2017-06-14 10:33:29 +03:00
# TLS Canary
2016-10-05 15:59:44 +03:00
2017-07-14 14:03:38 +03:00
[![Build Status ](https://travis-ci.org/mozilla/tls-canary.svg?branch=master )](https://travis-ci.org/mozilla/tls-canary)
[![License ](https://img.shields.io/badge/license-MPL2-blue.svg )](https://raw.githubusercontent.com/mozilla/tls-canary/master/LICENSE.txt)
2017-06-14 10:33:29 +03:00
[![PyPI Package version ](https://badge.fury.io/py/tlscanary.svg )](https://pypi.python.org/pypi/tlscanary)
TLS Canary is a [TLS/SSL ](https://en.wikipedia.org/wiki/Transport_Layer_Security ) testing framework for the
[Mozilla Firefox ](https://www.mozilla.org/firefox ) web browser. It is used by developers to run regression and
2017-06-19 12:43:08 +03:00
performance tests against a large number of HTTPS-enabled hosts on the Internet.
2017-06-14 10:33:29 +03:00
Results of the regression scans are published in HTML format here:
* http://tlscanary.mozilla.org
2016-10-05 15:59:44 +03:00
2016-11-22 11:55:59 +03:00
## This project
2017-06-14 10:33:29 +03:00
* Downloads a test build and a base build of Firefox for comparison.
2017-06-19 12:43:08 +03:00
* Automatically queries thousands of secure sites with those builds.
* Diffs the results and presents potential regressions in an report for further diagnosis.
2017-06-14 10:33:29 +03:00
* Does performance regression testing.
* Extracts SSL state information.
2017-07-03 21:56:22 +03:00
* Can also use local Firefox build trees or package files for testing.
2017-06-19 12:43:08 +03:00
* Can maintain an updated list of HTTPS-enabled top sites.
* Requires a highly reliable network link. **WiFi will give unstable results.**
2016-10-05 15:59:44 +03:00
2017-06-15 19:17:54 +03:00
## IRC channel
The project has a dedicated IRC channel: [#tlscanary on irc.mozilla.org](
https://mibbit.com/?server=irc.mozilla.org& channel=%23tlscanary). Come talk to us!
2017-03-21 22:42:36 +03:00
## Requirements
2018-08-27 20:31:35 +03:00
* Python 3.6+
2017-03-24 03:33:06 +03:00
* 7zip
2018-08-22 15:40:00 +03:00
* Go 1.7 or later
2016-11-22 11:55:59 +03:00
* OpenSSL-dev
* libffi-dev
2017-03-21 22:42:36 +03:00
2017-06-19 12:43:08 +03:00
### Dependencies for Debian and Ubuntu users
Assuming that you run TLS Canary on a regular graphical desktop machine, these are the packages it requires:
2017-06-14 10:33:29 +03:00
```
2018-08-27 20:31:35 +03:00
sudo apt-get install python3 python3-dev gcc golang-1.9-go p7zip-full libssl-dev libffi-dev
2017-06-14 10:33:29 +03:00
```
The script [linux_bootstrap.sh ](bootstrap/linux_bootstrap.sh ) provides bootstrapping for a headless Ubuntu-based EC2
2017-06-19 12:43:08 +03:00
instance which requires installation of a few standard GUI libraries for running Firefox.
The script may or may not work for your other favourite Debian-based distribution.
2017-03-21 22:42:36 +03:00
2017-06-14 10:33:29 +03:00
### Dependencies for Mac users
Assuming that your're using [Homebrew ](https://brew.sh/ ) for package management, this should set you up:
2017-06-09 23:58:04 +03:00
```
2017-07-14 14:03:38 +03:00
brew install openssl libffi python p7zip go
2017-06-09 23:58:04 +03:00
```
2017-06-08 14:34:37 +03:00
2017-07-14 14:03:38 +03:00
The script [osx_bootstrap.sh ](bootstrap/osx_bootstrap.sh ) provides bootstrapping for Travis CI's Mac OS X instances
using homebrew for package management. It may work for your OS X desktop environment as well.
2017-06-14 10:33:29 +03:00
### Dependencies for Windows users
Windows support targets **PowerShell 5.1** on **Windows 10** . Windows 7 and 8 are generally able to run TLS Canary,
but expect minor unicode encoding issues in terminal logging output.
2017-06-08 14:34:37 +03:00
2017-06-14 10:33:29 +03:00
First, [install Chocolatey ](https://chocolatey.org/install ), then run the following command in an admin PowerShell
to install the dependencies:
2017-06-09 23:58:04 +03:00
```
2018-08-27 20:31:35 +03:00
choco install 7zip.commandline git golang openssh python3
2017-06-09 23:58:04 +03:00
```
2017-06-14 10:33:29 +03:00
## For end users
2017-06-19 12:43:08 +03:00
TLS Canary can be installed as a stable package from PyPI and as experimental package directly from GitHub.
