package ProFTPD::Tests::Modules::mod_proxy::tls; use lib qw(t/lib); use base qw(ProFTPD::TestSuite::Child); use strict; use Carp; use File::Copy; use File::Path qw(mkpath); use File::Spec; use IO::Handle; use IO::Socket::INET; use Time::HiRes qw(gettimeofday tv_interval usleep); use ProFTPD::TestSuite::FTP; use ProFTPD::TestSuite::Utils qw(:auth :config :running :test :testsuite); $| = 1; my $order = 0; my $TESTS = { proxy_reverse_frontend_tls_login => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_tls_login_failed => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_tls_login_tlslogin => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_tls_list_pasv => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_login => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_implicit_login => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_login_cached_session => { order => ++$order, test_class => [qw(forking mod_tls mod_tls_shmcache reverse)], }, proxy_reverse_backend_tls_login_cached_ticket => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_login_client_auth => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, # This will fail with older OpenSSL versions, and TLSv1.3 sessions; see: # https://github.com/openssl/openssl/issues/7261 proxy_reverse_backend_tls_login_psk => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_login_failed_unknown_ca => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, # TODO: Investigate why this fails unexpectedly when TLSv1.3 is used proxy_reverse_backend_tls_login_failed_missing_client_auth => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_login_tlsv13_issue197 => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_backend_tls_list_pasv => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_roundrobin_login_after_host => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_peruser_login_after_host => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_list_pasv => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_list_port => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_nlst_pasv_error_issue244 => { order => ++$order, test_class => [qw(bug forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_nlst_port_error_issue244 => { order => ++$order, test_class => [qw(bug forking mod_tls reverse)], }, proxy_reverse_frontend_backend_tls_abort => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_frontend_tls_json_peruser => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_engine_auto_unavail => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_engine_auto_ftps_uri_unavail => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_engine_on_unavail => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_engine_match_client_ftp => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_engine_match_client_ftps_explicit => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_engine_match_client_ftps_implicit => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_connect_policy_per_user => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_connect_policy_per_user_failed_unknown_ca => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_verify_server_off => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_backend_tls_no_session_cache => { order => ++$order, test_class => [qw(forking mod_tls mod_tls_shmcache reverse)], }, proxy_reverse_config_backend_tls_ctrl_use_direct_data_transfers_pasv => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_config_frontend_backend_tls_required_use_direct_data_transfers_pasv => { order => ++$order, test_class => [qw(forking mod_tls reverse)], }, proxy_reverse_proxy_protocol_v2_tlv_ssl => { order => ++$order, test_class => [qw(forking mod_proxy_protocol mod_tls reverse)], }, proxy_forward_frontend_tls_noproxyauth_login => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_backend_tls_login => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_backend_tls_implicit_login => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_backend_tls_login_failed_unknown_ca => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_config_backend_tls_engine_match_client_ftp => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_config_backend_tls_engine_match_client_ftps_explicit => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_config_backend_tls_engine_match_client_ftps_implicit => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_backend_tls_list_pasv => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_login_after_host => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_pasv => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, # ProxyTLSTransferProtection Required # # frontend FTP, backend FTPS, passive transfer, LIST # frontend FTP, backend FTPS, active transfer, LIST # frontend FTP, backend FTPS, passive transfer, STOR # frontend FTP, backend FTPS, active transfer, STOR # # frontend FTPS, backend FTPS, passive transfer, LIST # frontend FTPS, backend FTPS, active transfer, LIST # frontend FTPS, backend FTPS, passive transfer, STOR # frontend FTPS, backend FTPS, active transfer, STOR proxy_forward_frontend_plain_backend_tls_list_pasv_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_list_port_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_stor_pasv_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_stor_port_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_pasv_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_port_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_stor_pasv_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_stor_port_tls_xfer_policy_required => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, # ProxyTLSTransferProtection Clear # # frontend FTP, backend FTPS, passive transfer, LIST # frontend FTP, backend FTPS, active transfer, LIST # frontend FTP, backend FTPS, passive transfer, STOR # frontend FTP, backend FTPS, active transfer, STOR # # frontend FTPS, backend FTPS, passive transfer, LIST # frontend FTPS, backend FTPS, active transfer, LIST # frontend FTPS, backend FTPS, passive transfer, STOR # frontend FTPS, backend FTPS, active transfer, STOR proxy_forward_frontend_plain_backend_tls_list_pasv_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_list_port_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_stor_pasv_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_stor_port_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_pasv_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_port_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_stor_pasv_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_stor_port_tls_xfer_policy_clear => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, # ProxyTLSTransferProtection Client # # frontend FTP, backend FTPS, passive transfer, LIST # frontend FTP, backend FTPS, active transfer, LIST # frontend FTP, backend FTPS, passive transfer, STOR # frontend FTP, backend FTPS, active transfer, STOR # # frontend FTPS, backend FTPS, passive transfer, LIST # frontend