From 13879f749107bd946fc4b038f1128de40f471104 Mon Sep 17 00:00:00 2001
From: proller
Date: Tue, 13 Mar 2018 22:49:21 +0300
Subject: [PATCH] Test client-server ssl
---
 dbms/src/Server/Server.cpp | 4 ++--
 dbms/src/Server/TCPHandlerFactory.h | 4 ++--
 dbms/tests/clickhouse-test-server | 8 ++++++--
 dbms/tests/client-test.xml | 1 +
 dbms/tests/server-test.xml | 30 ++++++++++++++++++++++++++++-
 5 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/dbms/src/Server/Server.cpp b/dbms/src/Server/Server.cpp
index db20c194573..9f09ffd549b 100644
--- a/dbms/src/Server/Server.cpp
+++ b/dbms/src/Server/Server.cpp
@@ -387,7 +387,7 @@ int Server::main(const std::vector & /*args*/)
 http_socket.setSendTimeout(settings.http_send_timeout);
 servers.emplace_back(new Poco::Net::HTTPServer(
- new HTTPHandlerFactory(*this, "HTTPHandler-factory"),
+ new HTTPHandlerFactory(*this, "HTTPSHandler-factory"),
 server_pool,
 http_socket,
 http_params));
@@ -425,7 +425,7 @@ int Server::main(const std::vector & /*args*/)
 tcp_socket.setReceiveTimeout(settings.receive_timeout);
 tcp_socket.setSendTimeout(settings.send_timeout);
 servers.emplace_back(new Poco::Net::TCPServer(
- new TCPHandlerFactory(*this),
+ new TCPHandlerFactory(*this, /* secure= */ true ),
 server_pool,
 tcp_socket,
 new Poco::Net::TCPServerParams));
diff --git a/dbms/src/Server/TCPHandlerFactory.h b/dbms/src/Server/TCPHandlerFactory.h
index 1f454b35a8f..99cc23a45da 100644
--- a/dbms/src/Server/TCPHandlerFactory.h
+++ b/dbms/src/Server/TCPHandlerFactory.h
@@ -17,9 +17,9 @@ private:
 Poco::Logger * log;
 public:
- explicit TCPHandlerFactory(IServer & server_)
+ explicit TCPHandlerFactory(IServer & server_, bool secure_ = false)
 : server(server_)
- , log(&Logger::get("TCPHandlerFactory"))
+ , log(&Logger::get("TCP" + (secure_ ? "S" : "") + "HandlerFactory"))
 {
 }
diff --git a/dbms/tests/clickhouse-test-server b/dbms/tests/clickhouse-test-server
index 82d254017bf..7fb6918bfe5 100755
--- a/dbms/tests/clickhouse-test-server
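Review bot: In dbms/src/Server/TCPHandlerFactory.h the new logger name `"TCP" + (secure_ ? "S" : "") + "HandlerFactory"` applies `+` to two `const char *` operands, which is ill-formed C++, so the constructor should not compile as written. Start the expression from a `std::string` instead: `, log(&Logger::get(std::string("TCP") + (secure_ ? "S" : "") + "HandlerFactory"))`. In the visible lines `secure_` only selects the logger name, so a comment on the parameter such as `/// secure_ only changes the logger name; it does not enable TLS by itself` would stop readers assuming the factory enforces encryption. The rest of the class is outside this hunk.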
+++ b/dbms/tests/clickhouse-test-server
@@ -22,8 +22,10 @@ export CLICKHOUSE_CONFIG=${CLICKHOUSE_CONFIG:=${CONFIG_SERVER_DIR}server-test.xm
 [ ! -d "$QUERIES_DIR" ] && QUERIES_DIR=${QUERIES_DIR=/usr/share/clickhouse-test/queries}
 rm -rf $DATA_DIR
-mkdir -p $LOG_DIR
+mkdir -p $LOG_DIR $DATA_DIR
+openssl dhparam -out `clickhouse-extract-from-config --config=$CLICKHOUSE_CONFIG --key=openSSL.server.dhParamsFile` 256
+openssl req -subj "/CN=localhost" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout `clickhouse-extract-from-config --config=$CLICKHOUSE_CONFIG --key=openSSL.server.privateKeyFile` -out `clickhouse-extract-from-config --config=$CLICKHOUSE_CONFIG --key=openSSL.server.certificateFile`
 # Start a local clickhouse server which will be used to run tests
 #PATH=$PATH:$BIN_DIR \
@@ -31,6 +33,8 @@ ${BIN_DIR}clickhouse-server --config-file=${CLICKHOUSE_CONFIG} > $LOG_DIR/stdout
 CH_PID=$!
 sleep 3
+tail -n50 $LOG_DIR/*
+
 # Define needed stuff to kill test clickhouse server after tests completion
 function finish {
 kill $CH_PID || true
@@ -38,7 +42,7 @@ function finish {
 tail -n 50 $LOG_DIR/stdout
 rm -rf $DATA_DIR
 }
-trap finish EXIT
+trap finish EXIT SIGINT SIGQUIT SIGTERM
 # Do tests
 if [ -n "$*" ]; then
diff --git a/dbms/tests/client-test.xml b/dbms/tests/client-test.xml
index 0cd3bdd5dc0..c5478dcb80d 100644
--- a/dbms/tests/client-test.xml
+++ b/dbms/tests/client-test.xml
@@ -1,4 +1,5 @@
 59000
+ 59440
diff --git a/dbms/tests/server-test.xml b/dbms/tests/server-test.xml
index cdb8e9caf5d..57f3f8ad9ea 100644
--- a/dbms/tests/server-test.xml
+++ b/dbms/tests/server-test.xml
@@ -13,8 +13,36 @@
 1
 58123
 59000
- 0.0.0.0
+ 58443
+ 59440
 59009
+
+
+
+ /tmp/clickhouse/server.crt
+ /tmp/clickhouse/server.key
+
+ /tmp/clickhouse/dhparam.pem
+ none
+ true
+ true
+ sslv2,sslv3
+ true
+
+
+
+ true
+ true
+ sslv2,sslv3
+ true
+
+
+
+ RejectCertificateHandler
+
+
+
+
 3
 /tmp/clickhouse/data/
 /tmp/clickhouse/tmp/
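Review bot: The added `openssl dhparam ... 256` line in dbms/tests/clickhouse-test-server generates a 256-bit Diffie-Hellman group, far below any accepted size and rejected by OpenSSL builds that carry the Logjam-era minimums, so a DHE handshake in this test is either never exercised or fails on newer toolchains. Use `2048`, or commit a pre-generated test-only parameter file if generation time is the concern. Both openssl lines also pass an unquoted, unchecked backtick result as the output path, so if `clickhouse-extract-from-config` prints nothing, `256` is taken as the `-out` file name. Quoting fails loudly instead: `openssl dhparam -out "$(clickhouse-extract-from-config --config="$CLICKHOUSE_CONFIG" --key=openSSL.server.dhParamsFile)" 2048`. A comment `# test-only key material, regenerated on every run` above the two lines would make the intent clear.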
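Review bot: With `trap finish EXIT SIGINT SIGQUIT SIGTERM` the handler returns after a signal instead of ending the script, so after Ctrl-C the remaining test commands keep running against a killed server and a removed data directory, and `finish` runs a second time on EXIT. Keeping cleanup on EXIT only and turning the signals into an exit avoids both: `trap finish EXIT` followed by `trap 'exit 1' SIGINT SIGQUIT SIGTERM`. Part of the body of `finish` lies outside the visible hunks, so this assumes it does not call `exit` itself.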
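Review bot: The certificate, private key and DH parameter entries added to dbms/tests/server-test.xml are pinned to fixed paths under `/tmp/clickhouse/`, a location any local user can pre-create or replace with a symlink on a shared build host, and the test script writes the key there unencrypted (`-nodes`). Consider pointing these entries at a per-run directory created with `mktemp -d`, with `umask 077` set before the openssl calls. The element names are not visible in this rendering, so it is only an assumption that `sslv2,sslv3` is the disabled-protocols list; if it is, TLS 1.0 and 1.1 stay enabled. A comment marking the block as test-only would keep it from being copied into a production config.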