Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correctly handle the case when TLS is disabled #4150

Merged
merged 5 commits into from
Oct 16, 2023
Merged

Correctly handle the case when TLS is disabled #4150

merged 5 commits into from
Oct 16, 2023

Conversation

chrzaszcz
Copy link
Member

@chrzaszcz chrzaszcz commented Oct 13, 2023
edited

When the TLS section is missing, then according to the documentation STARTTLS should be rejected. This was not the case: the feature was advertised, and a TLS upgrade performed by a client (who was informed about the support) resulted in a crash.

This PR fixes these issues:

  • STARTTLS is only advertised when enabled.
  • Upgrade attempt results in a correct failure element, as described in RFC 6120

The tests are updated to check these conditions, and to correctly verify the features for optional and required STARTTLS as well.

The bugs were discovered accidentally when checking esl/mongooseim-docker#42. The statement about TLS disabled by default is changed in the docs, because it most likely confused the reporter of that issue.

@mongoose-im

This comment was marked as outdated.

Sign in to view
@codecov
Copy link

codecov bot commented Oct 13, 2023
edited

Codecov Report

All modified lines are covered by tests ✅

Comparison is base (355991b) 84.05% compared to head (ebe60bb) 84.05%.
Report is 6 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #4150   +/-   ##
=======================================
  Coverage   84.05%   84.05%           
=======================================
  Files         561      561           
  Lines       34050    34053    +3     
=======================================
+ Hits        28620    28623    +3     
  Misses       5430     5430
Files Coverage Δ
src/c2s/mongoose_c2s.erl 88.18% <100.00%> (+0.04%) ⬆️
src/c2s/mongoose_c2s_stanzas.erl 100.00% <100.00%> (ø)

... and 10 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@chrzaszcz chrzaszcz mentioned this pull request Oct 13, 2023
Closed
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
@chrzaszcz
Add tests for STARTTLS
53932f9 
- When STARTTLS is disabled, no features should be advertised,
  and TLS upgrade should be rejected
- STARTTLS features should be correctly advertised before and after
  performing the TLS upgrade

Also: reorganize tests, making group and test names more intuitive

testf
@chrzaszcz
Parallelize more tests in connect_SUITE
7a085cb
@chrzaszcz
Advertise STARTTLS only when enabled (no TLS section = disabled)
0c4cc3e
@chrzaszcz
Do not accept STARTTLS if it is disabled
37706b5 
Previously STARTTLS would be attempted, resulting in a crash.
Now the result is a failure, as defined in RFC 6120, section 5.4.2.2
@chrzaszcz
Make docs for TLS more obvious
ebe60bb
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im
Copy link
Collaborator

mongoose-im commented Oct 13, 2023
edited

elasticsearch_and_cassandra_26 / elasticsearch_and_cassandra_mnesia / ebe60bb
Reports root/ big
OK: 369 / Failed: 0 / User-skipped: 38 / Auto-skipped: 0

small_tests_25 / small_tests / ebe60bb
Reports root / small

small_tests_26_arm64 / small_tests / ebe60bb
Reports root / small

small_tests_26 / small_tests / ebe60bb
Reports root / small

ldap_mnesia_25 / ldap_mnesia / ebe60bb
Reports root/ big
OK: 2307 / Failed: 0 / User-skipped: 865 / Auto-skipped: 0

dynamic_domains_mysql_redis_26 / mysql_redis / ebe60bb
Reports root/ big
OK: 4239 / Failed: 1 / User-skipped: 144 / Auto-skipped: 0