2017-06-14 10:33:29 +03:00
The following command will install the latest stable release of TLS Canary to your current Python environment:
```
2018-08-27 20:31:35 +03:00
pip3 install [--user] --upgrade tlscanary
2017-06-14 10:33:29 +03:00
```
2017-06-19 12:43:08 +03:00
Whether or not you require the `--user` flag depends on how your Python environment is set up. Most Linux distributions
require it when not installing Python packages as root.
If you prefer the bleeding-edge developer version with the latest features and added instability, you can run
2017-06-14 10:33:29 +03:00
```
2018-08-27 20:31:35 +03:00
pip3 install [--user] --upgrade git+git://github.com/mozilla/tls-canary.git
2017-06-14 10:33:29 +03:00
```
2017-06-19 12:43:08 +03:00
Once it finishes the `tlscanary` binary is available in your Python environment:
2017-06-14 10:33:29 +03:00
```
tlscanary --help
2017-06-15 19:17:54 +03:00
tlscanary regression --help
tlscanary log --help
2017-06-14 10:33:29 +03:00
```
## Usage examples
```bash
# Run a quick regression test against the first 50000 hosts in the default `top` database
2017-06-15 19:17:54 +03:00
tlscanary regression -l 50000
2017-06-14 10:33:29 +03:00
# Compile a fresh 'top 1000' host database called `mini`
2017-06-15 19:17:54 +03:00
tlscanary srcupdate -s mini -l 1000 -x1
2017-06-14 10:33:29 +03:00
# Show a list of available host databases
2017-06-15 19:17:54 +03:00
tlscanary srcupdate -s list
2017-06-14 10:33:29 +03:00
# Use your fresh `mini` database for a quick regession test and see lots of things happening
2017-06-15 19:17:54 +03:00
tlscanary --debug regression -s mini
2017-06-14 10:33:29 +03:00
```
Please refer to the complete argument and mode references below.
2017-06-15 19:17:54 +03:00
### Run log and reporting
TLS Canary collects all run log data in `~/.tlscanary/log` . The format is somewhat JSONny, but heavily compressed
to save disk space. Canary logs can get very big very fast when a run returns many results.
Here are some usage examples how to interact with TLS Canary's run log database:
```bash
# List all logs in database, including incomplete ones markes with (*)
tlscanary log
# List and then delete incomplete logs
tlscanary log -i incomplete
tlscanary log -i incomplete -a delete # just a dry-run
tlscanary log -i incomplete -a delete --really
# Print complete regression logs as JSON array to terminal
tlscanary log -i regression -e incomplete -a json
# Print JSON report of the last two runs to terminal
tlscanary log -i 2 -a json
# Create an HTML report in /tmp/report for completed regression runs
tlscanary log -i regression -e incomplete -a htmlreport -o /tmp/report
```
### Canary run modes
Run modes are specified via the mandatory positional `mode` parameter. See `tlscanary <mode> --help` for mode-specific
arguments.
Mode | Description
-----|-----
log | Performs various actions on run logs collected by performance, regression, and scan runs. See `tlscanary log --help` .
performance | Runs a performance analysis against the hosts in the test set. Use `--scans` to specify how often each host is tested.
2019-10-18 23:33:17 +03:00
regression | Runs a TLS regression test, comparing the 'test' candidate against the 'baseline' candidate. Only reports errors that are new to the test candidate. No error generated by baseline can make it to the report.
2017-06-15 19:17:54 +03:00
scan | This mode only collects connection state information for every host in the test set.
srcupdate | Compile a fresh set of TLS-enabled 'top' sites from the *Umbrella Top 1M* list. Use `-l` to override the default target size of 500k hosts. Use `-x` to adjust the number of passes for errors. Use `-x1` for a factor two speed improvement with slightly less stable results. Use `-b` to change the Firefox version used for filtering. You can use `-s` to create a new database, but you can't make it the default. Databases are written to `~/.tlscanary/sources/` .
### Command line arguments for test runs
The run modes `performance` , `regression` , and `scan` share a common set command line arguments:
Argument | Choices / **default** | Description
----------|----------|----------
-b --base | **release** , nightly, beta, aurora, esr, *build tree* , *package file* | Baseline test candidate to test against. Only used by comparative test modes.
