caleb-brown/redict
1
0
Fork 0
mirror of https://codeberg.org/redict/redict.git synced 2025-01-22 08:08:53 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
redict/tests/unit/tls.tcl
Drew DeVault 50ee0f5be8 all: let's go LGPL over GPL 
Based on feedback from interested parties
2024-03-21 20:11:44 +01:00

165 lines
5.6 KiB
Tcl
Raw Permalink Blame History

# SPDX-FileCopyrightText: 2024 Redict Contributors
# SPDX-FileCopyrightText: 2024 Salvatore Sanfilippo <antirez at gmail dot com>
#
# SPDX-License-Identifier: BSD-3-Clause
# SPDX-License-Identifier: LGPL-3.0-only
start_server {tags {"tls"}} {
if {$::tls} {
package require tls
test {TLS: Not accepting non-TLS connections on a TLS port} {
set s [redict [srv 0 host] [srv 0 port]]
catch {$s PING} e
set e
} {*I/O error*}
test {TLS: Verify tls-auth-clients behaves as expected} {
set s [redict [srv 0 host] [srv 0 port]]
::tls::import [$s channel]
catch {$s PING} e
assert_match {*error*} $e
r CONFIG SET tls-auth-clients no
set s [redict [srv 0 host] [srv 0 port]]
::tls::import [$s channel]
catch {$s PING} e
assert_match {PONG} $e
r CONFIG SET tls-auth-clients optional
set s [redict [srv 0 host] [srv 0 port]]
::tls::import [$s channel]
catch {$s PING} e
assert_match {PONG} $e
r CONFIG SET tls-auth-clients yes
set s [redict [srv 0 host] [srv 0 port]]
::tls::import [$s channel]
catch {$s PING} e
assert_match {*error*} $e
}
test {TLS: Verify tls-protocols behaves as expected} {
r CONFIG SET tls-protocols TLSv1.2
set s [redict [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}]
catch {$s PING} e
assert_match {*I/O error*} $e
set s [redict [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}]
catch {$s PING} e
assert_match {PONG} $e
r CONFIG SET tls-protocols ""
}
test {TLS: Verify tls-ciphers behaves as expected} {
r CONFIG SET tls-protocols TLSv1.2
r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256"
set s [redict [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
catch {$s PING} e
assert_match {*I/O error*} $e
set s [redict [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}]
catch {$s PING} e
assert_match {PONG} $e
r CONFIG SET tls-ciphers "DEFAULT"
set s [redict [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
catch {$s PING} e
assert_match {PONG} $e
r CONFIG SET tls-protocols ""
r CONFIG SET tls-ciphers "DEFAULT"
}
test {TLS: Verify tls-prefer-server-ciphers behaves as expected} {
r CONFIG SET tls-protocols TLSv1.2
r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256"
set s [redict [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
catch {$s PING} e
assert_match {PONG} $e
assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher]
r CONFIG SET tls-prefer-server-ciphers yes
set s [redict [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
catch {$s PING} e
assert_match {PONG} $e
assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher]
r CONFIG SET tls-protocols ""
r CONFIG SET tls-ciphers "DEFAULT"
}
test {TLS: Verify tls-cert-file is also used as a client cert if none specified} {
set master [srv 0 client]
set master_host [srv 0 host]
set master_port [srv 0 port]
# Use a non-restricted client/server cert for the replica
set redict_crt [format "%s/tests/tls/redict.crt" [pwd]]
set redict_key [format "%s/tests/tls/redict.key" [pwd]]
start_server [list overrides [list tls-cert-file $redict_crt tls-key-file $redict_key] \
omit [list tls-client-cert-file tls-client-key-file]] {
set replica [srv 0 client]
$replica replicaof $master_host $master_port
wait_for_condition 30 100 {
[string match {*master_link_status:up*} [$replica info replication]]
} else {
fail "Can't authenticate to master using just tls-cert-file!"
}
}
}
test {TLS: switch between tcp and tls ports} {
set srv_port [srv 0 port]
# TLS
set rd [redict [srv 0 host] $srv_port 0 1]
$rd PING
# TCP
$rd CONFIG SET tls-port 0
$rd CONFIG SET port $srv_port
$rd close
set rd [redict [srv 0 host] $srv_port 0 0]
$rd PING
# TLS
$rd CONFIG SET port 0
$rd CONFIG SET tls-port $srv_port
$rd close
set rd [redict [srv 0 host] $srv_port 0 1]
$rd PING
$rd close
}
test {TLS: Working with an encrypted keyfile} {
# Create an encrypted version
set keyfile [lindex [r config get tls-key-file] 1]
set keyfile_encrypted "$keyfile.encrypted"
exec -ignorestderr openssl rsa -in $keyfile -out $keyfile_encrypted -aes256 -passout pass:1234 2>/dev/null
# Using it without a password fails
catch {r config set tls-key-file $keyfile_encrypted} e
assert_match {*Unable to update TLS*} $e
# Now use a password
r config set tls-key-file-pass 1234
r config set tls-key-file $keyfile_encrypted
}
}
}
Reference in New Issue View Git Blame Copy Permalink