annotate stream_proxy_ssl_name_complex.t @ 1571:1b4ceab9cb1c

Tests: fixed ssl_certificate.t with LibreSSL client.

Net::SSLeay::connect() that manages TLS handshake could return unexpected error when receiving server alert, as seen in server certificate tests if it could not be selected. Typically, it returns the expected error -1, but with certain libssl implementations it can be 0, as explained below.

The error is propagated from libssl's SSL_connect(), which is usually -1. In modern OpenSSL versions, it is the default error code used in the state machine returned when something went wrong with parsing TLS message header. In versions up to OpenSSL 1.0.2, with SSLv23_method() used by default, -1 is the only error code in the ssl_connect() method implementation which is used as well if receiving alert while parsing ServerHello. BoringSSL also seems to return -1. But it is not so with LibreSSL that returns zero.

Previously, tests failed with client built with LibreSSL with SSLv3 removed. Here, the error is propagated directly from ssl_read_bytes() method, which is always implemented as ssl3_read_bytes() in all TLS methods. It could be also seen with OpenSSL up to 1.0.2 with non-default methods explicitly set.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 29 May 2020 23:10:20 +0300
parents dbce8fb5f5f8
children f3ba4c74de31
rev   changeset     description
 989  98546e08521f  Tests: stream tests for proxy_ssl_name with complex value. Sergey Kandaurov <pluknet@nginx.com>
1488  dbce8fb5f5f8  Tests: align with OpenSSL security level 2. Sergey Kandaurov <pluknet@nginx.com> (parents: 1251)
1220  0af58b78df35  Tests: removed single quotes from system() calls. Sergey Kandaurov <pluknet@nginx.com> (parents: 1116)
1251  766bcbb632ee  Tests: removed TODO and try_run() checks for legacy versions. Sergey Kandaurov <pluknet@nginx.com> (parents: 1220)

 rev  line  source
 989     1  #!/usr/bin/perl
 989     2
 989     3  # (C) Sergey Kandaurov
 989     4  # (C) Nginx, Inc.
 989     5
 989     6  # Stream tests for proxy to ssl backend, use of Server Name Indication
 989     7  # (proxy_ssl_name, proxy_ssl_server_name directives) with complex value.
 989     8
 989     9  ###############################################################################
 989    10
 989    11  use warnings;
 989    12  use strict;
 989    13
 989    14  use Test::More;
 989    15
 989    16  BEGIN { use FindBin; chdir($FindBin::Bin); }
 989    17
 989    18  use lib 'lib';
 989    19  use Test::Nginx;
 989    20  use Test::Nginx::Stream qw/ stream /;
 989    21
 989    22  ###############################################################################
 989    23
 989    24  select STDERR; $| = 1;
 989    25  select STDOUT; $| = 1;
 989    26
 989    27  my $t = Test::Nginx->new()->has(qw/stream stream_ssl stream_return sni/)
 989    28      ->has_daemon('openssl');
 989    29
 989    30  $t->write_file_expand('nginx.conf', <<'EOF');
 989    31
 989    32  %%TEST_GLOBALS%%
 989    33
 989    34  daemon off;
 989    35
 989    36  events {
 989    37  }
 989    38
 989    39  stream {
 989    40      proxy_ssl on;
 989    41      proxy_ssl_session_reuse off;
 989    42
 989    43      server {
 989    44          listen 127.0.0.1:8081;
 989    45          listen 127.0.0.1:8082;
 989    46          proxy_pass 127.0.0.1:8085;
 989    47
 989    48          proxy_ssl_server_name on;
 989    49          proxy_ssl_name x${server_port}x;
 989    50      }
 989    51
 989    52      server {
 989    53          ssl_certificate_key localhost.key;
 989    54          ssl_certificate localhost.crt;
 989    55
 989    56          listen 127.0.0.1:8085 ssl;
 989    57          return $ssl_server_name;
 989    58      }
 989    59  }
 989    60
 989    61  EOF
 989    62
 989    63  $t->write_file('openssl.conf', <<EOF);
 989    64  [ req ]
1488    65  default_bits = 2048
 989    66  encrypt_key = no
 989    67  distinguished_name = req_distinguished_name
 989    68  [ req_distinguished_name ]
 989    69  EOF
 989    70
 989    71  my $d = $t->testdir();
 989    72
 989    73  foreach my $name ('localhost') {
 989    74      system('openssl req -x509 -new '
1220    75          . "-config $d/openssl.conf -subj /CN=$name/ "
1220    76          . "-out $d/$name.crt -keyout $d/$name.key "
 989    77          . ">>$d/openssl.out 2>&1") == 0
 989    78          or die "Can't create certificate for $name: $!\n";
 989    79  }
 989    80
1251    81  $t->run()->plan(2);
 989    82
 989    83  ###############################################################################
 989    84
 989    85  my ($p1, $p2) = (port(8081), port(8082));
 989    86
 989    87  is(stream("127.0.0.1:$p1")->read(), "x${p1}x", 'name 1');
 989    88  is(stream("127.0.0.1:$p2")->read(), "x${p2}x", 'name 2');
 989    89
 989    90  ###############################################################################