Add regression testing for https_port ECDH parameter loading

configure.ac

@@ -1029,6 +1029,7 @@ SQUID_CHECK_LIB_WORKS(gnutls,[
   PKG_CHECK_MODULES([LIBGNUTLS],[gnutls >= 3.4.0],[
     CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS"
     AC_CHECK_HEADERS(gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h)
+    AC_PATH_PROG(CERTTOOL_BIN, certtool)
   ],[:])
 ])
 
@@ -1110,11 +1111,13 @@ AS_IF([test "x$with_openssl" = "xyes"],[
     SQUID_CHECK_OPENSSL_CONST_SSL_SESSION_CB_ARG
     SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS
     SQUID_CHECK_OPENSSL_TXTDB
+    AC_PATH_PROG(OPENSSL_BIN, openssl)
   ])
   AS_IF([test "x$SSLLIB" = "x"],[AC_MSG_ERROR([Required OpenSSL library not found])])
 ])
 AC_MSG_NOTICE([OpenSSL library support: ${with_openssl:=no} ${LIBOPENSSL_PATH} ${LIBOPENSSL_LIBS}])
 AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ])
+AM_CONDITIONAL(ENABLE_CERT_TESTS,[ test "x$with_openssl" = "xyes" -o "x$with_gnutls" != "xno"])
 AC_SUBST(SSLLIB)
 
 # Kerberos support libraries: MIT

src/security/KeyData.cc

@@ -148,7 +148,8 @@ Security::KeyData::loadX509PrivateKeyFromFile()
     Ssl::ReadPrivateKeyFromFile(keyFilename, pkey, cb);
 
     if (pkey && !X509_check_private_key(cert.get(), pkey.get())) {
-        debugs(83, DBG_IMPORTANT, "WARNING: '" << privateKeyFile << "' X509_check_private_key() failed");
+        const auto x = ERR_get_error();
+        debugs(83, DBG_IMPORTANT, "WARNING: '" << privateKeyFile << "' X509_check_private_key() failed: " << ErrorString(x));
         pkey.reset();
     }
 

src/security/ServerOptions.cc

@@ -474,6 +474,20 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx)
         }
     }
 
+    // log ciphers enabled for this context
+    if (const auto *enabledCiphers = SSL_CTX_get_ciphers(ctx.get())) {
+        int i = 0;
+	while (const auto *value = sk_SSL_CIPHER_value(enabledCiphers, ++i)) {
+	    debugs(83, 5, "Enabled cipher: " << value);
+	}
+    } else {
+        debugs(83, DBG_CRITICAL, "ERROR: No ciphers enabled with " <<
+               (tlsMinVersion.isEmpty() ? "" : " tls-min-version=") << tlsMinVersion <<
+               (sslOptions.isEmpty() ? "" : " tls-options=") << sslOptions <<
+               (sslCipher.isEmpty() ? "" : " cipher=") << sslCipher);
+        return false;
+    }
+
     Ssl::MaybeSetupRsaCallback(ctx);
 #endif
 
@@ -521,9 +535,11 @@ Security::ServerOptions::updateContextClientCa(Security::ContextPointer &ctx)
 void
 Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
 {
+    debugs(83, 8, "dh=" << dh << ", eecdhCurve=" << eecdhCurve << ", dhParamsFile=" << dhParamsFile);
+
     // set Elliptic Curve details into the server context
     if (!eecdhCurve.isEmpty()) {
-        debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
+        debugs(83, 8, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
 
 #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
 
@@ -566,6 +582,7 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
     // set DH parameters into the server context
 #if USE_OPENSSL
     if (parsedDhParams) {
+        debugs(83, 8, "setting DH parameters from " << dhParamsFile);
         SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());
     }
 #endif

test-suite/Makefile.am

@@ -21,6 +21,7 @@ LDADD = \
 EXTRA_PROGRAMS = mem_node_test splay
 
 EXTRA_DIST = \
+	mk-tls-test-certs.sh \
 	$(srcdir)/squidconf/* \
 	test-functionality.sh \
 	test-sources.sh \
@@ -112,9 +113,30 @@ VirtualDeleteOperator_SOURCES = \
 	VirtualDeleteOperator.cc \
 	stub_libmem.cc
 
+CLEANFILES += \
+	ca-mid-root-rsa.pem \
+	ca-mid-rsa.crt \
+	ca-mid-rsa.pem \
+	ca-mid-rsa.pkey \
+	ca-root-rsa.crt \
+	ca-root-rsa.pem \
+	ca-root-rsa.pkey \
+	leaf-root-rsa.pem \
+	leaf-chain-nokey-rsa.pem \
+	leaf-key-rsa.pem \
+	leaf-rsa.crt \
+	leaf-rsa.pkey
+
+if ENABLE_CERT_TESTS
+generate-test-certificates:
+	$(srcdir)/mk-tls-test-certs.sh "$(OPENSSL_BIN)" "$(CERTTOOL_BIN)"
+else
+generate-test-certificates:
+endif
+
 installcheck-local: squid-conf-tests
 
