ndt-project / ndt

Network Diagnostic Tool

Add SSL/TLS support to NDT #194

Closed pboothe closed 9 years ago

pboothe commented 9 years ago

This is a big pull request. I recommend checking it out before accepting it.

It adds SSL/TLS support to NDT. In order to do this, a lot of very critical pieces of NDT had to get touched a little. I didn't break anything, and all the end-to-end tests pass as do the new tests.

To do this, I had to re-architect and rewrite most of web100srv.c excepting the run_test() function. This was necessary both because it was almost unreadable, but also because the way it worked was hostile to SSL because multiple processes were writing to the network on the same socket. This breaks SSL because the two SSL objects end up advancing their internal state machines independently which means that the second process to write to the SSL socket ends up looking like a man-in-the-middle attack, which causes the client to drop the connection.

I think the logic in web100srv.c is now pretty easy to follow. The main() is now approximately 1000 lines shorter. The server's "serve-forever" loop has been factored out into its own function. The queue management now definitely works and is unit-tested to work. Race conditions have been eliminated. There are no more semaphores.

It improves things a lot. But it's a big change, so check it out before saying yes.
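A simplified model of the failure described in the comment above, added here as an illustration and not part of the pull request or NDT's code: TLS 1.2 authenticates each record with a MAC over an implicit sequence number, so two processes holding separate copies of the write state eventually emit a record the client rejects. The class names, key and payloads are constructed for the example, and `copy.deepcopy` stands in for `fork()`.

```python
import copy
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def record_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    # Simplified from RFC 5246 6.2.3.1: the MAC input starts with the implicit
    # 64-bit sequence number, which is never sent on the wire.
    header = struct.pack("!QH", seq, len(payload))
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class RecordWriter:
    """Write half of a toy record layer (integrity only, no encryption)."""
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def seal(self, payload: bytes) -> bytes:
        record = payload + record_mac(self.key, self.seq, payload)
        self.seq += 1  # state advances only in the process that wrote
        return record


class RecordReader:
    """Read half: expects exactly one record per sequence number, in order."""
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def open(self, record: bytes) -> bytes:
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, record_mac(self.key, self.seq, payload)):
            raise ValueError("bad_record_mac")  # a real client aborts here
        self.seq += 1
        return payload


def simulate_shared_socket() -> list:
    """What the client sees when parent and child both write to one connection."""
    key = b"constructed-demo-key"
    parent, client = RecordWriter(key), RecordReader(key)
    seen = [client.open(parent.seal(b"login ok"))]         # seq 0 accepted
    child = copy.deepcopy(parent)                          # stands in for fork()
    seen.append(client.open(child.seal(b"test results")))  # seq 1 accepted
    try:
        client.open(parent.seal(b"queue update"))  # parent reuses seq 1, client wants 2
    except ValueError as err:
        seen.append(str(err))
    return seen
```

With a single writer the reader accepts every record in order, which is the property the re-architected server restores by keeping all writes to the TLS socket in one process.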

dkorzhevin commented 9 years ago

Hi guys

Can you please tell me: is there any chance of getting this working over https? I mean, ndt and web100srv over https.

pboothe commented 9 years ago

There is a very good chance, actually. I got distracted, but fixing this and getting the patch in is currently one of the things I want to get done ASAP. Thanks for asking, as external interest makes me feel like this work is not in vain!

pboothe commented 9 years ago

This will leave ndt able to use wss and ws, not http and https, though.

dkorzhevin commented 9 years ago

I have it running under Apache with a certificate, so widgets.html is requested over a secure connection (https). The page loads, but the counters do not react when I start the test, because I have web100srv without wss.

dkorzhevin commented 9 years ago

Do you have any kind of short howto, how I can compile it and test?

pboothe commented 9 years ago

Are you trying to compile this branch? Can you compile NDT at all even outside of this branch?

Unfortunately, because this code is still in a branch, its features have not been added to the documentation.

dkorzhevin commented 9 years ago

I cloned master branch:

git clone https://github.com/m-lab/ndt.git

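Afterwards, I used bootstrap to generate the initial configure and makefiles.

* Network Diagnostic Tool *
* configured modules *

*\ Client Tools - incomplete

  • web100clt: NO (missing jansson library)
  • Tcpbw100.jar: YES
  • flash-client: YES

*\ Server Tools - incomplete

  • fakewww: NO (disabled by default)
  • web100srv: NO (missing pcap headers)
  • web10gsrv: NO (missing web10g userland library >=2.0.6.2)

*\ Administrative Tools - incomplete

  • analyze: YES
  • viewtrace: YES
  • tr-mkmap: YES
  • genplot: YES
  • genplot10g: NO (missing web10g userland library >=2.0.6.2)
  • JAnalyze.jar: NO (missing java compiler)
  • Admin.class: NO (missing java compiler)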

pboothe commented 9 years ago

It looks like you need the pcap headers. Install libpcap and its header files.

-Peter

On Thu, Oct 1, 2015 at 12:04 PM, Dmitry Korzhevin notifications@github.com wrote:

I cloned master branch:

git clone https://github.com/m-lab/ndt.git

After, used bootstrap to generate initial configure and makefiles.

* Network Diagnostic Tool *

* configured modules *

*\ Client Tools - incomplete

  • web100clt: NO (missing jansson library)
  • Tcpbw100.jar: YES
  • flash-client: YES

*\ Server Tools - incomplete

  • fakewww: NO (disabled by default)
  • web100srv: NO (missing pcap headers)
  • web10gsrv: NO (missing web10g userland library >=2.0.6.2)

*\ Administrative Tools - incomplete

  • analyze: YES
  • viewtrace: YES
  • tr-mkmap: YES
  • genplot: YES
  • genplot10g: NO (missing web10g userland library >=2.0.6.2)
  • JAnalyze.jar: NO (missing java compiler)
  • Admin.class: NO (missing java compiler)


dkorzhevin commented 9 years ago

Thank you, I installed a few other build-time dependencies and built web100srv.

./web100srv -v
ANL/Internet2 NDT version 3.7.0.1 (server)

And now I see needed options :)

  --tls                  - Use SSL or TLS sockets to conduct the tests.
                           Note: This disables all tests which require the
                           server to open a socket to the client (MID, SFW),
                           and requires the --certificate and --private-key
                           options also be set.
 --private_key           - the private key (.pem format) to use for TLS/SSL
 --certificate           - the certificate (.pem format) to use for TLS/SSL

dkorzhevin commented 9 years ago

Btw, if anyone is interested in seeing how this works IRL, with WSS and Apache, not fakewww, visit:

https://www.warface.com/en/speed/test

Thanks to Peter!

Dmitry

pboothe commented 9 years ago

Deleting this pull request, because there is now one which merges cleanly - https://github.com/ndt-project/ndt/pull/198