-# $OpenBSD: Client.pm,v 1.9 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Client.pm,v 1.10 2015/05/22 19:09:18 bluhm Exp $
-# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
print STDERR "connect sock: ",$cs->sockhost()," ",$cs->sockport(),"\n";
print STDERR "connect peer: ",$cs->peerhost()," ",$cs->peerport(),"\n";
+ if ($self->{ssl}) {
+ print STDERR "ssl version: ",$cs->get_sslversion(),"\n";
+ print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
+ print STDERR "ssl peer certificate:\n",
+ $cs->dump_peer_certificate();
+ }
*STDIN = *STDOUT = $self->{cs} = $cs;
}
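Review bot: The added dump is diagnostic only, and nothing visible here checks the peer certificate against ca.crt, so the only assurance in the inspection tests that relayd re-signed the certificate is the `loggrep` on the Issuer line in the args files; a comment such as `# diagnostic only: the peer certificate is logged, not verified; tests grep the Issuer line` would make that explicit for the next reader. The same six lines are added verbatim to Server.pm's accept path; if the two classes share a base (not visible in this diff), a helper like `$self->log_ssl($cs)` called from both would keep the output format, which the loggrep patterns depend on, in one place. The enclosing method starts before the hunk.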
-# $OpenBSD: Makefile,v 1.10 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Makefile,v 1.11 2015/05/22 19:09:18 bluhm Exp $
# The following ports must be installed for the regression tests:
# p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
# create certificates for TLS
.for ip in ${REMOTE_ADDR} 127.0.0.1
-${ip}.crt:
+${ip}.crt: ca.crt
openssl req -batch -new -subj /L=OpenBSD/O=relayd-regress/OU=relay/CN=${ip}/ -nodes -newkey rsa -keyout ${ip}.key -x509 -out $@
.if empty (REMOTE_SSH)
${SUDO} cp 127.0.0.1.crt /etc/ssl/
.else
scp ${REMOTE_ADDR}.crt root@${REMOTE_SSH}:/etc/ssl/
scp ${REMOTE_ADDR}.key root@${REMOTE_SSH}:/etc/ssl/private/
+ scp ca.crt ca.key ${REMOTE_SSH}:
.endif
.endfor
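Review bot: The new `scp ca.crt ca.key ${REMOTE_SSH}:` copies the CA private key into the remote login user's home directory with whatever mode scp and the remote umask give it, while the relay keys two lines above go to `/etc/ssl/private/` as root; since the generated relayd config references this key with an empty password, the key is unencrypted on both hosts. That is probably acceptable for a regress fixture, but say so, e.g. `# ca.key is unencrypted; relayd on the remote host reads ca.crt/ca.key from the test directory`. The added `${ip}.crt: ca.crt` dependency does not make the recipe sign with the CA (it still passes `-x509`), so it presumably only guarantees ca.crt exists before the copy; a one-line comment stating that would stop a reader from assuming the relay certificates are CA-issued. The rule that generates ca.crt and ca.key is not in this hunk.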
-# $OpenBSD: Relayd.pm,v 1.14 2015/05/17 22:49:03 bluhm Exp $
+# $OpenBSD: Relayd.pm,v 1.15 2015/05/22 19:09:18 bluhm Exp $
-# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
die ref($self), " invalid forward $self->{forward}"
unless grep { /splice/ } @protocol;
print $fh "${proto}protocol proto-$test {";
+ if ($self->{inspectssl}) {
+ $self->{listenssl} = $self->{forwardssl} = 1;
+ print $fh "\n\ttls ca cert ca.crt";
+ print $fh "\n\ttls ca key ca.key password ''";
+ }
# substitute variables in config file
foreach (@protocol) {
s/(\$[a-z]+)/$1/eeg;
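Review bot: The `inspectssl` branch silently overrides any `listenssl`/`forwardssl` value the test supplied and writes the CA key into the config with `password ''`, and neither is explained. Add a comment before the `if`, e.g. `# TLS inspection needs TLS on both legs: relayd presumably terminates the client side with a certificate re-signed by ca.crt and opens its own TLS connection to the server; ca.key is generated unencrypted, hence the empty password`. Whether the `listen`/`forward` directives that consume these two flags are printed after this point is not visible in the hunk; if they are emitted before the protocol block, the override comes too late and the flags should instead be set where the object is constructed. The enclosing function starts and ends outside the hunk.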
-# $OpenBSD: Server.pm,v 1.7 2014/12/31 01:25:07 bluhm Exp $
+# $OpenBSD: Server.pm,v 1.8 2015/05/22 19:09:18 bluhm Exp $
-# Copyright (c) 2010-2014 Alexander Bluhm <bluhm@openbsd.org>
+# Copyright (c) 2010-2015 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
" socket accept failed: $!,$SSL_ERROR";
print STDERR "accept sock: ",$as->sockhost()," ",$as->sockport(),"\n";
print STDERR "accept peer: ",$as->peerhost()," ",$as->peerport(),"\n";
+ if ($self->{ssl}) {
+ print STDERR "ssl version: ",$as->get_sslversion(),"\n";
+ print STDERR "ssl cipher: ",$as->get_cipher(),"\n";
+ print STDERR "ssl peer certificate:\n",
+ $as->dump_peer_certificate();
+ }
*STDIN = *STDOUT = $self->{as} = $as;
}
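Review bot: `$as->dump_peer_certificate()` on the accepted socket only yields something if the server asked for a client certificate and the peer (relayd in the inspection tests) presented one; otherwise IO::Socket::SSL may hand back an empty or undefined value and, if this file runs under `use warnings`, the print puts an uninitialized-value warning into the very log the tests grep. Guard it, `$as->dump_peer_certificate() // "(none)\n"`, and add a comment that the block is diagnostic only and performs no verification. The enclosing method starts before the hunk.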
--- /dev/null
+# test https connection over http relay with TLS inspection
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ func => \&http_client,
+ ssl => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+ },
+ relayd => {
+ protocol => [ "http",
+ "match request header log foo",
+ "match response header log bar",
+ ],
+ inspectssl => 1,
+ },
+ server => {
+ func => \&http_server,
+ ssl => 1,
+ },
+ len => 251,
+ md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
+);
+
+1;
client => {
func => \&http_client,
ssl => 1,
+ loggrep => 'Issuer.*/OU=relay/',
},
relayd => {
protocol => [ "http",
--- /dev/null
+# test both client and server ssl connection with TLS inspection
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ ssl => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+ },
+ relayd => {
+ inspectssl => 1,
+ },
+ server => {
+ ssl => 1,
+ },
+ len => 251,
+ md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
+);
+
+1;
our %args = (
client => {
ssl => 1,
+ loggrep => 'Issuer.*/OU=relay/',
},
relayd => {
forwardssl => 1,