carboncopy_SUITE:one2one:dropped_client_doesnt_create_duplicate_carbons 
{error,
  {{badmatch,
     [{xmlel,<<"message">>,
        [{<<"from">>,
        <<"alice_dropped_client_doesnt_create_duplicate_carbons_585@domain.example.com">>},
         {<<"to">>,
        <<"alice_dropped_client_doesnt_create_duplicate_carbons_585@domain.example.com/res2">>},
         {<<"xmlns">>,<<"jabber:client">>},
         {<<"type">>,<<"chat">>}],
        [{xmlel,<<"sent">>,
           [{<<"xmlns">>,<<"urn:xmpp:carbons:2">>}],
           [{xmlel,<<"forwarded">>,
            [{<<"xmlns">>,<<"urn:xmpp:forward:0">>}],
            [{xmlel,<<"message">>,
               [{<<"from">>,
                 <<"alice_dropped_client_doesnt_create_duplicate_carbons_585@domain.example.com/res1">>},
                {<<"type">>,<<"chat">>},
                {<<"to">>,
                 <<"bob_dropped_client_doesnt_create_duplicate_carbons_585@domain.example.com/res1">>},
                {<<"xmlns">>,<<"jabber:client">>}],
               [{xmlel,<<"body">>,[],
                  [{xmlcdata,
                     <<"And pious action">>}]}]}]}]}]}]},
   [{carboncopy_SUITE,
      '-dropped_client_doesnt_create_duplicate_carbons/1-fun-0-',4,
      [{file,
         "/home/circleci/project/big_tests/tests/carboncopy_SUITE.erl"},
       {line,189}]},
    {escalus_story,story,4,
      [{file,
         "/home/circleci/project/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
       {line,72}]},
    {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1793}]},
    {test_server,run_test_c...

Report log

dynamic_domains_pgsql_mnesia_25 / pgsql_mnesia / ebe60bb
Reports root/ big
OK: 4272 / Failed: 0 / User-skipped: 112 / Auto-skipped: 0

ldap_mnesia_26 / ldap_mnesia / ebe60bb
Reports root/ big
OK: 2307 / Failed: 0 / User-skipped: 865 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_26 / odbc_mssql_mnesia / ebe60bb
Reports root/ big
OK: 4269 / Failed: 0 / User-skipped: 115 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_26 / pgsql_mnesia / ebe60bb
Reports root/ big
OK: 4272 / Failed: 0 / User-skipped: 112 / Auto-skipped: 0

internal_mnesia_26 / internal_mnesia / ebe60bb
Reports root/ big
OK: 2457 / Failed: 0 / User-skipped: 715 / Auto-skipped: 0

pgsql_cets_26 / pgsql_cets / ebe60bb
Reports root/ big
OK: 4659 / Failed: 0 / User-skipped: 121 / Auto-skipped: 0

pgsql_mnesia_25 / pgsql_mnesia / ebe60bb
Reports root/ big
OK: 4661 / Failed: 0 / User-skipped: 119 / Auto-skipped: 0

mysql_redis_26 / mysql_redis / ebe60bb
Reports root/ big
OK: 4641 / Failed: 0 / User-skipped: 139 / Auto-skipped: 0

pgsql_mnesia_26 / pgsql_mnesia / ebe60bb
Reports root/ big
OK: 4661 / Failed: 0 / User-skipped: 119 / Auto-skipped: 0

mssql_mnesia_26 / odbc_mssql_mnesia / ebe60bb
Reports root/ big
OK: 4658 / Failed: 0 / User-skipped: 122 / Auto-skipped: 0

dynamic_domains_mysql_redis_26 / mysql_redis / ebe60bb
Reports root/ big
OK: 4240 / Failed: 0 / User-skipped: 144 / Auto-skipped: 0

@chrzaszcz chrzaszcz marked this pull request as ready for review October 14, 2023 06:35
NelsonVides
NelsonVides approved these changes Oct 16, 2023
View reviewed changes
Copy link
Collaborator

@NelsonVides NelsonVides left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, very nice, good catch! 🔥

@NelsonVides NelsonVides merged commit c858cec into master Oct 16, 2023
4 checks passed
@NelsonVides NelsonVides deleted the fix-starttls-disabled branch October 16, 2023 08:24
@chrzaszcz chrzaszcz added this to the 6.2.0 milestone Dec 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NelsonVides NelsonVides NelsonVides approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
6.2.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@chrzaszcz @mongoose-im @NelsonVides