Add TLS connection info to response object

[robingustafsson]

This PR adds TLS version, cipher suite and OCSP stapled response information to each HTTP response object, implementing #298.

Example usage:

import http from "k6/http";
import { check } from "k6";

export let options = {
    tlsCipherSuites: [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ],
    tlsVersion: {
        min: "ssl3.0",
        max: "tls1.2"
    }
};

export default function() {
    let res = http.get("https://sha256.badssl.com");
    check(res, {
        "is TLSv1.2": (r) => r.tls_version === "tls1.2",
        "is sha256 cipher suite": (r) => r.tls_cipher_suite === "TLS_RSA_WITH_AES_128_GCM_SHA256"
    });
};

and

import http from "k6/http";
import { check } from "k6";

export default function() {
    let res = http.get("https://stackoverflow.com");
    check(res, {
        "is OCSP response good": (r) => r.ocsp.stapled_response.status === "good"
    });
};

The OCSP stapled_response object also contains the following properties:

• ocsp.stapled_response.revocation_reason: a string
• ocsp.stapled_response.produced_at: a date string
• ocsp.stapled_response.this_update: a date string
• ocsp.stapled_response.next_update: a date string
• ocsp.stapled_response.revoked_at: a date string

[robingustafsson]

Draft (hidden) documentation is now also available at:

• https://docs.k6.io/v1.0/docs/ssl-tls
• https://docs.k6.io/v1.0/docs/ssl-tls-version-and-cipher-suites
• https://docs.k6.io/v1.0/docs/online-certificate-status-protocol-ocsp

[liclac]

I want to make a structural change here, because for the first time in k6' history, we have a use for constants.

Making this easy-to-read string comparisons (ocsp.status === "good") sounds good in theory, until someone typo's it as "god" and suddenly we're refusing to trust any authority short of a holy scripture. And while that's a fairly easy one to catch, what about "tls1.2" vs "TLS1.2"?

The change I'm proposing is:

1. Change the module definition from simply type HTTP struct{}, to:

   type HTTP struct{
       SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 string
   }
   
   func New() *HTTP {
       return &HTTP{
           SSL_3_0: "ssl3.0",
           // ...
       }
   }

2. Change js/modules/index.go from &http.HTTP{} to http.New(), and for consistency, also do this for all modules + their unit tests.

The actual naming of the constants is up for debate, and I think OCSP status may be better implemented as a tristate bool (*bool, true/false/null).

[liclac]

Please merge this into the import block below.

[liclac]

Is this indirection really needed...?

[robingustafsson]

Probably not, maybe it should just be res.ocsp_response on the JS side?

[liclac]

Or maybe even just res.ocsp?

[liclac]

You can shorten this down to if tlsState := res.TLS; tlsState != nil {.

[robingustafsson]

👍 typical Go noob mistake 😄

[liclac]

This is redundant.

[liclac]

Let's make this a helper function, then assign resp.OCSP.StapledResponse to a fully initialized object. These switches are real lengthy.

[liclac]

This should be in a format we can compare on the JS side... UNIX timestamps?

(I'm also kind of questioning what purpose it will serve for a load test script; I suppose it could be useful for logging, but not much more.)

[robingustafsson]

Yeah, should we use JS Date objects or Epoch milliseconds (to compare with Date.now() and Date.getTime()) when exposing to JS? Had the same question in the cookie PR.

[liclac]

Just in the interest of performance, I think maybe giving a UNIX timestamp would be better than instancing whole date objects every time. The JS-native way seems to be to deal with milliseconds for them, so then you can just do new Date(revokedAt).

[liclac]

These versions are nigh identical and would do better templated than copypasted.

[robingustafsson]

Ok, will look into that.

[liclac]

I'd also like TLS version and OCSP status to be added as tags to responses.

[robingustafsson]

@liclac Haha, ocsp.status === "god" is of course the status when you've successfully infiltrated a CA with a HTTP request 😄

Agree on the use of constants for TLS version and cipher suites. I'll change the OCSP status to use constants as well. IMHO that's more clear when reading than a tristate.

[robingustafsson]

@liclac Requested changes have now been done, please have another look.

[liclac]

Newline, please.

[liclac]

Newline, please.

[liclac]

These constants should honestly be global consts, passing in the HTTP object just to read them feels silly.

[liclac]

This struct is honestly getting big enough that I'd split it off into a response.go file.

[liclac]

tlsState is longer than res.TLS. As far as shorthands go, that's pretty lousy.

[robingustafsson]

@liclac Requested changes have been made.