. $(dirname $0)/../include.rc
. $(dirname $0)/../volume.rc
$CLI --xml volume status $1 | sed -n '/.*<port>\([0-9]*\).*/s//\1/p'
while [ $i -lt $CONFIG_UPDATE_TIMEOUT ] ; do
mounted=`mount|awk -v m=$1 '
($3 == m) {r = "Y"; exit;}
if [ "x${mounted}" = "xY" ] ; then
ls $M0 2>/dev/null || continue
if [ "x${mounted}" = "xY" ] ; then
ls $M0 2>/dev/null || mounted="N"
ssl_opt="-verify 3 -verify_return_error -CAfile $SSL_CA"
ssl_opt="$ssl_opt -crl_check_all -CApath $TMPDIR"
cmd="echo "" | openssl s_client $ssl_opt $@ 2>/dev/null"
CIPHER=$(eval $cmd | awk -F "Cipher is" '{print $2}' | tr -d '[:space:]' | awk -F " " '{print $1}')
if [ "x${CIPHER}" = "x" -o "x${CIPHER}" = "x0000" -o "x${CIPHER}" = "x(NONE)" ] ; then
# Validate the cipher so that the EXPECT test case passes before calling openssl_connect
cmd="echo "" | openssl s_client $@ 2> /dev/null"
cipher=$(eval $cmd |awk -F "Cipher is" '{print $2}' | tr -d '[:space:]' | awk -F " " '{print $1}')
if [ "x${cipher}" = "x" -o "x${cipher}" = "x0000" -o "x${cipher}" = "x(NONE)" ] ; then
# Scratch directory holding the throwaway CA, keys, certificates and CRL that
# the rest of this test builds; mktemp picks an unpredictable name under /tmp.
TMPDIR=$(mktemp -d "/tmp/${0##*/}.XXXXXX")
# Paths of the node's own private key, its CSR and the certificate the scratch
# CA will issue for it; all live in TMPDIR so they disappear with it.
SSL_KEY="${TMPDIR}/self.key"
SSL_CSR="${TMPDIR}/self.csr"
SSL_CERT="${TMPDIR}/self.crt"
# Generated openssl config for the scratch CA and the CRL it publishes.
SSL_CFG="${TMPDIR}/openssl.cnf"
SSL_CRL="${TMPDIR}/crl.pem"
# Instantiate the CA config template next to this script: the @TMPDIR@
# placeholder (first occurrence per line) becomes the scratch directory, so
# whatever paths the template derives from it land there too.
sed "s|@TMPDIR@|${TMPDIR}|" "$(pwd)/$(dirname "$0")/openssl.cnf.in" > "$SSL_CFG"
# Create one 2048-bit RSA key, self-sign a CA certificate with it (SSL_CA is
# assigned elsewhere in this script) and produce a CSR for the node itself.
# The CA and the node share this single key: acceptable for a throwaway test
# fixture, not a pattern to copy into a real deployment.
TEST openssl genrsa -out "$SSL_KEY" 2048 2>/dev/null
TEST openssl req -config "$SSL_CFG" -new -key "$SSL_KEY" -x509 \
        -subj /CN=CA -out "$SSL_CA"
TEST openssl req -config "$SSL_CFG" -new -key "$SSL_KEY" \
        -subj "/CN=$H0" -out "$SSL_CSR"
# Seed the minimal "openssl ca" database: a serial counter, an empty index and
# the directories the generated config (openssl.cnf.in, not shown here) uses.
# NOTE(review): openssl ca reads index.txt.attr; "index.txx.attr" looks like a
# typo, harmless here since the CA creates the real file on first use — confirm.
echo "01" > "$TMPDIR/serial"
TEST touch "$TMPDIR/index.txt" "$TMPDIR/index.txx.attr"
TEST mkdir -p "$TMPDIR/certs" "$TMPDIR/newcerts" "$TMPDIR/crl"
# Have the scratch CA sign the node's CSR; stderr is folded into the TEST output.
TEST openssl ca -batch -config "$SSL_CFG" -in "$SSL_CSR" -out "$SSL_CERT" 2>&1
# Expose the CRL under the "<subject-hash>.r0" name that OpenSSL's -CApath
# lookup expects (openssl_connect passes -crl_check_all -CApath $TMPDIR), so
# revocations published into SSL_CRL are actually consulted by the client.
# Only the first output line (the hash) is kept; the fingerprint is discarded.
CRLHASH=$(openssl x509 -hash -fingerprint -noout -in "$SSL_CA" | sed -n '1s/$/.r0/p')
ln -sf "$SSL_CRL" "$TMPDIR/$CRLHASH"
