Remove broken mtls code
This commit is contained in:
Dirkjan Ochtman
Benjamin Fry
parent
978235f7cd
commit
cde6f908c2
|
|
@ -90,9 +90,6 @@ dns-over-tls = []
|
|||
tls-openssl = ["dns-over-openssl"]
|
||||
tls = ["dns-over-openssl"]
|
||||
|
||||
# WARNING: there is a bug in the mutual tls auth code at the moment see issue #100
|
||||
# mtls = ["hickory-client/mtls"]
|
||||
|
||||
webpki-roots = ["hickory-client/webpki-roots", "hickory-server/webpki-roots"]
|
||||
native-certs = ["hickory-client/native-certs", "hickory-server/native-certs"]
|
||||
|
||||
|
|
|
|||
|
|
@ -73,9 +73,6 @@ serde-config = ["serde", "url/serde"]
|
|||
# enables experimental the mDNS (multicast) feature
|
||||
mdns = ["socket2/all"]
|
||||
|
||||
# WARNING: there is a bug in the mutual tls auth code at the moment see issue #100
|
||||
# mtls = ["tls"]
|
||||
|
||||
wasm-bindgen = ["wasm-bindgen-crate", "js-sys"]
|
||||
|
||||
backtrace = ["dep:backtrace"]
|
||||
|
|
|
|||
|
|
@ -42,15 +42,7 @@ use crate::{iocompat::AsyncIoTokioAsStd, DnsStreamHandle};
|
|||
#[test]
|
||||
#[cfg_attr(target_os = "macos", ignore)] // TODO: add back once https://github.com/sfackler/rust-native-tls/issues/143 is fixed
|
||||
fn test_tls_client_stream_ipv4() {
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), false)
|
||||
}
|
||||
|
||||
// FIXME: mtls is disabled at the moment, it causes a hang on Linux, and is currently not supported on macOS
|
||||
#[cfg(feature = "mtls")]
|
||||
#[test]
|
||||
#[cfg(not(target_os = "macos"))]
|
||||
fn test_tls_client_stream_ipv4_mtls() {
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), true)
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)))
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
|
@ -74,7 +66,7 @@ fn read_file(path: &str) -> Vec<u8> {
|
|||
}
|
||||
|
||||
#[allow(unused, unused_mut)]
|
||||
fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
||||
fn tls_client_stream_test(server_addr: IpAddr) {
|
||||
let succeeded = Arc::new(atomic::AtomicBool::new(false));
|
||||
let succeeded_clone = succeeded.clone();
|
||||
thread::Builder::new()
|
||||
|
|
@ -117,28 +109,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
.spawn(move || {
|
||||
let mut tls = TlsAcceptor::builder(identity);
|
||||
|
||||
// #[cfg(target_os = "linux")]
|
||||
// {
|
||||
// let mut openssl_builder = tls.builder_mut();
|
||||
// let mut openssl_ctx_builder = openssl_builder.builder_mut();
|
||||
|
||||
// let mut mode = openssl::ssl::SslVerifyMode::empty();
|
||||
|
||||
// // TODO: mtls tests hang on Linux...
|
||||
// if mtls {
|
||||
// // mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
|
||||
// // let mut store = X509StoreBuilder::new().unwrap();
|
||||
// // let root_ca = X509::from_der(&root_cert_der_copy).unwrap();
|
||||
// // store.add_cert(root_ca).unwrap();
|
||||
// // openssl_ctx_builder.set_verify_cert_store(store.build()).unwrap();
|
||||
// } else {
|
||||
// mode.insert(SSL_VERIFY_NONE);
|
||||
// }
|
||||
|
||||
// openssl_ctx_builder.set_verify(mode);
|
||||
// }
|
||||
|
||||
// TODO: add CA on macOS
|
||||
|
||||
let tls = tls.build().expect("tls build failed");
|
||||
|
|
@ -199,11 +169,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
let mut builder = TlsStreamBuilder::<AsyncIoTokioAsStd<TokioTcpStream>>::new();
|
||||
builder.add_ca(trust_chain);
|
||||
|
||||
// fix MTLS
|
||||
// if mtls {
|
||||
// config_mtls(&root_pkey, &root_name, &root_cert, &mut builder);
|
||||
// }
|
||||
|
||||
let (stream, mut sender) = builder.build(server_addr, dns_name.to_string());
|
||||
|
||||
// TODO: there is a race failure here... a race with the server thread most likely...
