preview-container.pstmn.io js.stripe.com hooks.stripe.com chart-embed.service.newrelic.com https://app.datadoghq.com/graph/embed https://app.datadoghq.eu/graph/embed https://youtube.com https://www.youtube.com https://player.vimeo.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; child-src 'self' *.postman.co *.postman.com blob:; worker-src 'self' *.postman.co *.cdn.postman.com blob:; object-src 'self'; img-src https: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' *.nr-data.net *.getpostman.com *.postman.co *.cdn.postman.com *.pstmn.io code.jquery.com google-analytics.com www.postman.com googletagmanager.com ssl.google-analytics.com cdnjs.cloudflare.com https://bi.pst.tech js-agent.newrelic.com js.stripe.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'nonce-tymvt9p8R4W7PJYdZfo/GQ=='; style-src 'self' 'unsafe-inline' *.getpostman.com *.postman.co *.cdn.postman.com *.pstmn.io www.postman.com fonts.gstatic.com fonts.googleapis.com tagmanager.google.com cdnjs.cloudflare.com; connect-src https://api.stripe.com http: ws://localhost:10533 https: wss://*.postman.co wss://*.gw.postman.com; report-uri https://sentry.postmanlabs.com/api/572/security/?sentry_key=9d37d7431bdc4c528702ec4d89fc93f7&sentry_environment=production
< x-content-security-policy: default-src 'self' *.postman.co *.postman.com *.pstmn.io; base-uri 'self'; font-src 'self' data: *.getpostman.com *.postman.co *.cdn.postman.com fonts.gstatic.com www.postman.com fonts.googleapis.com cdnjs.cloudflare.com; frame-ancestors 'none'; frame-src looker.postman.co dl-preview-container.pstmn.io js.stripe.com hooks.stripe.com chart-embed.service.newrelic.com https://app.datadoghq.com/graph/embed https://app.datadoghq.eu/graph/embed https://youtube.com https://www.youtube.com https://player.vimeo.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; child-src 'self' *.postman.co *.postman.com blob:; worker-src 'self' *.postman.co *.cdn.postman.com blob:; object-src 'self'; img-src https: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' *.nr-data.net *.getpostman.com *.postman.co *.cdn.postman.com *.pstmn.io code.jquery.com google-analytics.com www.postman.com googletagmanager.com ssl.google-analytics.com cdnjs.cloudflare.com https://bi.pst.tech js-agent.newrelic.com js.stripe.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'nonce-tymvt9p8R4W7PJYdZfo/GQ=='; style-src 'self' 'unsafe-inline' *.getpostman.com *.postman.co *.cdn.postman.com *.pstmn.io www.postman.com fonts.gstatic.com fonts.googleapis.com tagmanager.google.com cdnjs.cloudflare.com; connect-src https://api.stripe.com http: ws://localhost:10533 https: wss://*.postman.co wss://*.gw.postman.com; report-uri https://sentry.postmanlabs.com/api/572/security/?sentry_key=9d37d7431bdc4c528702ec4d89fc93f7&sentry_environment=production
< x-webkit-csp: default-src 'self' *.postman.co *.postman.com *.pstmn.io; base-uri 'self'; font-src 'self' data: *.getpostman.com *.postman.co *.cdn.postman.com fonts.gstatic.com www.postman.com fonts.googleapis.com cdnjs.cloudflare.com; frame-ancestors 'none'; frame-src looker.postman.co dl-preview-container.pstmn.io js.stripe.com hooks.stripe.com chart-embed.service.newrelic.com https://app.datadoghq.com/graph/embed https://app.datadoghq.eu/graph/embed https://youtube.com https://www.youtube.com https://player.vimeo.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; child-src 'self' *.postman.co *.postman.com blob:; worker-src 'self' *.postman.co *.cdn.postman.com blob:; object-src 'self'; img-src https: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' *.nr-data.net *.getpostman.com *.postman.co *.cdn.postman.com *.pstmn.io code.jquery.com google-analytics.com www.postman.com googletagmanager.com ssl.google-analytics.com cdnjs.cloudflare.com https://bi.pst.tech js-agent.newrelic.com js.stripe.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'nonce-tymvt9p8R4W7PJYdZfo/GQ=='; style-src 'self' 'unsafe-inline' *.getpostman.com *.postman.co *.cdn.postman.com *.pstmn.io www.postman.com fonts.gstatic.com fonts.googleapis.com tagmanager.google.com cdnjs.cloudflare.com; connect-src https://api.stripe.com http: ws://localhost:10533 https: wss://*.postman.co wss://*.gw.postman.com; report-uri https://sentry.postmanlabs.com/api/572/security/?sentry_key=9d37d7431bdc4c528702ec4d89fc93f7&sentry_environment=production
< x-frame-options: DENY
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< x-content-type-options: nosniff
< referrer-policy: no-referrer-when-downgrade
< x-xss-protection: 1; mode=block
< set-cookie: _SERVICE_PUB_ID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
< cache-control: no-store
< x-cache: Miss from cloudfront
< via: 1.1 7efc93d7f67e563b72814c54dcdf3062.cloudfront.net (CloudFront)
< x-amz-cf-pop: SFO5-C3
< x-amz-cf-id: LLxGWAtz35dVVz9QcqdJjYkVuZbMNUhamEAY2_OizLPt-oiNhWg2uQ==
< cf-cache-status: DYNAMIC
< set-cookie: postman.sid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: postman.sid=; Domain=www.postman.com; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: _SERVICE_PUB_ID=; Domain=www.postman.com; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: __cf_bm=vkYJDmUBaqgmNWYXfSxVOn4wQ7o7uZghp5XinIXf0zM-1685601266-0-AXeQjLdrAXWNCpenQgw67ZQRrtEl1Pj6b/m04TbLU3unnC+2cV4QRxkly95Am076zeKoBOzQThguns3zfNtFBak=; path=/; expires=Thu, 01-Jun-23 07:04:26 GMT; domain=.postman.com; HttpOnly; Secure; SameSite=None
< set-cookie: _cfuvid=4b2ymUeRLmFbhxIpvxDgNd7g76c2QHaf5C0zeEb6YFw-1685601266380-0-604800000; path=/; domain=.postman.com; HttpOnly; Secure; SameSite=None
< server: cloudflare
< cf-ray: 7d056e47ac6d238d-SJC
<
<
......... Omitting unimportant content
* Connection #0 to host www.postman.com left intact
</body></html>%

What is the expected correct behavior?

Subject can't be none!

Execution context

  • Hurl Version (hurl --version): 3.0.0
  • Operating system and version: Linux ubuntu 5.15.0-71-generic #78~20.04.1-Ubuntu SMP Wed Apr 19 11:26:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Possible fixes

@RWDai RWDai added the bug Something isn't working label Jun 1, 2023
Author

RWDai commented Jun 1, 2023

eg2:

GET https://www.cloudflare.com/

HTTP 200
[Asserts]
certificate "Subject" == "C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=www.cloudflare.com"

output:

error: can not parse certificate - Missing '=' in {v}
error: Assert failure
  --> _test.hurl:5:0
   |
 5 | certificate "Subject" == "C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=www.cloudflare.com"
   |   actual:   none
   |   expected: string <C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=www.cloudflare.com>
   |

Author

RWDai commented Jun 1, 2023

If there are multiple requests in a hurl file, the next subject will be 'none'

eg:

GET https://www.postman-echo.com/get

HTTP 200
[Asserts]
certificate "Subject" == "CN=postman-echo.com"

GET https://www.postman-echo.com/get

HTTP 200
[Asserts]
certificate "Subject" == "CN=postman-echo.com"

and output:

error: Assert failure
  --> _test.hurl:11:0
   |
11 | certificate "Subject" == "CN=postman-echo.com"
   |   actual:   none
   |   expected: string <CN=postman-echo.com>
   |

@fabricereix
Collaborator

Thanks @RWDai for reporting the bug and for your detailed feedback.
We will fix it in the next release.

Collaborator

jcamiel commented Jun 1, 2023

FYI, the bug is triggered on Subject when one of the keys of the subject has a comma:

  • Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=postman.com
  • O=Cloudflare, Inc.: the "," triggers a logic error in Hurl
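
Added example (not part of the thread and not Hurl's source code): a Rust sketch of why splitting the subject string from the report on ", " fails at `O=Cloudflare, Inc.`, next to a tolerant parser that folds a piece without a `KEY=` prefix back into the previous value. The function names and the key heuristic are assumptions made for illustration.

```rust
// Added illustration; not Hurl's source code. All names are hypothetical.

/// Naive approach: split on ", " and require every piece to be KEY=VALUE.
fn parse_naive(subject: &str) -> Result<Vec<(String, String)>, String> {
    subject
        .split(", ")
        .map(|part| {
            part.split_once('=')
                .map(|(k, v)| (k.to_string(), v.to_string()))
                .ok_or_else(|| format!("Missing '=' in {part}"))
        })
        .collect()
}

/// Tolerant approach: a piece starts a new attribute only when it looks like
/// `KEY=...` with a short alphanumeric (or dotted OID) key; otherwise it is a
/// continuation of the previous value and the ", " that was split away is restored.
fn parse_tolerant(subject: &str) -> Result<Vec<(String, String)>, String> {
    let mut attrs: Vec<(String, String)> = Vec::new();
    for part in subject.split(", ") {
        match part.split_once('=') {
            Some((k, v)) if is_attr_key(k) => attrs.push((k.to_string(), v.to_string())),
            _ => match attrs.last_mut() {
                Some((_, value)) => {
                    value.push_str(", ");
                    value.push_str(part);
                }
                // Nothing to attach the piece to: the string is malformed.
                None => return Err(format!("Missing '=' in {part}")),
            },
        }
    }
    Ok(attrs)
}

/// Assumed heuristic for an attribute key such as C, ST, CN or a dotted OID.
fn is_attr_key(k: &str) -> bool {
    !k.is_empty() && k.chars().all(|c| c.is_ascii_alphanumeric() || c == '.')
}

fn main() {
    // Subject string taken from the report above.
    let subject = "C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=postman.com";
    println!("naive:    {:?}", parse_naive(subject));
    println!("tolerant: {:?}", parse_tolerant(subject));
}
```

The flattened string stays ambiguous when a value itself contains text shaped like `, KEY=`, so a check that a subject assertion depends on is more reliable when the attributes are read from the parsed certificate rather than from its one-line rendering.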

Collaborator

jcamiel commented Jun 1, 2023

@RWDai we've released a hotfix version 3.0.1 that should fix this bug (see release note)
Thanks for the bug report!

@jcamiel jcamiel closed this as completed Jun 1, 2023