FTPS, backend FTPS, active transfer, LIST # frontend FTPS, backend FTPS, passive transfer, STOR # frontend FTPS, backend FTPS, active transfer, STOR proxy_forward_frontend_plain_backend_tls_list_pasv_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_list_port_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_stor_pasv_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_plain_backend_tls_stor_port_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_pasv_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_list_port_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_stor_pasv_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_frontend_backend_tls_stor_port_tls_xfer_policy_client => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_config_backend_tls_ctrl_use_direct_data_transfers_pasv => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, proxy_forward_config_frontend_backend_tls_required_use_direct_data_transfers_pasv => { order => ++$order, test_class => [qw(forking mod_tls forward)], }, }; sub new { return shift()->SUPER::new(@_); } sub list_tests { return testsuite_get_runnable_tests($TESTS); } sub set_up { my $self = shift; $self->SUPER::set_up(@_); my $psk_file = File::Spec->rel2abs('t/etc/modules/mod_tls/psk.dat'); unless (chmod(0400, $psk_file)) { die("Can't set perms on $psk_file: $!"); } } sub get_reverse_proxy_config { my $tmpdir = shift; my $log_file = shift; my $vhost_port = shift; my $table_dir = File::Spec->rel2abs("$tmpdir/var/proxy"); my $config = { ProxyEngine => 'on', ProxyLog => $log_file, ProxyReverseServers => "ftp://127.0.0.1:$vhost_port", ProxyRole => 'reverse', ProxyTables => $table_dir, ProxyTLSVerifyServer => 'off', }; return $config; } sub get_forward_proxy_config { my $tmpdir = shift; my $log_file = shift; my $vhost_port = shift; my $table_dir = File::Spec->rel2abs("$tmpdir/var/proxy"); my $config = { ProxyEngine => 'on', ProxyLog => $log_file, ProxyRole => 'forward', ProxyTables => $table_dir, ProxyTLSVerifyServer => 'off', Class => { 'forward-proxy' => { From => '127.0.0.1', ProxyForwardEnabled => 'on', }, }, }; return $config; } sub ftp_list { my $self = shift; my $client = shift; my $skip_quit = shift; $skip_quit = 0 unless defined($skip_quit); my $conn = $client->list_raw(); unless ($conn) { die("Failed to LIST: " . $client->response_code() . ' ' . $client->response_msg()); } my $buf; $conn->read($buf, 8192, 10); eval { $conn->close() }; if ($ENV{TEST_VERBOSE}) { print STDERR "LIST:\n$buf\n"; } my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); $self->assert_transfer_ok($resp_code, $resp_msg); unless ($skip_quit) { ($resp_code, $resp_msg) = $client->quit(); my $expected = 221; $self->assert($expected == $resp_code, test_msg("Expected response code $expected, got $resp_code")); $expected = 'Goodbye.'; $self->assert($expected eq $resp_msg, test_msg("Expected response message '$expected', got '$resp_msg'")); } 1; } sub ftp_upload { my $self = shift; my $client = shift; my $path = shift; my $conn = $client->stor_raw($path); unless ($conn) { die("Failed to STOR $path: " . $client->response_code() . ' ' . $client->response_msg()); } my $buf = 'AbCdEfGh' x 81920; $conn->write($buf, length($buf), 10); eval { $conn->close() }; my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); $self->assert_transfer_ok($resp_code, $resp_msg); 1; } sub proxy_reverse_frontend_tls_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'E', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($user, $passwd)) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_frontend_tls_login_failed { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'E', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } if ($client->login($user, 'foobar')) { die("Login succeeded unexpectedly"); } my $resp_msg = $client->last_message(); $client->quit(); my $expected = '530 Login incorrect.'; $self->assert($expected eq $resp_msg, test_msg("Expected response message '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_frontend_tls_login_tlslogin { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $server_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $client_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/client-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); my $tlslogin_file = File::Spec->rel2abs("$tmpdir/.tlslogin"); unless (copy($client_cert_file, $tlslogin_file)) { die("Can't copy $client_cert_file to $tlslogin_file: $!"); } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 auth:10 tls:20 proxy:20 proxy.conn:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $server_cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'AllowDotLogin', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); # IO::Socket::SSL options my $ssl_opts = { SSL_use_cert => 1, SSL_cert_file => $client_cert_file, SSL_key_file => $client_cert_file, SSL_ca_file => $ca_file, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->_user($user)) { die("USER error: " . $client->last_message()); } my $resp_msg = $client->last_message(); $client->quit(); # Even though we configured mod_tls on the proxy to allow .tlslogin, # mod_proxy does not actually invoke that functionality. And for good # reason. If mod_tls/mod_proxy allowed the DotLogin, then the client # would not need to send a password. But the backend FTP session is NOT # configured for DotLogin, which means that that WILL need a password. # # Thus expecting the 331 response code here is correct. my $expected = "331 Password required for $user"; $self->assert($expected eq $resp_msg, test_msg("Expected response message '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_frontend_tls_list_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.inet:20 proxy.netio:20 proxy.reverse:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_ca_file => $ca_file, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($user, $passwd)) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); $client->quit(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_backend_tls_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($setup->{user}, $setup->{passwd}); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_backend_tls_implicit_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); # Skip this test on GitHub, as it fails unnecessarily there. return if $ENV{PROFTPD_TEST_CI} eq 'github'; my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, 990); $proxy_config->{ProxyReverseServers} = 'ftps://demo:password@test.rebex.net:990'; $proxy_config->{ProxyTimeoutConnect} = '10s'; $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSVerifyServer} = 'off'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.conn:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 proxy.netio:20 proxy.tls:20 netio:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(3); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 10, 15); $client->login($setup->{user}, $setup->{passwd}); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } # TODO: Note that