Merge pull request #123 from tls-attacker/docs-update

update docs to simplify quickstart and add infos about the docker lib

Author: Conradowatz

Dockerfile

@@ -1,4 +1,4 @@
-FROM maven:3.9.9-eclipse-temurin-21-jammy as build-tlsanvil
+FROM maven:3.9.9-eclipse-temurin-21-jammy AS build-tlsanvil
 COPY ./TLS-Test-Framework /src/TLS-Test-Framework/
 COPY ./TLS-Testsuite /src/TLS-Testsuite/
 COPY ./pom.xml /src/

Docs/docs/01-Quick-Start/00-index.md

@@ -1,17 +1,26 @@
 # Quick Start
 
-The quick start guide is showing you how to use TLS-Anvil to test a TLS server or client. This is basically a two step process. First TLS-Anvil is executed to perform the tests against the OpenSSL example server and client. TLS-Anvil as well as the OpenSSL server/client will run inside a Docker container. The TLS server/client images are provided by the TLS-Docker-Library project which we released alongside TLS-Anvil.
+The quick start guide is showing you how to use TLS-Anvil to test a TLS server or client.
+This is basically a two step process.
 
-The second step is to analyze the results. Those are going to be imported into a web application that visualizes the results for each test case. The application is also able to inspect every connection between TLS-Anvil and the tested target at TCP message level.
+First TLS-Anvil is executed to perform the tests against the OpenSSL example server and client.
+We will use OpenSSL as an example implementation here.
+TLS-Anvil as well as the OpenSSL server/client will run inside a Docker container.
+The OpenSSL server/client images are provided by the TLS-Docker-Library project which we released alongside TLS-Anvil.
+So see how you can test against other implementations that are inside the TLS-Docker-Library see [Using the TLS-Docker-Library](/docs/Docker-Library).
+
+The second step is to analyze the results.
+Those are going to be imported into a web application that visualizes the results for each test case.
+The application is also able to inspect every connection between TLS-Anvil and the tested target at TCP message level.
 
 ### Requirements
 
 - Docker
-- Python (for using TLS-Docker-Library)
+- Python *(optional, for using TLS-Docker-Library to test other implementations)*
 
-### GitHub Repos
+### GitHub Repositories
 
-- TLS-Anvil (Testsuite)
-- TLS-Docker-Library (optional, for test server and clients)
-- Anvil-Web (optional, for a graphical user interface)
+- [TLS-Anvil](https://github.com/tls-attacker/tls-anvil) (Testsuite)
+- [TLS-Docker-Library](https://github.com/tls-attacker/tls-docker-library) *(optional, images of TLS implementations)*
+- [Anvil-Web](https://github.com/tls-attacker/anvil-web) *(optional, for a graphical user interface and to analyze reports)*
 

Docs/docs/01-Quick-Start/01-Server-Testing.md

@@ -1,28 +1,36 @@
 # Server Testing
 
-This site demonstrates how to test the OpenSSL server provided by the TLS-Docker-Library.
-Testing the server in the most simple form roughly takes around 10 minutes. However, this duration can increase to several depending on the strength parameter that that basically defines how often a single test case triggered with different parameters.
+This site demonstrates how to test an OpenSSL server provided by the TLS-Docker-Library.
+You can of course also test other implementations, for example by [using the TLS-Docker-Library](/docs/Docker-Library) or by running your own server binary.
+
+Testing the server in the most simple form roughly takes around 10-20 minutes.
+However, this duration can increase to several depending on the strength parameter that basically defines how often a single test case is performed with different parameters.
 
 ### Preparations
 
-The server we will use, is found in the [TLS-Docker-Library](https://github.com/tls-attacker/tls-docker-library).
+:::info
 
-Before the server is able to do anything we need to generate a TLS certificate. Inside the TLS-Docker-Library repo, run:
+The server image we will use, is prebuilt by us using the [TLS-Docker-Library](https://github.com/tls-attacker/tls-docker-library).
+We included certificates in the container, so that you do not have to generate them yourself.
 
-```bash
-./setup.sh
-```
+:::
 
-Next we create a dedicated docker network that is used by the TLS-Anvil and OpenSSL server container to communicate with each other.
+For better compatibility, we create a dedicated docker network that is used by TLS-Anvil and the OpenSSL server container to communicate with each other.
 
 ```bash
 docker network create tls-anvil
 ```
 
 ### Starting the OpenSSL Server
 
+:::info
+
 As mentioned before, we use OpenSSL as an example. In this case the server uses an RSA certificate. However, TLS-Anvil works with any certificate and automatically adapts the tests to the given circumstances.
 
