diff --git a/Sanity/tls12/Makefile b/Sanity/tls12/Makefile
new file mode 100644
index 0000000..f2e0487
--- /dev/null
+++ b/Sanity/tls12/Makefile
@@ -0,0 +1,66 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/lftp/Sanity/tls12
+# Description: Test TLS 1.2 support
+# Author: Martin Frodl
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/lftp/Sanity/tls12
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE proftpd.conf fetch main.fmf
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Martin Frodl " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test TLS 1.2 support" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: lftp" >> $(METADATA)
+ @echo "Requires: lftp proftpd" >> $(METADATA)
+ @echo "RhtsRequires: library(openssl/certgen)" >> $(METADATA)
+ @echo "RhtsRequires: library(distribution/epel)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Bug: 1363629" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL7 -RHEL-ALT-7" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/Sanity/tls12/PURPOSE b/Sanity/tls12/PURPOSE
new file mode 100644
index 0000000..10342eb
--- /dev/null
+++ b/Sanity/tls12/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/lftp/Sanity/tls12
+Description: Test TLS 1.2 support
+Author: Martin Frodl
+Bug summary: Unable to do TLSv1.2 negotiation with LFTP and GNUTLS
+Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1363629
diff --git a/Sanity/tls12/fetch b/Sanity/tls12/fetch
new file mode 100644
index 0000000..6e7d875
--- /dev/null
+++ b/Sanity/tls12/fetch
@@ -0,0 +1,7 @@
+open localhost
+set ssl:priority "NORMAL:+VERS-TLS1.2"
+set net:max-retries 1
+login anonymous ftp@example.com
+ls
+get duck
+bye
diff --git a/Sanity/tls12/main.fmf b/Sanity/tls12/main.fmf
new file mode 100644
index 0000000..843a9a8
--- /dev/null
+++ b/Sanity/tls12/main.fmf
@@ -0,0 +1,32 @@
+summary: Test TLS 1.2 support
+description: |
+ Bug summary: Unable to do TLSv1.2 negotiation with LFTP and GNUTLS
+ Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1363629
+component:
+- lftp
+test: ./runtest.sh
+framework: beakerlib
+require:
+- library(openssl/certgen)
+- library(distribution/epel)
+recommend:
+- lftp
+- proftpd
+duration: 5m
+enabled: true
+tag:
+- NoRHEL4
+- NoRHEL5
+- NoRHEL7
+- TIPfail_infra
+- TIPfail_samba
+- TIPfail_systemd
+- TIPpass
+- TIPpass_Apps
+- epel
+relevancy: |
+ distro = rhel-4, rhel-5, rhel-7, rhel-alt-7: False
+ arch != i386, ppc64, x86_64: False
+extra-nitrate: TC#0544315
+extra-summary: /CoreOS/lftp/Sanity/tls12
+extra-task: /CoreOS/lftp/Sanity/tls12
diff --git a/Sanity/tls12/proftpd.conf b/Sanity/tls12/proftpd.conf
new file mode 100644
index 0000000..4e9722b
--- /dev/null
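Review bot: In Sanity/tls12/Makefile the `.PHONY` line lists `all install download clean` but leaves out `run` and `build`, the two command targets this file itself defines. Stray files with those names in the test directory can make make treat the targets as up to date and skip `./runtest.sh`; the line could read `.PHONY: all install download clean run build`. The other listed targets presumably come from the included rhts-make.include, which is not visible in this diff.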
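Review bot: Sanity/tls12/fetch never makes TLS mandatory on the client side: `set ssl:priority "NORMAL:+VERS-TLS1.2"` only adjusts which protocol versions may be offered, and with `ftp:ssl-force` left at its default lftp may continue in cleartext when the server does not accept AUTH TLS. If proftpd ever starts without its TLS module active, the download can still succeed and the test passes without a handshake; adding `set ftp:ssl-force true` before the `login` line would turn that case into a failure. The curl check in the runtest.sh hunk has the same weakness, since `--ftp-ssl` only attempts TLS, whereas `--ssl-reqd` requires it.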
+++ b/Sanity/tls12/proftpd.conf
@@ -0,0 +1,20 @@
+
+ TLSEngine on
+ TLSRequired on
+ TLSRSACertificateFile /etc/pki/tls/certs/localhost.crt
+ TLSRSACertificateKeyFile /etc/pki/tls/private/localhost.key
+ TLSCipherSuite ALL:!ADH:!DES
+ TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired
+ TLSVerifyClient off
+ TLSProtocol TLSv1.2
+ TLSLog /var/log/proftpd/tls.log
+
+
+
+
+ User ftp
+ Group ftp
+ UserAlias anonymous ftp
+ RequireValidShell off
+
+
diff --git a/Sanity/tls12/runtest.sh b/Sanity/tls12/runtest.sh
new file mode 100755
index 0000000..86efe99
--- /dev/null
+++ b/Sanity/tls12/runtest.sh
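Review bot: `TLSCipherSuite ALL:!ADH:!DES` in Sanity/tls12/proftpd.conf is wider than a TLS 1.2 check needs: `!ADH` excludes only anonymous finite-field DH, so anonymous ECDH and legacy suites such as RC4 or 3DES stay enabled wherever the OpenSSL build still provides them. Unless the bug reproduction depends on a particular legacy suite, a tighter string such as `TLSCipherSuite HIGH:!aNULL:!MD5` is safer, particularly if this file gets copied as a template. The line `TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired` also relaxes server defaults, and a `#` comment stating that these are test-only relaxations and which client behaviour needs them would help. Several lines of this file are empty on the page as shown, so the surrounding directive context is inferred.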
@@ -0,0 +1,93 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/lftp/Sanity/tls12
+# Description: Test TLS 1.2 support
+# Author: Martin Frodl
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGES="lftp"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport --all" || rlDie
+ rlAssertRpm --all
+
+ if rlIsRHEL; then
+ if rlIsRHEL '<=7'; then
+ rlRun "yum -y --enablerepo epel --enablerepo epel-testing install proftpd" 0 "Install proftpd"
+ else
+ rlRun "yum -y --enablerepo epel --enablerepo epel-playground install proftpd" 0 "Install proftpd"
+ fi
+ fi
+
+ CONF="/etc/proftpd.conf"
+ rlFileBackup ${CONF}
+ rlRun "cp proftpd.conf ${CONF}" 0 "Configuring FTP server"
+
+ SYSCONF="/etc/sysconfig/proftpd"
+ rlFileBackup ${SYSCONF}
+ rlRun "echo 'PROFTPD_OPTIONS=\"-DANONYMOUS_FTP -DTLS\"' > ${SYSCONF}" 0 "Enabling anonymous access over TLS"
+
+ rlRun "rlFileBackup --clean /var/ftp" 0 "Backing up FTP server contents"
+ rlRun "echo 'Quack!' > /var/ftp/duck" 0 "Creating a test file on FTP server"
+
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "cp fetch ${TmpDir}" 0 "Copying lftp script to tmp directory"
+ rlRun "pushd ${TmpDir}"
+
+ rlRun "x509KeyGen server" 0 "Generating server key pair"
+ rlRun "x509KeyGen ca" 0 "Generating CA certificate"
+ rlRun "x509SelfSign ca" 0 "Self-signing CA certificate"
+ rlRun "x509CertSign --CA ca server" 0 "Signing server certificate"
+
+ rlFileBackup --clean /etc/pki
+ rlRun "cat $(x509Cert ca) >> /etc/pki/tls/certs/ca-bundle.crt"
+ rlRun "cp $(x509Cert server) /etc/pki/tls/certs/localhost.crt"
+ rlRun "cp $(x509Key server) /etc/pki/tls/private/localhost.key"
+
+ rlRun "rlServiceStart proftpd" 0 "Starting FTP server"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun -s "curl -v --ftp-ssl ftp://localhost/duck" 0 "Checking that FTP server is up and working properly"
+ rlAssertGrep 'Quack!' ${rlRun_LOG}
+
+ rlRun -s "lftp -d -f ./fetch" 0 "Downloading test file with lftp"
+ rlAssertNotGrep 'A TLS packet with unexpected length was received' ${rlRun_LOG}
+ rlAssertExists "duck"
+ rlAssertGrep 'Quack!' "duck"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "rlServiceStop proftpd" 0 "Stopping FTP server"
+ rlRun "x509RmAlias server"
+ rlRun "x509RmAlias ca"
+ rlRun "popd"
+ rlRun "rm -r ${TmpDir}" 0 "Removing tmp directory"
+ rlFileRestore
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
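Review bot: The Test phase of runtest.sh never asserts which protocol version was negotiated; its only TLS-specific check is `rlAssertNotGrep 'A TLS packet with unexpected length was received' ${rlRun_LOG}`, which catches one error string and nothing else. A positive assertion after the lftp run would pin the behaviour the test is named for, for example `rlAssertGrep 'TLSv1.2' /var/log/proftpd/tls.log` with that log emptied during Setup (the exact wording the server writes should be confirmed on the target build). Separately, Setup appends the throwaway CA to `/etc/pki/tls/certs/ca-bundle.crt` and relies on `rlFileRestore` in Cleanup to undo it. A comment above that line stating that the host trusts this CA for the duration of the run would make the dependency on Cleanup explicit.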