Revert "Remove reference to client.verify.server from tests and other…

… bits (apache#7639)"

This reverts commit 8f25b6b.

doc/developer-guide/api/types/TSOverridableConfigKey.en.rst

@@ -143,6 +143,7 @@ Enumeration Members
 .. c:enumerator:: TS_CONFIG_HTTP_ALLOW_HALF_OPEN
 .. c:enumerator:: TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX
 .. c:enumerator:: TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH
+.. c:enumerator:: TS_CONFIG_SSL_CLIENT_VERIFY_SERVER
 .. c:enumerator:: TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY
 .. c:enumerator:: TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES
 .. c:enumerator:: TS_CONFIG_SSL_CLIENT_SNI_POLICY

include/ts/apidefs.h.in

@@ -849,6 +849,7 @@ typedef enum {
   TS_CONFIG_HTTP_SERVER_MIN_KEEP_ALIVE_CONNS,
   TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX,
   TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH,
+  TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
   TS_CONFIG_SSL_CLIENT_SNI_POLICY,

lib/perl/lib/Apache/TS/AdminClient.pm

@@ -579,6 +579,7 @@ The Apache Traffic Server Administration Manual will explain what these strings
  proxy.config.ssl.client.cert.path
  proxy.config.ssl.client.private_key.filename
  proxy.config.ssl.client.private_key.path
+ proxy.config.ssl.client.verify.server
  proxy.config.ssl.server.cert_chain.filename
  proxy.config.ssl.server.cert.path
  proxy.config.ssl.server.cipher_suite

plugins/lua/ts_lua_http_config.c

@@ -132,6 +132,7 @@ typedef enum {
   TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE                        = TS_CONFIG_HTTP_ALLOW_MULTI_RANGE,
   TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED                   = TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED,
   TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN                          = TS_CONFIG_HTTP_ALLOW_HALF_OPEN,
+  TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER                      = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
   TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY               = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
   TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES           = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
   TS_LUA_CONFIG_SSL_CLIENT_SNI_POLICY                         = TS_CONFIG_SSL_CLIENT_SNI_POLICY,
@@ -259,6 +260,7 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN),
+  TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER),
   TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY),
   TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES),
   TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_SNI_POLICY),

proxy/http/HttpConfig.h

@@ -603,6 +603,7 @@ struct OverridableHttpConfigParams {
   //////////////////////////////
   // server verification mode //
   //////////////////////////////
+  MgmtByte ssl_client_verify_server         = 0;
   char *ssl_client_verify_server_policy     = nullptr;
   char *ssl_client_verify_server_properties = nullptr;
   char *ssl_client_sni_policy               = nullptr;

src/shared/overridable_txn_vars.cc

@@ -155,6 +155,7 @@ const std::unordered_map<std::string_view, std::tuple<const TSOverridableConfigK
      {"proxy.config.http.connect.dead.policy", {TS_CONFIG_HTTP_CONNECT_DEAD_POLICY, TS_RECORDDATATYPE_INT}},
      {"proxy.config.http.parent_proxy.per_parent_connect_attempts",
       {TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS, TS_RECORDDATATYPE_INT}},
+     {"proxy.config.ssl.client.verify.server", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, TS_RECORDDATATYPE_INT}},
      {"proxy.config.ssl.client.verify.server.policy", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY, TS_RECORDDATATYPE_STRING}},
      {"proxy.config.ssl.client.verify.server.properties",
       {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES, TS_RECORDDATATYPE_STRING}},

src/traffic_server/InkAPI.cc

@@ -8839,6 +8839,9 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams *overr
   case TS_CONFIG_HTTP_FORWARD_CONNECT_METHOD:
     ret = _memberp_to_generic(&overridableHttpConfig->forward_connect_method, conv);
     break;
+  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
+    ret = _memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, conv);
+    break;
   case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY:
   case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES:
   case TS_CONFIG_SSL_CLIENT_SNI_POLICY:

src/traffic_server/InkAPITest.cc

@@ -8689,6 +8689,7 @@ std::array<std::string_view, TS_CONFIG_LAST_ENTRY> SDK_Overridable_Configs = {
    OutboundConnTrack::CONFIG_VAR_MIN,
    OutboundConnTrack::CONFIG_VAR_MAX,
    OutboundConnTrack::CONFIG_VAR_MATCH,
+   "proxy.config.ssl.client.verify.server",
    "proxy.config.ssl.client.verify.server.policy",
    "proxy.config.ssl.client.verify.server.properties",
    "proxy.config.ssl.client.sni_policy",

tests/gold_tests/chunked_encoding/chunked_encoding.test.py

@@ -72,6 +72,8 @@
                                'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
                                'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
                                'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE',
+                               'proxy.config.ssl.client.verify.server': 0,
+                               'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
                                })
 
 ts.Disk.remap_config.AddLine(

tests/gold_tests/chunked_encoding/chunked_encoding_h2.test.py

@@ -40,6 +40,7 @@
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE',
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
 })
 
