Easier testing of TLS errors and feature that are visible to necko
Categories
(Core :: Networking: HTTP, task, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox108 | --- | fixed |
People
(Reporter: dragana, Assigned: valentin)
References
(Blocks 4 open bugs)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file)
|
(deleted),
text/x-phabricator-request
|
Details |
There is a lot of nss features that are tidily related to necko, e.g. 0rtt, ECH, etc. Also, good testing for different TLS errors is desirable as well.
We have some tests, e.g. ECH test, etc.
We would like to have a server that is easy to set up, start and stop. The server should produce the following:
- rejects the client ClientHello.
- sends malformed ServerHello that will be rejected by the client.
- sends certificates that will be rejected by the client.
- has ECH configured (with different outcomes; we probably already have everything needed for this)
|
Reporter | |
Comment 1•3 years ago
|
||
NSS tolerates some errors and triggers a new connection in necko. We should have a server that would produce such behavior. There are multiple ways to get in such a situation, but a server that produces one such situation would be enough.
|
|
Reporter | |
Comment 2•3 years ago
|
||
Dennis, am I missing sommeting? Would you be able to help with this?
|
||
Comment 3•3 years ago
|
||
BoGo seems like a good option. We run it against NSS, although I haven't looked at the details and whether it needs some attention. You can spin up a broken TLS server fairly easily: relevant options.
Does it look like the right tool for your needs?
|
|
||
Updated•3 years ago
|
|
|
Reporter | |
Comment 5•2 years ago
|
||
The errors that will trigger a retry when 0RTT is used (see this code and this code):
- SSL_ERROR_PROTOCOL_VERSION_ALERT
- SSL_ERROR_BAD_MAC_ALERT
- SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA
- SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT will be added in https://phabricator.services.mozilla.com/D139302
A retry will be triggered also due to a TLS version intolerance: https://searchfox.org/mozilla-central/rev/1fb9316c260bddcd5e6aa2ca1b04e46cb5afb7fd/security/manager/ssl/nsNSSIOLayer.cpp#968
We also want to test cases when a transaction is not restarted. For that, we should test when a SSL_ERROR_BAD_CERT_ALERT error is produced. Here we may also use a normal TLS server that is configured with the wrong certificate.
|
||
Comment 6•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
|
||
Comment 9•2 years ago
|
||
Backed out changeset b9a80242b74c (bug 1754746) for causing xpc failures in security/manager/ssl/tests/unit/test_ev_certs.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/045cb7a4ce9408d5c59b92d0eab7e0b674accdea
TEST-UNEXPECTED-FAIL | security/manager/ssl/tests/unit/test_ev_certs.js | xpcshell return code: 0
[task 2022-10-26T07:00:15.076Z] 07:00:15 INFO - TEST-INFO took 1474ms
[task 2022-10-26T07:00:15.076Z] 07:00:15 INFO - >>>>>>>
[task 2022-10-26T07:00:15.076Z] 07:00:15 INFO - (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2022-10-26T07:00:15.076Z] 07:00:15 INFO - (xpcshell/head.js) | test run_next_test 0 pending (2)
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - (xpcshell/head.js) | test MAIN run_test finished (2)
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - running event loop
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - security/manager/ssl/tests/unit/test_ev_certs.js | Starting plainExpectSuccessEVTests
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - (xpcshell/head.js) | test plainExpectSuccessEVTests pending (2)
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - TEST-PASS | security/manager/ssl/tests/unit/test_ev_certs.js | plainExpectSuccessEVTests - [plainExpectSuccessEVTests : 89] Binary util GenerateOCSPResponse should exist - true == true
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - "argArray = sql:test_ev_certs,good,anyPolicy-int-path-ee,unused,0,/data/local/tmp/test_root/xpc/security/manager/ssl/tests/unit/0.ocsp"
[task 2022-10-26T07:00:15.077Z] 07:00:15 WARNING - TEST-UNEXPECTED-FAIL | security/manager/ssl/tests/unit/test_ev_certs.js | plainExpectSuccessEVTests - [plainExpectSuccessEVTests : 89] Process exit value should be 0 - 0 == 256
[task 2022-10-26T07:00:15.077Z] 07:00:15 INFO - test_ev_certs.js:asyncTestEV/<:89
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - test_ev_certs.js:asyncTestEV:87
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - test_ev_certs.js:ensureVerifiesAsEV:121
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - test_ev_certs.js:plainExpectSuccessEVTests:214
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - /data/local/tmp/test_root/xpc/head.js:_run_next_test/<:1775
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - /data/local/tmp/test_root/xpc/head.js:_run_next_test:1775
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - /data/local/tmp/test_root/xpc/head.js:run:819
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - /data/local/tmp/test_root/xpc/head.js:_do_main:240
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - /data/local/tmp/test_root/xpc/head.js:_execute_test:597
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - -e:null:1
[task 2022-10-26T07:00:15.078Z] 07:00:15 INFO - exiting test
|
|
||
Comment 10•2 years ago
|
||
Backout merged to central: https://hg.mozilla.org/mozilla-central/rev/045cb7a4ce9408d5c59b92d0eab7e0b674accdea
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
| bugherder | ||
Description
•