annotate ssl_certificate.t @ 1907:034c9121b9d1
Tests: added h2_http2.t TODOs for LibreSSL and older OpenSSL.
Those libraries provide an older callback order, where ALPN callback
is invoked before SNI callback.
Additionally, OpenSSL 1.0.2 doesn't send alert on ALPN mismatch.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 08 Jun 2023 16:41:11 +0400 |
parents | d570dbcad925 |
children | c924ae8d7104 |
rev | line source |
---|---|
1 #!/usr/bin/perl |
2 |
3 # (C) Sergey Kandaurov |
4 # (C) Nginx, Inc. |
5 |
6 # Tests for http ssl module with dynamic certificates. |
7 |
8 ############################################################################### |
9 |
10 use warnings; |
11 use strict; |
12 |
13 use Test::More; |
14 |
15 use Socket qw/ CRLF /; |
16 |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
18 |
19 use lib 'lib'; |
20 use Test::Nginx qw/ :DEFAULT http_end /; |
21 |
22 ############################################################################### |
23 |
# Set $| = 1 (autoflush) on STDERR and then on STDOUT; STDOUT is left as the
# currently selected output handle afterwards.
foreach my $stream (\*STDERR, \*STDOUT) {
	select $stream;
	$| = 1;
}

# Test instance.  The has() / has_daemon() arguments name what this test
# depends on: the http, http_ssl and geo features, an "openssl:1.0.2"
# requirement, SNI-capable SSL sockets, and the openssl command-line tool.
# NOTE(review): presumably the test is skipped when a requirement is not
# met - that logic lives in Test::Nginx and is not visible in this file.
my $t = Test::Nginx->new()
	->has(qw/http http_ssl geo openssl:1.0.2 socket_ssl_sni/)
	->has_daemon('openssl');
30 |
# nginx configuration under test.  The heredoc is single-quoted, so $one,
# $two, $pass and $ssl_server_name reach nginx verbatim as nginx variables
# instead of being interpolated by Perl.  The three geo blocks give $one,
# $two and $pass the constant values "one", "two" and "pass", which makes
# every certificate/key path below a variable ("dynamic") path.
#
#   8080  SNI vhosts "default" ($one), "virtual" ($two) and "no_ctx", which
#         declares no certificate of its own
#   8081  "default" again with $one (same certificate as 8080)
#   8082  "default" with $two (different certificate)
#   8083  static pass.crt, variable key path, passphrase from password_file
#   8084  certificate and key paths built from $ssl_server_name
#
# The X-SSL and X-SSL-Protocol response headers expose the SNI name, the
# session-reuse flag and the protocol so the assertions can match on them.
#
# NOTE(review): on 8084 the file name is derived from a value the client
# supplies during the handshake.  That is what the "no certificate" case
# exercises; in a deployed configuration, mapping the name onto a fixed set
# of known files is the safer pattern than concatenating it into a path.
# NOTE(review): write_file_expand presumably substitutes the %%TEST_GLOBALS%%
# placeholders; its implementation is in Test::Nginx, not in this file.
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    geo $one {
        default one;
    }

    geo $two {
        default two;
    }

    geo $pass {
        default pass;
    }

    add_header X-SSL $ssl_server_name:$ssl_session_reused;
    add_header X-SSL-Protocol $ssl_protocol;
    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets on;

    server {
        listen 127.0.0.1:8080 ssl;
        server_name default;

        ssl_certificate $one.crt;
        ssl_certificate_key $one.key;
    }

    server {
        listen 127.0.0.1:8080 ssl;
        server_name virtual;

        # found in key
        ssl_certificate $two.crt;
        ssl_certificate_key $two.key;
    }

    server {
        listen 127.0.0.1:8080 ssl;
        server_name no_ctx;
    }

    server {
        listen 127.0.0.1:8083 ssl;
        server_name password;

        # found in key
        ssl_certificate pass.crt;
        ssl_certificate_key $pass.key;
        ssl_password_file password_file;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name default;

        ssl_certificate $one.crt;
        ssl_certificate_key $one.key;
    }

    server {
        listen 127.0.0.1:8082 ssl;
        server_name default;

        ssl_certificate $two.crt;
        ssl_certificate_key $two.key;
    }

    server {
        listen 127.0.0.1:8084 ssl;
        server_name localhost;

        ssl_certificate $ssl_server_name.crt;
        ssl_certificate_key $ssl_server_name.key;
    }
}

EOF
118 |
# Minimal OpenSSL request configuration, passed with -config to the
# "openssl req" invocations later in this file: default key size 2048 bits,
# private keys written unencrypted (encrypt_key = no), and an empty
# distinguished_name section (those invocations give the subject with -subj).
# The heredoc is the interpolating form, but it contains nothing for Perl to
# interpolate.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
126 |
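# Directory that receives every generated file (config, keys, certificates,
# openssl output).
my $d = $t->testdir();

# Self-signed certificates for CN=one and CN=two.  With the geo defaults in
# nginx.conf these are the files "$one.crt" / "$two.crt" resolve to; the keys
# are written unencrypted because openssl.conf sets encrypt_key = no.
#
# The command is run through the shell because of the ">>... 2>&1"
# redirection, and $d is interpolated unquoted, so this relies on the test
# directory path containing no whitespace or shell metacharacters.
foreach my $name ('one', 'two') {
	my $cmd = 'openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1";

	my $rc = system($cmd);
	next if $rc == 0;

	# $! only describes the failure when the command could not be started
	# (system() returned -1); for a command that ran and failed, the
	# useful detail is the wait status in $?.
	die "Can't create certificate for $name: "
		. ($rc == -1 ? $! : "wait status $?") . "\n";
}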
136 |
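# Passphrase-protected RSA key (AES-128, 2048 bits) and a matching
# self-signed certificate for CN=pass, used by the ssl_password_file server
# on port 8083.
#
# NOTE(review): the passphrase is passed as "pass:pass" on the command line,
# where other local processes can read it from the process list.  That is
# acceptable only because this key is a throwaway test fixture; for real key
# material a file- or descriptor-based passphrase source is preferable.
# As with the other openssl calls, $d is interpolated into a shell command
# unquoted.
foreach my $name ('pass') {
	my $genrsa = "openssl genrsa -out $d/$name.key -passout pass:pass "
		. "-aes128 2048 >>$d/openssl.out 2>&1";

	# $! is meaningful only when system() returned -1 (command not
	# started); otherwise report the wait status from $?.
	my $rc = system($genrsa);
	die "Can't create $name key: "
		. ($rc == -1 ? $! : "wait status $?") . "\n"
		if $rc != 0;

	my $req = "openssl req -x509 -new -config $d/openssl.conf "
		. "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
		. "-passin pass:pass >>$d/openssl.out 2>&1";

	$rc = system($req);
	die "Can't create $name certificate: "
		. ($rc == -1 ? $! : "wait status $?") . "\n"
		if $rc != 0;
}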
146 |
# Remaining fixtures: password_file holds the passphrase that pass.key was
# encrypted with (it is the file named by ssl_password_file in nginx.conf),
# and index.html is an empty document.
foreach my $fixture ([ 'password_file', 'pass' ], [ 'index.html', '' ]) {
	$t->write_file(@$fixture);
}

# Start nginx and declare the 11 assertions that follow.
$t->run()->plan(11);
151 |
152 ############################################################################### |
153 |
# Port 8080, one pass per SNI name: first the subject of the certificate the
# server presents, then the SNI name echoed back in the response (X-SSL
# header).  "no_ctx" declares no certificate of its own and is expected to
# be served CN=one.
foreach my $case (
	[ 'default', qr/CN=one/, 'default certificate', 'default context' ],
	[ 'virtual', qr/CN=two/, 'virtual server certificate',
		'virtual server context' ],
	[ 'no_ctx', qr/CN=one/, 'certificate - no context',
		'virtual server - no context' ],
) {
	my ($sni, $subject, $cert_test, $ctx_test) = @$case;

	like(cert($sni, 8080), $subject, $cert_test);
	like(get($sni, 8080), qr/$sni/, $ctx_test);
}

# Port 8083: the handshake only succeeds if nginx could decrypt pass.key
# with the passphrase from password_file.
like(get('password', 8083), qr/password/, 'ssl_password_file');
164 |
# session reuse

# Establish a TLS session against "default" on 8080.  session() returns the
# socket after completing a request; it is handed to the later get() calls,
# which pass it on as SSL_reuse_ctx so the client offers that session again.
my $s = session('default', 8080);

TODO: {
# Expected failures: the connection negotiates TLSv1.3 (test_tls13() makes
# one extra request to find out) and the installed Net::SSLeay or
# IO::Socket::SSL is older than the version named in the message.
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();

# Same port, same server: the response must carry the reuse flag "r".
like(get('default', 8080, $s), qr/default:r/, 'session reused');

# The inner block inherits the outer $TODO unless one of its own conditions
# overrides it.
TODO: {
# ticket key name mismatch prevents session resumption
local $TODO = 'not yet' unless $t->has_version('1.23.2');
local $TODO = 'no SSL_session_key, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 1.965;

# 8081 is configured with the same $one certificate as 8080; the session is
# expected to resume there.
like(get('default', 8081, $s), qr/default:r/, 'session id context match');

}
}

# 8082 presents the $two certificate instead: the session established
# against $one must NOT resume here (reuse flag "."), i.e. a session is not
# carried over to a server with a different certificate.
like(get('default', 8082, $s), qr/default:\./, 'session id context distinct');

# errors

# SNI name "nx" makes the 8084 server look for nx.crt / nx.key, which were
# never created; get() is expected to return nothing.
ok(!get('nx', 8084), 'no certificate');
193 |
194 ############################################################################### |
195 |
# get($host, $port[, $ctx]) - open a TLS connection through get_socket()
# and return whatever http_end() yields for it.  Returns nothing when no
# socket could be obtained.
sub get {
	my $sock = get_socket(@_);
	return unless $sock;

	return http_end($sock);
}
200 |
# cert($host, $port[, $ctx]) - open a TLS connection through get_socket()
# and return the socket's dump_peer_certificate() output, which the tests
# match against the expected CN.  Returns nothing when no socket could be
# obtained.
sub cert {
	my $sock = get_socket(@_) or return;

	return $sock->dump_peer_certificate();
}
205 |
# session($host, $port[, $ctx]) - open a TLS connection, finish the request
# with http_end() (its result is discarded) and return the socket itself so
# callers can pass it as the reuse context of later connections.  Returns
# nothing when no socket could be obtained.
sub session {
	my $sock = get_socket(@_);
	return if !$sock;

	http_end($sock);

	return $sock;
}
211 |
# get_socket($host, $port[, $ctx]) - start a "GET /" over TLS to the test
# port on 127.0.0.1 and return what http_get() returns for a started
# request.
#
#   $host  sent as SSL_hostname, i.e. the SNI name that selects the server
#          block (and, on 8084, the certificate file name)
#   $port  test port number, translated by port()
#   $ctx   optional earlier socket passed as SSL_reuse_ctx
#
# Every connection uses the same SSL_session_key (1).
# NOTE(review): presumably this is what lets a session obtained on one port
# be offered on another - confirm against the IO::Socket::SSL documentation.
# NOTE(review): no peer-verification options are set here; whatever
# http_get() applies is in effect.  The certificates are self-signed, so the
# tests identify the server by the dumped subject, not by chain validation.
sub get_socket {
	my ($host, $port, $ctx) = @_;

	my @tls_opts = (
		SSL => 1,
		SSL_hostname => $host,
		SSL_session_cache_size => 100,
		SSL_session_key => 1,
		SSL_reuse_ctx => $ctx,
	);

	return http_get(
		'/', start => 1, PeerAddr => '127.0.0.1:' . port($port),
		@tls_opts
	);
}
223 |
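# test_tls13() - true when a fresh request to "default" on 8080 yields a
# response containing "TLSv1.3" (the server adds the negotiated protocol in
# the X-SSL-Protocol header).  Each call makes a new connection.
sub test_tls13 {
	# The dot is escaped so only the literal protocol string matches.
	return get('default', 8080) =~ /TLSv1\.3/;
}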
227 |
228 ############################################################################### |