2017-10-24 02:27:59 +03:00
-c --cache | false | Enable content caching in profiles
2017-06-15 19:17:54 +03:00
-d --debug | | Enable verbose debug logging to the terminal
-f --filter | 0, **1** | The default filter level 1 removes network timeouts from reports which may appear spuriously. Filter level 0 applies no filtering.
-h --help | | Longer usage information
-j --parallel | 4 | Number of parallel firefox worker instances the host set will be distributed among
2017-07-07 22:44:18 +03:00
-l --limit | 100000 | The number of hosts in the test set is limited to the given number. Default is 100000 hosts. You can increase the limit, but such runs will require LOTS of memory (90 GBytes and more) and can cause instability.
2017-06-15 19:17:54 +03:00
-m --timeout | 10 | Request timeout in seconds. Running more requests in parallel increases network latency and results in more timeouts.
-n --requestsperworker | 50 | Chunk size of hosts that a worker will query in parallel.
-o --onecrl | **production** , stage, custom | OneCRL revocation list to install to the test profiles. `custom` uses a pre-configured, static list.
-s --source | **top** , list, ... | Set of hosts to run the test against. Pass `list` to get info on available test sets.
-t --test | release, **nightly** , beta, aurora, esr, *build tree* , *package file* | Specify the main test candidate. Used by every run mode.
2017-10-24 02:27:59 +03:00
-u --max_timeout | 20 | Maximum request timeout in seconds. Each scan increases the timeout, up to this value
2017-06-15 19:17:54 +03:00
-w --workdir | ** ~/.tlscanary** | Directory where cached files and other state is stored
2017-10-24 02:27:59 +03:00
-x --scans | 3 | Number of scans to run against each host during performance or regression mode.
2017-06-15 19:17:54 +03:00
MODE | performance, regression, scan, srcupdate | Test mode to run, given as positional parameter. This is a mandatory argument.
2017-06-14 10:33:29 +03:00
## For developers
For development you will additionally need to install:
* git
* virtualenv (highly recommended)
2017-06-19 12:43:08 +03:00
*git* can be installed with your favourite package manager. *virtualenv* comes with a simple
`pip install [--user] virtualenv` .
2017-06-14 10:33:29 +03:00
### Developing on Linux or Mac
2017-06-19 12:43:08 +03:00
These are the commands that set you up for TLS Canary development work:
2017-06-14 10:33:29 +03:00
```
git clone https://github.com/mozilla/tls-canary
cd tls-canary
2018-08-27 20:31:35 +03:00
virtualenv -p python3 venv
2017-06-14 10:33:29 +03:00
source venv/bin/activate
pip install -e .[dev]
```
2017-06-19 12:43:08 +03:00
The latter command should be used regularly to install new Python dependencies that a TLS Canary update might require.
2017-06-14 10:33:29 +03:00
### Developing on Windows
Developing TLS Canary on Windows is not something we practice regularly. If you encounter quirks along the way,
please do not hesitate to open an issue here on GitHub. The following commands, executed in a PowerShell session
2017-06-19 12:43:08 +03:00
with user privileges, should set you up for TLS Canary development:
2017-06-09 23:58:04 +03:00
```
git clone https://github.com/mozilla/tls-canary
cd tls-canary
2018-08-27 20:31:35 +03:00
virtualenv -p c:\python36\python.exe venv
2017-06-09 23:58:04 +03:00
venv\Scripts\activate
2017-06-14 10:33:29 +03:00
pip install -e .[dev]
2017-06-09 23:58:04 +03:00
```
2016-11-22 11:55:59 +03:00
2017-06-14 10:33:29 +03:00
### Running tests
There are two ways to run the test suite:
```
python setup.py test
2017-07-09 03:05:06 +03:00
nosetests -v
2017-06-14 10:33:29 +03:00
```
They are largely equivalent, but the former takes care of missing test dependencies, while running `nosetests`
2017-07-09 03:05:06 +03:00
directly offers more control. To get test coverage, for example, use
```
nosetests -v --with-coverage --cover-erase --cover-package=tlscanary
```
2017-06-14 10:33:29 +03:00
### Installing the pre-commit hook for git
2017-06-19 12:43:08 +03:00
There's a pre-commit hook for git that you can use for automated [PEP 8 ](https://www.python.org/dev/peps/pep-0008/ )
violations checking. You can install it by running
2017-06-15 21:27:05 +03:00
```
ln -sf ../../hooks/pre-commit .git/hooks/
```
2017-06-14 10:33:29 +03:00
in the top-level project directory. By using a symbolic link, you will automatically get updates once the hook
in the repo changes. This is highly recommended. You can also copy the script manually, but then you have to
2017-06-19 12:43:08 +03:00
take care of updates yourself.