|
||||
|
|
@ -226,20 +191,3 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
succeeded.store(true, std::sync::atomic::Ordering::Relaxed);
|
||||
server_handle.join().expect("server thread failed");
|
||||
}
|
||||
|
||||
// TODO: fix MTLS
|
||||
// #[allow(unused_variables)]
|
||||
// fn config_mtls(root_pkey: &PKey,
|
||||
// root_name: &X509Name,
|
||||
// root_cert: &X509,
|
||||
// builder: &mut TlsStreamBuilder) {
|
||||
// // signed by the same root cert
|
||||
// let client_name = "resolv.example.com";
|
||||
// let (_ /*client_pkey*/, _ /*client_cert*/, client_identity) =
|
||||
// cert(client_name, root_pkey, root_name, root_cert);
|
||||
// let client_identity =
|
||||
// native_tls::Pkcs12::from_der(&client_identity.to_der().unwrap(), "mypass").unwrap();
|
||||
|
||||
// #[cfg(feature = "mtls")]
|
||||
// builder.identity(client_identity);
|
||||
// }
|
||||
|
|
|
|||
|
|
@ -13,8 +13,6 @@ use std::pin::Pin;
|
|||
|
||||
use futures_util::TryFutureExt;
|
||||
use native_tls::Certificate;
|
||||
#[cfg(feature = "mtls")]
|
||||
use native_tls::Pkcs12;
|
||||
use tokio_native_tls::TlsStream as TokioTlsStream;
|
||||
|
||||
use crate::error::ProtoError;
|
||||
|
|
@ -46,12 +44,6 @@ impl<S: DnsTcpStream> TlsClientStreamBuilder<S> {
|
|||
self.0.add_ca(ca);
|
||||
}
|
||||
|
||||
/// Client side identity for client auth in TLS (aka mutual TLS auth)
|
||||
#[cfg(feature = "mtls")]
|
||||
pub fn identity(&mut self, pkcs12: Pkcs12) {
|
||||
self.0.identity(pkcs12);
|
||||
}
|
||||
|
||||
/// Sets the address to connect from.
|
||||
pub fn bind_addr(&mut self, bind_addr: SocketAddr) {
|
||||
self.0.bind_addr(bind_addr);
|
||||
|
|
|
|||
|
|
@ -86,12 +86,6 @@ impl<S: DnsTcpStream> TlsStreamBuilder<S> {
|
|||
self.ca_chain.push(ca);
|
||||
}
|
||||
|
||||
/// Client side identity for client auth in TLS (aka mutual TLS auth)
|
||||
#[cfg(feature = "mtls")]
|
||||
pub fn identity(&mut self, identity: Identity) {
|
||||
self.identity = Some(identity);
|
||||
}
|
||||
|
||||
/// Sets the address to connect from.
|
||||
pub fn bind_addr(&mut self, bind_addr: SocketAddr) {
|
||||
self.bind_addr = Some(bind_addr);
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@ use std::net::SocketAddr;
|
|||
use std::pin::Pin;
|
||||
|
||||
use futures_util::TryFutureExt;
|
||||
#[cfg(feature = "mtls")]
|
||||
use openssl::pkcs12::Pkcs12;
|
||||
use openssl::x509::X509;
|
||||
use tokio_openssl::SslStream as TokioTlsStream;
|
||||
|
||||
|
|
@ -54,12 +52,6 @@ impl<S: DnsTcpStream> TlsClientStreamBuilder<S> {
|
|||
Ok(())
|
||||
}
|
||||
|
||||
/// Client side identity for client auth in TLS (aka mutual TLS auth)
|
||||
#[cfg(feature = "mtls")]
|
||||
pub fn identity(&mut self, pkcs12: Pkcs12) {
|
||||
self.0.identity(pkcs12);
|
||||
}
|
||||
|
||||
/// Sets the address to connect from.
