Adding client ssl testing
Creation of the Client Certificate
The creation is identical to the server certificates with one exception. For the client, it was necessary to create one additional file: A .pfx file. This is used by browsers like Chrome and Firefox to authenticate using client authentication. It is a binary file that contains information about the authority as well as the key and certificate of the client.
| File | Creation Command |
|---|---|
client.key |
openssl genrsa -out gitlab.test.key 4096 |
client.csr |
openssl req -new -key gitlab.test.key -out gitlab.test.csr |
client.crt |
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt |
client.pfx |
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt |
Dockerfile
We need to add the client certificate file to the browser database using the NSS tools. We create the folder structure and populating it with the pfx file.
Problems
As mentioned in this comment, we have the problem that chrome and chromium have a bug inside the headless mode. It prevents us from executing any tests (and even testing the test inside an orchestrated environment).
Solution
The best solution until we have a broader testing environment (selenium grid or multi-browser testing), we have implemented a contemporary solution. We give the user the ability to automatically set up a usable environment with Nginx client SSL enabled. Additionally, we provide the needed client SSL inside the project to just add to the browser you wish to use. This makes it possible to use the created environment.
A video was created to explain the process a bit more and show how it works: https://www.youtube.com/watch?v=HA_Ejk6MRI8