+:::
+
+Starting the server can be done with the following command. This will download a pre-built image from our GitHub registry, and run it.
+
 ```bash showLineNumbers
 docker run \
     -d \
@@ -42,7 +50,7 @@ docker run \
 
 ### Starting TLS-Anvil
 
-Finally TLS-Anvil is started. The current directory is mounted to the docker container and used to store the results.
+After that, TLS-Anvil is started. The current directory is mounted to the docker container and used to store the results. We connect to the server using its docker hostname `openssl-server`, which is possible since they are on the same docker network.
 
 ```bash showLineNumbers
 docker run \
@@ -52,6 +60,7 @@ docker run \
     --network tls-anvil \
     -v $(pwd):/output/ \
     ghcr.io/tls-attacker/tlsanvil:latest \
+    -zip \
     -parallelHandshakes 1 \
     -connectionTimeout 200 \
     -strength 1 \
@@ -63,8 +72,13 @@ docker run \
 * Lines 2-5: Docker related command flags
 * Line 6: Set the output directory through a docker volume
 * Line 7: Specifies the TLS-Anvil docker image
-* Line 8: Since the OpenSSL example server is single threaded, we can only perform one handshakes sequentially
-* Line 9: We run our server locally, so we can reduce the timeout to 200ms.
-* Line 10: Defines the strength, i.e. the `t` for t-way combinatorial testing
-* Line 12: We want to test a server
-* Line 13: Determines the details how TLS-Anvil should connect to the server
+* Line 8: Zip the results, that way we can easily import them into Anvil-Web later
+* Line 9: Since the OpenSSL example server is single threaded, we can only perform one handshakes sequentially
+* Line 10: We run our server locally, so we can reduce the timeout to 200ms.
+* Line 11: Defines the strength, i.e. the `t` for t-way combinatorial testing
+* Line 13: We want to test a server
+* Line 14: Determines the details how TLS-Anvil should connect to the server
+
+### What now?
+After the testsuite finished you should see a folder named `TestSuiteResults_...` which contains all the results.
+To analyze them, go to [Viewing Results](Anvil-Web).

Docs/docs/01-Quick-Start/02-Client-Testing.md

@@ -1,11 +1,14 @@
 # Client Testing
 
 This site demonstrates how to test the OpenSSL client provided by the TLS-Docker-Library.
-Testing the client in the most simple form roughly takes around 15 minutes. However, this duration can increase to several depending on the strength parameter that that basically defines how often a single test case triggered with different parameters.
+You can of course also test other implementations, for example by [using the TLS-Docker-Library](/docs/Docker-Library) or by running your own client binary.
+
+Testing the client in the most simple form roughly takes around 15 minutes.
+However, this duration can increase to several depending on the strength parameter that basically defines how often a single test case is performed with different parameters.
 
 ### Preparations
 
-Similar to the server test we first create a dedicated docker network that is used by the TLS-Anvil and OpenSSL client container to communicate with each other.
+Similar to the server test we first create a dedicated docker network that is used by the TLS-Anvil and OpenSSL client container to communicate with each other. If it is already created, no need to recreate it.
 
 ```bash
 docker network create tls-anvil
@@ -14,6 +17,7 @@ docker network create tls-anvil
 ### Starting the TLS-Anvil container
 
 Since the client has to connect to TLS-Anvil the test suite container is started first.
+After starting, the testsuite is waiting for the client to connect, so leave the terminal open.
 
 ```bash showLineNumbers
 docker run \
@@ -23,6 +27,7 @@ docker run \
     --name tls-anvil \
     -v $(pwd):/output/ \
     ghcr.io/tls-attacker/tlsanvil:latest \
+    -zip \
     -parallelHandshakes 3 \
     -parallelTests 3 \
     -strength 1 \
@@ -35,19 +40,28 @@ docker run \
 * Lines 2-5: Docker related command flags
 * Line 6: Set the output directory through a docker volume
 * Line 7: Specifies the TLS-Anvil docker image
-* Lines 8-9: Since the client can started multiple times, TLS-Anvil can run multiple tests and handshakes in parallel
-* Line 10: Defines the strength, i.e. the `t` for t-way combinatorial testing
-* Line 11: Defines an arbitrary name that is written to the report
-* Line 12: We want to test a client
-* Line 13: The port on which TLS-Anvil listens to accept requests from the client
-* Line 14: Specifies a script that is executed before each handshake, which the goal to trigger a connection from the client. See below how this works.
+* Line 8: Zip the results, that way we can easily import them into Anvil-Web later
+* Lines 9-10: Since the client can started multiple times, TLS-Anvil can run multiple tests and handshakes in parallel
+* Line 11: Defines the strength, i.e. the `t` for t-way combinatorial testing
+* Line 12: Defines an arbitrary name that is written to the report
+* Line 13: We want to test a client
+* Line 14: The port on which TLS-Anvil listens to accept requests from the client
+* Line 15: Specifies a script that is executed before each handshake, which the goal to trigger a connection from the client. See below how this works.
 