|
||||
pub fn bind_addr(&mut self, bind_addr: SocketAddr) {
|
||||
self.0.bind_addr(bind_addr);
|
||||
|
|
|
|||
|
|
@ -170,12 +170,6 @@ impl<S: DnsTcpStream> TlsStreamBuilder<S> {
|
|||
self.ca_chain.push(ca);
|
||||
}
|
||||
|
||||
/// Client side identity for client auth in TLS (aka mutual TLS auth)
|
||||
#[cfg(feature = "mtls")]
|
||||
pub fn identity(&mut self, pkcs12: ParsedPkcs12) {
|
||||
self.identity = Some(pkcs12);
|
||||
}
|
||||
|
||||
/// Sets the address to connect from.
|
||||
pub fn bind_addr(&mut self, bind_addr: SocketAddr) {
|
||||
self.bind_addr = Some(bind_addr);
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ use std::{thread, time};
|
|||
|
||||
use openssl::pkey::PKey;
|
||||
use openssl::ssl::*;
|
||||
use openssl::x509::store::X509StoreBuilder;
|
||||
use openssl::x509::*;
|
||||
|
||||
use futures_util::stream::StreamExt;
|
||||
|
|
@ -36,20 +35,12 @@ use crate::{iocompat::AsyncIoTokioAsStd, DnsStreamHandle};
|
|||
// #[cfg(not(target_os = "linux"))]
|
||||
#[test]
|
||||
fn test_tls_client_stream_ipv4() {
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), false)
|
||||
}
|
||||
|
||||
// FIXME: mtls is disabled at the moment, it causes a hang on Linux, and is currently not supported on macOS
|
||||
#[cfg(feature = "mtls")]
|
||||
#[test]
|
||||
#[cfg(not(target_os = "macos"))] // ignored until Travis-CI fixes IPv6
|
||||
fn test_tls_client_stream_ipv4_mtls() {
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), true)
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)))
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_tls_client_stream_ipv6() {
|
||||
tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)), false)
|
||||
tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)))
|
||||
}
|
||||
|
||||
const TEST_BYTES: &[u8; 8] = b"DEADBEEF";
|
||||
|
|
@ -65,7 +56,7 @@ fn read_file(path: &str) -> Vec<u8> {
|
|||
}
|
||||
|
||||
#[allow(unused_mut)]
|
||||
fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
||||
fn tls_client_stream_test(server_addr: IpAddr) {
|
||||
let succeeded = Arc::new(atomic::AtomicBool::new(false));
|
||||
let succeeded_clone = succeeded.clone();
|
||||
thread::Builder::new()
|
||||
|
|
@ -88,7 +79,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
println!("using server src path: {server_path}");
|
||||
|
||||
let root_cert_der = read_file(&format!("{server_path}/tests/test-data/ca.der"));
|
||||
let root_cert_der_copy = root_cert_der.clone();
|
||||
|
||||
// Generate X509 certificate
|
||||
let ca = X509::from_der(&root_cert_der).expect("could not read CA");
|
||||
|
|
@ -124,23 +114,8 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
|
||||
{
|
||||
let mut openssl_ctx_builder = &mut tls;
|
||||
|
||||
let mut mode = SslVerifyMode::empty();
|
||||
|
||||
// FIXME: mtls tests hang on Linux...
