Skip to content

tests: add TLS gold tests#13306

Merged
moonchen merged 1 commit into
apache:masterfrom
moonchen:pre-tls/tls-test-coverage
Jun 25, 2026
Merged

tests: add TLS gold tests#13306
moonchen merged 1 commit into
apache:masterfrom
moonchen:pre-tls/tls-test-coverage

Conversation

@moonchen

@moonchen moonchen commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Add autest coverage for several TLS behaviors:

  • TLS renegotiation: rejected by default, and answered promptly when
    proxy.config.ssl.allow_client_renegotiation is enabled.
  • The proxy.config.ssl.max_record_size clamp, verified by measuring the
    application-data record sizes on the wire, not just the response body.
  • A failed outbound TLS origin connection, surfaced to the client as a 5xx.
  • A TLS origin that resets the connection mid-request-body, which must fail the
    transaction promptly instead of waiting for the inactivity timeout.
  • HTTP tunnel flow control (proxy.config.http.flow_control) on a TLS client
    connection: a slow reader makes the tunnel throttle the origin and unthrottle
    as the buffered data drains, and the full response body must still arrive. This
    path had no prior gold coverage.
  • Certificate/SNI reload (ssl_multicert.yaml via traffic_ctl config reload)
    while concurrent TLS handshakes are in flight: the swapped-in certificate must
    take effect, every handshake must succeed, and ATS must not crash.

Copilot AI review requested due to automatic review settings June 21, 2026 02:25
@moonchen moonchen added this to the 11.0.0 milestone Jun 21, 2026
@moonchen moonchen self-assigned this Jun 21, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds new AuTest “gold test” coverage for several TLS behaviors in Apache Traffic Server, focusing on regression protection for renegotiation handling, TLS record sizing, and failure propagation for outbound TLS connections.

Changes:

  • Added two gold tests (plus helper clients) to validate client-initiated TLS 1.2 renegotiation behavior when disallowed vs. allowed.
  • Added a gold test (plus helper client) that verifies proxy.config.ssl.max_record_size by measuring TLS application-data record sizes on the wire.
  • Added gold test coverage (plus helper origin/client) for outbound TLS origin failure modes, including connect failure surfacing as 5xx and mid-request-body origin resets failing promptly.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tests/gold_tests/tls/tls_renegotiation.test.py Adds a gold test ensuring client renegotiation is refused safely and ATS continues serving requests.
tests/gold_tests/tls/tls_renegotiation_client.py Adds a helper script that drives openssl s_client to trigger a renegotiation attempt against ATS.
tests/gold_tests/tls/tls_renegotiation_allowed.test.py Adds a gold test ensuring renegotiation (when allowed) is answered promptly rather than stalling.
tests/gold_tests/tls/tls_renegotiation_allowed_client.py Adds a helper script that detects whether renegotiation completes/refuses promptly vs. stalls.
tests/gold_tests/tls/tls_record_size.test.py Adds a gold test validating the max_record_size clamp on a large TLS download.
tests/gold_tests/tls/tls_record_size_client.py Adds a helper client using ssl.MemoryBIO to capture ciphertext and measure TLS record sizes.
tests/gold_tests/tls/tls_post_abort_origin.py Adds a TLS origin helper that RSTs mid-request-body to simulate abortive upstream failure.
tests/gold_tests/tls/tls_post_abort_client.py Adds a helper client that POSTs a large body and measures time-to-failure after origin abort.
tests/gold_tests/tls/tls_origin_post_abort.test.py Adds a gold test asserting ATS fails promptly when a TLS origin resets mid-POST-body.
tests/gold_tests/tls/tls_origin_open_failed.test.py Adds a gold test asserting a failed outbound TLS origin connection surfaces as a 5xx without crashing.