-squid-conf-tests: $(srcdir)/test-squid-conf.sh $(top_builddir)/src/squid.conf.default $(srcdir)/squidconf/*
+squid-conf-tests: generate-test-certificates $(srcdir)/test-squid-conf.sh $(top_builddir)/src/squid.conf.default $(srcdir)/squidconf/*
 	@instructionFiles="$(srcdir)/squidconf/*.conf.instructions"; \
 	for instructionFile in $$instructionFiles; do \
 		cfgBasename=`basename $$instructionFile .instructions`; \
@@ -148,3 +170,5 @@ CLEANFILES += \
 	squid-stderr.log \
 	squid-stderr.log.next \
 	squid-stderr.log.unmatched
+
+.PHONY: generate-test-certificates

test-suite/mk-tls-test-certs.sh

@@ -0,0 +1,227 @@
+#!/bin/sh -e
+
+#
+# test certificates and keys
+#
+
+OPENSSL="$1"
+CERTTOOL="$2"
+
+if test -n "$OPENSSL"; then
+
+	#
+	# self-signed root CA
+	#
+	echo "
+		[ ca ]
+		default_ca= test_CA
+		[ test_CA ]
+		default_days= 365
+		default_md= sha256
+		preserve= no
+		[ req ]
+		distinguished_name= root_ca_distinguished_name
+		prompt= no
+		x509_extensions= root_ca_extensions
+		[ root_ca_distinguished_name ]
+		organizationName= Example.Org
+		commonName= Test CA. Do not Trust
+		[ root_ca_extensions ]
+		basicConstraints = CA:true
+	" > example.org-ca
+
+	$OPENSSL version
+
+	$OPENSSL req -newkey rsa:2048 -x509 -nodes -set_serial 1 \
+		-config example.org-ca \
+		-keyout ca-root-rsa.pkey.tmp \
+		-out ca-root-rsa.crt
+
+	$OPENSSL rsa -in ca-root-rsa.pkey.tmp -out ca-root-rsa.pkey
+
+	rm -f ca-root-rsa.pkey.tmp example.org-ca
+
+	#
+	# intermediary CA, signed by root
+	#
+	echo "
+		[ ca ]
+		default_ca= test_CA
+		[ test_CA ]
+		default_md= sha256
+		preserve= no
+		[ req ]
+		distinguished_name= root_ca_distinguished_name
+		prompt= no
+		x509_extensions= root_ca_extensions
+		[ root_ca_distinguished_name ]
+		organizationName= Example.Net
+		commonName= Test CA. Do not Trust
+		[ root_ca_extensions ]
+		basicConstraints= CA:true
+	" > example.net-ca
+
+	$OPENSSL genrsa -out ca-mid-rsa.pkey.tmp 4096
+
+	$OPENSSL req -new -sha256 -set_serial 2 \
+		-config example.net-ca \
+		-key ca-mid-rsa.pkey.tmp \
+		-out ca-mid-rsa.csr
+
+	$OPENSSL rsa -in ca-mid-rsa.pkey.tmp -out ca-mid-rsa.pkey
+
+	# CA signs Intermediate
+	$OPENSSL x509 -req -days 365 \
+		-in ca-mid-rsa.csr \
+		-CA ca-root-rsa.crt -CAkey ca-root-rsa.pkey -set_serial 2 \
+		-out ca-mid-rsa.crt
+
+	rm -f ca-mid-rsa.csr ca-mid-rsa.pkey.tmp example.net-ca
+
+	#
+	# Standard leaf / server certificate
+	#
+	echo "
+		[ ca ]
+		default_ca= test_CA
+		[ test_CA ]
+		default_md= sha1
+		preserve= no
+		[ req ]
+		distinguished_name= user_distinguished_name
+		prompt= no
+		x509_extensions= user_extensions
+		[ user_distinguished_name ]
+		organizationName= Example.Com
+		commonName= Test CA. Do not Trust
+		[ user_extensions ]
+		basicConstraints= CA:false
+	" >example.com-leaf
+
+	$OPENSSL genrsa -out leaf-rsa.pkey.tmp 4096
+
+	$OPENSSL req -new -sha256 -set_serial 3 \
+		-config example.com-leaf \
+		-key leaf-rsa.pkey.tmp \
+		-out leaf-rsa.csr
+
+	$OPENSSL rsa -in leaf-rsa.pkey.tmp -out leaf-rsa.pkey
+
+	$OPENSSL x509 -req -days 365 \
+		-in leaf-rsa.csr \