|
||||
if mtls {
|
||||
mode = SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT;
|
||||
|
||||
let mut store = X509StoreBuilder::new().unwrap();
|
||||
let root_ca = X509::from_der(&root_cert_der_copy).unwrap();
|
||||
store.add_cert(root_ca).unwrap();
|
||||
openssl_ctx_builder
|
||||
.set_verify_cert_store(store.build())
|
||||
.unwrap();
|
||||
} else {
|
||||
mode.insert(SslVerifyMode::NONE);
|
||||
}
|
||||
|
||||
mode.insert(SslVerifyMode::NONE);
|
||||
openssl_ctx_builder.set_verify(mode);
|
||||
}
|
||||
|
||||
|
|
@ -206,12 +181,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
.with_root_certificates(roots)
|
||||
.with_no_client_auth();
|
||||
|
||||
// barrier.wait();
|
||||
// fix MTLS
|
||||
// if mtls {
|
||||
// config_mtls(&root_pkey, &root_name, &root_cert, &mut builder);
|
||||
// }
|
||||
|
||||
let (stream, mut sender) = tls_connect::<AsyncIoTokioAsStd<TokioTcpStream>>(
|
||||
server_addr,
|
||||
dns_name.to_string(),
|
||||
|
|
@ -237,20 +206,3 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
succeeded.store(true, std::sync::atomic::Ordering::Relaxed);
|
||||
server_handle.join().expect("server thread failed");
|
||||
}
|
||||
|
||||
// TODO: fix MTLS
|
||||
// #[allow(unused_variables)]
|
||||
// fn config_mtls(root_pkey: &PKey,
|
||||
// root_name: &X509Name,
|
||||
// root_cert: &X509,
|
||||
// builder: &mut TlsStreamBuilder) {
|
||||
// // signed by the same root cert
|
||||
// let client_name = "resolv.example.com";
|
||||
// let (_ /*client_pkey*/, _ /*client_cert*/, client_identity) =
|
||||
// cert(client_name, root_pkey, root_name, root_cert);
|
||||
// let client_identity =
|
||||
// native_tls::server_cert::from_der(&client_identity.to_der().unwrap(), "mypass").unwrap();
|
||||
|
||||
// #[cfg(feature = "mtls")]
|
||||
// builder.identity(client_identity);
|
||||
// }
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ use std::{thread, time};
|
|||
use futures_util::stream::StreamExt;
|
||||
use openssl::pkey::*;
|
||||
use openssl::ssl::*;
|
||||
use openssl::x509::store::X509StoreBuilder;
|
||||
use openssl::x509::*;
|
||||
use tokio::net::TcpStream as TokioTcpStream;
|
||||
use tokio::runtime::Runtime;
|
||||
|
|
@ -30,7 +29,6 @@ use openssl::pkcs12::*;
|
|||
use openssl::rsa::*;
|
||||
use openssl::x509::extension::*;
|
||||
|
||||
use hickory_proto::tcp::Connect;
|
||||
use hickory_proto::xfer::SerialMessage;
|
||||
use hickory_proto::{iocompat::AsyncIoTokioAsStd, DnsStreamHandle};
|
||||
|
||||
|
|
@ -42,27 +40,19 @@ use hickory_proto::openssl::TlsStreamBuilder;
|
|||
// #[cfg(not(target_os = "linux"))]
|
||||
#[test]
|
||||
fn test_tls_client_stream_ipv4() {
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), false)
|
||||
}
|
||||
|
||||
// FIXME: mtls is disabled at the moment, it causes a hang on Linux, and is currently not supported on macOS
|
||||
#[cfg(feature = "mtls")]
|
||||
#[test]
|
||||
#[cfg(not(target_os = "macos"))] // ignored until Travis-CI fixes IPv6
|
||||
fn test_tls_client_stream_ipv4_mtls() {
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), true)
|
||||
tls_client_stream_test(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)))
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_tls_client_stream_ipv6() {
|
||||
tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)), false)
|
||||
tls_client_stream_test(IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)))
|
||||
}
|
||||
|
||||
const TEST_BYTES: &[u8; 8] = b"DEADBEEF";
|
||||
const TEST_BYTES_LEN: usize = 8;
|
||||
|
||||
#[allow(unused_mut)]
|
||||
fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
||||
fn tls_client_stream_test(server_addr: IpAddr) {
|
||||
let succeeded = Arc::new(atomic::AtomicBool::new(false));
|
||||
let succeeded_clone = succeeded.clone();
|
||||
thread::Builder::new()
|
||||
|
|
@ -97,9 +87,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
|
||||
let send_recv_times = 4;
|
||||
|
||||
// an in and out server
|
||||
let root_cert_der_copy = root_cert_der.clone();
|
||||
|
||||
let server_handle = thread::Builder::new()
|
||||
.name("test_tls_client_stream:server".to_string())
|
||||
.spawn(move || {
|
||||
|
|
@ -126,23 +113,8 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
|
||||
{
|
||||
let mut openssl_ctx_builder = &mut tls;
|
||||
|
||||
let mut mode = SslVerifyMode::empty();
|
||||
|
||||
// FIXME: mtls tests hang on Linux...