this test is used for manually reviewing the generated logs; # it does NOT currently fail if session caching fails (although it should). sub proxy_reverse_backend_tls_login_cached_session { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $cache_file = File::Spec->rel2abs("$tmpdir/tls-shmcache.dat"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls_shmcache.c' => { TLSSessionCache => "shm:/file=$cache_file", }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); for (my $i = 0; $i < 3; $i++) { my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($user, $passwd); $client->quit(); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } # TODO: Note that this test is used for manually reviewing the generated logs; # it does NOT currently fail if ticket caching fails (although it should). sub proxy_reverse_backend_tls_login_cached_ticket { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $cache_file = File::Spec->rel2abs("$tmpdir/tls-shmcache.dat"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags NoSessionCache'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < # Recommended practice is to diable server-side session caching entirely, # if you are going to use client-side session tickets. Why? It # reduces the number of places where a session's master secret are held # in memory for "long" periods of time. TLSSessionCache off Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSSessionTickets on TLSStapling on TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); for (my $i = 0; $i < 3; $i++) { my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, undef, 2); $client->login($user, $passwd); $client->list(); $client->quit(); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_backend_tls_login_client_auth { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $server_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $client_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/client-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSCertificateFile} = $client_cert_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $server_cert_file TLSCACertificateFile $ca_file TLSVerifyClient on EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($user, $passwd); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_backend_tls_login_psk { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $server_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $client_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/client-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $psk_file = File::Spec->rel2abs('t/etc/modules/mod_tls/psk.dat'); my $psk_id = "proxy"; my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSCertificateFile} = $client_cert_file; $proxy_config->{ProxyTLSCipherSuite} = "PSK"; $proxy_config->{ProxyTLSPreSharedKey} = "$psk_id hex:$psk_file"; $proxy_config->{ProxyTLSProtocol} = 'TLSv1.2'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $server_cert_file TLSCACertificateFile $ca_file TLSProtocol TLSv1.2 TLSCipherSuite PSK TLSPreSharedKey $psk_id hex:$psk_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($user, $passwd); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_backend_tls_login_failed_unknown_ca { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSVerifyServer} = 'on'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); eval { ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0) }; unless ($@) { die("Connect succeeded unexpectedly"); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_backend_tls_login_failed_missing_client_auth { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $server_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $client_cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/client-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; # $proxy_config->{ProxyTLSCertificateFile} = $client_cert_file; $proxy_config->{ProxyTLSProtocol} = 'TLSv1.2'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $server_cert_file TLSCACertificateFile $ca_file TLSVerifyClient on EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); eval { ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0) }; unless ($@) { die("Connection succeeded unexpectedly"); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_backend_tls_login_tlsv13_issue197 { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSProtocol} = 'TLSv1.3'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSProtocol TLSv1.3 TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($setup->{user}, $setup->{passwd}); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_backend_tls_list_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:10 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.reverse:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($user, $passwd); my $conn = $client->list_raw(); unless ($conn) { die("Failed to LIST: " . $client->response_code() . ' ' . $client->response_msg()); } my $buf; $conn->read($buf, 8192, 5); eval { $conn->close() }; my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); $self->assert_transfer_ok($resp_code, $resp_msg); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_frontend_backend_tls_roundrobin_login_after_host { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $host = 'ftp.castaglia.org'; my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, AuthOrder => 'mod_auth_file.c', DefaultServer => 'on', ServerName => '"Default Server"', SocketBindTight => 'on', IfModules => { 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { my $tables_dir = File::Spec->rel2abs("$tmpdir/var/proxy"); print $fh < ProxyTables $tables_dir Port $port ServerAlias $host ServerName "Namebased Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c DelayEngine off ProxyEngine on ProxyLog $setup->{log_file} ProxyRole reverse ProxyReverseServers ftp://127.0.0.1:$vhost_port ProxyReverseConnectPolicy RoundRobin ProxyTLSEngine auto ProxyTLSCACertificateFile $ca_file ProxyTLSOptions EnableDiags ProxyTLSVerifyServer off TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_hostname => $host, SSL_ca_file => $ca_file, # Yes, this is a deliberate choice. Sigh. SSL_verifycn_scheme => 'none', }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->quot('HOST', $host)) { die("HOST failed: " . $client->last_message()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $client->quit(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_frontend_backend_tls_peruser_login_after_host { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $host = 'localhost'; my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, DefaultServer => 'on', ServerName => '"Default Server"', SocketBindTight => 'on', IfModules => { 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { my $tables_dir = File::Spec->rel2abs("$tmpdir/var/proxy"); my $vhost_port2 = $vhost_port - 7; print $fh < ProxyTables $tables_dir Port $port ServerAlias $host ServerName "Namebased Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c DelayEngine off ProxyEngine on ProxyLog $log_file