[ https://issues.apache.org/jira/browse/THRIFT-4084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873439#comment-15873439 ]

ASF GitHub Bot commented on THRIFT-4084:
----------------------------------------

Github user nsuke commented on a diff in the pull request:

    https://github.com/apache/thrift/pull/1197#discussion_r101907745
  
    --- Diff: test/secure/test_secure.bash ---
    @@ -0,0 +1,69 @@
    +#!/bin/bash
    +
    +#
    +# Checks various desired attributes in SSL/TLS implementations.
    +#
    +
    +THRIFTHOST=localhost
    +THRIFTPORT=9090
    +
    +while [[ $# -ge 1 ]]; do
    +  arg="$1"
    +  argIN=(${arg//=/ })
    +
    +  case ${argIN[0]} in
    +    -h|--host)
    +    THRIFTHOST=${argIN[1]}
    +    shift # past argument
    +    ;;
    +    -p|--port)
    +    THRIFTPORT=${argIN[1]}
    +    shift # past argument
    +    ;;
    +    *)
    +          # unknown option ignored
    +    ;;
    +  esac
    +
    +  shift   # past argument or value
    +done
    +
    +#
    +# Negotiation Test Expectations
    +#
    +
    +declare -A EXPECT_NEGOTIATE
    +EXPECT_NEGOTIATE[ssl3]=0
    +EXPECT_NEGOTIATE[tls1]=1
    +EXPECT_NEGOTIATE[tls1_1]=1
    +EXPECT_NEGOTIATE[tls1_2]=1
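Review bot: the option loop double-shifts. `argIN=(${arg//=/ })` only fills `argIN[1]` for the `--host=value` form, yet the `-h|--host` and `-p|--port` branches `shift` once and the loop shifts again after `esac`, so `--host=foo --port=9091` silently drops `--port=9091`, while the space-separated form `--host foo` leaves `THRIFTHOST` empty. Either drop the per-branch `shift` when the value came from the `=` split, or take the value from `$2` and keep the extra shift; quoting the expansion (`"${arg%%=*}"` / `"${arg#*=}"`) would also avoid word-splitting a host name. Separately, `declare -A` requires bash 4, so the script will not run under macOS's stock bash 3.2.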
    --- End diff --
    
    Maybe split to multiple `tests.json` entries for no-ssl3 (and 2 ?) and tls 1.x tests ?
    We wouldn't want any of the former in known_failures.


> Improve SSL security in thrift by adding a make cross client that checks to 
> make sure SSLv3 protocol cannot be negotiated
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4084
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4084
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Test Suite
>    Affects Versions: 0.10.0
>         Environment: Ubuntu Dockerfile
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>              Labels: cross-validation, security, ssl, tls
>
> Following code review discussions in THRIFT-3369, and seeing THRIFT-3165 in 
> the backlog, I want to add a make cross "language" which isn't a language at 
> all, but a test that checks to see if it is possible to negotiate at various 
> SSL/TLS protocol versions.  This would be a client-only test, likely just a 
> bash script that leverages the openssl client and command line options to 
> connect to a test server and see if it handshakes and negotiates protocol 
> successfully.
> Without THRIFT-3165 implemented, it will ensure:
> * Can handshake using the universal SSLv23 context, however cannot negotiate 
> SSLv3
> * Can negotiate TLSv1.0, TLSv1.1, and TLSv1.2
> With THRIFT-3165 it needs to change to ensure:
> * Can handshake using TLSv1.2 but not any other version
> The solution I came up with was to add a new client called "secure" to make 
> crosstest.  test_secure is a simple bash script that checks the appropriate 
> rules above (the ones without THRIFT-3165, since it is not done), and I added 
> "secure" to the list of cross test "languages" in the top level configure 
> script.
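The negotiation check the issue describes (probe the server once per SSL/TLS version with the openssl client and compare against a table of expected outcomes), written out as an added example; this is not the Thrift project's `test_secure` script. It assumes `THRIFTHOST`/`THRIFTPORT` environment variables, a `--run` flag, and that `openssl s_client -help` lists each supported `-<proto>` flag (used to tell "the server refused SSLv3" apart from "this openssl build cannot even request SSLv3", which a plain exit-status check would report as a pass). It is POSIX sh rather than bash 4 so it also runs where `declare -A` is unavailable.

```shell
#!/bin/sh
# Added example, not the Thrift project's test_secure script: probe a TLS
# server with `openssl s_client` once per protocol version and compare the
# outcome with an expectation table. POSIX sh on purpose (no bash 4
# associative arrays), so it runs under dash and macOS's bash 3.2 as well.

# Assumed environment variables (not part of the original script).
THRIFTHOST=${THRIFTHOST:-localhost}
THRIFTPORT=${THRIFTPORT:-9090}

# Expectation table, one "proto=expect" entry per line:
# 1 = handshake must succeed, 0 = handshake must be refused.
EXPECT_NEGOTIATE="ssl3=0
tls1=1
tls1_1=1
tls1_2=1"

# Real probe. Exit status: 0 handshake completed, 1 handshake refused,
# 2 this openssl build cannot even request the version.
openssl_probe() {
  proto=$1
  # Assumption: `openssl s_client -help` lists every supported -<proto> flag.
  if ! openssl s_client -help 2>&1 | grep -Eq "^ *-${proto}( |\$)"; then
    return 2
  fi
  openssl s_client -connect "${THRIFTHOST}:${THRIFTPORT}" "-${proto}" \
    </dev/null >/dev/null 2>&1
}

# Indirection so a stub can replace the network probe (used by the tests).
PROBE=${PROBE:-openssl_probe}

# Runs every expectation; prints one line per protocol and returns the
# number of mismatches (0 = every expectation met).
check_negotiation() {
  failures=0
  for entry in $EXPECT_NEGOTIATE; do
    proto=${entry%%=*}
    expect=${entry#*=}
    rc=0
    "$PROBE" "$proto" || rc=$?
    if [ "$rc" -eq 2 ]; then
      # A version the client cannot request is not a proven refusal: an
      # expected "refused" stays unverified and is counted as a failure.
      echo "UNVERIFIED $proto (unsupported by this openssl build)"
      if [ "$expect" -eq 0 ]; then
        failures=$((failures + 1))
      fi
      continue
    fi
    got=0
    if [ "$rc" -eq 0 ]; then
      got=1
    fi
    if [ "$got" -eq "$expect" ]; then
      echo "PASS $proto negotiated=$got"
    else
      echo "FAIL $proto negotiated=$got expected=$expect"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Run the live probes only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  check_negotiation
  exit $?
fi
```

Usage: `THRIFTHOST=localhost THRIFTPORT=9090 sh check_negotiation.sh --run`; the exit status is the number of mismatched expectations, so a cross-test harness can treat any non-zero result as a failed "secure" client. Switching to the post-THRIFT-3165 rules is only a change to the `EXPECT_NEGOTIATE` table (tls1_2=1, everything else 0).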



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)