 ### Starting the OpenSSL client container
 
-The OpenSSL client image is provided by the TLS-Docker-Library. The entrypoint of the client images is a small HTTP server that provides two REST-API endpoints on port 8090.
+:::info
+
+As mentioned before, we use OpenSSL as an example.
+The OpenSSL client image in this example is prebuilt using the [TLS-Docker-Library](https://github.com/tls-attacker/tls-docker-library). The entrypoint of the client images is a small HTTP server that provides two REST-API endpoints on port 8090.
 * `GET /trigger` starts the client
 * `GET /shutdown` shutdown the HTTP server to terminate the container
 
+:::
+
+Starting the client can be done with the following command. This will download a pre-built image from our GitHub registry, and run it.
+Since TLS-Anvil is already running, open another terminal to start the client.
+
 ```bash showLineNumbers
 docker run \
     -d \
@@ -61,3 +75,7 @@ docker run \
 * Lines 2-5: Docker related command flags
 * Line 6: Specifies the OpenSSL client image from the TLS-Docker-Library
 * Line 7: This is passed to the OpenSSL `s_client` binary, which is started each time a HTTP-GET request is sent to `:8090/trigger`.
+
+### What now?
+After the testsuite finished you should see a folder named `TestSuiteResults_...` which contains all the results.
+To analyze them, go to the next page.

Docs/docs/01-Quick-Start/03-Anvil-Web.md

@@ -3,22 +3,24 @@ import Definition from '@site/src/components/Definition';
 
 # Viewing Results
 
-TLS-Anvil stores the test results in multiple `json` files. In addition the network traffic is captured during the execution. Since analyzing those files by hand is tedious, we created a small web application to get the job done.
+TLS-Anvil stores the test results in multiple `json` files. In addition the network traffic is captured during the execution. Since analyzing those files by hand is tedious, we created a web application called **Anvil-Web** to get the job done.
 
-The result analyzer application is also shipped as docker container. Since a database is required, `docker-compose` is the easiest way to start the application. The `docker-compose.yml` file is part the [Anvil-Web GitHub Repo](https://github.com/tls-attacker/Anvil-Web).
+The result analyzer application is also shipped as docker container. Since a database is required, `docker compose` is the easiest way to start the application. The `docker-compose.yml` file is part the [Anvil-Web GitHub Repo](https://github.com/tls-attacker/Anvil-Web).
 
 [Download docker-compose.yml](https://github.com/tls-attacker/Anvil-Web/blob/main/docker-compose.yml)
 
 ### Start the application
 
 First we start the web application.
+Download the file `docker-compose.yml` and in the same directory as the downloaded file, execute the following commands.
+This will download prebuilt images of Anvil-Web and start a webserver.
 