 ts.Disk.remap_config.AddLine(

tests/gold_tests/continuations/double_h2.test.py

@@ -57,6 +57,8 @@
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.cache.enable_read_while_writer': 0,
+    'proxy.config.ssl.client.verify.server': 0,
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.http2.max_concurrent_streams_in': 65535
 })
 

tests/gold_tests/h2/h2disable.test.py

@@ -49,6 +49,7 @@
     'proxy.config.diags.debug.tags': 'http|ssl',
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.accept_threads': 1
 })

tests/gold_tests/h2/h2disable_no_accept_threads.test.py

@@ -49,6 +49,7 @@
     'proxy.config.diags.debug.tags': 'http|ssl',
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.accept_threads': 0
 })

tests/gold_tests/h2/h2enable.test.py

@@ -48,6 +48,7 @@
     'proxy.config.diags.debug.tags': 'http|ssl',
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.accept_threads': 1,
     'proxy.config.http.server_ports': '{0}:ssl:proto=http {1}'.format(ts.Variables.ssl_port, ts.Variables.port)

tests/gold_tests/h2/h2enable_no_accept_threads.test.py

@@ -48,6 +48,7 @@
     'proxy.config.diags.debug.tags': 'http|ssl',
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.http.server_ports': '{0}:ssl:proto=http {1}'.format(ts.Variables.ssl_port, ts.Variables.port),
     'proxy.config.accept_threads': 0

tests/gold_tests/h2/h2spec.test.py

@@ -50,6 +50,7 @@
     'proxy.config.http.insert_response_via_str': 1,
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.client.verify.server': 0,
     'proxy.config.diags.debug.enabled': 0,
     'proxy.config.diags.debug.tags': 'http',
 })

tests/gold_tests/h2/http2.test.py

@@ -130,6 +130,8 @@
     'proxy.config.diags.debug.tags': 'http',
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.client.verify.server': 0,
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.http2.active_timeout_in': 3,
     'proxy.config.http2.max_concurrent_streams_in': 65535,
 })

tests/gold_tests/h2/http2_priority.test.py

@@ -58,6 +58,8 @@
     'proxy.config.http2.no_activity_timeout_in': 3,
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.client.verify.server': 0,
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.diags.debug.enabled': 1,
     'proxy.config.diags.debug.tags': 'http2',
 })

tests/gold_tests/h2/httpbin.test.py

@@ -56,6 +56,8 @@
     'proxy.config.http.insert_response_via_str': 1,
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.client.verify.server': 0,
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.diags.debug.enabled': 1,
     'proxy.config.diags.debug.tags': 'http2',
 

tests/gold_tests/ip_allow/ip_allow.test.py

@@ -90,6 +90,8 @@
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE',
+    'proxy.config.ssl.client.verify.server': 0,
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.http2.active_timeout_in': 3,
     'proxy.config.http2.max_concurrent_streams_in': 65535,
 })

tests/gold_tests/pluginTest/lua/lua_watermark.test.py

@@ -57,6 +57,10 @@
 # Test for watermark debug output
 ts.Streams.All = Testers.ContainsExpression(r"WMbytes\(31337\)", "Upstream watermark should be properly set")
 
+# These are needed for 8.x only since Lua errors go to diags in 8.x, newer versions go to stdout
+#ts.Disk.diags_log.Content = Testers.ContainsExpression("failed to get node's reconfigure time while checking script registration", "This test is a failure test")
+#ts.Disk.diags_log.Content = Testers.ContainsExpression("failed to get node's reconfigure time while registering script", "This test is a failure test")
+
 # Test if watermark upstream is set
 tr = Test.AddTestRun("Lua Watermark")
 tr.Processes.Default.Command = "curl -v http://127.0.0.1:{0}".format(ts.Variables.port)

tests/gold_tests/pluginTest/slice/slice_regex.test.py

@@ -55,6 +55,7 @@
 
 server.addResponse("sessionlog.json", request_header_chk, response_header_chk)
 
+#block_bytes = 7
 body = "lets go surfin now"
 
 request_header_txt = {"headers":

tests/gold_tests/pluginTest/sslheaders/sslheaders.test.py

@@ -51,6 +51,12 @@
     'proxy.config.http.server_ports': (
         'ipv4:{0} ipv4:{1}:proto=http2;http:ssl ipv6:{0} ipv6:{1}:proto=http2;http:ssl'
         .format(ts.Variables.port, ts.Variables.ssl_port)),
+    #    'proxy.config.ssl.client.verify.server':  0,
+    #    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
+    #    'proxy.config.url_remap.pristine_host_hdr' : 1,
+    #    'proxy.config.ssl.client.certification_level': 2,
+    #    'proxy.config.ssl.CA.cert.filename': '{0}/signer.pem'.format(ts.Variables.SSLDir),
+    #    'proxy.config.ssl.TLSv1_3': 0
 })
 
