TLS ECH Testing Improvements #2
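name: OpenSSL ECH Interop Test

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

# One run per workflow+ref; a newer push cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

jobs:
  # Build wolfSSL with ECH enabled and publish the install tree as an artifact
  # for the interop job below.
  build_wolfssl:
    name: Build wolfSSL
    # Skip on forks; the interop job only makes sense against upstream.
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    timeout-minutes: 4
    steps:
      - name: Build wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
          path: wolfssl
          configure: --enable-ech CFLAGS='-DUSE_FLAT_TEST_H'
          install: true
      - name: tar build-dir
        run: |
          # The installed example dir ships server.c only; put server.h next
          # to it so the example can be rebuilt from the artifact alone.
          cp "$GITHUB_WORKSPACE/wolfssl/examples/server/server.h" \
            build-dir/share/doc/wolfssl/example/server.h
          tar -zcf build-dir.tgz build-dir
      - name: Upload built wolfSSL
        uses: actions/upload-artifact@v4
        with:
          name: wolf-install-openssl-ech
          path: build-dir.tgz
          retention-days: 5

  # Build OpenSSL from its ECH feature branch and publish the install tree.
  build_openssl_ech:
    name: Build OpenSSL (feature/ech)
    if: github.repository_owner == 'wolfssl'
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: Checkout OpenSSL feature/ech branch
        uses: actions/checkout@v4
        with:
          repository: openssl/openssl
          # NOTE(review): this is a floating branch, not a pinned commit. The
          # interop job therefore tracks upstream's tip: results are not
          # reproducible run to run, and an upstream change can alter or break
          # this test without any change in this repository.
          ref: feature/ech
          path: openssl
      - name: Build OpenSSL
        working-directory: openssl
        run: |
          ./Configure --prefix="$GITHUB_WORKSPACE/openssl-install" \
            --openssldir="$GITHUB_WORKSPACE/openssl-install/ssl" \
            enable-ech no-docs
          make -j"$(nproc)"
          # install_sw: libraries and binaries only, no docs
          make install_sw
      - name: tar openssl-install
        run: tar -zcf openssl-install.tgz openssl-install
      - name: Upload built OpenSSL
        uses: actions/upload-artifact@v4
        with:
          name: openssl-ech-install
          path: openssl-install.tgz
          retention-days: 5

  # Run a wolfSSL server with ECH enabled and connect to it with OpenSSL's
  # s_client using the ECH config the server prints at startup.
  ech_interop_test:
    name: ECH Interop Test
    if: github.repository_owner == 'wolfssl'
    needs: [build_wolfssl, build_openssl_ech]
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    steps:
      - name: Download wolfSSL build
        uses: actions/download-artifact@v4
        with:
          name: wolf-install-openssl-ech
      - name: Download OpenSSL build
        uses: actions/download-artifact@v4
        with:
          name: openssl-ech-install
      - name: Extract builds
        run: |
          tar -xzf build-dir.tgz
          tar -xzf openssl-install.tgz
      - name: Build wolfssl server example
        run: |
          export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
          export WOLFSSL_BIN_DIR="$GITHUB_WORKSPACE/build-dir/bin"
          export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include"
          export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl"
          # libwolfssl lives under build-dir/lib (see LIBS); the previous
          # value pointed at $GITHUB_WORKSPACE/lib/, which this job never
          # creates. Linking itself is resolved via -L, so this only matters
          # if the binary is executed from this step.
          export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib:${LD_LIBRARY_PATH:-}"
          # $CFLAGS and $LIBS are intentionally unquoted so they word-split
          # into separate compiler arguments.
          gcc -o "$WOLFSSL_BIN_DIR/server" \
            "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
            $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
      - name: ECH interop - wolfSSL server, OpenSSL client
        run: |
          set -e
          # Prefer the freshly built OpenSSL and wolfSSL libraries over any
          # system copies for both the client and the server.
          export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:${LD_LIBRARY_PATH:-}"
          OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
          WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
          CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
          READY_FILE="$GITHUB_WORKSPACE/wolfssl_tls13_ready$$"
          LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
          PRIV_NAME="ech-private-name.com"
          PUB_NAME="ech-public-name.com"
          ECH_CONFIG=""
          PORT=0
          SERVER_PID=""
          rm -f "$READY_FILE" "$LOG_FILE"
          # Stop the background server and drop the ready file on every exit
          # path. Previously cleanup only ran on the success path, so any
          # failed check left the server running, and a kill of an
          # already-exited server itself failed the step under set -e.
          cleanup() {
            rm -f "$READY_FILE"
            if [ -n "$SERVER_PID" ]; then
              kill "$SERVER_PID" 2>/dev/null || true
            fi
          }
          trap cleanup EXIT
          # True while the background server process still exists; used to
          # fail fast instead of waiting out the full poll timeout.
          server_alive() {
            kill -0 "$SERVER_PID" 2>/dev/null
          }
          "$OPENSSL" version
          # start server with ephemeral port (-p 0) + ready file holding the port
          # also set server to be line buffered so the log can be grepped
          stdbuf -oL "$WOLFSSL_SERVER" -v 4 -R "$READY_FILE" -p "$PORT" \
            -S "$PRIV_NAME" --ech "$PUB_NAME" &> "$LOG_FILE" &
          SERVER_PID=$!
          # wait (up to ~5s) for server to be ready, then get port
          counter=0
          while [ ! -s "$READY_FILE" ]; do
            if ! server_alive; then
              echo "ERROR: server exited before writing ready file" &>> "$LOG_FILE"
              exit 1
            fi
            sleep 0.1
            counter=$((counter + 1))
            if [ "$counter" -gt 50 ]; then
              echo "ERROR: no ready file" &>> "$LOG_FILE"
              exit 1
            fi
          done
          PORT="$(cat "$READY_FILE")"
          # get ECH config from the server log (up to ~5s)
          counter=0
          while [ -z "$ECH_CONFIG" ]; do
            ECH_CONFIG=$(grep -m1 "ECH config (base64): " "$LOG_FILE" \
              2>/dev/null | sed 's/ECH config (base64): //g')
            if [ -z "$ECH_CONFIG" ] && ! server_alive; then
              echo "ERROR: server exited before printing ECH config" &>> "$LOG_FILE"
              exit 1
            fi
            sleep 0.1
            counter=$((counter + 1))
            if [ "$counter" -gt 50 ]; then
              echo "ERROR: no ECH configs" &>> "$LOG_FILE"
              exit 1
            fi
          done
          # Test with OpenSSL s_client using ECH. The piped string is the
          # application data sent after the handshake; -servername carries the
          # inner (ECH-protected) name, the config list the server's public
          # name. Client output is appended to the shared log.
          echo "wolfssl" | "$OPENSSL" s_client \
            -tls1_3 \
            -connect "localhost:$PORT" \
            -cert "$CERT_DIR/client-cert.pem" \
            -key "$CERT_DIR/client-key.pem" \
            -CAfile "$CERT_DIR/ca-cert.pem" \
            -servername "$PRIV_NAME" \
            -ech_config_list "$ECH_CONFIG" \
            &>> "$LOG_FILE"
          # This grep is the pass/fail check: under set -e a missing
          # "ECH: success: 1" line fails the step. Server shutdown and ready
          # file removal happen in the EXIT trap.
          grep "ECH: success: 1" "$LOG_FILE"
      - name: Print debug info on failure
        if: ${{ failure() }}
        run: |
          # Both server and client write to this log, so it is the single
          # place to look when the interop step fails.
          if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then
            cat "$GITHUB_WORKSPACE/log_file.log"
          else
            echo "No log file"
          fi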