+		-CA ca-root-rsa.crt -CAkey ca-root-rsa.pkey -set_serial 3 \
+		-out leaf-rsa.crt
+
+	rm -f leaf-rsa.csr leaf-rsa.pkey.tmp example.com-leaf
+
+	#
+	# PEM files with CA chain
+	#
+	cat ca-root-rsa.pkey ca-root-rsa.crt > ca-root-rsa.pem
+	cat ca-mid-rsa.pkey ca-mid-rsa.crt > ca-mid-rsa.pem
+	cat ca-mid-rsa.pkey ca-mid-rsa.crt ca-root-rsa.crt > ca-mid-root-rsa.pem
+	cat leaf-rsa.pkey leaf-rsa.crt ca-root-rsa.crt > leaf-root-rsa.pem
+	cat leaf-rsa.pkey leaf-rsa.crt > leaf-key-rsa.pem
+	cat leaf-rsa.crt ca-root-rsa.crt > leaf-chain-nokey-rsa.pem
+
+	#
+	# Diffie-Hellman parameters
+	#
+	$OPENSSL dhparam -out dh-params.pem 2048
+
+	#
+	# Elliptic Curve parameters
+	#
+	$OPENSSL ecparam -name secp256k1 \
+		-out ecdh-curve-only.pem
+
+	$OPENSSL ecparam -name secp256k1 \
+		-param_enc explicit \
+		-out ecdh-params.pem
+
+	$OPENSSL ecparam -name secp256k1 \
+		-param_enc explicit \
+		-genkey \
+		-out ecdh-key.pem
+
+elif test -n "$CERTTOOL"; then
+
+	#
+	# self-signed root CA
+	#
+	echo "
+		organization = \"Example.Org\"
+		cn = \"Test CA. Do not Trust\"
+		dc = \"example.org\"
+		expiration_days = 365
+		ca
+		cert_signing_key
+		crl_signing_key
+		" > example.org-ca
+
+	$CERTTOOL --version
+
+	$CERTTOOL --generate-privkey --rsa --outfile ca-root-rsa.pkey
+
+	$CERTTOOL --generate-self-signed --template example.org-ca \
+		--rsa --load-privkey ca-root-rsa.pkey --outfile ca-root-rsa.crt
+
+	rm example.org-ca
+
+	#
+	# intermediary CA, signed by root
+	#
+	echo "
+	organization = \"Example.Net\"
+	cn = \"Test CA. Do not Trust\"
+	dc = \"example.net\"
+	expiration_days = 365
+	ca
+	cert_signing_key
+	crl_signing_key
+	" > example.net-ca
+
+	$CERTTOOL --generate-privkey --rsa --outfile ca-mid-rsa.pkey
+
+	$CERTTOOL --generate-certificate --load-privkey ca-mid-rsa.pkey \
+		--load-ca-certificate ca-root-rsa.crt --load-ca-privkey ca-root-rsa.pkey \
+		--template example.net-ca --outfile ca-mid-rsa.crt
+
+	rm example.net-ca
+
+	#
+	# Standard leaf / server certificate
+	#
+	echo "
+	organization = \"Example.Com\"
+	cn = \"Test CA. Do not Trust\"
+	dc = \"example.com\"
+	expiration_days = 365
+	tls_www_server
+	" >example.com-leaf
+
+	$CERTTOOL --generate-privkey --rsa --outfile leaf-rsa.pkey
+
+	$CERTTOOL --generate-certificate --load-privkey leaf-rsa.pkey \
+		--load-ca-certificate ca-root-rsa.crt --load-ca-privkey ca-root-rsa.pkey \
+		--template example.com-leaf --outfile leaf-rsa.crt
+
+	rm -f example.com-leaf
+
+	#
+	# PEM files with CA chain
+	#
+	cat ca-root-rsa.pkey ca-root-rsa.crt > ca-root-rsa.pem
+	cat ca-mid-rsa.pkey ca-mid-rsa.crt > ca-mid-rsa.pem
+	cat ca-mid-rsa.pkey ca-mid-rsa.crt ca-root-rsa.crt > ca-mid-root-rsa.pem
+	cat leaf-rsa.pkey leaf-rsa.crt ca-root-rsa.crt > leaf-root-rsa.pem
+	cat leaf-rsa.pkey leaf-rsa.crt > leaf-key-rsa.pem
+	cat leaf-rsa.crt ca-root-rsa.crt > leaf-chain-nokey-rsa.pem
+
+else
+	echo "WARNING: cannot find a tool to generate certificates"
+	echo "Usage: $0 <openssl> <certtool>"
+	echo "At least one of the two parameters must be given."
+	echo "Use an empty string to skip the first parameter."
+	exit 1;
+fi