@moonchen moonchen force-pushed the pre-tls/tls-test-coverage branch 2 times, most recently from ee54ceb to bc32bb2 Compare June 21, 2026 19:43
Copilot AI review requested due to automatic review settings June 21, 2026 19:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

Comment thread tests/gold_tests/tls/tls_record_size_client.py Outdated
@moonchen moonchen force-pushed the pre-tls/tls-test-coverage branch from bc32bb2 to 33d8d05 Compare June 21, 2026 19:59
@ezelkow1 ezelkow1 requested a review from Copilot June 22, 2026 22:23
@bryancall bryancall requested a review from bneradt June 22, 2026 22:25

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated no new comments.

tr.Processes.Default.StartBefore(self._server)
tr.Processes.Default.StartBefore(self._ts)
tr.Processes.Default.Command = (
f'python3 {os.path.join(Test.TestDirectory, "tls_record_size_client.py")} '

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this and the other occurrences of this in this PR: instead of python3 for these, we typically use {sys.executable}. Again, mention this in the AGENTS.md file as well.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — switched all the helper-launch Command strings in the PR to {sys.executable}. Added a note to the Writing Autests section of AGENTS.md.

Comment on lines +80 to +82
f'origin-{TestOriginPostAbort._origin_counter}', 'python3 {0} -p {1} -c {2} -d 1.0'.format(
os.path.join(Test.TestDirectory, 'tls_post_abort_origin.py'), Test.Variables.origin_port,
os.path.join(Test.Variables.AtsTestToolsDir, 'ssl', 'server.pem')))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please replace all .format() calls with f'...' strings in this PR.

While we're add it, please add a note about this in the AGENTS.md file in the section about writing autests.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — converted every .format() call in the PR's files to f-strings, and added a note to the Writing Autests section of AGENTS.md.

RECORD_OVERHEAD = 256


def iter_record_lengths(buf):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add type declarations for this?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added: iter_record_lengths(buf: bytes | bytearray) -> Iterator[tuple[int, int]], plus the flush/feed closures in the same function. Also annotated main() in tls_renegotiation_client.py for consistency, and added a line about annotating helper functions to the AGENTS.md note above.

@bneradt

bneradt commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

One additional issue I noticed:

  • tests/gold_tests/tls/tls_post_abort_client.py:67: the helper treats any response header from ATS as a prompt failure and returns PASS as long as it arrives before the threshold. That can make tls_origin_post_abort.test.py pass without exercising the TLS origin reset path: if the origin never starts, the remap breaks, ATS rejects the request before forwarding the body, or the TLS handshake fails immediately, the client still sees outcome = 'response received' and passes. Please tighten this so the test proves the intended scenario, for example by checking a 5xx status plus origin-side markers (request headers received, connection reset sent) and/or requiring some request-body bytes to be sent before the failure.

Signed, Codex (GPT-5)

Increase autest coverage with the following tests:

- TLS renegotiation, rejected by default and allowed when configured
- the TLS record-size clamp, checked against on-the-wire record sizes
- a failed outbound TLS origin connection surfaced as a 5xx
- a TLS origin that resets the connection mid-request-body
@moonchen moonchen force-pushed the pre-tls/tls-test-coverage branch from 33d8d05 to 86922d1 Compare June 24, 2026 00:00
@moonchen

Copy link
Copy Markdown
Contributor Author

Tightened on both sides. The client now requires (a) some request-body bytes were sent, (b) a prompt failure, and (c) a 5xx status — a bare connection drop or any non-5xx now fails instead of passing. The test additionally asserts the origin printed request headers received and connection reset sent.

@moonchen moonchen requested a review from bneradt June 24, 2026 14:23
@moonchen moonchen merged commit 3ce2acf into apache:master Jun 25, 2026
15 checks passed
@github-project-automation github-project-automation Bot moved this to For v10.2.0 in ATS v10.2.x Jun 25, 2026
@cmcfarlen cmcfarlen moved this from For v10.2.0 to Picked v10.2.0 in ATS v10.2.x Jun 26, 2026
@cmcfarlen cmcfarlen removed this from the 11.0.0 milestone Jun 26, 2026
@cmcfarlen cmcfarlen added this to the 10.2.0 milestone Jun 26, 2026
@cmcfarlen

Copy link
Copy Markdown
Contributor

Cherry-picked to 10.2.x

cmcfarlen pushed a commit that referenced this pull request Jun 26, 2026
Increase autest coverage with the following tests:

- TLS renegotiation, rejected by default and allowed when configured
- the TLS record-size clamp, checked against on-the-wire record sizes
- a failed outbound TLS origin connection surfaced as a 5xx
- a TLS origin that resets the connection mid-request-body

(cherry picked from commit 3ce2acf)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Picked v10.2.0

Development

Successfully merging this pull request may close these issues.

4 participants