Using TLS/DTLS with Titan test ports part2 [message #1754281] Thu, 16 February 2017 07:46
Elemer Lelik
Dear all,


first, a few afterthoughts:
-in the previous post, we have presented a client usage example and we will continue to do so, as client use cases are more frequent, hence more relevant;
however, the test ports can be used in server mode just as well: they will have to be configured as listeners, the needed server certificates have to be generated and used etc.
For exact details, see the documentation.
-security methods, ciphers and so on are negotiated during handshake; in some cases it is possible to restrict/enforce certain methods/ciphers via configuration.
Again, the test port documentation will offer details.


Chapter 3. The IPL4 test port (https://github.com/eclipse/titan.TestPorts.IPL4asp) in TLS/TCP mode (requires https://github.com/eclipse/titan.TestPorts.Common_Components.Socket-API)


The IPL4asp is a general purpose test port providing access to several transport layers over the Internet Protocols in an extensible manner.
The most important features are the support of multiple IP addresses of both IPv4 and IPv6 and the extensibility by the user of
base functionalities with session specific ones using either TTCN or external C++ function.
The IPL4asp test port has been demanded by projects to produce very high load,
therefore performance must always be a key factor during design and implementation.
The IPL4asp test port replaces the earlier UDP, TCP (with SSL support) and SCTP test ports,
providing backward compatibility as far as possible, in order to reduce maintenance efforts.

Besides UDP, TCP and SCTP, SSL can also be used as transport channel (as in DTLS/UDP, TLS/TCP, DTLS/SCTP). The same version of OpenSSL library must be used as in Titan.

DTLS with SRTP, described in
Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) http://tools.ietf.org/html/rfc5764
is also supported, with the exception of demultiplexing method described in section 5.1.2 Reception. The test port assumes SRTP packets if SRTP is configured for the association.

The legacy test ports UDPasp, TCPasp, HTTPmsg are simpler to use but not updated anymore; so for production code I'd recommend using IPL4 as it probably is more future-proof.




The condition of using security services is to compile the test port with OpenSSL; for this, the following additions are needed in the Makefile:

: 
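# OpenSSL installation directory (comment kept on its own line: a trailing
# comment would leave a space at the end of the value and break -I$(OPENSSL_DIR)/include)
OPENSSL_DIR = /usr/local/openssl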
: 
# Flags for the C++ preprocessor (and makedepend as well):
CPPFLAGS = -D$(PLATFORM) -I$(TTCN3_DIR)/include -DIPL4_USE_SSL -I$(OPENSSL_DIR)/include
:
LINUX_LIBS = -lxml2 -lssl 
:



Here's the TTCN-3 code used; please observe that building up/tearing down an SSL connection is slightly different than for the TCPasp test port.


module TCP_IPL4_Test {

modulepar {
  charstring tsp_hostname := "127.0.0.1"; // "www.eclipse.org"
  integer    tsp_portnumber := 1443;
}

import from IPL4asp_Types all;
import from IPL4asp_PortType all;

type component GeneralComp
{
  port IPL4asp_PT p;
  timer t;
  var IPL4asp_Types.Result c_res := { errorCode := omit, connId := omit, os_error_code := omit, os_error_text := omit };
}

type component SystemComp
{
  port IPL4asp_PT p;
}

// HEAD request sent on connection p_id
template ASP_Send t_data0(in integer p_id) := {
  connId := p_id,
  proto := omit,
  msg := char2oct("HEAD / HTTP/1.0") & '0D0A'O & char2oct("Host: " & tsp_hostname) & '0D0A'O & '0D0A'O & '0D0A'O // pre-encoded
}

testcase TC_TCPTest() runs on GeneralComp system SystemComp {
  var IPL4asp_Types.Result vl_result;
  var integer v_cid;
  map(self:p, system:p);

  // Connect with SSL as the protocol
  vl_result := c_res;
  vl_result := f_IPL4_connect(
    p,
    tsp_hostname,
    tsp_portnumber,
    "", // default 0.0.0.0 will be used
    0,  // random port will be used
    -1, // connId
    { ssl := {} }, // proto
    {}  // options
  );

  log("connect result", vl_result);
  if (not(ispresent(vl_result.connId)))
  {
    log("Could not connect");
    stop;
  }

  // Send the request, then consume everything received until the timer expires
  v_cid := vl_result.connId;
  p.send(t_data0(v_cid));
  t.start(5.0);
  alt
  {
    [] p.receive { repeat };
    [] t.timeout { log("Bye") }
  }

  vl_result := c_res;
  vl_result := f_IPL4_close(p, v_cid);
  log("close result", vl_result);
  setverdict(pass);
}

control {
  execute(TC_TCPTest());
}
}



Port parameters used in the config file:

 [TESTPORT_PARAMETERS]


*.p.debug := "Yes"
*.p.ssl_reconnect_attempts := "100"
*.p.ssl_verify_certificate := "Yes"
*.p.ssl_trustedCAlist_file:= "/etc/ssl/certs/ca-certificates.crt"//Ubuntu 16.04
*.p.ssl_allowed_ciphers_list:="ECDHE-RSA-AES256-SHA"



The generated log:

01:11:06.372075 - TTCN-3 Main Test Component started on ntaf. Version: CRL 113 200/6 R1A.
01:11:06.372163 - TTCN Logger v2.2 options: TimeStampFormat:=Time; LogEntityName:=No; LogEventTypes:=No; SourceInfoFormat:=Single; *.FileMask:=LOG_ALL; *.ConsoleMask:=ERROR | USER; LogFileSize:=0; LogFileNumber:=1; DiskFullAction:=Error
01:11:06.372348 - Connected to MC.
01:11:06.372863 - Executing control part of module TCP_IPL4_Test.
01:11:06.372903 TCP_IPL4_Test.ttcn:88 Execution of control part in module TCP_IPL4_Test started.
01:11:06.372956 TCP_IPL4_Test.ttcn:40 Test case TC_TCPTest started.
01:11:06.372980 TCP_IPL4_Test.ttcn:40 Initializing variables, timers and ports of component type TCP_IPL4_Test.GeneralComp inside testcase TC_TCPTest.
01:11:06.373052 TCP_IPL4_Test.ttcn:40 Port p was started.
01:11:06.373080 TCP_IPL4_Test.ttcn:40 Component type TCP_IPL4_Test.GeneralComp was initialized.
01:11:06.373098 TCP_IPL4_Test.ttcn:45 Mapping port mtc:p to system:p.
01:11:06.373157 TCP_IPL4_Test.ttcn:45 Port p was mapped to system:p.
01:11:06.373212 TCP_IPL4_Test.ttcn:45 Map operation of mtc:p to system:p finished.
01:11:06.373241 TCP_IPL4_Test.ttcn:49 entering f__IPL4__PROVIDER__connect: :0 -> www.eclipse.org:443 / SSL
01:11:06.881737 TCP_IPL4_Test.ttcn:60 connect result{
    errorCode := omit,
    connId := 1,
    os_error_code := omit,
    os_error_text := omit
}
01:11:06.881978 TCP_IPL4_Test.ttcn:71 Sent on p to system @IPL4asp_Types.ASP_Send : {
    connId := 1,
    proto := omit,
    msg := '48454144202F20485454502F312E300D0A486F73743A207777772E65636C697073652E6F72670D0A0D0A0D0A'O ("HEAD / HTTP/1.0\r
Host: www.eclipse.org\r
\r
\r
")
}
01:11:06.882287 TCP_IPL4_Test.ttcn:72 Start timer t: 5 s
01:11:07.080862 TCP_IPL4_Test.ttcn:73 Message enqueued on p from system @IPL4asp_Types.ASP_RecvFrom : {
    connId := 1,
    remName := "www.eclipse.org",
    remPort := 443,
    locName := "192.168.139.129",
    locPort := 46407,
    proto := {
        ssl := { }
    },
    userData := 0,
    msg
	("HTTP/1.1 200 OK\r
Date: Tue, 14 Feb 2017 09:11:08 GMT\r
Server: Apache\r
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r
Last-Modified: Tue, 14 Feb 2017 09:11:08 GMT\r
cache-Control: no-store, no-cache, must-revalidate\r
cache-Control: post-check=0, pre-check=0\r
Pragma: no-cache\r
Set-Cookie: PHPSESSID=9hj1m681fktpglbv2e8pequatr3i0rbq; path=/; HttpOnly\r
X-NodeID: www-vm5\r
X-Frame-Options: SAMEORIGIN\r
Vary: Accept-Encoding\r
Connection: close\r
Content-Type: text/html; charset=utf-8\r
\r
")
} id 1
01:11:07.080970 TCP_IPL4_Test.ttcn:73 Message enqueued on p from system @Socket_API_Definitions.PortEvent : {
    connClosed := {
        connId := 1,
        remName := "www.eclipse.org",
        remPort := 443,
        locName := "192.168.139.129",
        locPort := 46407,
        proto := {
            ssl := { }
        },
        userData := 0
    }
} id 2
01:11:07.081269 TCP_IPL4_Test.ttcn:75 Receive operation on port p succeeded, message from system(): @IPL4asp_Types.ASP_RecvFrom: {
    connId := 1,
    remName := "www.eclipse.org",
    remPort := 443,
    locName := "192.168.139.129",
    locPort := 46407,
    proto := {
        ssl := { }
    },
    userData := 0,
    msg
	("HTTP/1.1 200 OK\r
Date: Tue, 14 Feb 2017 09:11:08 GMT\r
Server: Apache\r
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r
Last-Modified: Tue, 14 Feb 2017 09:11:08 GMT\r
cache-Control: no-store, no-cache, must-revalidate\r
cache-Control: post-check=0, pre-check=0\r
Pragma: no-cache\r
Set-Cookie: PHPSESSID=9hj1m681fktpglbv2e8pequatr3i0rbq; path=/; HttpOnly\r
X-NodeID: www-vm5\r
X-Frame-Options: SAMEORIGIN\r
Vary: Accept-Encoding\r
Connection: close\r
Content-Type: text/html; charset=utf-8\r
\r
")
} id 1
01:11:07.081385 TCP_IPL4_Test.ttcn:75 Message with id 1 was extracted from the queue of p.
01:11:07.081426 TCP_IPL4_Test.ttcn:75 Receive operation on port p succeeded, message from system(): @Socket_API_Definitions.PortEvent: {
    connClosed := {
        connId := 1,
        remName := "www.eclipse.org",
        remPort := 443,
        locName := "192.168.139.129",
        locPort := 46407,
        proto := {
            ssl := { }
        },
        userData := 0
    }
} id 2
01:11:07.081452 TCP_IPL4_Test.ttcn:75 Message with id 2 was extracted from the queue of p.
01:11:11.888024 TCP_IPL4_Test.ttcn:76 Timeout t: 5 s
01:11:11.888129 TCP_IPL4_Test.ttcn:76 Bye
01:11:11.888214 TCP_IPL4_Test.ttcn:82 p: f__IPL4__close:  proto {
    unspecified := { }
} connId 1
01:11:11.888256 TCP_IPL4_Test.ttcn:83 close result{
    errorCode := ERROR_INVALID_INPUT_PARAMETER (2),
    connId := omit,
    os_error_code := omit,
    os_error_text := omit
}
01:11:11.888314 TCP_IPL4_Test.ttcn:85 setverdict(pass): none -> pass
01:11:11.888354 TCP_IPL4_Test.ttcn:85 Terminating component type TCP_IPL4_Test.GeneralComp.
01:11:11.888379 TCP_IPL4_Test.ttcn:85 Removing unterminated mapping between port p and system:p.
01:11:11.888408 TCP_IPL4_Test.ttcn:85 Port p was unmapped from system:p.
01:11:11.888451 TCP_IPL4_Test.ttcn:85 Port p was stopped.
01:11:11.888475 TCP_IPL4_Test.ttcn:85 Component type TCP_IPL4_Test.GeneralComp was shut down inside testcase TC_TCPTest.
01:11:11.888529 TCP_IPL4_Test.ttcn:85 Waiting for PTCs to finish.
01:11:11.888987 TCP_IPL4_Test.ttcn:85 Setting final verdict of the test case.
01:11:11.889027 TCP_IPL4_Test.ttcn:85 Local verdict of MTC: pass
01:11:11.889051 TCP_IPL4_Test.ttcn:85 No PTCs were created.
01:11:11.889072 TCP_IPL4_Test.ttcn:85 Test case TC_TCPTest finished. Verdict: pass
01:11:11.889097 TCP_IPL4_Test.ttcn:89 Execution of control part in module TCP_IPL4_Test finished.
01:11:11.889714 - Verdict statistics: 0 none (0.00 %), 1 pass (100.00 %), 0 inconc (0.00 %), 0 fail (0.00 %), 0 error (0.00 %).
01:11:11.889769 - Test execution summary: 1 test case was executed. Overall verdict: pass
01:11:11.889788 - Exit was requested from MC. Terminating MTC.



So what happens exactly? Here's the brief log summary:

-f_IPL4_connect() returns a valid connectionId; no error is registered
-Titan sends a pre-encoded "HEAD / HTTP/1.0\r\nHost: www.eclipse.org\r\n\r\n\r\n" to the server
-this is responded with:

"HTTP/1.1 200 OK\r\n
Date: Tue, 14 Feb 2017 09:10:23 GMT\r\n
Server: Apache\r\n
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
Last-Modified: Tue, 14 Feb 2017 09:10:23 GMT\r\n
cache-Control: no-store, no-cache, must-revalidate\r\n
cache-Control: post-check=0, pre-check=0\r\n
Pragma: no-cache\r\n
Set-Cookie: PHPSESSID=beq2fvt9lmipfu63cgpglocnrcbu1n6c; path=/; HttpOnly\r\n
X-NodeID: www-vm5\r\n
X-Frame-Options: SAMEORIGIN\r\n
Vary: Accept-Encoding\r\n
Connection: close\r\n
Content-Type: text/html; charset=utf-8\r\n\r\n"

-then the server closes connection:

{ connClosed := { connId := 1, remName := "www.eclipse.org", remPort := 443, locName := "192.168.139.129", locPort := 46407, proto := { ssl := { } }, userData := 0 } }

-so the final f__IPL4__close: proto { unspecified := { } }

returns

{ errorCode := ERROR_INVALID_INPUT_PARAMETER (2), connId := omit, os_error_code := omit, os_error_text := omit }

as the connection is already closed.



Note: In the above case f_IPL4_connect(... ssl:={}... ) and f_IPL4_close() have been used to establish/tear down the TLS connection.

This could also have been done in steps, layer by layer:

f_IPL4_connect(... tcp:={}... ) builds up a TCP connection
f_IPL4_startTLS() starts TLS over the previously established TCP
f_IPL4_stopTLS() shuts down TLS but leaves TCP untouched; a new TLS can be started
f_IPL4_close() closes the TCP connection



Please find attached the complete log in debug mode and the code archive.

Best regards
Elemer
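
An independent cross-check of the exchange in the post above, added here as an example; it is not part of the original post or of the Titan test ports. It uses Python's standard ssl module to repeat the same steps (TCP connect, TLS on top, HEAD request, read until the peer closes) with counterparts of the port parameters. The function names build_context, head_request and probe are assumptions of this example.

```python
import socket
import ssl


def build_context(ca_file=None, ciphers=None):
    """Client context mirroring the port parameters from the config above."""
    # Counterpart of ssl_verify_certificate / ssl_trustedCAlist_file:
    # create_default_context verifies the chain and the host name.
    ctx = ssl.create_default_context(cafile=ca_file)
    if ciphers:
        # Counterpart of ssl_allowed_ciphers_list. set_ciphers() does not
        # affect TLS 1.3 suites, so cap the version to make the list binding.
        ctx.set_ciphers(ciphers)
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def head_request(host):
    """Same bytes as the t_data0 template: request line, Host, three CRLFs."""
    return b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n\r\n"


def probe(host, port, ctx, timeout=5.0):
    """TCP connect, TLS on top, send HEAD, read until the peer closes."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # Handshake happens here; a verification failure raises
        # ssl.SSLCertVerificationError before any data is sent.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.cipher()  # (name, protocol, secret bits)
            tls.sendall(head_request(host))
            reply = b""
            try:
                while chunk := tls.recv(4096):
                    reply += chunk
            except (socket.timeout, ssl.SSLError):
                pass  # timeout, or peer closed without close_notify
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    return negotiated, status_line


if __name__ == "__main__":
    # Values taken from the post's config file and log.
    ctx = build_context("/etc/ssl/certs/ca-certificates.crt",
                        "ECDHE-RSA-AES256-SHA")
    print(probe("www.eclipse.org", 443, ctx))
```

If the negotiated cipher or the verification result differs from what the test port logs in debug mode, compare the OpenSSL versions and CA bundles used on both sides.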