added hostname mismatch tests

Author: jrobertboos

docker-compose-library.yaml

@@ -125,6 +125,7 @@ services:
     ports:
       - "8443:8443"
       - "8444:8444"
+      - "8445:8445"
     networks:
       - lightspeednet
     volumes:

docker-compose.yaml

@@ -153,6 +153,7 @@ services:
     ports:
       - "8443:8443"
       - "8444:8444"
+      - "8445:8445"
     networks:
       - lightspeednet
     volumes:

tests/e2e/features/steps/tls.py

@@ -250,6 +250,67 @@ def configure_mtls_expired_client_cert(context: Context) -> None:
     _write_config(config, _LLAMA_STACK_CONFIG)
 
 
+@given("Llama Stack is configured with CA certificate and hostname mismatch server")
+def configure_tls_hostname_mismatch(context: Context) -> None:
+    """Configure run.yaml to connect to the hostname-mismatch TLS server.
+
+    The mock server on port 8445 presents a certificate issued for
+    "wrong-hostname.example.com", but the client connects to
+    "mock-tls-inference", causing a hostname verification failure.
+
+    Parameters:
+        context: Behave test context.
+    """
+    config, provider = _prepare_tls_provider()
+    provider["config"]["base_url"] = "https://mock-tls-inference:8445/v1"
+    provider["config"]["network"]["tls"] = {"verify": "/certs/ca.crt"}
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
+@given(
+    "Llama Stack is configured with mutual TLS and hostname mismatch server"
+)
+def configure_mtls_hostname_mismatch(context: Context) -> None:
+    """Configure run.yaml for mTLS against the hostname-mismatch TLS server.
+
+    The mock server on port 8445 presents a certificate issued for
+    "wrong-hostname.example.com". Even though client certs are provided,
+    the hostname mismatch should cause the connection to fail.
+
+    Parameters:
+        context: Behave test context.
+    """
+    config, provider = _prepare_tls_provider()
+    provider["config"]["base_url"] = "https://mock-tls-inference:8445/v1"
+    provider["config"]["network"]["tls"] = {
+        "verify": "/certs/ca.crt",
+        "client_cert": "/certs/client.crt",
+        "client_key": "/certs/client.key",
+    }
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
+@given(
+    'Llama Stack is configured with TLS minimum version "{version}" and hostname mismatch server'
+)
+def configure_tls_min_version_hostname_mismatch(
+    context: Context, version: str
+) -> None:
+    """Configure run.yaml with TLS min version against the hostname-mismatch server.
+
+    Parameters:
+        context: Behave test context.
+        version: The TLS version (e.g., "TLSv1.2", "TLSv1.3").
+    """
+    config, provider = _prepare_tls_provider()
+    provider["config"]["base_url"] = "https://mock-tls-inference:8445/v1"
+    provider["config"]["network"]["tls"] = {
+        "verify": "/certs/ca.crt",
+        "min_version": version,
+    }
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
 @given(
     'Llama Stack is configured with TLS minimum version "{version}" and CA certificate path "{path}"'
 )

tests/e2e/features/tls.feature

@@ -116,6 +116,28 @@ Feature: TLS configuration for remote inference providers
      Then The status code of the response is 500
       And The body of the response does not contain Hello from the TLS mock inference server
 
+  Scenario: Inference fails with CA certificate verification and hostname mismatch
+    Given Llama Stack is configured with CA certificate and hostname mismatch server
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
+  Scenario: Inference fails with mutual TLS and hostname mismatch
+    Given Llama Stack is configured with mutual TLS and hostname mismatch server
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
   Scenario: Inference succeeds with TLS minimum version TLSv1.3
     Given Llama Stack is configured with TLS minimum version "TLSv1.3" and CA certificate path "/certs/ca.crt"
       And Llama Stack is restarted
@@ -137,6 +159,17 @@ Feature: TLS configuration for remote inference providers
      Then The status code of the response is 500
       And The body of the response does not contain Hello from the TLS mock inference server
 
+  Scenario: Inference fails with TLS minimum version TLSv1.3 and hostname mismatch
+    Given Llama Stack is configured with TLS minimum version "TLSv1.3" and hostname mismatch server
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
   Scenario: Inference fails with TLS minimum version TLSv1.3 and expired CA certificate
     Given Llama Stack is configured with TLS minimum version "TLSv1.3" and CA certificate path "/certs/expired-ca.crt"
       And Llama Stack is restarted

tests/e2e/mock_tls_inference_server/server.py

@@ -253,10 +253,17 @@ def main() -> None:
     _export_expired_client_cert(ca, client_cert, certs_dir / "expired-client.crt")
     print(f"  Expired client cert: {certs_dir / 'expired-client.crt'}")
 
+    # Issue a server cert with a hostname that does NOT match the Docker service
+    # name ("mock-tls-inference") — used to test hostname-mismatch rejection.
+    hostname_mismatch_cert = ca.issue_cert("wrong-hostname.example.com")
+    print("  Hostname-mismatch server cert: wrong-hostname.example.com (port 8445)")
+
     print("=" * 60)
     print("Starting servers...")
     print("=" * 60)
 
+    hostname_mismatch_port = int(sys.argv[3]) if len(sys.argv) > 3 else 8445
+
     # Create TLS server (no client cert required)
     tls_server = ThreadingHTTPServer(("", tls_port), OpenAIHandler)
     tls_ctx = _make_tls_context(ca, server_cert, require_client_cert=False)
@@ -267,17 +274,33 @@ def main() -> None:
     mtls_ctx = _make_tls_context(ca, server_cert, require_client_cert=True)
     mtls_server.socket = mtls_ctx.wrap_socket(mtls_server.socket, server_side=True)
 
+    # Create hostname-mismatch TLS server (cert SAN ≠ connecting hostname)
+    mismatch_server = ThreadingHTTPServer(
+        ("", hostname_mismatch_port), OpenAIHandler
+    )
+    mismatch_ctx = _make_tls_context(
+        ca, hostname_mismatch_cert, require_client_cert=False
+    )
+    mismatch_server.socket = mismatch_ctx.wrap_socket(
+        mismatch_server.socket, server_side=True
+    )
+
     print("=" * 60)
     print("Mock TLS Inference Server")
     print("=" * 60)
-    print(f"  TLS  : https://localhost:{tls_port}  (no client cert)")
-    print(f"  mTLS : https://localhost:{mtls_port}  (client cert required)")
+    print(f"  TLS      : https://localhost:{tls_port}  (no client cert)")
+    print(f"  mTLS     : https://localhost:{mtls_port}  (client cert required)")
+    print(
+        f"  Mismatch : https://localhost:{hostname_mismatch_port}"
+        "  (hostname-mismatch cert)"
+    )
     print(f"  Model: {MODEL_ID}")
     print("=" * 60)
 
     for srv, label in [
         (tls_server, f"TLS  :{tls_port}"),
         (mtls_server, f"mTLS :{mtls_port}"),
+        (mismatch_server, f"Mismatch :{hostname_mismatch_port}"),
     ]:
         t = threading.Thread(target=_run_server, args=(srv, label), daemon=True)
         t.start()