|
||||
if mtls {
|
||||
mode = SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT;
|
||||
|
||||
let mut store = X509StoreBuilder::new().unwrap();
|
||||
let root_ca = X509::from_der(&root_cert_der_copy).unwrap();
|
||||
store.add_cert(root_ca).unwrap();
|
||||
openssl_ctx_builder
|
||||
.set_verify_cert_store(store.build())
|
||||
.unwrap();
|
||||
} else {
|
||||
mode.insert(SslVerifyMode::NONE);
|
||||
}
|
||||
|
||||
mode.insert(SslVerifyMode::NONE);
|
||||
openssl_ctx_builder.set_verify(mode);
|
||||
}
|
||||
|
||||
|
|
@ -206,10 +178,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
let mut builder = TlsStreamBuilder::<AsyncIoTokioAsStd<TokioTcpStream>>::new();
|
||||
builder.add_ca(trust_chain);
|
||||
|
||||
if mtls {
|
||||
config_mtls(&root_pkey, &root_name, &root_cert, &mut builder);
|
||||
}
|
||||
|
||||
let (stream, mut sender) = builder.build(server_addr, subject_name.to_string());
|
||||
|
||||
// TODO: there is a race failure here... a race with the server thread most likely...
|
||||
|
|
@ -232,30 +200,6 @@ fn tls_client_stream_test(server_addr: IpAddr, mtls: bool) {
|
|||
server_handle.join().expect("server thread failed");
|
||||
}
|
||||
|
||||
#[allow(unused_variables)]
|
||||
fn config_mtls<S: Connect>(
|
||||
root_pkey: &PKey<Private>,
|
||||
root_name: &X509Name,
|
||||
root_cert: &X509,
|
||||
builder: &mut TlsStreamBuilder<S>,
|
||||
) {
|
||||
#[cfg(feature = "mtls")]
|
||||
{
|
||||
// signed by the same root cert
|
||||
let client_name = "resolv.example.com";
|
||||
let (_ /*client_pkey*/, _ /*client_cert*/, client_identity) =
|
||||
cert(client_name, root_pkey, root_name, root_cert);
|
||||
|
||||
let client_identity = Pkcs12::from_der(&client_identity)
|
||||
.and_then(|p| p.parse("mypass"))
|
||||
.expect("Pkcs12::from_der");
|
||||
let client_identity =
|
||||
Pkcs12::from_der(&client_identity.to_der().unwrap(), "mypass").unwrap();
|
||||
|
||||
builder.identity(client_identity);
|
||||
}
|
||||
}
|
||||
|
||||
/// Generates a root certificate
|
||||
fn root_ca() -> (PKey<Private>, X509Name, X509) {
|
||||
let subject_name = "root.example.com";
|
||||
|
|
|
|||
|
|
@ -103,9 +103,6 @@ tls = ["dns-over-openssl"]
|
|||
webpki-roots = ["hickory-resolver/webpki-roots"]
|
||||
native-certs = ["hickory-resolver/native-certs"]
|
||||
|
||||
# WARNING: there is a bug in the mutual tls auth code at the moment see issue #100
|
||||
# mtls = ["hickory-client/mtls"]
|
||||
|
||||
testing = []
|
||||
|
||||
[lib]
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user