multi ssl bug #1818

Merged
merged 19 commits into from
Jul 10, 2020
2 changes: 1 addition & 1 deletion .travis/osx_openresty_runner.sh
Expand Up @@ -24,7 +24,7 @@ export_or_prefix() {

before_install() {
HOMEBREW_NO_AUTO_UPDATE=1 brew install perl cpanminus etcd luarocks openresty/brew/openresty-debug redis@3.2
brew upgrade go
brew install go@1.13

sudo sed -i "" "s/requirepass/#requirepass/g" /usr/local/etc/redis.conf
brew services start redis@3.2
13 changes: 6 additions & 7 deletions apisix/http/router/radixtree_sni.lua
Expand Up @@ -80,7 +80,6 @@ local function create_router(ssl_items)
end
end

local
idx = idx + 1
route_items[idx] = {
paths = sni,
Expand Down Expand Up @@ -151,15 +150,15 @@ function _M.match_and_set(api_ctx)
local sni
sni, err = ngx_ssl.server_name()
if type(sni) ~= "string" then
return false, "failed to fetch SNI: " .. (err or "not found")
return false, "failed to fetch SSL certificate: " .. (err or "not found")
end

core.log.debug("sni: ", sni)

local sni_rev = sni:reverse()
local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx)
if not ok then
core.log.warn("not found any valid sni configuration")
core.log.warn("failed to find any SSL certificate by SNI: ", sni)
return false
end

Expand All @@ -172,14 +171,14 @@ function _M.match_and_set(api_ctx)
end
end
if not matched then
core.log.warn("not found any valid sni configuration, matched sni: ",
core.json.delay_encode(api_ctx.matched_sni, true), " current sni: ", sni)
core.log.warn("failed to find any SSL certificate by SNI: ",
sni, " matched SNIs: ", core.json.delay_encode(api_ctx.matched_sni, true))
return false
end
else
if str_find(sni_rev, ".", #api_ctx.matched_sni, true) then
core.log.warn("not found any valid sni configuration, matched sni: ",
api_ctx.matched_sni:reverse(), " current sni: ", sni)
core.log.warn("failed to find any SSL certificate by SNI: ",
sni, " matched SNI: ", api_ctx.matched_sni:reverse())
return false
end
end
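Review bot: Dropping `local` on the `idx = idx + 1` line in create_router makes `idx` resolve to a variable declared above this hunk; if there is no `local idx` at function scope there (create_router's header and the counter's declaration are outside the hunk), this assignment now writes an accidental global that would persist across router rebuilds, so please confirm the outer declaration exists. Assuming it does, the fix is right: the old `local` on its own line followed by `idx = idx + 1` parsed as `local idx = idx + 1`, a fresh local on every pass, presumably inside the per-item loop, so each SSL item overwrote the same `route_items` slot and only one certificate reached the radixtree. That is easy to reintroduce during a refactor, so a comment on the assignment is worth it: `-- deliberately NOT 'local': a per-iteration local once shadowed the counter and left only one SNI registered (#1818)`.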
134 changes: 114 additions & 20 deletions t/router/radixtree-sni.t
Expand Up @@ -207,7 +207,7 @@ GET /t
connected: 1
failed to do SSL handshake: certificate host mismatch
--- error_log
not found any valid sni configuration
failed to find any SSL certificate by SNI



Expand Down Expand Up @@ -448,15 +448,15 @@ location /t {
local ssl_key = t.read_file("conf/cert/test2.key")
local data = {cert = ssl_cert, key = ssl_key, sni = "*.test2.com"}

local code, body = t.test('/apisix/admin/ssl/1',
local code, body = t.test('/apisix/admin/ssl/2',
ngx.HTTP_PUT,
core.json.encode(data),
[[{
"node": {
"value": {
"sni": "*.test2.com"
},
"key": "/apisix/ssl/1"
"key": "/apisix/ssl/2"
},
"action": "set"
}]]
Expand Down Expand Up @@ -521,7 +521,82 @@ lua ssl server name: "www.test2.com"



=== TEST 11: client request: aa.bb.test2.com
=== TEST 11: client request: test.com again
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

location /t {
content_by_lua_block {
-- etcd sync
ngx.sleep(0.2)

do
local sock = ngx.socket.tcp()

sock:settimeout(2000)

local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
if not ok then
ngx.say("failed to connect: ", err)
return
end

ngx.say("connected: ", ok)

local sess, err = sock:sslhandshake(nil, "test.com", false)
if not sess then
ngx.say("failed to do SSL handshake: ", err)
return
end

ngx.say("ssl handshake: ", type(sess))

local req = "GET /hello HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n"
local bytes, err = sock:send(req)
if not bytes then
ngx.say("failed to send http request: ", err)
return
end

ngx.say("sent http request: ", bytes, " bytes.")

while true do
local line, err = sock:receive()
if not line then
-- ngx.say("failed to receive response status line: ", err)
break
end

ngx.say("received: ", line)
end

local ok, err = sock:close()
ngx.say("close: ", ok, " ", err)
end -- do
-- collectgarbage()
}
}
--- request
GET /t
--- response_body eval
qr{connected: 1
ssl handshake: userdata
sent http request: 58 bytes.
received: HTTP/1.1 200 OK
received: Content-Type: text/plain
received: Connection: close
received: Server: \w+
received: \nreceived: hello world
close: 1 nil}
--- error_log
lua ssl server name: "test.com"
--- no_error_log
[error]
[alert]



=== TEST 12: client request: aa.bb.test2.com
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

Expand Down Expand Up @@ -561,14 +636,14 @@ connected: 1
failed to do SSL handshake: certificate host mismatch
--- error_log
lua ssl server name: "aa.bb.test2.com"
not found any valid sni configuration, matched sni: *.test2.com current sni: aa.bb.test2.com
failed to find any SSL certificate by SNI: aa.bb.test2.com matched SNI: *.test2.com
--- no_error_log
[error]
[alert]



=== TEST 12: disable ssl(sni: *.test2.com)
=== TEST 13: disable ssl(sni: *.test2.com)
--- config
location /t {
content_by_lua_block {
Expand All @@ -577,15 +652,15 @@ location /t {

local data = {status = 0}

local code, body = t.test('/apisix/admin/ssl/1',
local code, body = t.test('/apisix/admin/ssl/2',
ngx.HTTP_PATCH,
core.json.encode(data),
[[{
"node": {
"value": {
"status": 0
},
"key": "/apisix/ssl/1"
"key": "/apisix/ssl/2"
},
"action": "set"
}]]
Expand All @@ -604,7 +679,7 @@ passed



=== TEST 13: client request: www.test2.com -- failed by disable
=== TEST 14: client request: www.test2.com -- failed by disable
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

Expand Down Expand Up @@ -650,7 +725,7 @@ lua ssl server name: "www.test2.com"



=== TEST 14: enable ssl(sni: *.test2.com)
=== TEST 15: enable ssl(sni: *.test2.com)
--- config
location /t {
content_by_lua_block {
Expand All @@ -659,15 +734,15 @@ location /t {

local data = {status = 1}

local code, body = t.test('/apisix/admin/ssl/1',
local code, body = t.test('/apisix/admin/ssl/2',
ngx.HTTP_PATCH,
core.json.encode(data),
[[{
"node": {
"value": {
"status": 1
},
"key": "/apisix/ssl/1"
"key": "/apisix/ssl/2"
},
"action": "set"
}]]
Expand All @@ -686,7 +761,7 @@ passed



=== TEST 15: client request: www.test2.com again
=== TEST 16: client request: www.test2.com again
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

Expand Down Expand Up @@ -732,7 +807,7 @@ lua ssl server name: "www.test2.com"



=== TEST 16: set ssl(snis: {test2.com, *.test2.com})
=== TEST 17: set ssl(snis: {test2.com, *.test2.com})
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -770,7 +845,7 @@ passed



=== TEST 17: client request: test2.com
=== TEST 18: client request: test2.com
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

Expand Down Expand Up @@ -816,7 +891,27 @@ lua ssl server name: "test2.com"



=== TEST 18: client request: aa.bb.test2.com -- snis un-include
=== TEST 19: remove ssl2
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local t = require("lib.test_admin")

local code, body = t.test('/apisix/admin/ssl/2', ngx.HTTP_DELETE)

ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- no_error_log
[error]



=== TEST 20: client request: aa.bb.test2.com -- snis un-include
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

Expand Down Expand Up @@ -856,14 +951,14 @@ connected: 1
failed to do SSL handshake: certificate host mismatch
--- error_log
lua ssl server name: "aa.bb.test2.com"
not found any valid sni configuration, matched sni: ["moc.2tset","moc.2tset.*"] current sni: aa.bb.test2.com
failed to find any SSL certificate by SNI: aa.bb.test2.com matched SNIs: ["moc.2tset","moc.2tset.*"]
--- no_error_log
[error]
[alert]



=== TEST 19: set ssl(encrypt ssl key with another iv)
=== TEST 21: set ssl(encrypt ssl key with another iv)
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -901,10 +996,9 @@ passed



=== TEST 20: client request: test2.com
=== TEST 22: client request: test2.com
--- config
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;

location /t {
content_by_lua_block {
-- etcd sync
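Review bot: TEST 19 (`remove ssl2`) sends the DELETE to `/apisix/admin/ssl/2` but pins nothing about the outcome: there is no `--- response_body` and no `--- error_code`, so apart from the framework's default status check (presumably 200) a failed deletion would go unnoticed, and TEST 20's `matched SNIs: ["moc.2tset","moc.2tset.*"]` expectation presumably depends on ssl/2 being gone, so it would then be asserting against the wrong state. Add an expected body in the style of the surrounding admin tests (`--- response_body` followed by whatever `t.test` returns for a successful DELETE, `passed` if it mirrors the PUT/PATCH cases) and drop the unused `local core = require("apisix.core")` in that block. The new TEST 11 is the actual regression check for the shadowed `idx` counter (ssl/1 must still match `test.com` after ssl/2 was added), but nothing says so; a line such as `# regression for #1818: ssl/1 must still be served once ssl/2 exists` above `=== TEST 11` would make its purpose clear to the next person renumbering these tests.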