ProxyRole reverse ProxyReverseConnectPolicy PerUser ProxyReverseServers ftp://127.0.0.1:$vhost_port ftp://127.0.0.1:$vhost_port2 ProxyTimeoutConnect 1sec ProxyTLSEngine auto ProxyTLSCACertificateFile $ca_file ProxyTLSOptions EnableDiags ProxyTLSVerifyServer off TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired Port $vhost_port2 ServerName "Other Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_hostname => $host, SSL_ca_file => $ca_file, # Yes, this is a deliberate choice. Sigh. SSL_verifycn_scheme => 'none', }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->quot('HOST', $host)) { die("HOST failed: " . $client->last_message()); } unless ($client->login($user, $passwd)) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $client->quit(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_frontend_backend_tls_list_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, AuthOrder => 'mod_auth_file.c', SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. for (my $i = 0; $i < 3; $i++) { $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_frontend_backend_tls_list_port { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; # For this test, we want to force the use of PORT for the backend data # transfers. $proxy_config->{ProxyDataTransferPolicy} = 'PORT'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, AuthOrder => 'mod_auth_file.c', SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. for (my $i = 0; $i < 3; $i++) { $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_frontend_backend_tls_nlst_pasv_error_issue244 { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'netio:20 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 proxy.ftp.xfer:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, AuthOrder => 'mod_auth_file.c', SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $bad_path = '/foo/bar/baz'; my $res = $client->nlst($bad_path); if ($res) { die("NLST $bad_path succeeded unexpectedly"); } my $resp_msg = $client->last_message(); my $expected = "450 $bad_path: No such file or directory"; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the NLST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. for (my $i = 0; $i < 3; $i++) { $res = $client->nlst($bad_path); if ($res) { die("NLST $bad_path succeeded unexpectedly"); } $resp_msg = $client->last_message(); $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_frontend_backend_tls_nlst_port_error_issue244 { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; # For this test, we want to force the use of PORT for the backend data # transfers. $proxy_config->{ProxyDataTransferPolicy} = 'PORT'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'netio:20 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 proxy.ftp.xfer:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, AuthOrder => 'mod_auth_file.c', SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $bad_path = '/foo/bar/baz'; my $res = $client->nlst($bad_path); if ($res) { die("NLST $bad_path succeeded unexpectedly"); } my $resp_msg = $client->last_message(); my $expected = "450 $bad_path: No such file or directory"; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the NLST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. for (my $i = 0; $i < 3; $i++) { $res = $client->nlst($bad_path); if ($res) { die("NLST $bad_path succeeded unexpectedly"); } $resp_msg = $client->last_message(); $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_frontend_backend_tls_abort { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSVerifyServer} = 'off'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.netio:20 proxy.db:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res = $client->_abort(); unless ($res) { die("ABOR failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Abort successful'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_frontend_tls_json_peruser { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); my $proxy_hosts_path = File::Spec->rel2abs("$tmpdir/$user.json"); if (open(my $fh, "> $proxy_hosts_path")) { print $fh "[\n \"ftp://127.0.0.1:$vhost_port\"\n]\n"; unless (close($fh)) { die("Can't write $proxy_hosts_path: $!"); } } else { die("Can't open $proxy_hosts_path: $!"); } my $proxy_hosts_file = File::Spec->rel2abs("$tmpdir/%U.json"); # Make sure that mod_proxy correctly handles a list of backend servers # read from a file. $proxy_config->{ProxyReverseServers} = "file:$proxy_hosts_file"; $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; $proxy_config->{ProxyTLSEngine} = 'off'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'proxy:20 proxy.db:20 proxy.reverse:20 proxy.tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine off TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSVerifyServer off TLSOptions NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($user, $passwd)) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $client->quit(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 20) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_engine_auto_unavail { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($user, $passwd); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_engine_auto_ftps_uri_unavail { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); # Note: deliberately use a URI here with the 'ftps' scheme, to indicate # that FTPS is REQUIRED for that server. $proxy_config->{ProxyReverseServers} = "ftps://127.0.0.1:$vhost_port"; $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); eval { ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0) }; unless ($@) { die("Connection succeeded unexpectedly"); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_engine_on_unavail { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); eval { ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0) }; unless ($@) { die("Connection succeeded unexpectedly"); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_engine_match_client_ftp { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'MatchClient'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 proxy.tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0); $client->login($setup->{user}, $setup->{passwd}); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_config_backend_tls_engine_match_client_ftps_explicit { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; $proxy_config->{ProxyTLSEngine} = 'MatchClient'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 proxy.tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } require Net::FTPSSL; my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'E', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_config_backend_tls_engine_match_client_ftps_implicit { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; $proxy_config->{ProxyTLSEngine} = 'MatchClient'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 proxy.tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'UseImplicitSSL', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags UseImplicitSSL EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } require Net::FTPSSL; my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'I', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_config_backend_tls_connect_policy_per_user { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $vhost_port2 = $vhost_port - 7; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTimeoutConnect} = '2sec'; $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; $proxy_config->{ProxyReverseServers} = "ftp://127.0.0.1:$vhost_port ftp://127.0.0.1:$vhost_port2"; my $nbackends = 2; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 response:20 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file Port $vhost_port2 ServerName "Other Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off TransferLog none WtmpLog off TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); for (my $i = 0; $i < $nbackends+1; $i++) { my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0); $client->login($user, $passwd); ftp_list($self, $client); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 15) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_connect_policy_per_user_failed_unknown_ca { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $vhost_port2 = $vhost_port - 7; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTimeoutConnect} = '2sec'; $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; $proxy_config->{ProxyReverseServers} = "ftp://127.0.0.1:$vhost_port ftp://127.0.0.1:$vhost_port2"; $proxy_config->{ProxyTLSVerifyServer} = 'on'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 response:20 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file Port $vhost_port2 ServerName "Other Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off TransferLog none WtmpLog off TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0); eval { $client->user($user) }; unless ($@) { die("USER succeeded unexpectedly"); } my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); my $expected = 530; $self->assert($expected == $resp_code, test_msg("Expected response code $expected, got $resp_code")); $expected = 'Login incorrect.'; $self->assert($expected eq $resp_msg, test_msg("Expected response message '$expected', got '$resp_msg'")); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 15) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_verify_server_off { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $vhost_port2 = $vhost_port - 7; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSVerifyServer} = 'off'; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTimeoutConnect} = '2sec'; $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; $proxy_config->{ProxyReverseServers} = "ftp://127.0.0.1:$vhost_port ftp://127.0.0.1:$vhost_port2"; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 response:20 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.reverse:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file Port $vhost_port2 ServerName "Other Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off TransferLog none WtmpLog off TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 0); $client->login($user, $passwd); ftp_list($self, $client); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh, 15) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } # TODO: Note that this test is used for manually reviewing the generated logs; # it does NOT currently fail if session caching fails (although it should). sub proxy_reverse_config_backend_tls_no_session_cache { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $cache_file = File::Spec->rel2abs("$tmpdir/tls-shmcache.dat"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'NoSessionCache EnableDiags'; } else { $proxy_config->{ProxyTLSOptions} = 'NoSessionCache'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls_shmcache.c' => { TLSSessionCache => "shm:/file=$cache_file", }, }, Limit => { LOGIN => { DenyUser => $user, }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); for (my $i = 0; $i < 3; $i++) { my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login($user, $passwd); $client->quit(); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_reverse_config_backend_tls_ctrl_use_direct_data_transfers_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $cache_file = File::Spec->rel2abs("$tmpdir/tls-shmcache.dat"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyOptions} = 'UseDirectDataTransfers'; $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $timeout_idle = 15; my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', TimeoutIdle => $timeout_idle, IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TimeoutIdle $timeout_idle TransferLog none TLSEngine on TLSLog $setup->{log_file} # Since we are using DSR, and the frontend client is not using TLS, # data transfers will fail if we require TLS on them. So only require # TLS on the control connection, and explicitly REJECT TLS on data # connections. TLSRequired ctrl+!data TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 1, 1); $client->login($setup->{user}, $setup->{passwd}); my $conn = $client->list_raw(); unless ($conn) { die("Failed to LIST: " . $client->response_code() . ' ' . $client->response_msg()); } my $buf; $conn->read($buf, 8192, 5); eval { $conn->close() }; my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); $self->assert_transfer_ok($resp_code, $resp_msg); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, $timeout_idle + 2) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_config_frontend_backend_tls_required_use_direct_data_transfers_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyOptions} = 'UseDirectDataTransfers'; $proxy_config->{ProxyTLSEngine} = 'auto'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $timeout_idle = 15; my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.db:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy.ftp.sess:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', TimeoutIdle => $timeout_idle, IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'EnableDiags', TLSTimeoutHandshake => 5, TLSVerifyClient => 'off', TLSVerifyServer => 'off', }, }, Limit => { LOGIN => { DenyUser => $setup->{user}, }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TimeoutIdle $timeout_idle TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSVerifyClient off TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_verify_mode => $IO::Socket::SSL::SSL_VERIFY_NONE, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $client->quit(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh, $timeout_idle + 2) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_reverse_proxy_protocol_v2_tlv_ssl { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 12; my $proxy_config = get_reverse_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyOptions} = 'UseProxyProtocolV2 UseProxyProtocolV2TLVs'; $proxy_config->{ProxyReverseConnectPolicy} = 'PerUser'; my $hostname = 'castaglia'; my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.conn:10 