 ```bash
 docker compose pull
 docker compose up -d
 ```
 
-The application should be available at [http://localhost:5001](http://localhost:5001).
+The application should then be available at [http://localhost:5001](http://localhost:5001).
 
 :::info
 
@@ -33,13 +35,14 @@ Below, you can find a short description of the core principles.
 
 Next the results need to be imported, i.e. importing the JSON files of TLS-Anvil into a MongoDB that is accessed by the backend of the web application.
 The easiest way to do that is to zip your results folder (the folder that contains the report.json file) and upload it in the web-interface.
+If you used the `-zip` flag during the execution, a zip file ready to upload should already be inside the results folder.
 Just go to `Tests` -> `Upload Test` and select the zip file.
 
 ### Using the application
 
 1. Open your web browser at [http://localhost:5001](http://localhost:5001).
 2. Click `Tests` in the navbar (if not already selected) and look for the test you just uploaded. Here you can click on `Details`.
-3. You will see an overview over the testresults. The specific result for each <Definition id="test template"/> is presented in the table at the bottom, sorted by RFC.
+3. You will see an overview over the test results. The specific result for each <Definition id="test template"/> is presented in the table at the bottom, sorted by RFC.
 4. The table rows are clickable, if you do, a detailed view will be presented to you showing what exactly got tested in that run and the results for each <Definition id="test input"/>, i.e. each performed handshake.
    1. Click on a row of a test case to view the recorded PCAP dump for the handshake as well as additional information about the handshake. `Parameter Combination`, for example, shows the <Definition id="test input"/> for the test case, generated by the combinatorial testing algorithm.
 

Docs/docs/06-Docker-Library.md

@@ -0,0 +1,66 @@
+# Using the TLS-Docker-Library
+
+The [TLS-Docker-Library](https://github.com/tls-attacker/Tls-docker-library) is a set of Dockerfiles and scripts for building and running many different TLS implementations.
+It can be used to test example server and client implementations of various TLS libraries.
+
+You can follow the README file of the repository to learn, how to build the docker containers yourself.
+
+In short, you need to
+ - run `./setup.sh` to generate the base images and certificates
+ - go to `cd src/main/resources/images`
+ - run `python3 build.py -l image-name:version` with the name of the implementation as well as the version you would like to build
+   - if you would like to build the newest version use `:latest`
+
+## Testing Built Library Containers using TLS-Anvil
+Once you built an image of a library you'd like to test, we have to create and start the container and then connect it to TLS-Anvil.
+
+This procedure differs between server and client images.
+
+To see how to create and run a container of your desired implementation, go to the subfolder of that implementation where you will find a readme file with more infos.
+
+### Server Images
+Server images almost always just start a binary server example implementation of that library in a loop.
+
+The arguments you pass to the docker container after the image name will get passed to the server executable. E.g. the image `openssl-server:1.1.1i` has the entrypoint `openssl s_server`. Any arguments that you pass after `docker run openssl-server:1.1.1i ...` are passed to the openssl executable.
+
+Many of the server implementations need certificates. Many certificates were created when you ran `./setup.sh`. Those are stored in the docker volume `cert-data` and can be used with any image.
+
+E.g. to start an OpenSSL server with an RSA certificate we can use:
+
+`docker run -v cert-data:/certs/ openssl-server:1.1.1i -port 8443 -cert /certs/rsa2048cert.pem -key /certs/rsa2048key.pem`
+
+The `-v` option bind the `cert-data` volume to the container at the location `/certs/`.
+
+The server is now listening on port 8443, but since it is a container, the port is only accessible from inside the container. To be able to connect to it we have to:
+ - add the server container and TLS-Anvil container to the same docker network (like in our [example](/docs/Quick-Start/Server-Testing))
+ - expose the port using `-p 8443:8443` or
+ - add the docker container to the host network using `--network host`
+
+If you added it to a network, the server will be reachable with its container name (can be changed by using `--name ...`), or via the other options, it should be reachable via `localhost:8443`.
+This is, what you will need to input in the `-connect ...` parameter of TLS-Anvil.
+
+### Client Images
+Client images implement a small web server that listens on port 8090. Command line arguments that you pass behind the image name also get passed directly to the client executable. But the client executable is not running in a loop, but rather only started when a GET request is sent to the `/trigger` endpoint of the webserver.
+
+E.g. to start the OpenSSL client, we can run `docker run openssl-client:1.1.1i -connect localhost:8443` and the `-connect ...` part is directly passed to `openssl s_client`.
+
+You have to make sure, that TLS-Anvil can reach the webserver (port 8090) of the client image, and the client can reach TLS-Anvil to connect to. This can be done by either:
+ - adding the client container and TLS-Anvil container to the same docker network (like in our [example](/docs/Quick-Start/Client-Testing))
+   - the client can then connect to TLS-Anvil using its container name
+   - TLS-Anvil can connect to the client using its container name
+ - exposing port the port 8090 on the client using `-p 8090:8090` and exposing the server listening port on the TLS-Anvil container if also run via docker
+   - the client can then connect to TLS-Anvil using the ip `172.17.0.1` or `host.docker.internal`
+   - TLS-Anvil can reach the container using `172.17.0.1` or `host.docker.internal` if also run in a container or `localhost` if run in the host
+ - adding the client (and TLS-Anvil) to the host network using `--network host`
+   - the client can then connect to TLS-Anvil using `localhost`
+   - TLS-Anvil can also connect to the client using `localhost`
+
+TLS-Anvil uses a *trigger script* in the client testing mode. The script is called every time it wants the client to connect to it. Using the TLS-Docker-Library images you almost always want to use `curl` in the trigger script to connect to the `/trigger` endpoint of the client.
+
+An example would be `docker run --network host -v $(pwd):/output/  ghcr.io/tls-attacker/tlsanvil:latest client -port 8443 -triggerScript curl localhost:8090/trigger`.
+
+:::info
+
+You could also execute a binary of a client implementation directly in the `-triggerScript` parameter.
+
+:::