annotate proxy_ssl_verify.t @ 1571:1b4ceab9cb1c
Tests: fixed ssl_certificate.t with LibreSSL client.
Net::SSLeay::connect(), which manages the TLS handshake, could return an
unexpected error when receiving a server alert, as seen in server certificate
tests if it could not be selected. Typically, it returns the expected error -1,
but with certain libssl implementations it can be 0, as explained below.
The error is propagated from libssl's SSL_connect(), which is usually -1.
In modern OpenSSL versions, it is the default error code used in the state
machine returned when something went wrong with parsing TLS message header.
In versions up to OpenSSL 1.0.2, with SSLv23_method() used by default, -1
is the only error code in the ssl_connect() method implementation which is
used as well if receiving alert while parsing ServerHello. BoringSSL also
seems to return -1. But it is not so with LibreSSL that returns zero.
Previously, tests failed with client built with LibreSSL with SSLv3 removed.
Here, the error is propagated directly from ssl_read_bytes() method, which
is always implemented as ssl3_read_bytes() in all TLS methods. It could be
also seen with OpenSSL up to 1.0.2 with non-default methods explicitly set.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 29 May 2020 23:10:20 +0300 |
parents | dbce8fb5f5f8 |
children |
1 #!/usr/bin/perl |
2 |
3 # (C) Maxim Dounin |
4 # (C) Nginx, Inc. |
5 |
6 # Tests for proxy to ssl backend, backend certificate verification. |
7 |
8 ############################################################################### |
9 |
10 use warnings; |
11 use strict; |
12 |
13 use Test::More; |
14 |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
16 |
17 use lib 'lib'; |
18 use Test::Nginx; |
19 |
20 ############################################################################### |
21 |
# Turn on autoflush for both standard streams. STDOUT is selected last, so it
# is the default output handle again once this run of statements is done.
select STDERR;
$| = 1;
select STDOUT;
$| = 1;

# nginx configuration under test.
#
# One plain-HTTP frontend (127.0.0.1:8080) proxies over TLS to two backends:
#   127.0.0.1:8081 presents 1.example.com.crt
#   127.0.0.1:8082 presents 2.example.com.crt
# Every location enables proxy_ssl_verify and pins a single trusted
# certificate file; the locations differ in the name they ask the backend
# certificate to match (proxy_ssl_name):
#   /verify     example.com            trusted: 1.example.com.crt
#   /wildcard   foo.example.com        trusted: 1.example.com.crt
#   /fail       no.match.example.com   trusted: 1.example.com.crt
#   /cn         2.example.com          trusted: 2.example.com.crt
#   /cn/fail    bad.example.com        trusted: 2.example.com.crt
#   /untrusted  (no proxy_ssl_name)    trusted: 1.example.com.crt, backend 8082
# /untrusted also sets proxy_ssl_session_reuse off -- presumably so that every
# request performs a full handshake with certificate verification; confirm.
# The certificate and key files named here are generated further down in this
# file. The %%TEST_GLOBALS%% / %%TEST_GLOBALS_HTTP%% markers are presumably
# substituted by write_file_expand(); the heredoc is non-interpolating, so
# $ssl_server_name reaches nginx literally.
my $nginx_conf = <<'EOF';

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    server {
        listen 127.0.0.1:8080;
        server_name localhost;

        location /verify {
            proxy_pass https://127.0.0.1:8081/;
            proxy_ssl_name example.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate 1.example.com.crt;
        }

        location /wildcard {
            proxy_pass https://127.0.0.1:8081/;
            proxy_ssl_name foo.example.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate 1.example.com.crt;
        }

        location /fail {
            proxy_pass https://127.0.0.1:8081/;
            proxy_ssl_name no.match.example.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate 1.example.com.crt;
        }

        location /cn {
            proxy_pass https://127.0.0.1:8082/;
            proxy_ssl_name 2.example.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate 2.example.com.crt;
        }

        location /cn/fail {
            proxy_pass https://127.0.0.1:8082/;
            proxy_ssl_name bad.example.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate 2.example.com.crt;
        }

        location /untrusted {
            proxy_pass https://127.0.0.1:8082/;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate 1.example.com.crt;
            proxy_ssl_session_reuse off;
        }
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name 1.example.com;

        ssl_certificate 1.example.com.crt;
        ssl_certificate_key 1.example.com.key;

        add_header X-Name $ssl_server_name;
    }

    server {
        listen 127.0.0.1:8082 ssl;
        server_name 2.example.com;

        ssl_certificate 2.example.com.crt;
        ssl_certificate_key 2.example.com.key;

        add_header X-Name $ssl_server_name;
    }
}

EOF

# Build the test object: declare the nginx features and the external openssl
# binary this test needs, plan six assertions (one per like() call at the end
# of the file), and write the configuration out.
my $t = Test::Nginx->new()
    ->has('http', 'http_ssl', 'proxy')
    ->has_daemon('openssl')
    ->plan(6)
    ->write_file_expand('nginx.conf', $nginx_conf);
108 |
# "openssl req" configuration for the certificate served on 127.0.0.1:8081.
#
# The certificate carries subjectAltName entries (example.com and
# *.example.com), while its commonName is deliberately no.match.example.com,
# the very name the /fail location asks for. /fail is expected to be rejected,
# so the test pins that the CN is not used for matching once a subjectAltName
# is present.
# encrypt_key = no leaves the private key unencrypted on disk; the key lives
# in the test directory only. The annotation on the default_bits line reads
# "align with OpenSSL security level 2".
# Neither heredoc contains anything to interpolate, so the quoted form yields
# the same text.
my $san_request_conf = <<'EOF';
[ req ]
prompt = no
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[ req_distinguished_name ]
commonName=no.match.example.com

[ v3_req ]
subjectAltName = DNS:example.com,DNS:*.example.com
EOF

# "openssl req" configuration for the certificate served on 127.0.0.1:8082.
# It has no subjectAltName at all, so name matching can only fall back to the
# commonName (2.example.com); the /cn and /cn/fail locations exercise that.
my $cn_only_request_conf = <<'EOF';
[ req ]
prompt = no
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName=2.example.com
EOF

$t->write_file('openssl.1.example.com.conf', $san_request_conf);

$t->write_file('openssl.2.example.com.conf', $cn_only_request_conf);
134 |
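my $d = $t->testdir();

# Create a self-signed certificate and matching private key for each backend
# from the openssl.<name>.conf request files written above. All openssl
# output, including errors, is appended to $d/openssl.out.
foreach my $name ('1.example.com', '2.example.com') {

    # The single-string (shell) form of system() is needed for the output
    # redirection. $d is interpolated unquoted, so this relies on the test
    # directory path being free of whitespace and shell metacharacters.
    my $status = system('openssl req -x509 -new '
        . "-config $d/openssl.$name.conf "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1");

    next if $status == 0;

    # $! is only meaningful when system() returns -1 (the command could not
    # be started). Otherwise the wait status carries the terminating signal
    # or the exit code, so report that instead of a stale errno string.
    my $reason
        = $status == -1  ? "failed to execute: $!"
        : $status & 127 ? sprintf('died with signal %d', $status & 127)
        :                 sprintf('exited with value %d', $status >> 8);

    die "Can't create certificate for $name: $reason\n";
}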
144 |
# On Windows, pause for a second before going on. The annotation for this
# line reads "postponed startup in certain ssl certificate tests on win32";
# the underlying reason is not visible here.
if ($^O eq 'MSWin32') {
    sleep 1;
}

# Empty document in the test directory -- presumably what the TLS backends
# serve for the proxied "/" request; confirm against Test::Nginx.
$t->write_file('index.html', '');

# Hand over to the harness with the configuration and certificates in place.
$t->run();
150 |
151 ############################################################################### |
152 |
# Expected outcomes: the proxied request succeeds when the backend
# certificate verifies, and nginx answers 502 when verification fails.
#
# NOTE(review): the negative cases only match on the 502 status line, so an
# unreachable backend would satisfy them as well. The positive cases hit the
# same two backends (/verify on 8081, /cn on 8082), which is what ties a 502
# to certificate verification rather than to a dead upstream.
my $proxied_ok  = qr/200 OK/ms;
my $bad_gateway = qr/502 Bad/ms;

# subjectAltName: backend 8081 presents a certificate with
# DNS:example.com and DNS:*.example.com. An exact name and a wildcard match
# are accepted; no.match.example.com appears only as that certificate's
# commonName and must be rejected.

like(http_get('/verify'), $proxied_ok, 'verify');
like(http_get('/wildcard'), $proxied_ok, 'verify wildcard');
like(http_get('/fail'), $bad_gateway, 'verify fail');

# commonName: backend 8082 presents a certificate without subjectAltName,
# so the requested name is matched against commonName=2.example.com.

like(http_get('/cn'), $proxied_ok, 'verify cn');
like(http_get('/cn/fail'), $bad_gateway, 'verify cn fail');

# untrusted: backend 8082 presents 2.example.com.crt, while the location
# trusts only 1.example.com.crt.

like(http_get('/untrusted'), $bad_gateway, 'untrusted');
167 |
168 ############################################################################### |