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 proxy_protocol:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', # Include the ALPN, Authority, SSL TLVs in an ExtendedLog LogFormat => 'session "ALPN=%{note:mod_proxy_protocol.alpn} AUTHORITY=%{note:mod_proxy_protocol.authority} TLS_VERSION=%{note:mod_proxy_protocol.tls.version} TLS_CIPHER=%{note:mod_proxy_protocol.tls.cipher}"', ServerAlias => $hostname, IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'EnableDiags', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off TransferLog none WtmpLog off ProxyProtocolEngine on ProxyProtocolVersion haproxyV2 ExtendedLog $setup->{log_file} ALL session EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_hostname => $hostname, # Yes, this is a deliberate choice. Sigh. SSL_verifycn_scheme => 'none', }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login($setup->{user}, $setup->{passwd})) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); eval { if (open(my $fh, "< $setup->{log_file}")) { my $ok = 0; while (my $line = <$fh>) { chomp($line); if ($ENV{TEST_VERBOSE}) { print STDERR "# $line\n"; } if ($line =~ /^ALPN=ftps AUTHORITY=$hostname TLS_VERSION=.+ TLS_CIPHER=.+/) { $ok = 1; last; } } close($fh); $self->assert($ok, test_msg("Did not see expected ALPN, Authority, SSL TLVs log message")); } else { die("Can't read $setup->{log_file}: $!"); } }; if ($@) { $ex = $@; } test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_frontend_tls_noproxyauth_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'E', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login("$user\@127.0.0.1:$vhost_port", $passwd)) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_forward_backend_tls_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyRetryCount} = 1; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login("$user\@127.0.0.1:$vhost_port", $passwd); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_forward_backend_tls_implicit_login { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); # Skip this test on GitHub, as it fails unnecessarily there. return if $ENV{PROFTPD_TEST_CI} eq 'github'; my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, 990); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSVerifyServer} = 'off'; $proxy_config->{ProxyRetryCount} = 1; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.conn:20 proxy.forward:20 proxy.netio:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 netio:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(3); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 10, 15); $client->login('demo@test.rebex.net:990', 'password'); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_backend_tls_login_failed_unknown_ca { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTLSVerifyServer} = 'on'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); eval { $client->user("$user\@127.0.0.1:$vhost_port") }; unless ($@) { die("Login succeeded unexpectedly"); } my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); $client->quit(); my $expected = 530; $self->assert($expected == $resp_code, test_msg("Expected response code $expected, got $resp_code")); $expected = 'Unable to connect to 127.0.0.1:\d+: Operation not permitted'; $self->assert(qr/$expected/, $resp_msg, test_msg("Expected response message '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_forward_config_backend_tls_engine_match_client_ftp { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'MatchClient'; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTLSVerifyServer} = 'on'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired off TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd}); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_config_backend_tls_engine_match_client_ftps_explicit { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'MatchClient'; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTLSVerifyServer} = 'off'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'EnableDiags', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'E', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd})) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_config_backend_tls_engine_match_client_ftps_implicit { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'MatchClient'; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyTLSVerifyServer} = 'off'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'EnableDiags UseImplicitSSL', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions UseImplicitSSL EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client_opts = { Encryption => 'I', Port => $port, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd})) { die("Can't login: " . $client->last_message()); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_backend_tls_list_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyRetryCount} = 1; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 netio:20 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); $client->login("$user\@127.0.0.1:$vhost_port", $passwd); for (my $i = 0; $i < 3; $i++) { ftp_list($self, $client, 1); } }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_forward_frontend_backend_tls_login_after_host { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $host = 'www.castaglia.org'; my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, DefaultServer => 'on', ServerName => '"Default Server"', SocketBindTight => 'on', IfModules => { 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { my $tables_dir = File::Spec->rel2abs("$tmpdir/var/proxy"); print $fh < ProxyTables $tables_dir From 127.0.0.1 ProxyForwardEnabled on Port $port ServerAlias $host ServerName "Namebased Server" DelayEngine off ProxyEngine on ProxyLog $log_file ProxyRole forward ProxyForwardMethod user\@host ProxyRetryCount 1 ProxyTLSEngine on ProxyTLSCACertificateFile $ca_file ProxyTLSOptions EnableDiags ProxyTLSVerifyServer off TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions NoSessionReuseRequired Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_hostname => $host, SSL_ca_file => $ca_file, # Yes, this is a deliberate choice. Sigh. SSL_verifycn_scheme => 'none', }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->quot('HOST', $host)) { die("HOST failed: " . $client->last_message()); } unless ($client->login("$user\@127.0.0.1:$vhost_port", $passwd)) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); $client->quit(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub proxy_forward_frontend_backend_tls_list_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $config_file = "$tmpdir/proxy.conf"; my $pid_file = File::Spec->rel2abs("$tmpdir/proxy.pid"); my $scoreboard_file = File::Spec->rel2abs("$tmpdir/proxy.scoreboard"); my $log_file = test_get_logfile(); my $auth_user_file = File::Spec->rel2abs("$tmpdir/proxy.passwd"); my $auth_group_file = File::Spec->rel2abs("$tmpdir/proxy.group"); my $user = 'proftpd'; my $passwd = 'test'; my $group = 'ftpd'; my $home_dir = File::Spec->rel2abs($tmpdir); my $uid = 500; my $gid = 500; # Make sure that, if we're running as root, that the home directory has # permissions/privs set for the account we create if ($< == 0) { unless (chmod(0755, $home_dir)) { die("Can't set perms on $home_dir to 0755: $!"); } unless (chown($uid, $gid, $home_dir)) { die("Can't set owner of $home_dir to $uid/$gid: $!"); } } auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir, '/bin/bash'); auth_group_write($auth_group_file, $group, $gid, $user); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $log_file, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyRetryCount} = 1; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $pid_file, ScoreboardFile => $scoreboard_file, SystemLog => $log_file, TraceLog => $log_file, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $auth_user_file, AuthGroupFile => $auth_group_file, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $log_file, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($config_file, $config); if (open(my $fh, ">> $config_file")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $auth_user_file AuthGroupFile $auth_group_file AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $log_file TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $config_file: $!"); } } else { die("Can't open $config_file: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_ca_file => $ca_file, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login("$user\@127.0.0.1:$vhost_port", $passwd)) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the LIST again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. for (my $i = 0; $i < 3; $i++) { $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } $resp_msg = $client->last_message(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($config_file, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($pid_file); $self->assert_child_ok($pid); if ($ex) { test_append_logfile($log_file, $ex); unlink($log_file); die($ex); } unlink($log_file); } sub forward_frontend_plain_backend_tls_tls_xfer_policy { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $use_port = shift; $use_port = 0 unless defined($use_port); my $tls_xfer_policy = shift; my $use_upload = shift; my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSTransferProtectionPolicy} = $tls_xfer_policy; $proxy_config->{ProxyTLSVerifyServer} = 'off'; $proxy_config->{ProxyRetryCount} = 1; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $backend_tls_required = 'ctrl'; if ($tls_xfer_policy =~ /required/i) { $backend_tls_required = 'on'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off AllowOverwrite on WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired $backend_tls_required TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(5); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, $use_port, 5); $client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd}); for (my $i = 0; $i < 3; $i++) { if ($use_upload) { ftp_upload($self, $client, 1); } else { ftp_list($self, $client, 1); } } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub forward_frontend_backend_tls_tls_xfer_policy { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $use_port = shift; $use_port = 0 unless defined($use_port); my $tls_xfer_policy = shift; my $use_upload = shift; my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); if ($use_port) { $proxy_config->{ProxyDataTransferPolicy} = 'PORT'; } $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyTLSTransferProtectionPolicy} = $tls_xfer_policy; $proxy_config->{ProxyTLSVerifyServer} = 'off'; $proxy_config->{ProxyRetryCount} = 1; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $backend_tls_required = 'ctrl'; if ($tls_xfer_policy =~ /required/i) { $backend_tls_required = 'on'; } my $test_file = File::Spec->rel2abs("$tmpdir/test.dat"); if (open(my $fh, "> $test_file")) { print $fh 'AbCdEfGh' x 81920; unless (close($fh)) { die("Can't write $test_file: $!"); } } else { die("Can't open $test_file: $!"); } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, AuthOrder => 'mod_auth_file.c', SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'ctrl', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSCipherSuite => 'RSA', TLSOptions => 'NoSessionReuseRequired EnableDiags', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off AllowOverwrite on WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired $backend_tls_required TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions EnableDiags NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(3); my $ssl_opts = { SSL_ca_file => $ca_file, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, # Request protection only on the control channel DataProtLevel => 'C', }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res; if ($use_upload) { $res = $client->put($test_file, '/dev/null'); unless ($res) { die("STOR failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } } else { $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } } my $resp_msg = $client->last_message(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); # Do the data transfer again; there are some reports that a first transfer # might succeed, but subsequent ones will fail. for (my $i = 0; $i < 3; $i++) { if ($use_upload) { $res = $client->put($test_file, '/dev/null'); unless ($res) { die("STOR failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } } else { $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } } $resp_msg = $client->last_message(); $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); } $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_frontend_plain_backend_tls_list_pasv_tls_xfer_policy_required { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 0, 'Required', 0); } sub proxy_forward_frontend_plain_backend_tls_list_port_tls_xfer_policy_required { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 1, 'Required', 0); } sub proxy_forward_frontend_plain_backend_tls_stor_pasv_tls_xfer_policy_required { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 0, 'Required', 1); } sub proxy_forward_frontend_plain_backend_tls_stor_port_tls_xfer_policy_required { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 1, 'Required', 1); } sub proxy_forward_frontend_backend_tls_list_pasv_tls_xfer_policy_required { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 0, 'Required', 0); } sub proxy_forward_frontend_backend_tls_list_port_tls_xfer_policy_required { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 1, 'Required', 0); } sub proxy_forward_frontend_backend_tls_stor_pasv_tls_xfer_policy_required { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 0, 'Required', 1); } sub proxy_forward_frontend_backend_tls_stor_port_tls_xfer_policy_required { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 1, 'Required', 1); } sub proxy_forward_frontend_plain_backend_tls_list_pasv_tls_xfer_policy_clear { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 0, 'Clear', 0); } sub