# Issue the initial (empty) CRL; it is regenerated after the revocation below.
TEST openssl ca -config "$SSL_CFG" -gencrl -out "$SSL_CRL" 2>&1
# Create a single-brick volume and enable TLS on both the brick side
# (server.ssl) and the client side (client.ssl), pointing it at the scratch
# key, certificate and CA list built above.
TEST $CLI volume create "$V0" "$H0:$B0/1"
TEST $CLI volume set "$V0" server.ssl on
TEST $CLI volume set "$V0" client.ssl on
TEST $CLI volume set "$V0" ssl.private-key "$SSL_KEY"
TEST $CLI volume set "$V0" ssl.own-cert "$SSL_CERT"
TEST $CLI volume set "$V0" ssl.ca-list "$SSL_CA"
TEST $CLI volume start "$V0"
# Wait for the brick to report online before probing its port.
EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
# Resolve the port the freshly started brick listens on via the brick_port helper.
BRICK_PORT=$(brick_port "$V0")
# Baseline: with default settings a client that trusts the scratch CA must be
# able to complete a TLS handshake with the brick.
EXPECT "Y" openssl_connect -connect "$H0:$BRICK_PORT"
# Test SSLv2 protocol fails: the legacy SSLv2 protocol must never negotiate
# with the brick.
EXPECT "N" openssl_connect -ssl2 -connect "$H0:$BRICK_PORT"
# Test SSLv3 protocol fails: SSLv3 must likewise be refused by the brick.
EXPECT "N" openssl_connect -ssl3 -connect "$H0:$BRICK_PORT"
# Probe each TLS version on its own; which of them succeed depends on the local
# openssl build, so the four results are combined and judged further down.
TLS10=$(openssl_connect -tls1 -connect "$H0:$BRICK_PORT")
TLS11=$(openssl_connect -tls1_1 -connect "$H0:$BRICK_PORT")
TLS12=$(openssl_connect -tls1_2 -connect "$H0:$BRICK_PORT")
TLS13=$(openssl_connect -tls1_3 -connect "$H0:$BRICK_PORT")
# TLS support depends on openssl version.
# TLS v1.0 requires openssl v0.9.6 or higher
# TLS v1.1 requires openssl v1.0.1 or higher
# TLS v1.2 requires openssl v1.0.1 or higher
# TLS v1.3 requires openssl v1.1.1 or higher
# If TLS is supported by the current version of openssl, at least one of the
# protocols should connect successfully. Otherwise all connections should fail.
if [[ "$(openssl version | awk '{ print $2; }')" < "0.9.6" ]]; then
# NOTE(review): ${supp} is presumably assigned in the openssl-version branches
# just above (their bodies are not shown here); the four per-version probe
# results are concatenated and compared against it — verify how supp is built.
EXPECT "${supp}" echo "${TLS10}${TLS11}${TLS12}${TLS13}"
# Test a HIGH CBC cipher (AES256-SHA). check_cipher, which skips certificate
# verification, supplies the expected outcome; openssl_connect, which verifies
# the chain and checks the CRL, must agree with it.
cph=$(check_cipher -cipher AES256-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA -connect "$H0:$BRICK_PORT"
# Ephemeral ECDH key exchange; expected value taken from check_cipher as above.
cph=$(check_cipher -cipher EECDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"
# Legacy 3DES/MD5 suite. The test does not pin Y or N: it only requires that the
# verifying client (openssl_connect) sees the same result as check_cipher.
cph=$(check_cipher -cipher DES-CBC3-MD5 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher DES-CBC3-MD5 -connect "$H0:$BRICK_PORT"
# RC4 stream cipher suite; whether it negotiates at all depends on the local
# openssl build, hence the check_cipher-derived expectation.
cph=$(check_cipher -cipher RC4-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher RC4-SHA -connect "$H0:$BRICK_PORT"
# NULL cipher (integrity only, no encryption); same check_cipher-based comparison.
cph=$(check_cipher -cipher NULL-SHA256 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher NULL-SHA256 -connect "$H0:$BRICK_PORT"
# TLS 1.2 CBC suite with SHA-256 MAC; compared against check_cipher's result.
cph=$(check_cipher -cipher AES256-SHA256 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA256 -connect "$H0:$BRICK_PORT"
# AEAD (GCM) suite; compared against check_cipher's result.
cph=$(check_cipher -cipher AES256-GCM-SHA384 -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-GCM-SHA384 -connect "$H0:$BRICK_PORT"
# Test DH fails without DH params: ssl.dh-param has not been set on the volume
# yet, so the EDH outcome reported by check_cipher is what openssl_connect
# must reproduce here.
cph=$(check_cipher -cipher EDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EDH -connect "$H0:$BRICK_PORT"
