authorYossi Gottlieb <yossigo@gmail.com>2020-12-11 18:31:40 +0200
committerGitHub <noreply@github.com>2020-12-11 18:31:40 +0200
commit8c291b97b95f2e011977b522acf77ead23e26f55 (patch)
tree14935b675574e1f8f2cc79f90219de537c8fc0f0 /tests
parent4e064fbab4d310b508593b46ed6ce539aea7aa25 (diff)
TLS: Add different client cert support. (#8076)
This adds two new configuration directives, `tls-client-cert-file` and `tls-client-key-file`, which make it possible to use different certificates for the TLS-server and TLS-client functions of Redis. They are optional: if they are not specified, the `tls-cert-file` and `tls-key-file` directives are used for the TLS client functions as well. Also, `utils/gen-test-certs.sh` now creates additional server-only and client-only certs and skips intensive operations if the target files already exist.
Diffstat (limited to 'tests')
-rw-r--r--tests/instances.tcl10
-rw-r--r--tests/support/benchmark.tcl4
-rw-r--r--tests/support/cli.tcl4
-rw-r--r--tests/support/redis.tcl4
-rw-r--r--tests/support/server.tcl15
-rw-r--r--tests/test_helper.tcl4
-rw-r--r--tests/unit/introspection.tcl2
-rw-r--r--tests/unit/tls.tcl21
8 files changed, 50 insertions, 14 deletions
diff --git a/tests/instances.tcl b/tests/instances.tcl
index 156c92706..a9cc01008 100644
--- a/tests/instances.tcl
+++ b/tests/instances.tcl
@@ -76,8 +76,10 @@ proc spawn_instance {type base_port count {conf {}}} {
puts $cfg "tls-replication yes"
puts $cfg "tls-cluster yes"
puts $cfg "port 0"
- puts $cfg [format "tls-cert-file %s/../../tls/redis.crt" [pwd]]
- puts $cfg [format "tls-key-file %s/../../tls/redis.key" [pwd]]
+ puts $cfg [format "tls-cert-file %s/../../tls/server.crt" [pwd]]
+ puts $cfg [format "tls-key-file %s/../../tls/server.key" [pwd]]
+ puts $cfg [format "tls-client-cert-file %s/../../tls/client.crt" [pwd]]
+ puts $cfg [format "tls-client-key-file %s/../../tls/client.key" [pwd]]
puts $cfg [format "tls-dh-params-file %s/../../tls/redis.dh" [pwd]]
puts $cfg [format "tls-ca-cert-file %s/../../tls/ca.crt" [pwd]]
puts $cfg "loglevel debug"
@@ -234,8 +236,8 @@ proc parse_options {} {
package require tls 1.6
::tls::init \
-cafile "$::tlsdir/ca.crt" \
- -certfile "$::tlsdir/redis.crt" \
- -keyfile "$::tlsdir/redis.key"
+ -certfile "$::tlsdir/client.crt" \
+ -keyfile "$::tlsdir/client.key"
set ::tls 1
} elseif {$opt eq "--help"} {
puts "--single <pattern> Only runs tests specified by pattern."
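Review bot: The `::tls::init` call at `-certfile "$::tlsdir/client.crt"` / `-keyfile "$::tlsdir/client.key"` is now the third copy of the same hard-coded client cert block (tests/support/redis.tcl and tests/test_helper.tcl carry it too, and tests/support/benchmark.tcl and tests/support/cli.tcl repeat the same file names), so the next certificate-layout change has to be replicated by hand across five files. A small helper in tests/support, e.g. `proc tls_client_files {} { return [list -certfile "$::tlsdir/client.crt" -keyfile "$::tlsdir/client.key"] }`, would let each call site become `::tls::init -cafile "$::tlsdir/ca.crt" {*}[tls_client_files]` and keep the client/server cert split in one place. The enclosing `parse_options` proc continues outside the hunk.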
diff --git a/tests/support/benchmark.tcl b/tests/support/benchmark.tcl
index ed75bfeda..3d08b76f5 100644
--- a/tests/support/benchmark.tcl
+++ b/tests/support/benchmark.tcl
@@ -1,7 +1,7 @@
proc redisbenchmark_tls_config {testsdir} {
set tlsdir [file join $testsdir tls]
- set cert [file join $tlsdir redis.crt]
- set key [file join $tlsdir redis.key]
+ set cert [file join $tlsdir client.crt]
+ set key [file join $tlsdir client.key]
set cacert [file join $tlsdir ca.crt]
if {$::tls} {
diff --git a/tests/support/cli.tcl b/tests/support/cli.tcl
index d55487931..19e306e24 100644
--- a/tests/support/cli.tcl
+++ b/tests/support/cli.tcl
@@ -1,7 +1,7 @@
proc rediscli_tls_config {testsdir} {
set tlsdir [file join $testsdir tls]
- set cert [file join $tlsdir redis.crt]
- set key [file join $tlsdir redis.key]
+ set cert [file join $tlsdir client.crt]
+ set key [file join $tlsdir client.key]
set cacert [file join $tlsdir ca.crt]
if {$::tls} {
diff --git a/tests/support/redis.tcl b/tests/support/redis.tcl
index 26b4510ac..9eb5b94e2 100644
--- a/tests/support/redis.tcl
+++ b/tests/support/redis.tcl
@@ -44,8 +44,8 @@ proc redis {{server 127.0.0.1} {port 6379} {defer 0} {tls 0} {tlsoptions {}}} {
package require tls
::tls::init \
-cafile "$::tlsdir/ca.crt" \
- -certfile "$::tlsdir/redis.crt" \
- -keyfile "$::tlsdir/redis.key" \
+ -certfile "$::tlsdir/client.crt" \
+ -keyfile "$::tlsdir/client.key" \
{*}$tlsoptions
set fd [::tls::socket $server $port]
} else {
diff --git a/tests/support/server.tcl b/tests/support/server.tcl
index e5b167a35..1cddb7068 100644
--- a/tests/support/server.tcl
+++ b/tests/support/server.tcl
@@ -229,6 +229,7 @@ proc start_server {options {code undefined}} {
# setup defaults
set baseconfig "default.conf"
set overrides {}
+ set omit {}
set tags {}
set keep_persistence false
@@ -241,6 +242,9 @@ proc start_server {options {code undefined}} {
"overrides" {
set overrides $value
}
+ "omit" {
+ set omit $value
+ }
"tags" {
# If we 'tags' contain multiple tags, quoted and seperated by spaces,
# we want to get rid of the quotes in order to have a proper list
@@ -306,8 +310,10 @@ proc start_server {options {code undefined}} {
set data [split [exec cat "tests/assets/$baseconfig"] "\n"]
set config {}
if {$::tls} {
- dict set config "tls-cert-file" [format "%s/tests/tls/redis.crt" [pwd]]
- dict set config "tls-key-file" [format "%s/tests/tls/redis.key" [pwd]]
+ dict set config "tls-cert-file" [format "%s/tests/tls/server.crt" [pwd]]
+ dict set config "tls-key-file" [format "%s/tests/tls/server.key" [pwd]]
+ dict set config "tls-client-cert-file" [format "%s/tests/tls/client.crt" [pwd]]
+ dict set config "tls-client-key-file" [format "%s/tests/tls/client.key" [pwd]]
dict set config "tls-dh-params-file" [format "%s/tests/tls/redis.dh" [pwd]]
dict set config "tls-ca-cert-file" [format "%s/tests/tls/ca.crt" [pwd]]
dict set config "loglevel" "debug"
@@ -343,6 +349,11 @@ proc start_server {options {code undefined}} {
dict set config $directive $arguments
}
+ # remove directives that are marked to be omitted
+ foreach directive $omit {
+ dict unset config $directive
+ }
+
# write new configuration to temporary file
set config_file [tmpfile redis.conf]
create_server_config_file $config_file $config
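Review bot: The new `omit` option is not described anywhere in `start_server`, and its interaction with `overrides` is only implied by ordering: the `foreach directive $omit { dict unset config $directive }` loop runs after the overrides are merged, so a directive named in both lists is silently dropped rather than overridden. That is the behaviour the new tls.tcl test relies on, so it deserves to be stated; I would expand the comment to `# remove directives that are marked to be omitted; this runs after overrides, so a directive listed in both is dropped`, and add a line to the proc's option summary such as `omit: list of config directives to remove from the generated redis.conf (e.g. to test defaults/fallbacks)`. `dict unset` on a missing key is not an error in Tcl, so the loop is safe when an omitted directive is absent. The `start_server` proc header and the rest of its body lie outside the hunk.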
diff --git a/tests/test_helper.tcl b/tests/test_helper.tcl
index 29ebdd7bb..3b8dc16da 100644
--- a/tests/test_helper.tcl
+++ b/tests/test_helper.tcl
@@ -602,8 +602,8 @@ for {set j 0} {$j < [llength $argv]} {incr j} {
set ::tls 1
::tls::init \
-cafile "$::tlsdir/ca.crt" \
- -certfile "$::tlsdir/redis.crt" \
- -keyfile "$::tlsdir/redis.key"
+ -certfile "$::tlsdir/client.crt" \
+ -keyfile "$::tlsdir/client.key"
} elseif {$opt eq {--host}} {
set ::external 1
set ::host $arg
diff --git a/tests/unit/introspection.tcl b/tests/unit/introspection.tcl
index a250762f2..0a7f7a9c9 100644
--- a/tests/unit/introspection.tcl
+++ b/tests/unit/introspection.tcl
@@ -122,6 +122,8 @@ start_server {tags {"introspection"}} {
tls-session-caching
tls-cert-file
tls-key-file
+ tls-client-cert-file
+ tls-client-key-file
tls-dh-params-file
tls-ca-cert-file
tls-ca-cert-dir
diff --git a/tests/unit/tls.tcl b/tests/unit/tls.tcl
index bb5b6d034..a6c2f3c2c 100644
--- a/tests/unit/tls.tcl
+++ b/tests/unit/tls.tcl
@@ -93,5 +93,26 @@ start_server {tags {"tls"}} {
r CONFIG SET tls-protocols ""
r CONFIG SET tls-ciphers "DEFAULT"
}
+
+ test {TLS: Verify tls-cert-file is also used as a client cert if none specified} {
+ set master [srv 0 client]
+ set master_host [srv 0 host]
+ set master_port [srv 0 port]
+
+ # Use a non-restricted client/server cert for the replica
+ set redis_crt [format "%s/tests/tls/redis.crt" [pwd]]
+ set redis_key [format "%s/tests/tls/redis.key" [pwd]]
+
+ start_server [list overrides [list tls-cert-file $redis_crt tls-key-file $redis_key] \
+ omit [list tls-client-cert-file tls-client-key-file]] {
+ set replica [srv 0 client]
+ $replica replicaof $master_host $master_port
+ wait_for_condition 30 100 {
+ [string match {*master_link_status:up*} [$replica info replication]]
+ } else {
+ fail "Can't authenticate to master using just tls-cert-file!"
+ }
+ }
+ }
}
}
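Review bot: The new test only exercises the positive path — a replica configured with the unrestricted `redis.crt` and with the client directives omitted must come up — so it still passes if the master never checks the purpose of the presented client certificate at all, and it says nothing about whether the server-only cert from `gen-test-certs.sh` is actually refused as a client cert. Assuming the master here requires client certificates (the `tls-auth-clients` default) and the server-only cert carries a restricted key usage as the description suggests, a negative counterpart with `server.crt`/`server.key` as the fallback cert, asserting that `master_link_status` does not reach `up`, would pin the fallback semantics from both sides. It would also be worth a short comment on `# Use a non-restricted client/server cert for the replica` explaining why `redis.crt` rather than `client.crt` is used (the point is to prove that `tls-cert-file` alone is sufficient for the client side), since a reader may otherwise "fix" it to `client.crt` and hollow out the test.

```tcl
    test {TLS: A server-only cert is not usable as client cert when no client cert specified} {
        set master_host [srv 0 host]
        set master_port [srv 0 port]

        # Server-only cert: must NOT be accepted by the master as a client cert
        set server_crt [format "%s/tests/tls/server.crt" [pwd]]
        set server_key [format "%s/tests/tls/server.key" [pwd]]

        start_server [list overrides [list tls-cert-file $server_crt tls-key-file $server_key] \
                           omit [list tls-client-cert-file tls-client-key-file]] {
            set replica [srv 0 client]
            $replica replicaof $master_host $master_port
            # give the replica time to attempt (and fail) the handshake
            after 1000
            assert_match {*master_link_status:down*} [$replica info replication]
        }
    }
```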