proxy_forward_frontend_plain_backend_tls_list_port_tls_xfer_policy_clear { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 1, 'Clear', 0); } sub proxy_forward_frontend_plain_backend_tls_stor_pasv_tls_xfer_policy_clear { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 0, 'Clear', 1); } sub proxy_forward_frontend_plain_backend_tls_stor_port_tls_xfer_policy_clear { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 1, 'Clear', 1); } sub proxy_forward_frontend_backend_tls_list_pasv_tls_xfer_policy_clear { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 0, 'Clear', 0); } sub proxy_forward_frontend_backend_tls_list_port_tls_xfer_policy_clear { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 1, 'Clear', 0); } sub proxy_forward_frontend_backend_tls_stor_pasv_tls_xfer_policy_clear { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 0, 'Clear', 1); } sub proxy_forward_frontend_backend_tls_stor_port_tls_xfer_policy_clear { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 1, 'Clear', 1); } sub proxy_forward_frontend_plain_backend_tls_list_pasv_tls_xfer_policy_client { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 0, 'Client', 0); } sub proxy_forward_frontend_plain_backend_tls_list_port_tls_xfer_policy_client { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 1, 'Client', 0); } sub proxy_forward_frontend_plain_backend_tls_stor_pasv_tls_xfer_policy_client { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 0, 'Client', 1); } sub proxy_forward_frontend_plain_backend_tls_stor_port_tls_xfer_policy_client { my $self = shift; return forward_frontend_plain_backend_tls_tls_xfer_policy($self, 1, 'Client', 1); } sub proxy_forward_frontend_backend_tls_list_pasv_tls_xfer_policy_client { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 0, 'Client', 0); } sub proxy_forward_frontend_backend_tls_list_port_tls_xfer_policy_client { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 1, 'Client', 0); } sub proxy_forward_frontend_backend_tls_stor_pasv_tls_xfer_policy_client { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 0, 'Client', 1); } sub proxy_forward_frontend_backend_tls_stor_port_tls_xfer_policy_client { my $self = shift; return forward_frontend_backend_tls_tls_xfer_policy($self, 1, 'Client', 1); } sub proxy_forward_config_backend_tls_ctrl_use_direct_data_transfers_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyOptions} = 'UseDirectDataTransfers'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} # Since we are using DSR, and the frontend client is not using TLS, # data transfers will fail if we require TLS on them. So only require # TLS on the control connection, and explicitly REJECT TLS on data # connections. TLSRequired ctrl+!data TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 1, 1); $client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd}); my $conn = $client->list_raw(); unless ($conn) { die("Failed to LIST: " . $client->response_code() . ' ' . $client->response_msg()); } my $buf; $conn->read($buf, 8192, 5); eval { $conn->close() }; my $resp_code = $client->response_code(); my $resp_msg = $client->response_msg(); $self->assert_transfer_ok($resp_code, $resp_msg); $client->quit(); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } sub proxy_forward_config_frontend_backend_tls_required_use_direct_data_transfers_pasv { my $self = shift; my $tmpdir = $self->{tmpdir}; my $setup = test_setup($tmpdir, 'proxy'); my $cert_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/server-cert.pem"); my $ca_file = File::Spec->rel2abs("$ENV{PROFTPD_TEST_DIR}/t/etc/modules/mod_tls/ca-cert.pem"); my $vhost_port = ProFTPD::TestSuite::Utils::get_high_numbered_port(); $vhost_port += 17; my $proxy_config = get_forward_proxy_config($tmpdir, $setup->{log_file}, $vhost_port); $proxy_config->{ProxyForwardMethod} = 'user@host'; $proxy_config->{ProxyTLSEngine} = 'on'; $proxy_config->{ProxyTLSCACertificateFile} = $ca_file; $proxy_config->{ProxyRetryCount} = 1; $proxy_config->{ProxyOptions} = 'UseDirectDataTransfers'; if ($ENV{TEST_VERBOSE}) { $proxy_config->{ProxyTLSOptions} = 'EnableDiags'; } my $config = { PidFile => $setup->{pid_file}, ScoreboardFile => $setup->{scoreboard_file}, SystemLog => $setup->{log_file}, TraceLog => $setup->{log_file}, Trace => 'DEFAULT:10 event:0 lock:0 scoreboard:0 signal:0 proxy:20 proxy.forward:20 proxy.tls:20 proxy.ftp.conn:20 proxy.ftp.ctrl:20 proxy.ftp.data:20 proxy.ftp.msg:20 tls:20', AuthUserFile => $setup->{auth_user_file}, AuthGroupFile => $setup->{auth_group_file}, SocketBindTight => 'on', IfModules => { 'mod_proxy.c' => $proxy_config, 'mod_tls.c' => { TLSEngine => 'on', TLSLog => $setup->{log_file}, TLSRequired => 'on', TLSRSACertificateFile => $cert_file, TLSCACertificateFile => $ca_file, TLSOptions => 'NoSessionReuseRequired EnableDiags', }, 'mod_delay.c' => { DelayEngine => 'off', }, }, }; my ($port, $config_user, $config_group) = config_write($setup->{config_file}, $config); if (open(my $fh, ">> $setup->{config_file}")) { print $fh < Port $vhost_port ServerName "Real Server" AuthUserFile $setup->{auth_user_file} AuthGroupFile $setup->{auth_group_file} AuthOrder mod_auth_file.c AllowOverride off WtmpLog off TransferLog none TLSEngine on TLSLog $setup->{log_file} TLSRequired on TLSRSACertificateFile $cert_file TLSCACertificateFile $ca_file TLSOptions NoSessionReuseRequired EOC unless (close($fh)) { die("Can't write $setup->{config_file}: $!"); } } else { die("Can't open $setup->{config_file}: $!"); } require Net::FTPSSL; # Open pipes, for use between the parent and child processes. Specifically, # the child will indicate when it's done with its test by writing a message # to the parent. my ($rfh, $wfh); unless (pipe($rfh, $wfh)) { die("Can't open pipe: $!"); } my $ex; # Fork child $self->handle_sigchld(); defined(my $pid = fork()) or die("Can't fork: $!"); if ($pid) { eval { # Give the server a chance to start up sleep(2); my $ssl_opts = { SSL_ca_file => $ca_file, }; my $client_opts = { Encryption => 'E', Port => $port, SSL_Client_Certificate => $ssl_opts, }; if ($ENV{TEST_VERBOSE}) { $client_opts->{Debug} = 1; } my $client = Net::FTPSSL->new('127.0.0.1', %$client_opts); unless ($client) { die("Can't connect to FTPS server: " . IO::Socket::SSL::errstr()); } unless ($client->login("$setup->{user}\@127.0.0.1:$vhost_port", $setup->{passwd})) { die("Can't login: " . $client->last_message()); } my $res = $client->list(); unless ($res) { die("LIST failed unexpectedly: " . $client->last_message() . "(" . IO::Socket::SSL::errstr() . ")"); } my $resp_msg = $client->last_message(); $client->quit(); my $expected = '226 Transfer complete'; $self->assert($expected eq $resp_msg, test_msg("Expected response '$expected', got '$resp_msg'")); }; if ($@) { $ex = $@; } $wfh->print("done\n"); $wfh->flush(); } else { eval { server_wait($setup->{config_file}, $rfh) }; if ($@) { warn($@); exit 1; } exit 0; } # Stop server server_stop($setup->{pid_file}); $self->assert_child_ok($pid); test_cleanup($setup->{log_file}, $ex); } 1;