 ts.Disk.ssl_multicert_config.AddLine(

tests/gold_tests/pluginTest/traffic_dump/traffic_dump.test.py

@@ -55,6 +55,7 @@
 
     'proxy.config.ssl.server.cert.path': ts.Variables.SSLDir,
     'proxy.config.ssl.server.private_key.path': ts.Variables.SSLDir,
+    'proxy.config.ssl.client.verify.server': 0,
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
     'proxy.config.exec_thread.autoconfig.scale': 1.0,

tests/gold_tests/pluginTest/traffic_dump/traffic_dump_sni_filter.test.py

@@ -48,6 +48,7 @@
 
     'proxy.config.ssl.server.cert.path': ts.Variables.SSLDir,
     'proxy.config.ssl.server.private_key.path': ts.Variables.SSLDir,
+    'proxy.config.ssl.client.verify.server': 0,
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.ssl.CA.cert.filename': f'{ts.Variables.SSLDir}/signer.pem',
     'proxy.config.exec_thread.autoconfig.scale': 1.0,

tests/gold_tests/remap/remap_https.test.py

@@ -47,6 +47,8 @@
     # enable ssl port
     'proxy.config.http.server_ports': '{0} {1}:proto=http2;http:ssl'.format(ts.Variables.port, ts.Variables.ssl_port),
     'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE',
+    'proxy.config.ssl.client.verify.server': 0,
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
 })
 
 ts.Disk.remap_config.AddLine(

tests/gold_tests/timeout/tls_conn_timeout.test.py

@@ -69,6 +69,7 @@
 tr.Processes.Default.StartBefore(delay_post_connect, ready=When.PortOpen(Test.Variables.block_connect_port))
 tr.Processes.Default.Command = 'curl -H"Connection:close" -d "bob" -i http://127.0.0.1:{0}/connect_blocked --tlsv1.2'.format(
     ts.Variables.port)
+#tr.Processes.Default.TimeOut = 6
 tr.Processes.Default.Streams.All = Testers.ContainsExpression(
     "HTTP/1.1 502 connect failed", "Connect failed")
 tr.Processes.Default.ReturnCode = 0
@@ -93,6 +94,7 @@
 tr.Processes.Default.StartBefore(delay_get_connect, ready=When.PortOpen(Test.Variables.get_block_connect_port))
 tr.Processes.Default.Command = 'curl -H"Connection:close" -i http://127.0.0.1:{0}/get_connect_blocked --tlsv1.2'.format(
     ts.Variables.port)
+#tr.Processes.Default.TimeOut = 6
 tr.Processes.Default.Streams.All = Testers.ContainsExpression(
     "HTTP/1.1 502 connect failed", "Connect failed")
 tr.Processes.Default.ReturnCode = 0
@@ -113,6 +115,8 @@
 delay_post_connect.Streams.All += Testers.ExcludesExpression("TTFB delay", "Should not reach the TTFB delay logic")
 delay_post_ttfb.Streams.All = Testers.ContainsExpression("Accept try", "Should appear one time")
 delay_post_ttfb.Streams.All += Testers.ContainsExpression("TTFB delay", "Should reach the TTFB delay logic")
+# May fail due to port ready test
+#delay_post_ttfb.Streams.All += Testers.ExcludesExpression("Failed accept", "Accept should have succeeded")
 
 
 delay_get_connect.Streams.All = Testers.ContainsExpression(
@@ -121,3 +125,5 @@
 delay_get_ttfb.Streams.All = Testers.ContainsExpression(
     "Accept try", "Should appear at least two times (may be an extra one due to the port ready test)")
 delay_get_ttfb.Streams.All += Testers.ContainsExpression("TTFB delay", "Should reach the TTFB delay logic")
+# May fail due to port ready test
+#delay_get_ttfb.Streams.All += Testers.ExcludesExpression("Failed accept", "Accept should have succeeded")

tests/gold_tests/tls/tls.test.py

@@ -36,6 +36,7 @@
 testName = ""
 
 header_count = 378
+#header_count = 78
 
 header_string = "POST /post HTTP/1.1\r\nHost: www.example.com\r\nContent-Length:1000\r\n"
 
@@ -66,10 +67,8 @@
 ts.Disk.ssl_multicert_config.AddLine(
     'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
 )
-ts.Disk.records_config.update({'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
-                               'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
-                               'proxy.config.exec_thread.autoconfig.scale': 1.0,
-                               })
+ts.Disk.records_config.update({'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.exec_thread.autoconfig.scale': 1.0, 'proxy.config.ssl.server.cipher_suite':
+                               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2', })
 
 tr = Test.AddTestRun("Run-Test")
 tr.Command = './ssl-post 127.0.0.1 40 {0} {1}'.format(header_count, ts.Variables.ssl_port)

tests/gold_tests/tls/tls_check_cert_selection.test.py

@@ -53,6 +53,7 @@
 ts.Disk.records_config.update({
     'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
     'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
     'proxy.config.url_remap.pristine_host_hdr': 1,
     'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns.Variables.Port),
     'proxy.config.exec_thread.autoconfig.scale': 1.0,