
  1. start_server {tags {"tls"}} {
  2. if {$::tls} {
  3. package require tls
  4. test {TLS: Not accepting non-TLS connections on a TLS port} {
  5. set s [redis [srv 0 host] [srv 0 port]]
  6. catch {$s PING} e
  7. set e
  8. } {*I/O error*}
  9. test {TLS: Verify tls-auth-clients behaves as expected} {
  10. set s [redis [srv 0 host] [srv 0 port]]
  11. ::tls::import [$s channel]
  12. catch {$s PING} e
  13. assert_match {*error*} $e
  14. r CONFIG SET tls-auth-clients no
  15. set s [redis [srv 0 host] [srv 0 port]]
  16. ::tls::import [$s channel]
  17. catch {$s PING} e
  18. assert_match {PONG} $e
  19. r CONFIG SET tls-auth-clients optional
  20. set s [redis [srv 0 host] [srv 0 port]]
  21. ::tls::import [$s channel]
  22. catch {$s PING} e
  23. assert_match {PONG} $e
  24. r CONFIG SET tls-auth-clients yes
  25. set s [redis [srv 0 host] [srv 0 port]]
  26. ::tls::import [$s channel]
  27. catch {$s PING} e
  28. assert_match {*error*} $e
  29. }
  30. test {TLS: Verify tls-protocols behaves as expected} {
  31. r CONFIG SET tls-protocols TLSv1.2
  32. set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}]
  33. catch {$s PING} e
  34. assert_match {*I/O error*} $e
  35. set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}]
  36. catch {$s PING} e
  37. assert_match {PONG} $e
  38. r CONFIG SET tls-protocols ""
  39. }
  40. test {TLS: Verify tls-ciphers behaves as expected} {
  41. r CONFIG SET tls-protocols TLSv1.2
  42. r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256"
  43. set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
  44. catch {$s PING} e
  45. assert_match {*I/O error*} $e
  46. set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}]
  47. catch {$s PING} e
  48. assert_match {PONG} $e
  49. r CONFIG SET tls-ciphers "DEFAULT"
  50. set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}]
  51. catch {$s PING} e
  52. assert_match {PONG} $e
  53. r CONFIG SET tls-protocols ""
  54. r CONFIG SET tls-ciphers "DEFAULT"
  55. }
  56. test {TLS: Verify tls-prefer-server-ciphers behaves as expected} {
  57. r CONFIG SET tls-protocols TLSv1.2
  58. r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256"
  59. set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
  60. catch {$s PING} e
  61. assert_match {PONG} $e
  62. assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher]
  63. r CONFIG SET tls-prefer-server-ciphers yes
  64. set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}]
  65. catch {$s PING} e
  66. assert_match {PONG} $e
  67. assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher]
  68. r CONFIG SET tls-protocols ""
  69. r CONFIG SET tls-ciphers "DEFAULT"
  70. }
  71. test {TLS: Verify tls-cert-file is also used as a client cert if none specified} {
  72. set master [srv 0 client]
  73. set master_host [srv 0 host]
  74. set master_port [srv 0 port]
  75. # Use a non-restricted client/server cert for the replica
  76. set redis_crt [format "%s/tests/tls/redis.crt" [pwd]]
  77. set redis_key [format "%s/tests/tls/redis.key" [pwd]]
  78. start_server [list overrides [list tls-cert-file $redis_crt tls-key-file $redis_key] \
  79. omit [list tls-client-cert-file tls-client-key-file]] {
  80. set replica [srv 0 client]
  81. $replica replicaof $master_host $master_port
  82. wait_for_condition 30 100 {
  83. [string match {*master_link_status:up*} [$replica info replication]]
  84. } else {
  85. fail "Can't authenticate to master using just tls-cert-file!"
  86. }
  87. }
  88. }
  89. test {TLS: switch between tcp and tls ports} {
  90. set srv_port [srv 0 port]
  91. # TLS
  92. set rd [redis [srv 0 host] $srv_port 0 1]
  93. $rd PING
  94. # TCP
  95. $rd CONFIG SET tls-port 0
  96. $rd CONFIG SET port $srv_port
  97. $rd close
  98. set rd [redis [srv 0 host] $srv_port 0 0]
  99. $rd PING
  100. # TLS
  101. $rd CONFIG SET port 0
  102. $rd CONFIG SET tls-port $srv_port
  103. $rd close
  104. set rd [redis [srv 0 host] $srv_port 0 1]
  105. $rd PING
  106. $rd close
  107. }
  108. test {TLS: Working with an encrypted keyfile} {
  109. # Create an encrypted version
  110. set keyfile [lindex [r config get tls-key-file] 1]
  111. set keyfile_encrypted "$keyfile.encrypted"
  112. exec -ignorestderr openssl rsa -in $keyfile -out $keyfile_encrypted -aes256 -passout pass:1234 2>/dev/null
  113. # Using it without a password fails
  114. catch {r config set tls-key-file $keyfile_encrypted} e
  115. assert_match {*Unable to update TLS*} $e
  116. # Now use a password
  117. r config set tls-key-file-pass 1234
  118. r config set tls-key-file $keyfile_encrypted
  119. }
  120. }
  121. }