Bug 933109: Add tests to verify that we retry OCSP when we have a cached Unknown response, r=keeler
--HG-- extra : rebase_source : 4e73c5812e75adf053f2158a88a6a8e58307c9d7
parent
ceb99e8d8f
commit
a25f2cd58a
@ -153,11 +153,12 @@ function run_test() {
|
||||
do_get_profile();
|
||||
add_tls_server_setup("<test-server-name>");
|
||||
|
||||
add_connection_test("<test-name-1>.example.com", Cr.<expected result>,
|
||||
<ocsp stapling enabled>);
|
||||
add_connection_test("<test-name-1>.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_xxx),
|
||||
function() { ... },
|
||||
function(aTransportSecurityInfo) { ... });
|
||||
[...]
|
||||
add_connection_test("<test-name-n>.example.com", Cr.<expected result>,
|
||||
<ocsp stapling enabled>);
|
||||
add_connection_test("<test-name-n>.example.com", Cr.NS_OK);
|
||||
|
||||
run_next_test();
|
||||
}
|
||||
@ -251,14 +252,10 @@ function add_connection_test(aHost, aExpectedResult,
|
||||
aBeforeConnect();
|
||||
}
|
||||
connectTo(aHost).then(function(conn) {
|
||||
dump("hello #0\n");
|
||||
do_check_eq(conn.result, aExpectedResult);
|
||||
dump("hello #0.5\n");
|
||||
if (aWithSecurityInfo) {
|
||||
dump("hello #1\n");
|
||||
aWithSecurityInfo(conn.transport.securityInfo
|
||||
.QueryInterface(Ci.nsITransportSecurityInfo));
|
||||
dump("hello #2\n");
|
||||
}
|
||||
run_next_test();
|
||||
});
|
||||
|
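--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_unknown_caching.js
@@ -0,0 +1,87 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+let gFetchCount = 0;
+
+function run_test() {
+do_get_profile();
+Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+add_tls_server_setup("OCSPStaplingServer");
+
+let ocspResponder = new HttpServer();
+ocspResponder.registerPrefixHandler("/", function(request, response) {
+++gFetchCount;
+
+do_print("gFetchCount: " + gFetchCount);
+
+if (gFetchCount != 2) {
+do_print("returning 500 Internal Server Error");
+
+response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+let body = "Refusing to return a response";
+response.bodyOutputStream.write(body, body.length);
+return;
+}
+
+do_print("returning 200 OK");
+
+let nickname = "localhostAndExampleCom";
+do_print("Generating ocsp response for '" + nickname + "'");
+let args = [ ["good", nickname, "unused" ] ];
+let ocspResponses = generateOCSPResponses(args, "tlsserver");
+let goodResponse = ocspResponses[0];
+
+response.setStatusLine(request.httpVersion, 200, "OK");
+response.setHeader("Content-Type", "application/ocsp-response");
+response.bodyOutputStream.write(goodResponse, goodResponse.length);
+});
+ocspResponder.start(8080);
+
+// This test assumes that OCSPStaplingServer uses the same cert for
+// ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
+
+// Get an Unknown response for the *.exmaple.com cert and put it in the
+// OCSP cache.
+add_connection_test("ocsp-stapling-unknown.example.com",
+getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+clearSessionCache);
+add_test(function() { do_check_eq(gFetchCount, 0); run_next_test(); });
+
+// A failure to retrieve an OCSP response must result in the cached Unkown
+// response being recognized and honored.
+add_connection_test("ocsp-stapling-none.example.com",
+getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+clearSessionCache);
+add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
+
+// A valid Good response from the OCSP responder must override the cached
+// Unknown response.
+//
+// Note that We need to make sure that the Unknown response and the Good
+// response have different thisUpdate timestamps; otherwise, the Good
+// response will be seen as "not newer" and it won't replace the existing
+// entry.
+add_test(function() {
+let duration = 1200;
+do_print("Sleeping for " + duration + "ms");
+let timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
+timer.initWithCallback(run_next_test, duration, Ci.nsITimer.TYPE_ONE_SHOT);
+});
+add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+clearSessionCache);
+add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
+
+// The Good response retrieved from the previous fetch must have replaced
+// the Unknown response in the cache, resulting in the catched Good response
+// being returned and no fetch.
+add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+clearSessionCache);
+add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
+
+add_test(function() { ocspResponder.stop(run_next_test); run_next_test(); });
+
+run_next_test();
+}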
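Review bot: The last queued step, `add_test(function() { ocspResponder.stop(run_next_test); run_next_test(); });`, advances the test queue twice: once synchronously and again when the responder's stop callback fires. That can let the harness finish before the HTTP server on port 8080 has shut down, or call `run_next_test` after the queue is already exhausted; making the callback the only continuation avoids both: `add_test(function() { ocspResponder.stop(run_next_test); });`. The sleep step also keeps its nsITimer only in the local `timer`, so it may be worth holding that reference at file scope in case it is collected before it fires. A short comment on the handler's `gFetchCount != 2` branch, saying that only the second fetch is answered with a Good response and every other fetch gets a 500, would make the fetch-count assertions easier to follow.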
@ -35,6 +35,8 @@ run-sequentially = hardcoded ports
|
||||
fail-if = os == "android"
|
||||
[test_ocsp_stapling_expired.js]
|
||||
run-sequentially = hardcoded ports
|
||||
[test_ocsp_unknown_caching.js]
|
||||
run-sequentially = hardcoded ports
|
||||
# Bug 676972: test fails consistently on Android
|
||||
fail-if = os == "android"
|
||||
[test_sts_ipv4_ipv6.js]
|
||||
|
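Review bot: The new `[test_ocsp_unknown_caching.js]` section sits between `[test_ocsp_stapling_expired.js]` and the `# Bug 676972` comment with its `fail-if = os == "android"` line, so in this manifest the Android annotation now belongs to the new test and test_ocsp_stapling_expired.js no longer carries it. If the annotation was meant to stay with the expired-stapling test, place the two new lines, `[test_ocsp_unknown_caching.js]` and `run-sequentially = hardcoded ports`, after that `fail-if` line and directly before `[test_sts_ipv4_ipv6.js]`. Whether the new test needs its own Android annotation cannot be told from this hunk; if it does, give it a separate `fail-if` with its own bug reference.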