Simulating SSL outages with Go

Noam Tenne
Feb 18, 2020

What could go wrong?

Everything could go wrong.

Sometimes that “thing” is the expiry or invalidity of the SSL certificates for services we use.

Say your webapp uses an API provided by a third-party service. How will it behave during an SSL malfunction? Don’t guess, test!

In this post we’ll learn how to simulate this scenario using Go.

A really nice part of Go’s standard library is the test-friendly HTTP server provided by the httptest package.
Hopefully you already use this package to test how your code interacts with other services.

Testing Interactions With External Services

One good strategy is to maintain the URL of the external service as a variable that could be defined at execution time, like an environment variable:

And then test the service using httptest:

SSL Related Outages

A very common issue is certificate expiry. Let’s test for that!

First we’ll add a method that generates an expired certificate:

The interesting parts here are at lines 11 and 12, where we can control the duration of the certificate’s validity. In our case it’s valid until an hour before creation.

Once we’ve created the certificate, we can feed it to our test server:

Notice how we now create a TLS server rather than an ordinary server.
Now your test will fail with an error like:

x509: certificate has expired or is not yet valid

Excellent!

Further Scenarios

Another scenario which we can now test is a case where the certificate has been signed by an unrecognized authority.

By changing the expired certificate’s dates to a valid range, we get a valid self-signed certificate. Your application should reject this type of certificate, and now you can test for it!
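Both scenarios above (an expired certificate, and an in-date but self-signed one) in a single runnable program. This is an added example, not the post's original code: the `probe` helper and its result strings are assumptions, and it matches on Go's typed x509 errors rather than on the message text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// probe (hypothetical helper) serves a self-signed cert valid over [now+from, now+to] and classifies the client error.
func probe(from, to time.Duration) string {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "setup: " + err.Error()
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value
		NotBefore:    time.Now().Add(from),
		NotAfter:     time.Now().Add(to), // a time in the past yields an expired certificate
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // httptest binds to loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // template == parent: self-signed
	if err != nil {
		return "setup: " + err.Error()
	}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := (&http.Client{Transport: &http.Transport{}}).Get(srv.URL) // system roots; srv.Client() would trust the cert
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		resp.Body.Close()
		return "accepted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority"
	}
	return "other: " + err.Error()
}
func main() { fmt.Println(probe(-2*time.Hour, -time.Hour), "|", probe(-time.Hour, time.Hour)) }
```

On macOS and Windows Go hands verification to the platform verifier, so the error returned for the self-signed case may differ from the one matched here.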
