Mercurial > hg > nginx-tests
annotate ssl_verify_client.t @ 1185:368ab1d8ed8b
Tests: unbreak h2.t with aio.
Postpone sending client's SETTINGS until after server exhausted stream window,
so the expected result does not depend on the time when SETTINGS was applied.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 06 Jun 2017 21:41:09 +0300 |
| parents | 8ef51dbb5d69 |
| children | b1dc56ad15e9 |
| rev | line source |
|---|---|
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_client. |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
15 use Socket qw/ :DEFAULT CRLF /; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
16 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
27 eval { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
28 require Net::SSLeay; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
29 Net::SSLeay::load_error_strings(); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
30 Net::SSLeay::SSLeay_add_ssl_algorithms(); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
31 Net::SSLeay::randomize(); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
32 }; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
33 plan(skip_all => 'Net::SSLeay not installed') if $@; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
34 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
35 eval { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
36 my $ctx = Net::SSLeay::CTX_new() or die; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
37 my $ssl = Net::SSLeay::new($ctx) or die; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
38 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
39 }; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
40 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
|
1032
43eedbfea090
Tests: add missing sni prerequisites.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
42 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/) |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
43 ->has_daemon('openssl')->plan(10); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 $t->write_file_expand('nginx.conf', <<'EOF'); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 %%TEST_GLOBALS%% |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 daemon off; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 events { |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 http { |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 %%TEST_GLOBALS_HTTP%% |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
57 add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
59 ssl_certificate_key 1.example.com.key; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
60 ssl_certificate 1.example.com.crt; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 server { |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
63 listen 127.0.0.1:8080; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 server_name localhost; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
66 ssl_verify_client on; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
67 ssl_client_certificate 2.example.com.crt; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 server { |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
71 listen 127.0.0.1:8081 ssl; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
72 server_name on; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
73 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
74 ssl_verify_client on; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
75 ssl_client_certificate 2.example.com.crt; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
76 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
77 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
78 server { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
79 listen 127.0.0.1:8081 ssl; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
80 server_name optional; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
82 ssl_verify_client optional; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
83 ssl_client_certificate 2.example.com.crt; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
84 ssl_trusted_certificate 3.example.com.crt; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
85 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
86 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
87 server { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
88 listen 127.0.0.1:8081 ssl; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
89 server_name optional_no_ca; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
90 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
91 ssl_verify_client optional_no_ca; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
92 ssl_client_certificate 2.example.com.crt; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 EOF |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 $t->write_file('openssl.conf', <<EOF); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 [ req ] |
|
1116
8ef51dbb5d69
Tests: reduced OpenSSL default key length to 1024.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1114
diff
changeset
|
100 default_bits = 1024 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 encrypt_key = no |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 distinguished_name = req_distinguished_name |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 [ req_distinguished_name ] |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 EOF |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 my $d = $t->testdir(); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
108 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 system('openssl req -x509 -new ' |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 . "-config '$d/openssl.conf' -subj '/CN=$name/' " |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 . "-out '$d/$name.crt' -keyout '$d/$name.key' " |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 . ">>$d/openssl.out 2>&1") == 0 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 or die "Can't create certificate for $name: $!\n"; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 $t->write_file('t', 'SEE-THIS'); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 $t->run(); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
122 like(http_get('/t'), qr/x:x/, 'plain connection'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
123 like(get('on'), qr/400 Bad Request/, 'no cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
124 like(get('optional'), qr/NONE:x/, 'no optional cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
125 like(get('optional', '1.example.com'), qr/400 Bad/, 'bad optional cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
126 like(get('optional_no_ca', '1.example.com'), qr/FAILED.*BEGIN/, |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
127 'bad optional_no_ca cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
128 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
129 like(get('localhost', '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
130 like(get('optional', '2.example.com'), qr/SUCCESS.*BEGI/, 'good cert optional'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
131 like(get('optional', '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
132 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
133 SKIP: { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
134 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
135 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
136 my $ca = join ' ', get('optional', '3.example.com'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
137 is($ca, '/CN=2.example.com', 'no trusted sent'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
138 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
139 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
140 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
141 like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected'); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 sub get { |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
146 my ($sni, $cert, $host) = @_; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 $host = $sni if !defined $host; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
150 my $dest_ip = inet_aton('127.0.0.1'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
151 my $dest_serv_params = sockaddr_in(port(8081), $dest_ip); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
152 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
153 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
154 connect($s, $dest_serv_params) or die "connect: $!"; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
155 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
156 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
157 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
158 or die if $cert; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
159 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
160 Net::SSLeay::set_tlsext_host_name($ssl, $sni) == 1 or die; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
161 Net::SSLeay::set_fd($ssl, fileno($s)); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
162 Net::SSLeay::connect($ssl) or die("ssl connect"); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
164 Net::SSLeay::write($ssl, 'GET /t HTTP/1.0' . CRLF); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
165 Net::SSLeay::write($ssl, "Host: $host" . CRLF . CRLF); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
166 my $buf = Net::SSLeay::read($ssl); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
167 log_in($buf); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
168 return $buf unless wantarray(); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
170 my $list = Net::SSLeay::get_client_CA_list($ssl); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
171 my @names; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
172 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
173 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
174 push @names, Net::SSLeay::X509_NAME_oneline($name); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
175 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
176 return @names; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 ############################################################################### |