diff --git a/TESTS/netsocket/README.md b/TESTS/netsocket/README.md index d26b222890..6200e61dea 100644 --- a/TESTS/netsocket/README.md +++ b/TESTS/netsocket/README.md @@ -51,7 +51,7 @@ echo.mbedcloudtesting.com has IPv6 address 2a05:d018:21f:3800:8584:60f8:bc9f:e61 - Echo protocol, [RFC 862](https://tools.ietf.org/html/rfc862) is enabled on both TCP and UDP on port 7. Port 2007 for TLS - Discard protocol, [RFC 863](https://tools.ietf.org/html/rfc863) is enabled in both TCP and UDP on port 9. Port 2009 for TLS. -- Character generator protocol, [RFC 864](https://tools.ietf.org/html/rfc864) is enabled in both TCP and UDP on port 19. Output pattern should follow the proposed example pattern in RFC. +- Character generator protocol, [RFC 864](https://tools.ietf.org/html/rfc864) is enabled in both TCP and UDP on port 19. Port 2019 for TLS. Output pattern should follow the proposed example pattern in RFC. - Daytime protocol, [RFC 867](https://tools.ietf.org/html/rfc867) in both TCP and UDP on port 13. Port 2013 for TLS. - Time protocol, [RFC 868](https://tools.ietf.org/html/rfc868) in both TCP and UDP on port 37. @@ -80,6 +80,82 @@ daytime stream tcp6 nowait root internal time stream tcp6 nowait root internal ``` +Below is an example of how to install these services in TLS version into a Debian/Ubuntu based Linux distribution using Stunnel4 Daemon: + +```.sh +$ sudo apt install stunnel4 +$ nano /etc/stunnel/stunnel.conf +``` + +Enable following services from /etc/inetd.conf: + +``` +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[echo] +accept = :::2007 +connect = 7 +cert = /etc/letsencrypt/live//fullchain.pem +key = /etc/letsencrypt/live//privkey.pem + +[discard] +accept = :::2009 +connect = 9 +cert = /etc/letsencrypt/live//fullchain.pem +key = /etc/letsencrypt/live//privkey.pem + +[daytime] +accept = :::2013 +connect = 13 +cert =/etc/letsencrypt/live//fullchain.pem +key = /etc/letsencrypt/live//privkey.pem + +[chargen] +accept = :::2019 +connect = 19 +cert = /etc/letsencrypt/live//fullchain.pem +key = /etc/letsencrypt/live//privkey.pem + +``` + +Get, update and install certificate files by certbot (Provided by Let's Encrypt ). + +- Install lighthttpd server. + +```.sh +$ sudo apt-get install lighttpd +$ sudo rm -rf /var/www/html/* +$ sudo echo "

Empty

" > /var/www/html/index.html +$ sudo echo "" >> /var/www/html/index.html +$ sudo chown www-data:www-data /var/www/html/index.html +$ sudo systemctl restart lighttpd.service +``` + +- Install and setup certbot. + +```.sh +$ sudo apt-get update +$ sudo apt-get install software-properties-common +$ sudo add-apt-repository ppa:certbot/certbot +$ sudo apt-get update +$ sudo apt-get install certbot +$ sudo certbot certonly +$ sudo certbot certonly --webroot -w /var/www/html -d +``` + +- Set test server to renew certificate before expiry. + +```.sh +$ sudo echo "SHELL=/bin/sh" > /etc/cron.d/certbot +$ sudo echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" > /etc/cron.d/certbot +$ sudo echo "0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew" > /etc/cron.d/certbot +``` + +Where: + is test server url. + **Testing the connectivity** You can connect to the test server with an NMAP tool like this: @@ -1918,4 +1994,4 @@ Subset for driver test ### For socket layer driver (AT-driven, external IP stack): -All Socket, UDPSocket, TCPSocket and TLSSocket testcases. \ No newline at end of file +All Socket, UDPSocket, TCPSocket and TLSSocket testcases. diff --git a/TESTS/netsocket/tls/cert.h b/TESTS/netsocket/tls/cert.h new file mode 100644 index 0000000000..3bbaf5ca7e --- /dev/null +++ b/TESTS/netsocket/tls/cert.h @@ -0,0 +1,48 @@ +/* + * Copyright (c) 2019, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "tls_tests.h" + +const char *tls_global::cert = \ + "-----BEGIN CERTIFICATE-----\n" + "MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n" + "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n" + "DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow\n" + "SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT\n" + "GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC\n" + "AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF\n" + "q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8\n" + "SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0\n" + "Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA\n" + "a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj\n" + "/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T\n" + "AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG\n" + "CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv\n" + "bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k\n" + "c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw\n" + "VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC\n" + "ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz\n" + "MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu\n" + "Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF\n" + "AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo\n" + "uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/\n" + "wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu\n" + "X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG\n" + "PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6\n" + "KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n" + "-----END CERTIFICATE-----\n"; + diff --git a/TESTS/netsocket/tls/main.cpp b/TESTS/netsocket/tls/main.cpp index 2a8fb9033a..bd1fff4775 100644 --- a/TESTS/netsocket/tls/main.cpp +++ b/TESTS/netsocket/tls/main.cpp @@ -27,6 +27,7 @@ #include "utest.h" #include "utest/utest_stack_trace.h" #include "tls_tests.h" +#include "cert.h" #ifndef ECHO_SERVER_ADDR #error [NOT_SUPPORTED] Requires parameters for echo server @@ -47,35 +48,6 @@ mbed_stats_socket_t tls_stats[MBED_CONF_NSAPI_SOCKET_STATS_MAX_COUNT]; char tls_global::rx_buffer[RX_BUFF_SIZE]; char tls_global::tx_buffer[TX_BUFF_SIZE]; -const char *tls_global::cert = \ - "-----BEGIN CERTIFICATE-----\n" - "MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n" - "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n" - "DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow\n" - "SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT\n" - "GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC\n" - "AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF\n" - "q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8\n" - "SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0\n" - "Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA\n" - "a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj\n" - "/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T\n" - "AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG\n" - "CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv\n" - "bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k\n" - "c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw\n" - "VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC\n" - "ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz\n" - "MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu\n" - "Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF\n" - "AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo\n" - "uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/\n" - "wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu\n" - "X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG\n" - "PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6\n" - "KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n" - "-----END CERTIFICATE-----\n"; - void drop_bad_packets(TLSSocket &sock, int orig_timeout) { nsapi_error_t err;