tests: add TLS gold tests#13306
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds new AuTest “gold test” coverage for several TLS behaviors in Apache Traffic Server, focusing on regression protection for renegotiation handling, TLS record sizing, and failure propagation for outbound TLS connections.
Changes:
- Added two gold tests (plus helper clients) to validate client-initiated TLS 1.2 renegotiation behavior when disallowed vs. allowed.
- Added a gold test (plus helper client) that verifies
proxy.config.ssl.max_record_sizeby measuring TLS application-data record sizes on the wire. - Added gold test coverage (plus helper origin/client) for outbound TLS origin failure modes, including connect failure surfacing as 5xx and mid-request-body origin resets failing promptly.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tests/gold_tests/tls/tls_renegotiation.test.py | Adds a gold test ensuring client renegotiation is refused safely and ATS continues serving requests. |
| tests/gold_tests/tls/tls_renegotiation_client.py | Adds a helper script that drives openssl s_client to trigger a renegotiation attempt against ATS. |
| tests/gold_tests/tls/tls_renegotiation_allowed.test.py | Adds a gold test ensuring renegotiation (when allowed) is answered promptly rather than stalling. |
| tests/gold_tests/tls/tls_renegotiation_allowed_client.py | Adds a helper script that detects whether renegotiation completes/refuses promptly vs. stalls. |
| tests/gold_tests/tls/tls_record_size.test.py | Adds a gold test validating the max_record_size clamp on a large TLS download. |
| tests/gold_tests/tls/tls_record_size_client.py | Adds a helper client using ssl.MemoryBIO to capture ciphertext and measure TLS record sizes. |
| tests/gold_tests/tls/tls_post_abort_origin.py | Adds a TLS origin helper that RSTs mid-request-body to simulate abortive upstream failure. |
| tests/gold_tests/tls/tls_post_abort_client.py | Adds a helper client that POSTs a large body and measures time-to-failure after origin abort. |
| tests/gold_tests/tls/tls_origin_post_abort.test.py | Adds a gold test asserting ATS fails promptly when a TLS origin resets mid-POST-body. |
| tests/gold_tests/tls/tls_origin_open_failed.test.py | Adds a gold test asserting a failed outbound TLS origin connection surfaces as a 5xx without crashing. |
ee54ceb to
bc32bb2
Compare
bc32bb2 to
33d8d05
Compare
| tr.Processes.Default.StartBefore(self._server) | ||
| tr.Processes.Default.StartBefore(self._ts) | ||
| tr.Processes.Default.Command = ( | ||
| f'python3 {os.path.join(Test.TestDirectory, "tls_record_size_client.py")} ' |
There was a problem hiding this comment.
For this and the other occurrences of this in this PR: instead of python3 for these, we typically use {sys.executable}. Again, mention this in the AGENTS.md file as well.
There was a problem hiding this comment.
Done — switched all the helper-launch Command strings in the PR to {sys.executable}. Added a note to the Writing Autests section of AGENTS.md.
| f'origin-{TestOriginPostAbort._origin_counter}', 'python3 {0} -p {1} -c {2} -d 1.0'.format( | ||
| os.path.join(Test.TestDirectory, 'tls_post_abort_origin.py'), Test.Variables.origin_port, | ||
| os.path.join(Test.Variables.AtsTestToolsDir, 'ssl', 'server.pem'))) |
There was a problem hiding this comment.
Please replace all .format() calls with f'...' strings in this PR.
While we're add it, please add a note about this in the AGENTS.md file in the section about writing autests.
There was a problem hiding this comment.
Done — converted every .format() call in the PR's files to f-strings, and added a note to the Writing Autests section of AGENTS.md.
| RECORD_OVERHEAD = 256 | ||
|
|
||
|
|
||
| def iter_record_lengths(buf): |
There was a problem hiding this comment.
Can you add type declarations for this?
There was a problem hiding this comment.
Added: iter_record_lengths(buf: bytes | bytearray) -> Iterator[tuple[int, int]], plus the flush/feed closures in the same function. Also annotated main() in tls_renegotiation_client.py for consistency, and added a line about annotating helper functions to the AGENTS.md note above.
|
One additional issue I noticed:
Signed, Codex (GPT-5) |
Increase autest coverage with the following tests: - TLS renegotiation, rejected by default and allowed when configured - the TLS record-size clamp, checked against on-the-wire record sizes - a failed outbound TLS origin connection surfaced as a 5xx - a TLS origin that resets the connection mid-request-body
33d8d05 to
86922d1
Compare
|
Tightened on both sides. The client now requires (a) some request-body bytes were sent, (b) a prompt failure, and (c) a 5xx status — a bare connection drop or any non-5xx now fails instead of passing. The test additionally asserts the origin printed |
|
Cherry-picked to 10.2.x |
Increase autest coverage with the following tests: - TLS renegotiation, rejected by default and allowed when configured - the TLS record-size clamp, checked against on-the-wire record sizes - a failed outbound TLS origin connection surfaced as a 5xx - a TLS origin that resets the connection mid-request-body (cherry picked from commit 3ce2acf)
Add autest coverage for several TLS behaviors:
proxy.config.ssl.allow_client_renegotiationis enabled.proxy.config.ssl.max_record_sizeclamp, verified by measuring theapplication-data record sizes on the wire, not just the response body.
transaction promptly instead of waiting for the inactivity timeout.
proxy.config.http.flow_control) on a TLS clientconnection: a slow reader makes the tunnel throttle the origin and unthrottle
as the buffered data drains, and the full response body must still arrive. This
path had no prior gold coverage.
ssl_multicert.yamlviatraffic_ctl config reload)while concurrent TLS handshakes are in flight: the swapped-in certificate must
take effect, every handshake must succeed, and ATS must not crash.