Use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.
The class SSLSNITest, method testTLSVersion.
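/**
 * Verifies which TLS protocol version an HTTPS listener negotiates, and that a bogus
 * protocol name is rejected at configuration time instead of silently falling back.
 *
 * <p>Each case runs on a fresh {@link HttpProxyServer} bound to an ephemeral port:
 * <ul>
 *   <li>a listener pinned to {@code TLSv1.3} negotiates exactly {@code TLSv1.3};</li>
 *   <li>a listener pinned to each entry of {@code DEFAULT_SSL_PROTOCOLS} negotiates exactly that entry;</li>
 *   <li>a listener with no explicit protocol negotiates one of {@code DEFAULT_SSL_PROTOCOLS};</li>
 *   <li>an unknown protocol name ({@code "TLSvWRONG"}) raises {@link ConfigurationNotValidException}
 *       while the listener is being configured — {@code start()} is never reached in that block.</li>
 * </ul>
 * The same canonical host name is used for the certificate, the listener and the client's SNI,
 * so the checks run against a non-{@code localhost} name.
 */
@Test
public void testTLSVersion() throws Exception {
    String nonLocalhost = InetAddress.getLocalHost().getCanonicalHostName();
    String certificate = TestUtils.deployResource("localhost.p12", tmpDir.getRoot());
    stubFor(get(urlEqualTo("/index.html")).willReturn(aResponse()
            .withStatus(200)
            .withHeader("Content-Type", "text/html")
            .withHeader("Content-Length", "it <b>works</b> !!".length() + "")
            .withBody("it <b>works</b> !!")));
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port(), true);

    // A listener pinned to TLS 1.3 must negotiate exactly TLS 1.3.
    assertEquals("TLSv1.3", negotiateProtocolWithListener(mapper, nonLocalhost, certificate, "TLSv1.3"));

    // Every default protocol is individually selectable and is what actually gets negotiated.
    for (String proto : DEFAULT_SSL_PROTOCOLS) {
        assertEquals(proto, negotiateProtocolWithListener(mapper, nonLocalhost, certificate, proto));
    }

    // With no explicit protocol the listener negotiates one of the defaults.
    assertTrue(DEFAULT_SSL_PROTOCOLS.contains(negotiateProtocolWithListener(mapper, nonLocalhost, certificate, null)));

    // An unknown protocol name is a configuration error: it must be refused up front,
    // not accepted and then replaced by some default at start-up.
    TestUtils.assertThrows(ConfigurationNotValidException.class, () -> {
        try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
            server.addCertificate(new SSLCertificateConfiguration(nonLocalhost, certificate, "testproxy", STATIC));
            server.addListener(new NetworkListenerConfiguration(nonLocalhost, 0, true, false, null, nonLocalhost, null, null, "TLSvWRONG"));
        }
    });
}

/**
 * Starts a throw-away HTTPS server for {@code host}, performs one request through a TLS client
 * and returns the protocol of the resulting SSL session.
 *
 * @param mapper      endpoint mapper routing to the WireMock backend
 * @param host        host name used for the certificate, the listener and the client SNI
 * @param certificate path of the PKCS#12 keystore deployed by {@code TestUtils.deployResource}
 * @param protocol    protocol to pin the listener to, or {@code null} to use the listener's default
 * @return the negotiated protocol name as reported by {@code SSLSession.getProtocol()}
 * @throws Exception on any server, client or assertion failure
 */
private String negotiateProtocolWithListener(TestEndpointMapper mapper, String host, String certificate, String protocol) throws Exception {
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration(host, certificate, "testproxy", STATIC));
        // The two constructor overloads are kept distinct on purpose: whether the 8-arg form
        // equals the 9-arg form with a null protocol is not something this test should assume.
        NetworkListenerConfiguration listener = protocol == null
                ? new NetworkListenerConfiguration(host, 0, true, false, null, host, null, null)
                : new NetworkListenerConfiguration(host, 0, true, false, null, host, null, null, protocol);
        server.addListener(listener);
        server.start();
        int port = server.getLocalPort();
        try (RawHttpClient client = new RawHttpClient(host, port, true, host)) {
            RawHttpClient.HttpResponse resp = client.executeRequest("GET /index.html HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n");
            // The request must actually be served before the session is inspected.
            assertTrue(resp.toString().contains("it <b>works</b> !!"));
            return client.getSSLSocket().getSession().getProtocol();
        }
    }
}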
Use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.
The class CertificatesTest, method testUploadTypedCertificatesWithDaysBeforeRenewal.
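/**
 * Exercises the {@code daysbeforerenewal} parameter of the certificate-upload API for both certificate types.
 *
 * <p>For {@code acme} the value is stored, a negative value is rejected with
 * {@code "ERROR: param 'daysbeforerenewal' has to be a positive number"}, and omitting it yields
 * {@code DEFAULT_DAYS_BEFORE_RENEWAL}. For {@code manual} the parameter is refused outright
 * ({@code "... available for type 'acme' only"}) and the stored value is always 0. The checks are run
 * once for the initial upload ("Create") and again for re-uploads ("Update"); finally the type is flipped
 * to the other one to check that the stored value follows the new type and that the
 * {@code certificate.X.daysbeforerenewal} property exists in the dynamic store only while the type is
 * {@code acme}.
 *
 * @param type the certificate type under test, {@code "acme"} or {@code "manual"}
 * @throws Exception on any server, client or assertion failure
 */
@Test
@Parameters({ "acme", "manual" })
public void testUploadTypedCertificatesWithDaysBeforeRenewal(String type) throws Exception {
    configureAndStartServer();
    DynamicCertificatesManager dynCertsMan = server.getDynamicCertificatesManager();
    KeyPair endUserKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    Certificate[] chain = generateSampleChain(endUserKeyPair, false);
    byte[] chainData = createKeystore(chain, endUserKeyPair.getPrivate());

    final boolean manual = type.equals("manual");
    final String manualOnlyError = "ERROR: param 'daysbeforerenewal' available for type 'acme' only";
    final String negativeError = "ERROR: param 'daysbeforerenewal' has to be a positive number";

    try (RawHttpClient client = new RawHttpClient("localhost", DEFAULT_ADMIN_PORT)) {
        // Create
        HttpResponse resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=10", chainData, client, credentials);
        if (manual) {
            assertTrue(resp.getBodyString().contains(manualOnlyError));
        } else {
            CertificateData data = dynCertsMan.getCertificateDataForDomain("localhost2");
            assertNotNull(data);
            assertEquals(10, data.getDaysBeforeRenewal());
        }
        // negative value: rejected for acme, and still "acme only" for manual
        resp = uploadCertificate("localhost-negative", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
        assertTrue(resp.getBodyString().contains(manual ? manualOnlyError : negativeError));
        // default value
        uploadCertificate("localhost-default", "type=" + type, chainData, client, credentials);
        CertificateData data = dynCertsMan.getCertificateDataForDomain("localhost-default");
        assertNotNull(data);
        assertEquals(manual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
        // Update. The response must be captured here: without the assignment the manual branch
        // below would assert on the stale response of the previous (negative-value) upload and pass
        // for the wrong reason.
        resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=45", chainData, client, credentials);
        if (manual) {
            assertTrue(resp.getBodyString().contains(manualOnlyError));
        } else {
            data = dynCertsMan.getCertificateDataForDomain("localhost2");
            assertNotNull(data);
            assertEquals(45, data.getDaysBeforeRenewal());
        }
        // negative value on update
        resp = uploadCertificate("localhost2", "type=" + type + "&daysbeforerenewal=-10", chainData, client, credentials);
        assertTrue(resp.getBodyString().contains(manual ? manualOnlyError : negativeError));
        // default value on update
        uploadCertificate("localhost2", "type=" + type, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost2");
        assertNotNull(data);
        assertEquals(manual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
        // changing the type (acme <-> manual): the stored value must follow the new type
        String other = manual ? "acme" : "manual";
        final boolean otherIsManual = !manual;
        uploadCertificate("localhost2", "type=" + other, chainData, client, credentials);
        data = dynCertsMan.getCertificateDataForDomain("localhost2");
        assertNotNull(data);
        assertEquals(otherIsManual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, data.getDaysBeforeRenewal());
        SSLCertificateConfiguration config = server.getCurrentConfiguration().getCertificates().get("localhost2");
        assertEquals(otherIsManual ? 0 : DEFAULT_DAYS_BEFORE_RENEWAL, config.getDaysBeforeRenewal());
        // The "certificate.X.daysbeforerenewal" property must exist in the dynamic store only while
        // the certificate is of type acme; switching to manual has to delete it.
        ConfigurationStore store = server.getDynamicConfigurationStore();
        assertEquals(!otherIsManual, store.anyPropertyMatches((k, v) -> {
            if (k.matches("certificate\\.[0-9]+\\.hostname") && v.equals("localhost2")) {
                return store.getProperty(k.replace("hostname", "daysbeforerenewal"), null) != null;
            }
            return false;
        }));
    }
}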
Use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.
The class CacheTest, method testBootSslRelativeCertificatePath.
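/**
 * Boots an HTTPS listener whose certificate is configured by bare file name ({@code "localhost.p12"})
 * rather than by the absolute path returned by {@code TestUtils.deployResource}. The keystore is
 * deployed into the same directory that is passed to the {@link HttpProxyServer} constructor, so the
 * relative name has to be resolved against it. Only start-up is exercised; no request is sent.
 *
 * @throws Exception if the server fails to boot with the relative certificate path
 */
@Test
public void testBootSslRelativeCertificatePath() throws Exception {
    // Deploy the keystore next to the server's directory; the returned absolute path is
    // deliberately not used, that is the point of the test.
    TestUtils.deployResource("localhost.p12", tmpDir.getRoot());
    stubFor(get(urlEqualTo("/index.html")).willReturn(aResponse()
            .withStatus(200)
            .withHeader("Content-Type", "text/html")
            .withHeader("Content-Length", "it <b>works</b> !!".length() + "")
            .withBody("it <b>works</b> !!")));
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port(), true);
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration("localhost", "localhost.p12", "testproxy", STATIC));
        server.addListener(new NetworkListenerConfiguration("localhost", 0, true, false, null, "localhost", null, null));
        server.start();
    }
}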
Use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.
The class SimpleHTTPProxyTest, method testSsl.
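/**
 * Proxies an HTTPS request end to end using the JDK URL stack as the client.
 *
 * <p>The listener is configured with the {@code ia.p12} keystore plus {@code ca.p12} as its eighth
 * and ninth constructor arguments (presumably a trust store and its password — confirm against
 * {@code NetworkListenerConfiguration}). A path the backend does not stub is expected to surface
 * as {@link FileNotFoundException} from the URL stream; the stubbed path must return the backend body.
 *
 * <p>{@code HttpTestUtils.overideJvmWideHttpsVerifier()} is invoked first; by its name it relaxes
 * HTTPS verification for the whole JVM, which is acceptable only in this test process.
 *
 * @throws Exception on any server, client or assertion failure
 */
@Test
public void testSsl() throws Exception {
    HttpTestUtils.overideJvmWideHttpsVerifier();
    String certificate = TestUtils.deployResource("ia.p12", tmpDir.getRoot());
    String caCertificate = TestUtils.deployResource("ca.p12", tmpDir.getRoot());
    stubFor(get(urlEqualTo("/index.html?redir")).willReturn(aResponse()
            .withStatus(200)
            .withHeader("Content-Type", "text/html")
            .withBody("it <b>works</b> !!")));
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port());
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration("localhost", certificate, "changeit", STATIC));
        server.addListener(new NetworkListenerConfiguration("localhost", 0, true, false, null, "localhost", caCertificate, "changeit"));
        server.start();
        int port = server.getLocalPort();
        // not found: the un-stubbed path must not be served
        try {
            String s = IOUtils.toString(new URL("https://localhost:" + port + "/index.html?not-found").toURI(), "utf-8");
            System.out.println("s:" + s);
            fail();
        } catch (FileNotFoundException expected) {
            // This is the outcome under test: the URL stream reports the missing resource as
            // FileNotFoundException rather than returning a body.
        }
        // proxy: the stubbed path is served with the backend's body
        String s = IOUtils.toString(new URL("https://localhost:" + port + "/index.html?redir").toURI(), "utf-8");
        System.out.println("s:" + s);
        assertEquals("it <b>works</b> !!", s);
    }
}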
Use of org.carapaceproxy.server.config.SSLCertificateConfiguration in project carapaceproxy by diennea.
The class RawClientTest, method testClosedProxy.
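/**
 * Checks that the proxy is <em>closed</em>: a request whose request-line carries an absolute URL with a
 * foreign authority ({@code yahoo.com}) is routed to the endpoint chosen by the mapper
 * ({@code localhost:} WireMock port), never to the host named in the URL. Forwarding to whatever host
 * the client names would make the server an open proxy.
 *
 * <p>For each of several paths (with and without query string, with and without a leading slash, and the
 * bare authority), the absolute-form request and the equivalent origin-form {@code client.get(...)} must
 * both yield the backend's body. Query parameters — including one whose value is itself a URL — must be
 * forwarded unchanged, which WireMock verifies through {@code withQueryParams}.
 *
 * @param scheme {@code "http"} or {@code "https"}; selects a TLS listener and a TLS client
 * @throws Exception on any server, client or assertion failure
 */
@Test
@Parameters({ "http", "https" })
public void testClosedProxy(String scheme) throws Exception {
    // Deploy the keystore; the listener refers to it by bare file name.
    TestUtils.deployResource("localhost.p12", tmpDir.getRoot());
    final boolean https = scheme.equals("https");
    final String body = "it <b>works</b> !!";
    // Proxy requests have to use "localhost:port" as endpoint instead of the one in the url (ex yahoo.com)
    // in order to avoid open proxy vulnerability
    TestEndpointMapper mapper = new TestEndpointMapper("localhost", wireMockRule.port(), true);
    try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot())) {
        server.addCertificate(new SSLCertificateConfiguration("localhost", "localhost.p12", "testproxy", STATIC));
        server.addListener(new NetworkListenerConfiguration("localhost", 0, https, false, null, "localhost", null, null));
        server.start();
        int port = server.getLocalPort();
        try (RawHttpClient client = new RawHttpClient("localhost", port, https)) {
            // path + query, the second parameter being a URL itself
            stubFor(get("/index.html?p1=v1&p2=https://localhost/index.html?p=1")
                    .withQueryParams(Map.of("p1", equalTo("v1"), "p2", equalTo("https://localhost/index.html?p=1")))
                    .willReturn(aResponse()
                            .withStatus(200)
                            .withHeader("Content-Type", "text/html")
                            .withHeader("Content-Length", body.length() + "")
                            .withBody(body)));
            String s = client.executeRequest("GET " + scheme + "://yahoo.com/index.html?p1=v1&p2=https://localhost/index.html?p=1 HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals(body, s);
            s = client.get("/index.html?p1=v1&p2=https://localhost/index.html?p=1").getBodyString();
            assertEquals(body, s);

            // plain path
            stubFor(get("/index.html").willReturn(aResponse()
                    .withStatus(200)
                    .withHeader("Content-Type", "text/html")
                    .withHeader("Content-Length", body.length() + "")
                    .withBody(body)));
            s = client.executeRequest("GET " + scheme + "://yahoo.com/index.html HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals(body, s);
            s = client.get("/index.html").getBodyString();
            assertEquals(body, s);

            // root + query, with and without the slash before '?'
            stubFor(get("/?p1=v1&p2=https://localhost/index.html?p=1")
                    .withQueryParams(Map.of("p1", equalTo("v1"), "p2", equalTo("https://localhost/index.html?p=1")))
                    .willReturn(aResponse()
                            .withStatus(200)
                            .withHeader("Content-Type", "text/html")
                            .withHeader("Content-Length", body.length() + "")
                            .withBody(body)));
            s = client.executeRequest("GET " + scheme + "://yahoo.com/?p1=v1&p2=https://localhost/index.html?p=1 HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals(body, s);
            s = client.get("/?p1=v1&p2=https://localhost/index.html?p=1").getBodyString();
            assertEquals(body, s);
            s = client.executeRequest("GET " + scheme + "://yahoo.com?p1=v1&p2=https://localhost/index.html?p=1 HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals(body, s);
            s = client.get("?p1=v1&p2=https://localhost/index.html?p=1").getBodyString();
            assertEquals(body, s);

            // bare root, with and without the trailing slash after the authority
            stubFor(get("/").willReturn(aResponse()
                    .withStatus(200)
                    .withHeader("Content-Type", "text/html")
                    .withHeader("Content-Length", body.length() + "")
                    .withBody(body)));
            s = client.executeRequest("GET " + scheme + "://yahoo.com/ HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals(body, s);
            s = client.get("/").getBodyString();
            assertEquals(body, s);
            s = client.executeRequest("GET " + scheme + "://yahoo.com HTTP/1.1 \r\nHost: localhost\r\n\r\n").getBodyString();
            assertEquals(body, s);
        }
    }
}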