# Test DH with DH params: hand the brick the bundled dh1024.pem, restart it so
# the option takes effect, and then an EDH handshake must succeed.
# dh1024.pem is a test fixture only: a 1024-bit DH group is below current
# strength recommendations and should not be reused as a deployment parameter.
TEST $CLI volume set "$V0" ssl.dh-param "$(pwd)/$(dirname "$0")/dh1024.pem"
EXPECT "$(pwd)/$(dirname "$0")/dh1024.pem" volume_option "$V0" ssl.dh-param
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
# The brick may come back on a different port after a restart.
BRICK_PORT=$(brick_port "$V0")
EXPECT "Y" openssl_connect -cipher EDH -connect "$H0:$BRICK_PORT"
# Test the cipher-list option: pin the brick to a single suite, restart, and
# then compare the verifying client's result for a listed suite (AES256-SHA)
# and an unlisted one (AES128-SHA) against what check_cipher observes.
TEST $CLI volume set "$V0" ssl.cipher-list AES256-SHA
EXPECT AES256-SHA volume_option "$V0" ssl.cipher-list
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
cph=$(check_cipher -cipher AES256-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA -connect "$H0:$BRICK_PORT"
cph=$(check_cipher -cipher AES128-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES128-SHA -connect "$H0:$BRICK_PORT"
# Test the ec-curve option. First restrict the brick to ephemeral suites
# (EECDH:EDH, excluding TLSv1 suites) and restart; the curve settings themselves
# are exercised in the steps that follow.
TEST $CLI volume set "$V0" ssl.cipher-list EECDH:EDH:!TLSv1
EXPECT EECDH:EDH:!TLSv1 volume_option "$V0" ssl.cipher-list
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
# A static-RSA suite and an EECDH suite, each judged against check_cipher.
cph=$(check_cipher -cipher AES256-SHA -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher AES256-SHA -connect "$H0:$BRICK_PORT"
cph=$(check_cipher -cipher EECDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"
# An unknown curve name is accepted as an option value; after a restart the
# EECDH result must still match what check_cipher observes for this setting.
TEST $CLI volume set "$V0" ssl.ec-curve invalid
EXPECT invalid volume_option "$V0" ssl.ec-curve
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
cph=$(check_cipher -cipher EECDH -connect "$H0:$BRICK_PORT")
EXPECT "$cph" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"
# With a valid curve (secp521r1) configured and the brick restarted, an EECDH
# handshake must succeed outright.
TEST $CLI volume set "$V0" ssl.ec-curve secp521r1
EXPECT secp521r1 volume_option "$V0" ssl.ec-curve
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
BRICK_PORT=$(brick_port "$V0")
EXPECT "Y" openssl_connect -cipher EECDH -connect "$H0:$BRICK_PORT"
# Point the brick's CRL lookup at the scratch directory (where the hashed CRL
# symlink lives), mount the volume over FUSE while the node cert is still
# valid, and leave a file behind that later mount attempts are checked against.
TEST $CLI volume set "$V0" ssl.crl-path "$TMPDIR"
EXPECT "$TMPDIR" volume_option "$V0" ssl.crl-path
$GFS --volfile-id="$V0" --volfile-server="$H0" "$M0"
EXPECT "Y" wait_mount "$M0"
TEST_FILE=$(mktemp "$M0/${0##*/}.XXXXXX")
TEST test -f "$TEST_FILE"
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount "$M0"
# Revoke the node certificate and publish a fresh CRL listing it; the hashed
# symlink created earlier already resolves to SSL_CRL, so no relinking is needed.
TEST openssl ca -batch -config "$SSL_CFG" -revoke "$SSL_CERT" 2>&1
TEST openssl ca -config "$SSL_CFG" -gencrl -out "$SSL_CRL" 2>&1
# Although the client fails to mount without restarting the server once
# crl-path is set and no actual CRL file is found on the client, it would also
# fail when the server is restarted, for the same reason. Since the socket
# initialization code is shared by client and server, the CRL verification
# flags need to be turned off for the client to keep SSL from searching for
# CRLs in ssl.crl-path: if no CRL files are found there, SSL fails the client's
# connect() attempt.
# After the restart the mount must fail ("N") and the file created earlier must
# not be reachable through the mount point.
TEST $CLI volume stop "$V0"
TEST $CLI volume start "$V0"
$GFS --volfile-id="$V0" --volfile-server="$H0" "$M0"
EXPECT "N" wait_mount "$M0"
TEST ! test -f "$TEST_FILE"
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount "$M0"
# Succeed with CRL disabled: clearing ssl.crl-path (value NULL) and restarting
# the brick must let the mount succeed again and expose the earlier test file.
TEST $CLI volume stop "$V0"
TEST $CLI volume set "$V0" ssl.crl-path NULL
EXPECT NULL volume_option "$V0" ssl.crl-path
TEST $CLI volume start "$V0"
$GFS --volfile-id="$V0" --volfile-server="$H0" "$M0"
EXPECT "Y" wait_mount "$M0"
TEST test -f "$TEST_FILE"
# Tear down the final mount before the test exits.
EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount "$M0"