Closed Bug 114964 Opened 23 years ago Closed 23 years ago

QA tests don't test multiple SSL handshakes on one connection

Categories

(NSS :: Test, enhancement, P2)

Product:
NSS
Component:
Test
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: sonja.mirtitsch)

Details

Attachments

(4 files)

patch
2.68 KB, patch
Details | Diff | Splinter Review
sslauth.txt
2.74 KB, text/plain
Details
output.log
99.66 KB, text/plain
Details
results
17.74 KB, text/html
Details 
This "bug" requests additional SSL testing in the SSL QA tests to make
them more complete.

Bug 114787 reported a crash that occured whenever a second (or subsequent)
SSL/TLS handshake was done on a TCP connection.  That bug was a regression
introduced by a change to SSL in NSS 3.4 on November 4. This bug was not 
caught by the QA tests at the time the regression was introduced because 
the QA tests apparently do not test the case where multiple SSL handshakes
are done on a single TCP connection.  

The "selfserv" test server already has the ability to test multiple SSL
connections on a TCP connection in conjunction with SSL client authentication
(which is the usual cause of multiple handshakes, now that SSL Step-Up is 
mostly a thing of the past).  This is controlled by the number of "-r" 
arguments on the command line.  The number of -r argument is interpreted
as follows:

number   number of
of -r's  handshakes            Meaning
-------  -------  -----------------------------------------------
none        1     do not request or require client authentication

  1         1     request but do not require client authentication 

  2         1     request and require client authentication

  3         2     do not request or require client auth on first handshake,
                  request but do not require client auth on second handshake

  4         2     do not request or require client auth on first handshake,
                  request and require client auth on second handshake

I request that the present tests of client authentication, which all use
1 or 2 -r's, be supplemented with new tests that use 3 or 4 -r's, so 
that we test all 4 combinations.
Priority: -- → P2
Target Milestone: --- → 3.4
I have lots of changes in the ssl script that wait for review and I would like
to check the first change in, before making the next addition
Depends on: 73098
taking off dependency since other fix was checked in in the meantime (Ian reviewed)
Status: NEW → ASSIGNED
No longer depends on: 73098
Attached patch patchSplinter Review 

    
    

    
  

      
      
      
      

        Attached file
          
        sslauth.txt
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        output.log
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        results
      

    


  

    
    

    
  
I'd like to check in the changes, please review
Whiteboard: review needed

    
    

    
  
This looks OK to me, but with two comments:

1. In the first column, the old test cases used values of 0 and 254.   
   The new test cases use 0 and 1.  I'm surprised that the new test
   cases don't use the same values as the old ones there.

2. instead of using -r_-r_-r you could use -rrr



    
    

    
  
1 is what the tstclnt returns in this case - maybe someone should review
tstclnt.c to find out why if that is unexpected? Thanks for letting me know
about the simplified option, I'll keep it in mind for the future.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED

    
    

    
  
One of the failures that we could only recognize from the output.log has been
more than 1 cache miss - at the moment I can only test for more than 2 since the
script that evaluates the output.log is still a shell script (should be
re-written in perl)
line:
dewey.1/output.log:0 cache hits; 2 cache misses, 0 cache not reusable 

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
please Nelson or Wan-Teh, let me know if the scripts still need to do strict
testing regarding the cache misses. It would be very hard to implement this in
the shell script.
Thanks
Whiteboard: review needed → one more review needed

    
    

    
  
2 cache misses is the expected and correct number when doing two full
SSL handshakes on the same connection.  

Testing the number of cache misses is important on stress tests, but 
IMO is not vital for these simple functionality tests.

    
    

    
  
Yes I realize this, but the script, being a dumb shell vs a smart perl script is
not context sensitive, and can't determine if it is evaluating a stress test
message or a auth test message

    
    

    
  
You could add another column to the table of test cases, which is the 
expected number of cache misses, and then compare the result with 
that number in the shell script.  It might require adding another 
positional parameter to some shell script subroutine.

    
    

    
  
I just noticed that the output line from the strsclnt looks different than from
the tstclnt - so this way the fix is fairly trivial.
It might still be a good idea to put the expected number of cache misses in the
.txt file as you suggested, and do the pass fail evaluation right from the
ssl.sh script where it belongs instead of putting it into the qa_stat script. I
will file a seperate QA bug on it.
thanks

Whiteboard: one more review needed

    
    

    
  
workaround in QA stat, seperate bug files on adding # of expected cache misses
to .txt files
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: