mirror of
https://codeberg.org/redict/redict.git
synced 2025-01-23 00:28:26 -05:00
8c291b97b9
This adds a new `tls-client-cert-file` and `tls-client-key-file` configuration directives which make it possible to use different certificates for the TLS-server and TLS-client functions of Redis. This is an optional directive. If it is not specified the `tls-cert-file` and `tls-key-file` directives are used for TLS client functions as well. Also, `utils/gen-test-certs.sh` now creates additional server-only and client-only certs and will skip intensive operations if target files already exist.
119 lines
4.1 KiB
Tcl
119 lines
4.1 KiB
Tcl
start_server {tags {"tls"}} {
|
|
if {$::tls} {
|
|
package require tls
|
|
|
|
test {TLS: Not accepting non-TLS connections on a TLS port} {
|
|
set s [redis [srv 0 host] [srv 0 port]]
|
|
catch {$s PING} e
|
|
set e
|
|
} {*I/O error*}
|
|
|
|
test {TLS: Verify tls-auth-clients behaves as expected} {
|
|
set s [redis [srv 0 host] [srv 0 port]]
|
|
::tls::import [$s channel]
|
|
catch {$s PING} e
|
|
assert_match {*error*} $e
|
|
|
|
r CONFIG SET tls-auth-clients no
|
|
|
|
set s [redis [srv 0 host] [srv 0 port]]
|
|
::tls::import [$s channel]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
r CONFIG SET tls-auth-clients optional
|
|
|
|
set s [redis [srv 0 host] [srv 0 port]]
|
|
::tls::import [$s channel]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
r CONFIG SET tls-auth-clients yes
|
|
|
|
set s [redis [srv 0 host] [srv 0 port]]
|
|
::tls::import [$s channel]
|
|
catch {$s PING} e
|
|
assert_match {*error*} $e
|
|
}
|
|
|
|
test {TLS: Verify tls-protocols behaves as expected} {
|
|
r CONFIG SET tls-protocols TLSv1.2
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}]
|
|
catch {$s PING} e
|
|
assert_match {*I/O error*} $e
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
r CONFIG SET tls-protocols ""
|
|
}
|
|
|
|
test {TLS: Verify tls-ciphers behaves as expected} {
|
|
r CONFIG SET tls-protocols TLSv1.2
|
|
r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256"
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
|
|
catch {$s PING} e
|
|
assert_match {*I/O error*} $e
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
r CONFIG SET tls-ciphers "DEFAULT"
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
r CONFIG SET tls-protocols ""
|
|
r CONFIG SET tls-ciphers "DEFAULT"
|
|
}
|
|
|
|
test {TLS: Verify tls-prefer-server-ciphers behaves as expected} {
|
|
r CONFIG SET tls-protocols TLSv1.2
|
|
r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256"
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher]
|
|
|
|
r CONFIG SET tls-prefer-server-ciphers yes
|
|
|
|
set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
|
|
catch {$s PING} e
|
|
assert_match {PONG} $e
|
|
|
|
assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher]
|
|
|
|
r CONFIG SET tls-protocols ""
|
|
r CONFIG SET tls-ciphers "DEFAULT"
|
|
}
|
|
|
|
test {TLS: Verify tls-cert-file is also used as a client cert if none specified} {
|
|
set master [srv 0 client]
|
|
set master_host [srv 0 host]
|
|
set master_port [srv 0 port]
|
|
|
|
# Use a non-restricted client/server cert for the replica
|
|
set redis_crt [format "%s/tests/tls/redis.crt" [pwd]]
|
|
set redis_key [format "%s/tests/tls/redis.key" [pwd]]
|
|
|
|
start_server [list overrides [list tls-cert-file $redis_crt tls-key-file $redis_key] \
|
|
omit [list tls-client-cert-file tls-client-key-file]] {
|
|
set replica [srv 0 client]
|
|
$replica replicaof $master_host $master_port
|
|
wait_for_condition 30 100 {
|
|
[string match {*master_link_status:up*} [$replica info replication]]
|
|
} else {
|
|
fail "Can't authenticate to master using just tls-cert-file!"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|