Add support for TLS ticket encryption based on internal seeds
Summary: Synchronise encryption keys between multiple hosts. Reviewed By: kulshrax, mingtaoy Differential Revision: D13296482 fbshipit-source-id: 5fdb1d818b9b9c90be0f3f69d3cc01ac05cbac77
This commit is contained in:
parent
ecd3daefe4
commit
b2746d95a1
@ -363,6 +363,12 @@ fn main() -> Result<()> {
|
||||
.value_name("PATH")
|
||||
.help("path to the ssl ca file"),
|
||||
)
|
||||
.arg(
|
||||
Arg::with_name("ssl-ticket-seeds")
|
||||
.long("ssl-ticket-seeds")
|
||||
.value_name("PATH")
|
||||
.help("path to the ssl ticket seeds"),
|
||||
)
|
||||
.arg(
|
||||
Arg::with_name("myrouter-port")
|
||||
.long("myrouter-port")
|
||||
@ -423,6 +429,10 @@ fn main() -> Result<()> {
|
||||
.value_of("ssl-ca")
|
||||
.expect("must specify CA")
|
||||
.to_string();
|
||||
let ticket_seed = matches
|
||||
.value_of("ssl-ticket-seeds")
|
||||
.unwrap_or(secure_utils::fb_tls::SEED_PATH)
|
||||
.to_string();
|
||||
|
||||
let ssl = secure_utils::SslConfig {
|
||||
cert,
|
||||
@ -430,7 +440,12 @@ fn main() -> Result<()> {
|
||||
ca_pem,
|
||||
};
|
||||
let acceptor = secure_utils::build_tls_acceptor_builder(ssl.clone())?;
|
||||
Some(secure_utils::fb_tls_acceptor_builder(ssl.clone(), acceptor)?)
|
||||
Some(secure_utils::fb_tls::tls_acceptor_builder(
|
||||
root_logger.clone(),
|
||||
ssl.clone(),
|
||||
acceptor,
|
||||
ticket_seed,
|
||||
)?)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
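Review bot: The `--ssl-ticket-seeds` help text in the first hunk does not say the flag is optional, while the second hunk silently falls back to `secure_utils::fb_tls::SEED_PATH` when it is absent, so a reader of `--help` cannot tell which seed file a running instance actually uses. Suggest `.help("path to the ssl ticket seeds (defaults to the built-in seed path)")`. The seed file is what keeps session tickets decryptable across restarts and across hosts, so if `tls_acceptor_builder` (not visible here) degrades to a per-process random key when the path cannot be read, that should surface as a hard error or at least a logged warning rather than a silent loss of resumption. Also, `ssl` is declared inside the `Some(...)` branch and the new call is its last use, so `ssl.clone()` on the new line can probably be plain `ssl`; `main` continues outside the hunk.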
@ -205,8 +205,10 @@ function apiserver {
|
||||
--ssl-ca "$TESTDIR/testcert.crt" \
|
||||
--ssl-private-key "$TESTDIR/testcert.key" \
|
||||
--ssl-certificate "$TESTDIR/testcert.crt" \
|
||||
--ssl-ticket-seeds "$TESTDIR/server.pem.seeds" \
|
||||
--do-not-init-cachelib >> "$TESTTMP/apiserver.out" 2>&1 &
|
||||
echo $! >> "$DAEMON_PIDS"
|
||||
export APISERVER_PID=$!
|
||||
echo "$APISERVER_PID" >> "$DAEMON_PIDS"
|
||||
}
|
||||
|
||||
function no_ssl_apiserver {
|
||||
|
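--- /dev/null
+++ b/tests/integration/server.pem.seeds
@@ -0,0 +1 @@
+{"old": ["0cdb7746c57e4069f84192f5b73905e040e46439b6afe886ba048fc40700416bb1986ab97729d35cf8b9a3dee0d717a6"], "new": ["cfb5cca1d5715dae1ddecb97e1302dc816238f23c7cb89b6e514961b0bc9e9297c04dac377004000dc31450da1af0f8f"], "current": ["7fe165ba823b01abb8c1b4768a1846070ce9b0dbd3efa52bde4a20d45a89c6d1c8b21fda6d2b33f8ea005f616abf028a"]}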
@ -289,6 +289,25 @@ test TLS Session/Ticket resumption when using client certs
|
||||
$ if [ "$RUN1" == "$RUN2" ]; then echo "SUCCESS"; fi
|
||||
SUCCESS
|
||||
|
||||
test TLS Tickets use encryption keys from seeds - sessions should persist across restarts
|
||||
$ kill -9 $APISERVER_PID && wait $APISERVER_PID
|
||||
$TESTTMP.sh: * Killed * (glob)
|
||||
[137]
|
||||
$ truncate -s 0 "$TESTTMP/apiserver.out"
|
||||
$ apiserver -H "[::1]" -p $APISERVER_PORT
|
||||
$ wait_for_apiserver
|
||||
$ echo -e "GET /health_check HTTP/1.1\r\n" | s_client -sess_in $TMPFILE -state | grep -E "^SSL_connect"
|
||||
SSL_connect:before/connect initialization
|
||||
SSL_connect:SSLv3 write client hello A
|
||||
SSL_connect:SSLv3 read server hello A
|
||||
SSL_connect:SSLv3 read finished A
|
||||
SSL_connect:SSLv3 write change cipher spec A
|
||||
SSL_connect:SSLv3 write finished A
|
||||
SSL_connect:SSLv3 flush data
|
||||
SSL3 alert read:warning:close notify
|
||||
SSL3 alert write:warning:close notify
|
||||
[1]
|
||||
|
||||
test download LFS (GET request)
|
||||
$ sslcurl $APISERVER/repo/lfs/download/$SHA > output
|
||||
$ diff output - <<< $TEST_CONTENT
|
||||
|
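Review bot: The new restart case proves ticket resumption only indirectly, by matching an s_client state trace in which the certificate and key-exchange steps are absent; the trace wording (`SSL_connect:SSLv3 write client hello A` and so on) is tied to the OpenSSL build, so a library upgrade would fail this case without saying whether resumption itself broke. The earlier case in the same file compares two runs (`$RUN1` == `$RUN2`); reusing that shape here, or grepping for an explicit reuse indicator if the `s_client` wrapper prints one, would make the intent of the check clearer and less brittle.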