annotate ssl_curve.t @ 1865:0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Relevant infrastructure is provided in Test::Nginx http() functions.
This also ensures that SSL handshake and various read and write operations
are guarded with timeouts.
The ssl_sni_reneg.t test uses IO::Socket::SSL::_get_ssl_object() to access
the Net::SSLeay object directly and trigger renegotiation. While
not exactly correct, this seems to be good enough for tests.
Similarly, IO::Socket::SSL::_get_ssl_object() is used in ssl_stapling.t,
since SSL_ocsp_staple_callback is called with the socket instead of the
Net::SSLeay object.
Similarly, IO::Socket::SSL::_get_ssl_object() is used in ssl_verify_client.t,
since there seems to be no way to obtain CA list with IO::Socket::SSL.
Notable change to http() request interface is that http_end() now closes
the socket. This is to make sure that SSL connections are properly
closed and SSL sessions are not removed from the IO::Socket::SSL session
cache. This affected access_log.t, which was modified accordingly.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 18 May 2023 18:07:17 +0300 |
parents | 58951cf933e1 |
children | a797d7428fa5 |
1749 | 1 #!/usr/bin/perl |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http ssl module, $ssl_curve variable. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
# Unbuffer both output streams so TAP output and diagnostics interleave in
# the order they were written (the default selected handle stays STDOUT).
for my $fh (\*STDERR, \*STDOUT) {
	my $prev = select($fh);
	$| = 1;
	select($prev);
}
24 | |
# Skip the whole test unless nginx has the http, http_ssl and rewrite
# modules and is built against OpenSSL 3.0.0 or newer, the Perl side can
# speak SSL (the socket_ssl feature check presumably loads IO::Socket::SSL,
# which is why there is no explicit "use IO::Socket::SSL" above), and the
# openssl CLI needed to mint the test certificate is on PATH.
my $t = Test::Nginx->new();
$t->has(qw/http http_ssl rewrite socket_ssl openssl:3.0.0/);
$t->has_daemon('openssl');

# nginx.conf: a single loopback-only SSL server whose response body is the
# $ssl_curve and $ssl_curves variables.  ssl_ecdh_curve pins the curve to
# prime256v1 so the expected $ssl_curve value is known up front.  The heredoc
# is single-quoted so Perl does not interpolate the nginx variables; the
# %%...%% placeholders are substituted by write_file_expand().
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;

    ssl_ecdh_curve prime256v1;

    server {
        listen 127.0.0.1:8443 ssl;
        server_name localhost;

        return 200 "$ssl_curve $ssl_curves";
    }
}

EOF

# Minimal openssl(1) request config for the throwaway test certificate.
# "encrypt_key = no" writes the private key unencrypted so nginx can load it
# without a passphrase; the key only ever lives in the per-run test directory.
$t->write_file('openssl.conf', <<'EOF');
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# Mint a self-signed certificate for each server name the config references.
# NOTE(review): $d and $name are interpolated into a shell command line (the
# redirection needs a shell), so a test directory path containing shell
# metacharacters would break or alter the command.  $name is a literal here
# and the harness's temp dir is expected to be a plain path, so this is
# acceptable for a local test fixture but should not be copied elsewhere.
foreach my $name ('localhost') {
	my $cmd = join(' ',
		'openssl req -x509 -new',
		"-config $d/openssl.conf -subj /CN=$name/",
		"-out $d/$name.crt -keyout $d/$name.key",
		">>$d/openssl.out 2>&1");
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}

# try_run() skips (rather than fails) the test when nginx refuses to start
# with this configuration, e.g. a binary that does not know $ssl_curve.
$t->try_run('no $ssl_curve')->plan(1);
75 | |
76 ############################################################################### | |
77 | |
# The server body is "$ssl_curve $ssl_curves", so with the curve pinned to
# prime256v1 the body line must start with that name followed by a space.
# get() appears to return the whole response including headers, hence the
# /m flag so ^ can anchor at the start of the body line.
my $response = get('/curve');
like($response, qr/^prime256v1 /m, 'ssl curve');
79 | |
80 ############################################################################### | |
81 | |
# Fetch $uri from the SSL test server and return the raw response text.
#
# $port is handed on to get_ssl_socket(); $ctx is accepted for parity with
# the helper's signature in the other SSL tests but is not used here.
# Returns nothing (undef in scalar context) when the connection or the
# handshake fails; get_ssl_socket() has already logged the reason, so the
# caller's like() fails with a usable diagnostic.
sub get {
	my ($uri, $port, $ctx) = @_;

	my $sock = get_ssl_socket($port)
		or return;

	my $response = http_get($uri, socket => $sock);

	# Close the connection once the response has been read.
	$sock->close();

	return $response;
}
89 | |
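# Open an SSL connection to the test server on the loopback interface.
#
# $port is the listening port to connect to; it defaults to 8443 (the port
# in the nginx.conf above) and is passed through port() so the harness can
# remap it.  Previously the parameter was accepted but silently ignored in
# favour of the hard-coded 8443; callers that pass no port are unaffected.
# $ctx is accepted for parity with the helper's signature in the other SSL
# tests but is not used here.
#
# Returns the connected IO::Socket::SSL object, or nothing (undef in scalar
# context) after logging the reason with log_in() when the TCP connect or
# the SSL handshake fails or does not finish within the alarm timeout.
#
# Certificate verification is deliberately disabled: the server presents
# the self-signed throwaway certificate minted above, so there is no trust
# anchor to verify it against, and no hostname check is performed.  That is
# fine for a loopback-only test fixture and must not be copied into
# non-test code.
sub get_ssl_socket {
	my ($port, $ctx) = @_;
	my $s;

	$port = 8443 unless defined $port;

	eval {
		# Bound the connect and handshake with a timeout so an
		# unresponsive peer cannot hang the test indefinitely.
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		$s = IO::Socket::SSL->new(
			Proto => 'tcp',
			PeerAddr => '127.0.0.1',
			PeerPort => port($port),
			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
			# Turn IO::Socket::SSL's error return into an exception
			# so every failure mode is reported through $@ below.
			SSL_error_trap => sub { die $_[1] },
		);
		alarm(0);
	};
	# Always clear the alarm: the alarm(0) inside the eval is skipped when
	# the constructor dies, and a late SIGALRM would kill the test.
	alarm(0);

	if ($@) {
		log_in("died: $@");
		return;
	}

	return $s;
}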
116 | |
117 ############################################################################### |