authorebo <eliezio.oliveira@est.tech>2020-04-19 01:33:21 +0100
committerBartek Grzybowski <b.grzybowski@partner.samsung.com>2020-04-20 07:11:26 +0000
commitee0c74e28de9552e683724264b101362c144694c (patch)
tree84aef9e38cbdd4c88e25f3bbbe6bff6af703fb20
parent93d2ff22d0c8c1bc1fc7a2ea5e5643c88a345667 (diff)
netconf-pnp-simulator: fix sysrepod crash on TLS reconfig
The crash was caused by: - the '--permanent' option while updating the ietf-keystore by sysrepocfg - missing some Yang modules on sysrepo installation Other changes: 1. Added TLS integration tests, including reconfiguration 2. reconfigure-*.sh are now synchronous, only returning after restart is completed Issue-ID: INT-1516 Change-Id: Iddc03fc968aaab60931596045437ba0c78448b08 Signed-off-by: ebo <eliezio.oliveira@est.tech>
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/Dockerfile28
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/common.sh31
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/container-tag.yaml2
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/README2
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/ca.pem24
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_cert.pem24
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_key.pem27
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_cert.pem24
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_key.pem27
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/README1
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca.pem21
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca_key.pem28
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_cert.pem21
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_key.pem27
-rwxr-xr-xtest/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/openssl_2way_auth.sh84
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_cert.pem21
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_key.pem27
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/nctest.py6
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/settings.py5
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tests/test_tls.py115
-rw-r--r--test/mocks/netconf-pnp-simulator/engine/tox.ini2
21 files changed, 527 insertions, 20 deletions
diff --git a/test/mocks/netconf-pnp-simulator/engine/Dockerfile b/test/mocks/netconf-pnp-simulator/engine/Dockerfile
index 9eec0baa7..3afca4b6d 100644
--- a/test/mocks/netconf-pnp-simulator/engine/Dockerfile
+++ b/test/mocks/netconf-pnp-simulator/engine/Dockerfile
@@ -65,8 +65,7 @@ RUN set -eux \
&& mkdir build && cd build \
&& cmake -DCMAKE_BUILD_TYPE:String="Release" -DENABLE_BUILD_TESTS=OFF \
-DCMAKE_INSTALL_PREFIX:PATH=/opt \
- -DGEN_LANGUAGE_BINDINGS=ON \
- -DPYTHON_MODULE_PATH:PATH=/opt/lib/python3.7/site-packages \
+ -DGEN_LANGUAGE_BINDINGS=OFF \
.. \
&& make -j2 \
&& make install
@@ -98,6 +97,7 @@ RUN set -eux \
-DGEN_PYTHON_VERSION=3 \
-DPYTHON_MODULE_PATH:PATH=/opt/lib/python3.7/site-packages \
-DBUILD_EXAMPLES=0 \
+ -DBUILD_CPP_EXAMPLES=0 \
.. \
&& make -j2 \
&& make install
@@ -111,8 +111,7 @@ RUN set -eux \
&& mkdir build && cd build \
&& cmake -DCMAKE_BUILD_TYPE:String="Release" -DENABLE_BUILD_TESTS=OFF \
-DCMAKE_INSTALL_PREFIX:PATH=/opt \
- -DENABLE_PYTHON=ON \
- -DPYTHON_MODULE_PATH:PATH=/opt/lib/python3.7/site-packages \
+ -DENABLE_PYTHON=OFF \
.. \
&& make \
&& make install
@@ -127,6 +126,7 @@ RUN set -eux \
&& mkdir build && cd build \
&& cmake -DCMAKE_BUILD_TYPE:String="Release" \
-DCMAKE_INSTALL_PREFIX:PATH=/opt \
+ -DMODEL_INSTALL=ON \
.. \
&& make -j2 \
&& make install
@@ -141,14 +141,16 @@ RUN set -eux \
&& make -j2 \
&& make install
-FROM python:3.7.7-alpine3.11
+FROM python:3.7.7-alpine3.11 as stage0
+RUN apk upgrade --no-cache --available
+
+FROM scratch
LABEL authors="eliezio.oliveira@est.tech"
+COPY --from=stage0 / /
+
RUN set -eux \
- && pip install loguru supervisor virtualenv \
- && apk update \
- && apk upgrade -a \
- && apk add \
+ && apk add --no-cache \
coreutils \
libcurl \
libev \
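Review bot: The final stage now starts `FROM scratch` and copies only the filesystem of `stage0`, so the image configuration of `python:3.7.7-alpine3.11` is not inherited. Any `ENV` or default command the base image declares (presumably locale and Python-related variables) would have to be re-declared in this stage if the services rely on it. A comment above `FROM scratch`, such as `# Flatten the upgraded base into a single layer; ENV/CMD of the python image are NOT inherited`, would record why the extra stage exists. Separately, `apk upgrade --no-cache --available` installs whatever the mirrors serve on build day, so two builds of the same tag can differ in package content. The `RUN` instruction that follows continues past the end of this hunk.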
@@ -156,8 +158,7 @@ RUN set -eux \
openssl \
pcre \
protobuf-c \
- xmlstarlet \
- && rm -rf /var/cache/apk/*
+ xmlstarlet
COPY --from=build /opt/ /opt/
@@ -167,6 +168,7 @@ ENV PYTHONPATH=/opt/lib/python3.7/site-packages
COPY patches/supervisor/ /usr/src/patches/supervisor/
RUN set -eux \
+ && pip install loguru supervisor supervisor virtualenv \
&& cd /usr/local/lib/python3.7/site-packages \
&& for p in /usr/src/patches/supervisor/*.patch; do patch -p1 -i $p; done
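Review bot: `supervisor` is listed twice in the added `pip install` line, and none of the packages is version-pinned even though the loop below patches files inside the installed `supervisor` package. A new upstream release can change the code the patches target, so they either stop applying or apply to code they were not written for. Pinning to the release the patches were made against and dropping the duplicate keeps the build deterministic: `&& pip install --no-cache-dir loguru supervisor==<PATCHED_VERSION> virtualenv \`. `<PATCHED_VERSION>` is a placeholder, since the page does not show which version the patches target.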
@@ -181,8 +183,12 @@ RUN adduser --system --disabled-password --gecos 'Netconf User' netconf
# it can start the tests.
HEALTHCHECK --interval=1s --start-period=2s --retries=10 CMD test -f /run/netopeer2-server.pid
+# SSH
EXPOSE 830
+# TLS
+EXPOSE 6513
+
COPY supervisord.conf /etc/supervisord.conf
RUN mkdir /etc/supervisord.d
diff --git a/test/mocks/netconf-pnp-simulator/engine/common.sh b/test/mocks/netconf-pnp-simulator/engine/common.sh
index 961d51f9b..80e882a06 100644
--- a/test/mocks/netconf-pnp-simulator/engine/common.sh
+++ b/test/mocks/netconf-pnp-simulator/engine/common.sh
@@ -62,13 +62,33 @@ find_file() {
# Extracts the body of a PEM file by removing the dashed header and footer
alias pem_body='grep -Fv -- -----'
+wait_for_file() {
+ local file=$1
+ local timeout=$2
+
+ local i=0
+ while [ $i -lt $timeout ]; do
+ if [ -e $file ]; then
+ return
+ fi
+ sleep 1
+ done
+
+ false
+}
kill_service() {
local service=$1
- pid=$(cat /var/run/${service}.pid)
+ pid_file=/run/${service}.pid
+ pid=$(cat $pid_file)
log INFO Killing $service pid=$pid
+ rm -f $pid_file
kill $pid
+ if ! wait_for_file $pid_file 10; then
+ log ERROR Timeout while waiting $service to restart
+ exit 1
+ fi
}
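Review bot: `wait_for_file` never increments `i`, so `[ $i -lt $timeout ]` stays true and the function loops forever when the file does not appear. The `Timeout while waiting` branch in `kill_service` can therefore never run. Adding `i=$((i + 1))` after `sleep 1` restores the intended bound, and quoting the path (`[ -e "$file" ]`) avoids word-splitting surprises. In `kill_service`, an empty result from `cat $pid_file` makes `kill` run without a pid after the pid file has already been removed; a guard such as `[ -n "$pid" ] || exit 1` before `rm -f` would make that failure explicit.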
# ------------------------------------
@@ -115,11 +135,16 @@ configure_tls() {
log INFO Load CA and server certificates
ca_cert=$(pem_body $TLS_CONFIG/ca.pem)
server_cert=$(pem_body $TLS_CONFIG/server_cert.pem)
+ out=$(mktemp -p $WORKDIR ietf-keystore.XXXXXX.xml)
xmlstarlet ed --pf --omit-decl \
--update '//_:name[text()="server_cert"]/following-sibling::_:certificate' --value "$server_cert" \
--update '//_:name[text()="ca"]/following-sibling::_:certificate' --value "$ca_cert" \
- $dir/ietf-keystore.xml | \
- sysrepocfg --datastore=$datastore --permanent --format=xml ietf-keystore --${operation}=-
+ $dir/ietf-keystore.xml > $out
+ sysrepocfg --datastore=$datastore --format=xml ietf-keystore --${operation}=$out
+ # The '--permanent' option was causing sysrepod to crash
+ if [ "$datastore" != "startup" ]; then
+ sysrepocfg --datastore=startup --format=xml ietf-keystore --${operation}=$out
+ fi
log INFO Configure TLS ingress service
ca_fingerprint=$(openssl x509 -noout -fingerprint -in $TLS_CONFIG/ca.pem | cut -d= -f2)
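Review bot: The file created by `mktemp -p $WORKDIR ietf-keystore.XXXXXX.xml` is never removed, so every reconfiguration leaves another copy of the edited keystore document in `$WORKDIR`. If that document carries private-key data (not visible in this hunk), the copies outlive their purpose; `rm -f "$out"` after the last `sysrepocfg` call would bound that. The result of `xmlstarlet` is also not checked before `$out` is imported, so unless the script runs under `set -e` (not visible here) a failed edit would load an empty or partial file into both datastores. `configure_tls` starts and ends outside this hunk.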
diff --git a/test/mocks/netconf-pnp-simulator/engine/container-tag.yaml b/test/mocks/netconf-pnp-simulator/engine/container-tag.yaml
index 9bd214eca..c76aa8f61 100644
--- a/test/mocks/netconf-pnp-simulator/engine/container-tag.yaml
+++ b/test/mocks/netconf-pnp-simulator/engine/container-tag.yaml
@@ -1 +1 @@
-tag: "2.8.4"
+tag: "2.8.5"
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/README b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/README
new file mode 100644
index 000000000..725b6b69b
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/README
@@ -0,0 +1,2 @@
+The files 'ca.pem', 'server_key.pem', and 'server_cert.pem' were copied from
+../../../config/tls directory.
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/ca.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/ca.pem
new file mode 100644
index 000000000..62593ab7c
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/ca.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_cert.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_cert.pem
new file mode 100644
index 000000000..8e52dacfd
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_key.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_key.pem
new file mode 100644
index 000000000..7ccdab10c
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/client_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAueCQaNQWoNmFK6LKu1p8U8ZWdWg/PvDdLsJyzfzl/Qw4UA68
+SfFNaY06zZl8QB9W02nr5kWeeMY0VA3adrPgOlvfx3oWlFbkETnMaN4OT3WTQ0Wt
+6jAWZDzVfopwpJPAzRPxACDftIqFGagYcF32hZlVNqqnVdbXh0S0EViweqp/dbG4
+VDUHSNVbglc+u4UbEzNIFXMdEFsJZpkynOmSiTsIATqIhb+2srkVgLwhfkC2qkuH
+QwAHdubuB07ObM2z01UhyEdDvEYGHwtYAGDBL2TAcsI0oGeVkRyuOkV0QY0UN7UE
+FI1yTYw+xZ42HgFx3uGwApCImxhbj69GBYWFqwIDAQABAoIBAQCZN9kR8DGu6V7y
+t0Ax68asL8O5B/OKaHWKQ9LqpVrXmikZJOxkbzoGldow/CIFoU+q+Zbwu9aDa65a
+0wiP7Hoa4Py3q5XNNUrOQDyU/OYC7cI0I83WS0lJ2zOJGYj8wKae5Z81IeQFKGHK
+4lsy1OGPAvPRGh7RjUUgRavA2MCwe07rWRuDb/OJFe4Oh56UMEjwMiNBtMNtncog
+j1vr/qgRJdf9tf0zlJmLvUJ9+HSFFV9I/97LJyFhb95gAfHkjdVroLVgT3Cho+4P
+WtZaKCIGD0OwfOG2nLV4leXvRUk62/LMlB8NI9+JF7Xm+HCKbaWHNWC7mvWSLV58
+Zl4AbUWRAoGBANyJ6SFHFRHSPDY026SsdMzXR0eUxBAK7G70oSBKKhY+O1j0ocLE
+jI2krHJBhHbLlnvJVyMUaCUOTS5m0uDw9hgSsAqeSL3hL38kxVZw+KNG9Ouno1Fl
+KnE/xXHlPQyeGs/P8nAMzHZxQtEsQdQayJEhK2XXHTsy7Q3MxDisfVJ1AoGBANfD
+34gB+OMx6pwj7zk3qWbYXSX8xjCZMR0ciko+h4xeMP2N8B0oyoqC+v1ABMAtJ3wG
+sGZd0hV9gwM7OUM3SEwkn6oeg1GemWLcn4rlSmTnZc4aeVwrEWlnSNFX3s4g9l4u
+k8Ugu4MVJYqH8HuDQ5Ggl6/QAwPzMSEdCW0O+jOfAoGAIBRbegC5+t6m7Yegz4Ja
+dxV1g98K6f58x+MDsQu4tYWV4mmrQgaPH2dtwizvlMwmdpkh+LNWNtWuumowkJHc
+akIFo3XExQIFg6wYnGtQb4e5xrGa2xMpKlIJaXjb+YLiCYqJDG2ALFZrTrvuU2kV
+9a5qfqTc1qigvNolTM0iaaUCgYApmrZWhnLUdEKV2wP813PNxfioI4afxlpHD8LG
+sCn48gymR6E+Lihn7vuwq5B+8fYEH1ISWxLwW+RQUjIneNhy/jjfV8TgjyFqg7or
+0Sy4KjpiNI6kLBXOakELRNNMkeSPopGR2E7v5rr3bGD9oAD+aqX1G7oJH/KgPPYd
+Vl7+ZwKBgQDcHyWYrimjyUgKaQD2GmoO9wdcJYQ59ke9K+OuGlp4ti5arsi7N1tP
+B4f09aeELM2ASIuk8Q/Mx0jQFnm8lzRFXdewgvdPoZW/7VufM9O7dGPOc41cm2Dh
+yrTcXx/VmUBb+/fnXVEgCv7gylp/wtdTGHQBQJHR81jFBz0lnLj+gg==
+-----END RSA PRIVATE KEY-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_cert.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_cert.pem
new file mode 100644
index 000000000..c0e03a3f0
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCQ1ox
+FjAUBgNVBAgMDVNvdXRoIE1vcmF2aWExDTALBgNVBAcMBEJybm8xDzANBgNVBAoM
+BkNFU05FVDEMMAoGA1UECwwDVE1DMRMwEQYDVQQDDApleGFtcGxlIENBMSIwIAYJ
+KoZIhvcNAQkBFhNleGFtcGxlY2FAbG9jYWxob3N0MB4XDTE1MDczMDA3MjU1MFoX
+DTM1MDcyNTA3MjU1MFowgYUxCzAJBgNVBAYTAkNaMRYwFAYDVQQIDA1Tb3V0aCBN
+b3JhdmlhMQ8wDQYDVQQKDAZDRVNORVQxDDAKBgNVBAsMA1RNQzEXMBUGA1UEAwwO
+ZXhhbXBsZSBzZXJ2ZXIxJjAkBgkqhkiG9w0BCQEWF2V4YW1wbGVzZXJ2ZXJAbG9j
+YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsdI1TBjzX1Pg
+QXFuPCw5/kQwU7qkrhirMcFAXhI8EoXepPa9fKAVuMjHW32P6nNzDpnhFe0YGdNl
+oIEN3hJJ87cVOqj4o7zZMbq3zVG2L8As7MTA8tYXm2fSC/0rIxxRRemcGUXM0q+4
+LEACjZj2pOKonaivF5VbhgNjPCO1Jj/TamUc0aViE577C9L9EiObGM+bGbabWk/K
+WKLsvxUc+sKZXaJ7psTVgpggJAkUszlmwOQgFiMSR53E9/CAkQYhzGVCmH44Vs6H
+zs3RZjOTbce4wr4ongiA5LbPeSNSCFjy9loKpaE1rtOjkNBVdiNPCQTmLuODXUTK
+gkeL+9v/OwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
+U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU83qEtQDFzDvLoaII
+vqiU6k7j1uswHwYDVR0jBBgwFoAUc1YQIqjZsHVwlea0AB4N+ilNI2gwDQYJKoZI
+hvcNAQELBQADggEBAJ+QOLi4gPWGofMkLTqSsbv5xRvTw0xa/sJnEeiejtygAu3o
+McAsyevSH9EYVPCANxzISPzd9SFaO56HxWgcxLn9vi8ZNvo2wIp9zucNu285ced1
+K/2nDZfBmvBxXnj/n7spwqOyuoIc8sR7P7YyI806Qsfhk3ybNZE5UHJFZKDRQKvR
+J1t4nk9saeo87kIuNEDfYNdwYZzRfXoGJ5qIJQK+uJJv9noaIhfFowDW/G14Ji5p
+Vh/YtvnOPh7aBjOj8jmzk8MqzK+TZgT7GWu48Nd/NaV8g/DNg9hlN047LaNsJly3
+NX3+VBlpMnA4rKwl1OnmYSirIVh9RJqNwqe6k/k=
+-----END CERTIFICATE-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_key.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_key.pem
new file mode 100644
index 000000000..d61c77bdf
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_initial/server_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/README b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/README
new file mode 100644
index 000000000..89c12e26f
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/README
@@ -0,0 +1 @@
+Based on https://gist.github.com/zapstar/4b51d7cfa74c7e709fcdaace19233443
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca.pem
new file mode 100644
index 000000000..037188ee0
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca_key.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca_key.pem
new file mode 100644
index 000000000..887f1a151
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/ca_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWAgfcmpeuqoYx
+/Pim+BHpke3EqHKG2IfZFcuWXiC5vMq0tig7BchCPFc6LU9zPs0ggazX2rgEmQuP
+SiCCEz2kQplP16Uc4ovLHbJl1CXYVtKPhbdChh4wrLtccxAPfmVesbcW6DLLLAhG
+ypBCuZ+nrw48JZqcHmdZ112K7tpiB4dnA9jeNDVeM6IemgVLBXX/hUbWscHnkCqo
+UhzTkfCv0PfHiJcPpNpY73bmKN+cmAKHVl5+TYtPy/aKYqOAjJe+Ca639ldT7YB1
+yyfd/UcEDysN1aUC4kATkiTgpvZg9KEQwV/DZGdB9YdCiCEh8iGkYSl6zOhaUnJ3
+TZHcLmM5AgMBAAECggEAGm6pK/ohmCl8E/rbZbB4l4ubNffollI5PctVYF2drpzR
+qx4d4KiYLPOs+xdY1JnQU1YGOtLTchv1qX4KVGFHj1Yc5bC962UP9O56rO7A7GoA
+GEIblKFFWJZXPWcZAWHoQtNVy7eGm75ahv7ShK9oroduHrMRl0jUNUR5uy1zVapw
+47m3Trzo7u1QF194N2SqQJajGVkwWmQ8V77+dvSnesoq5ZNLteLPooqDnesSZxFE
+Hus0ZuWz4WcCl9+OUXCZG9Q/lNm3aZMIR1ShpPC74KuKyfTjLoqACt8+8WQr/XD5
+tLDfm0EY+xdnaCke3HdESxTXDXCErHItYNrSRKOaAQKBgQDHAIRmqNuWqKWrd7hz
+cRanfzk7iHSKb40+EzSNEvNht+i/PrfuyU7e0aUQjQUwIPMznGGZHE+NIcRPPxSS
+zPD+Qye+cXMSXS08rB9LZe/VYHXBnFAHAH0rt63UzjnvNqsg6uH40rXuYPPcbtyP
+a74RUShNBp0F3zgegpdEoB0DCQKBgQDA+RsW3WCbm/eBrS/J6wb6Xd8/tj8hOJjP
+aMsijWK9F0LOwLgnrBO1tmrOcO7UPCk3MY4aMlPxyQ43JajoJ+HzHosj8plX3fT7
+/6c6hDyZmYDcghxs5aCcWn0lOoafvHzzNYK7Wrgh4twxFoSpy7QuETlYi8ifPr3j
+zjkz+YV6sQKBgQCE1LqLz9BrOv0CfDI5lFXbzdcE/utTcGxl7+nW9LxSELEh3ppl
+oCeuIV+9sXOyEXxkidC3o6cR/GUNxHxWFMgT3/2KaC24J0vHwNhOuqcg1XckmdLt
+KY1jfgJhFpqjKumFWmMldHiNuldsXu+IKBHBe1ucNnrfbYUHEIIqA3n6CQKBgBYj
+vl7mMTJJN6FSHFx/MYLCCF4H68BE/Qs2y6+AJybop0qPQ9GRZYWAk0pyHISPDm99
+qP8KbSUdWxsqn/Faugqpo28RY1R4a6YJ08bb6xP4T5d8+gPoaH/nxdnimBV1i6Rf
+rEsQgnWo0Hh1S+0rKNXsNfcZun/CtAiR3XBAHXdRAoGAXX97DyQmPaT28XGrT6Mq
+Hus73yJnEtSaRtl2HB9d7CEdKZyai5rnW7jV+WibxSNJbL0dTF5EPlzwCElnR6lD
+d0elYWbjEEr1z0QNEGKJTgH3IAlCnpv2ATqthRjAcxvrIZ/Pd9mh/2AjWl/2Wfd9
+a3/CHQC6qqYkGz2aBx3OZ3w=
+-----END PRIVATE KEY-----
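Review bot: `ca_key.pem` is the private key of the test CA, and nothing in this commit reads it. `test_tls.py` uploads only `ca`, `server_key` and `server_cert` and connects with `ca.pem`, `client_cert.pem` and `client_key.pem`, while `openssl_2way_auth.sh` generates a fresh CA key whenever it runs. Whoever holds this key can issue certificates that chain to `tls_new/ca.pem`, so the file is best left out of the repository. Failing that, the README next to it should state that every key under `tests/data` is a public test fixture and must never be used for a real deployment.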
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_cert.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_cert.pem
new file mode 100644
index 000000000..d0f348933
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQWNtZSBTdGF0ZTESMBAGA1UEBwwJQWNtZSBDaXR5MRIwEAYDVQQK
+DAlBY21lIEluYy4xFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTIwMDQxODE4MjAz
+NVoXDTMwMDQxODE4MjAzNVowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkFjbWUg
+U3RhdGUxEjAQBgNVBAcMCUFjbWUgQ2l0eTESMBAGA1UECgwJQWNtZSBJbmMuMRsw
+GQYDVQQDDBJjbGllbnQuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC/H/NjHx1yQYEiQF2he+RpkuubLJ83rpPKg6ArT+06SADYAmHM
+VYIG0QguIXn3Alp+VnRc5rqNgteQ6Z90ykrf9wY61PpPmUZd4LB7MXI04VlJqQhP
+MCt9O5Y53hV9ZXXxUwRJEZeC2qxMellDpwaO0G6RaWjjP/KpTIJfgvv0cEJdKBy4
+aJptr65dVg51JN3kNRWUf5hz5gKs2SwgBt2nkiRvSdo8lzxNQjeKKAcfGHEcUjB5
+DMNcCIMgFnW7S8aQVkFeOfQN3VOaDGfKA/lMxD9k93+cPIt9hiTwXPBvheaRiQrZ
+O1rDq9ctW4kf63H5zFOKJyaqhHoHpJ67ezs/AgMBAAGjPzA9MAwGA1UdEwEB/wQC
+MAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBROdFRq9lmHHgYayhAhnQ1D4RJ6
+0TANBgkqhkiG9w0BAQsFAAOCAQEAQ5fJIV6RhWLEACvxEA91e6NnT7WYNjcSV4Qq
+mJfQT7qEq8OrhLLCytew5HzWFrUt5hJvzp9j7T4oHTTqEggg0VABGBUdBAu5oi7j
+OAaT1sKekhe/LIBAeASMmgxlT+NzGBG0nUqUC4VI/36ZgiDDLbeeoPw3m4sZJ1KD
+EwVdI1HCIRA6Y0B8Fwlx2t6XFyiTsJoR3MlANyK+hRhdsFUWnLPmQBt4AGwJUhsU
+ljUDaz7D3qbl2V7nqxhChUVDIobDlw9v+asGzdsqll4EmNOszaQTGWhlv5BFbHoG
+u5ibVC6vISg27mbViL0OIQDNq016k8GJJZsLN/L0HMyyXYPcQQ==
+-----END CERTIFICATE-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_key.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_key.pem
new file mode 100644
index 000000000..80fe4e91a
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/client_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvx/zYx8dckGBIkBdoXvkaZLrmyyfN66TyoOgK0/tOkgA2AJh
+zFWCBtEILiF59wJaflZ0XOa6jYLXkOmfdMpK3/cGOtT6T5lGXeCwezFyNOFZSakI
+TzArfTuWOd4VfWV18VMESRGXgtqsTHpZQ6cGjtBukWlo4z/yqUyCX4L79HBCXSgc
+uGiaba+uXVYOdSTd5DUVlH+Yc+YCrNksIAbdp5Ikb0naPJc8TUI3iigHHxhxHFIw
+eQzDXAiDIBZ1u0vGkFZBXjn0Dd1TmgxnygP5TMQ/ZPd/nDyLfYYk8Fzwb4XmkYkK
+2Ttaw6vXLVuJH+tx+cxTiicmqoR6B6Seu3s7PwIDAQABAoIBAE3CihvCBRD/ZbKx
+zWZuKbhqdkFkHkNhW/ABLaFxm2si8HTyQygHgieT1GgwZpcA9iCAvEcv+KaqnVnw
+M1gpFd2Ze4dkL5NDIUYArMzyiSzKorE9fIv7ZTZGkBBrMwMZzKqqxAuWhLZQkdlr
+zfWgdyKT2uh+opYS5n/LCSAjAq+oaG7qICZq2V6NS2kKYJxBSnEalYaAQ++df3Bx
+D34iQA55AhKYrTcpwjmoVOxg5Itz8k1k07X+k8JQ953YHi8chwVDTFEG52cq+HVu
+tcMMrGEzYBzT4FjOsOZ3hjT7EVgTmEonQr26GuE5ZSjyvsfp05X+G40vBNu4SMRM
+WsT4PIECgYEA7MiO5mosIMW7ipoCEW5GCK7uJ+4H7d4EvKc4sCnxHnhVpH0kZU88
+4q7q8aKh25vKT5iNqCBE7SdJqlLGK1ooRQJqG2lXBElTDwOP71R8C8jfSNFFr1XI
+wbeqIJhuNveQPROep10UpwPG8JWAogYqr3lEky+loSuBvQSNjYnQPPkCgYEAzqLI
+iN5gHbQtza11iZkYESwDCyJNebynckhx3NLQQNQ1gUs3giO+HCO7Nqa4KbRhbmLn
+Ajan8dklNoTPSrGvFWRY5I098xbHQb35LPC1BPZDbI00VkJ3sGB4H0J9rf56sIDD
+BB5mN12xYNk4Jl1WgEurmxH5jWGLQmINUlBwX/cCgYAfQ1fCym/rH9BkO3Ncc8/h
+Y59kPERlvrOnaPjOIauJV2APaMp+adjjIS86Gjv+r/IlUkIZ2bDgExjh2S37GVtJ
+yUjTN7Rah4fk6pZ9hg0ezTXV+nOV8+Ce2y4mQZoDveoYdlezR1Hrv07sAwFJ40CN
+jJhmSps2zXTCzTAXaQPKmQKBgQCRa8pJWIa4INejShHP9mgTna++pDN2GyiUqxtG
+1y4skaveBDtaYSEn2JWmjopI/2MaNoxw6FolQDaKOclQvd+D5I0Su7v/WeZ9A99a
+m0Qp683jlTRiCIEHJb0j8r1UOCXMFbIpMeOpz0xH5lc32LRJsfdhOLMxppZE75CE
+f4u2XQKBgH3X+3p7T952Z2BtnaGXdjyu1XdE20S8FZrBAmC+NLoOA/bE2l66vwT0
+44v3v92DH27Z7rgyTDlPYJRtrKoIma6owOOHRLIMpiibXNUWcYANp9SgWcYrxW21
+nXIJj3zszWcDFa+shpQEgz0wOkFODbkDoae/dPTAYnmrUqY1fuar
+-----END RSA PRIVATE KEY-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/openssl_2way_auth.sh b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/openssl_2way_auth.sh
new file mode 100755
index 000000000..a6540fc87
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/openssl_2way_auth.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+set -euo pipefail
+
+BASE_DN="/C=US/ST=Acme State/L=Acme City/O=Acme Inc."
+
+WORKDIR=$(mktemp -d)
+trap "rm -rf $WORKDIR" EXIT
+
+CA_DAYS=$((3652 * 2))
+PEER_DAYS=$((3652 * 1))
+
+CONFIG_FILE=$WORKDIR/openssl.cnf
+CA_SERIAL_FILE=$WORKDIR/ca.srl
+echo 01 > $CA_SERIAL_FILE
+
+cat > $CONFIG_FILE <<EOL
+[req]
+default_bits = 2048
+distinguished_name = req_distinguised_name
+prompt = no
+serial = $CA_SERIAL_FILE
+default_md = sha256
+
+[req_distinguised_name]
+C = US
+ST = Acme State
+L = Acme City
+O = Acme Inc.
+CN = example.com
+
+[ca]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, keyCertSign
+subjectKeyIdentifier = hash
+
+[peer]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+EOL
+
+# Generate a self signed certificate for the CA along with a key.
+# NOTE: I'm using -nodes, this means that once anybody gets
+# their hands on this particular key, they can become this CA.
+openssl req \
+ -x509 \
+ -nodes \
+ -days $CA_DAYS \
+ -newkey rsa:2048 \
+ -keyout ca_key.pem \
+ -out ca.pem \
+ -config $CONFIG_FILE \
+ -extensions ca
+
+# Create server private key and certificate request
+openssl genrsa -out server_key.pem 2048
+openssl req -new \
+ -key server_key.pem \
+ -out $WORKDIR/server.csr \
+ -subj "$BASE_DN/CN=server.example.com"
+
+# Create client private key and certificate request
+openssl genrsa -out client_key.pem 2048
+openssl req -new \
+ -key client_key.pem \
+ -out $WORKDIR/client.csr \
+ -subj "$BASE_DN/CN=client.example.com"
+
+# Generate certificates
+openssl x509 -req -days $PEER_DAYS -in $WORKDIR/server.csr \
+ -CA ca.pem -CAkey ca_key.pem \
+ -out server_cert.pem \
+ -sha256 \
+ -CAserial $CA_SERIAL_FILE \
+ -extfile $CONFIG_FILE \
+ -extensions peer
+openssl x509 -req -days $PEER_DAYS -in $WORKDIR/client.csr \
+ -CA ca.pem -CAkey ca_key.pem \
+ -out client_cert.pem \
+ -sha256 \
+ -CAserial $CA_SERIAL_FILE \
+ -extfile $CONFIG_FILE \
+ -extensions peer
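Review bot: Both the server and the client certificate are issued from the same `[peer]` extension section, which sets neither `extendedKeyUsage` nor `subjectAltName`. Without an EKU the two certificates are interchangeable in role for any verifier that trusts this CA, and without a SAN the test client cannot check the server name, which is presumably why `test_tls.py` sets `check_hostname = False`. Splitting the section as below and passing `-extensions server` and `-extensions client` to the two `openssl x509 -req` calls would address both. The `IP:127.0.0.1` entry is an assumption taken from `HOST` in `settings.py`, and the committed certificates would need regenerating.

```shell
# … unchanged: [req], [req_distinguised_name] and [ca] sections of the here-document …

[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
subjectKeyIdentifier = hash

[client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOL
# … unchanged: CA creation, key and CSR generation …
```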
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_cert.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_cert.pem
new file mode 100644
index 000000000..8564438cb
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_key.pem b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_key.pem
new file mode 100644
index 000000000..6c81826a6
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/data/tls_new/server_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/nctest.py b/test/mocks/netconf-pnp-simulator/engine/tests/nctest.py
index 11ff6ffc4..c508ca47a 100644
--- a/test/mocks/netconf-pnp-simulator/engine/tests/nctest.py
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/nctest.py
@@ -1,4 +1,4 @@
-import logging.config
+import logging
from ncclient import manager, operations
@@ -38,9 +38,9 @@ class NCTestCase:
def setup(self):
self.nc = manager.connect(
host=settings.HOST,
- port=settings.PORT,
+ port=settings.SSH_PORT,
username=settings.USERNAME,
- key_filename=settings.KEY_FILENAME,
+ key_filename=settings.SSH_KEY_FILENAME,
allow_agent=False,
look_for_keys=False,
hostkey_verify=False)
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/settings.py b/test/mocks/netconf-pnp-simulator/engine/tests/settings.py
index 124e333cd..0c665c738 100644
--- a/test/mocks/netconf-pnp-simulator/engine/tests/settings.py
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/settings.py
@@ -2,6 +2,7 @@ import os
HOST = "127.0.0.1"
# Set by tox-docker
-PORT = int(os.environ["NETCONF_PNP_SIMULATOR_830_TCP_PORT"])
+SSH_PORT = int(os.environ["NETCONF_PNP_SIMULATOR_830_TCP_PORT"])
+TLS_PORT = int(os.environ["NETCONF_PNP_SIMULATOR_6513_TCP_PORT"])
USERNAME = "netconf"
-KEY_FILENAME = "../config/ssh/id_rsa"
+SSH_KEY_FILENAME = "../config/ssh/id_rsa"
diff --git a/test/mocks/netconf-pnp-simulator/engine/tests/test_tls.py b/test/mocks/netconf-pnp-simulator/engine/tests/test_tls.py
new file mode 100644
index 000000000..f0adf447f
--- /dev/null
+++ b/test/mocks/netconf-pnp-simulator/engine/tests/test_tls.py
@@ -0,0 +1,115 @@
+import os
+import socket
+import ssl
+import tarfile
+import tempfile
+import time
+from io import StringIO
+from typing import List
+
+import docker
+import pytest
+from docker.models.containers import Container
+from lxml import etree
+from ncclient.transport.ssh import MSG_DELIM
+
+import settings
+
+HELLO_DTD = etree.DTD(StringIO("""
+<!ELEMENT hello (capabilities, session-id)>
+<!ATTLIST hello xmlns CDATA #REQUIRED>
+<!ELEMENT capabilities (capability+)>
+<!ELEMENT capability (#PCDATA)>
+<!ELEMENT session-id (#PCDATA)>
+"""))
+
+INITIAL_CONFIG_DIR = "data/tls_initial"
+NEW_CONFIG_DIR = "data/tls_new"
+
+
+class TestTLS:
+ container: Container
+
+ @classmethod
+ def setup_class(cls):
+ dkr = docker.from_env()
+ containers = dkr.containers.list(filters={"ancestor": "netconf-pnp-simulator:latest"})
+ assert len(containers) == 1
+ cls.container = containers[0]
+
+ def test_tls_connect(self):
+ nc_connect(INITIAL_CONFIG_DIR)
+
+ @pytest.mark.parametrize("round_id", [f"round #{i + 1}" for i in range(6)])
+ def test_tls_reconfiguration(self, round_id):
+ # pylint: disable=W0613
+ self.reconfigure_and_check(NEW_CONFIG_DIR, INITIAL_CONFIG_DIR)
+ self.reconfigure_and_check(INITIAL_CONFIG_DIR, NEW_CONFIG_DIR)
+
+ def reconfigure_and_check(self, good_config_dir: str, bad_config_dir: str):
+ with simple_tar([f"{good_config_dir}/{b}.pem" for b in ["ca", "server_key", "server_cert"]]) as config_tar:
+ status = self.container.put_archive(f"/config/tls", config_tar)
+ assert status
+ test_start = int(time.time())
+ exit_code, (_, err) = self.container.exec_run("/opt/bin/reconfigure-tls.sh", demux=True)
+ if exit_code != 0:
+ print(f"reconfigure-tls.sh failed with rc={exit_code}")
+ log_all("stderr", err)
+ log_all("Container Logs", self.container.logs(since=test_start))
+ assert False
+ nc_connect(good_config_dir)
+ # Exception matching must be compatible with Py36 and Py37+
+ with pytest.raises(ssl.SSLError, match=r".*\[SSL: CERTIFICATE_VERIFY_FAILED\].*"):
+ nc_connect(bad_config_dir)
+
+
+def log_all(heading: str, lines: object):
+ print(f"{heading}:")
+ if isinstance(lines, bytes):
+ lines = lines.decode("utf-8")
+ if isinstance(lines, str):
+ lines = lines.split("\n")
+ for line in lines:
+ print(" ", line)
+
+
+def simple_tar(paths: List[str]):
+ file = tempfile.NamedTemporaryFile()
+ with tarfile.open(mode="w", fileobj=file) as tar:
+ for path in paths:
+ abs_path = os.path.abspath(path)
+ tar.add(abs_path, arcname=os.path.basename(path), recursive=False)
+ file.seek(0)
+ return file
+
+
+def nc_connect(config_dir: str):
+ with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
+ context = ssl.create_default_context()
+ context.load_verify_locations(f"{config_dir}/ca.pem")
+ context.load_cert_chain(certfile=f"{config_dir}/client_cert.pem", keyfile=f"{config_dir}/client_key.pem")
+ context.check_hostname = False
+ with context.wrap_socket(sock, server_side=False, server_hostname=settings.HOST) as conn:
+ conn.connect((settings.HOST, settings.TLS_PORT))
+ buf = nc_read_msg(conn)
+ print(f"Received NETCONF HelloMessage:\n{buf}")
+ conn.close()
+ assert buf.endswith(MSG_DELIM)
+ hello_root = etree.XML(buf[:-len(MSG_DELIM)])
+ valid = HELLO_DTD.validate(hello_root)
+ if not valid:
+ log_all("Invalid NETCONF <hello> msg", list(HELLO_DTD.error_log.filter_from_errors()))
+ assert False
+
+
+def nc_read_msg(conn: ssl.SSLSocket):
+ buf = ''
+ while True:
+ data = conn.recv(4096)
+ if data:
+ buf += data.decode(encoding="utf-8")
+ if buf.endswith(MSG_DELIM):
+ break
+ else:
+ break
+ return buf
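Review bot: `nc_connect` creates its socket without a timeout, so a server that completes the TLS handshake but never sends its `<hello>` leaves `conn.recv(4096)` in `nc_read_msg` blocked and the test run hanging instead of failing. Calling `sock.settimeout(10)` right after the socket is created (the value is only an example) turns that into an ordinary test failure. `context.check_hostname = False` deserves a comment such as `# fixtures are presumably not issued for HOST; chain verification (CERT_REQUIRED) stays enabled`, so the setting is not copied elsewhere without noticing that only the chain is checked. The two bare `assert False` statements would read better as `pytest.fail("...")` carrying the reason.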
diff --git a/test/mocks/netconf-pnp-simulator/engine/tox.ini b/test/mocks/netconf-pnp-simulator/engine/tox.ini
index 20870cf5e..2ad8a166e 100644
--- a/test/mocks/netconf-pnp-simulator/engine/tox.ini
+++ b/test/mocks/netconf-pnp-simulator/engine/tox.ini
@@ -29,6 +29,8 @@ docker =
deps =
pytest
+ docker
+ lxml
ncclient
commands = pytest -v