Mercurial > hg > nginx-tests
annotate ssl_stapling.t @ 1969:3ba1668cea87
Tests: adjusted stream_ssl_alpn.t to handle old SSL libraries.
The "ssl_alpn" directive of the stream module requires an SSL library with
ALPN support, and startup fails if the directive is used in the configuration
but ALPN support is not available (notably, with OpenSSL before 1.0.2).
Restored try_run() to skip the test in this case.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 06 May 2024 00:03:01 +0300 |
| parents | 0a93f101925a |
| children | f3573393f36f |
| rev | line source |
|---|---|
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for OCSP stapling. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 use MIME::Base64 qw/ decode_base64 /; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
27 my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/) |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
28 ->has_daemon('openssl'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
30 eval { defined &Net::SSLeay::set_tlsext_status_type or die; }; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
31 plan(skip_all => 'Net::SSLeay too old') if $@; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
32 eval { defined &IO::Socket::SSL::SSL_OCSP_TRY_STAPLE or die; }; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
33 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
|
1400
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
34 |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
35 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
36 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
37 $t->plan(10)->write_file_expand('nginx.conf', <<'EOF'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 %%TEST_GLOBALS%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 daemon off; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 events { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 http { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 %%TEST_GLOBALS_HTTP%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 ssl_stapling on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 ssl_trusted_certificate trusted.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 |
|
1476
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
58 ssl_ciphers DEFAULT:ECCdraft; |
|
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
59 |
|
1867
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
60 add_header X-SSL-Protocol $ssl_protocol always; |
|
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
61 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 listen 127.0.0.1:8443 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 listen 127.0.0.1:8080; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 listen 127.0.0.1:8444 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 ssl_stapling_responder http://127.0.0.1:8081/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 listen 127.0.0.1:8445 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 ssl_stapling_verify on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 listen 127.0.0.1:8446 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 ssl_certificate ec-end.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 listen 127.0.0.1:8447 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 ssl_stapling_file %%TESTDIR%%/resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 listen 127.0.0.1:8448 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 ssl_stapling_file %%TESTDIR%%/ec-resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 listen 127.0.0.1:8449 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 ssl_stapling_responder http://127.0.0.1:8080/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 my $d = $t->testdir(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 my $p = port(8081); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 $t->write_file('openssl.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
125 default_bits = 2048 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 encrypt_key = no |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 distinguished_name = req_distinguished_name |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
128 x509_extensions = myca_extensions |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 [ req_distinguished_name ] |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
130 [ myca_extensions ] |
|
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
131 basicConstraints = critical,CA:TRUE |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 $t->write_file('ca.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 [ ca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 default_ca = myca |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 [ myca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 new_certs_dir = $d |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 database = $d/certindex |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
141 default_md = sha256 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 policy = myca_policy |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 serial = $d/certserial |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 default_days = 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 x509_extensions = myca_extensions |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 [ myca_policy ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 commonName = supplied |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 [ myca_extensions ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 basicConstraints = critical,CA:TRUE |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 foreach my $name ('root') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 system('openssl req -x509 -new ' |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
158 . "-out $d/$name.crt -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
159 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
160 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
161 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
162 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 foreach my $name ('int', 'end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 system("openssl req -new " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
166 . "-out $d/$name.csr -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
168 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
170 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 foreach my $name ('ec-end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 or die "Can't create EC param: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 system("openssl req -new -key $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 . "-out $d/$name.csr " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 $t->write_file('certserial', '1000'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 $t->write_file('certindex', ''); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
188 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
189 or die "Can't sign certificate for int: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
195 or die "Can't sign certificate for ec-end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
199 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
200 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 or die "Can't sign certificate for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 # RFC 6960, serialNumber |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 system("openssl x509 -in $d/end.crt -serial -noout " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 . ">>$d/serial 2>>$d/openssl.out") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 or die "Can't obtain serial for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
209 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
213 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
214 or die "Can't revoke end.crt: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
215 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
216 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
217 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
218 or die "Can't create OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
219 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
223 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
224 or die "Can't create OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
226 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 or die "Can't create EC OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
229 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
232 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 or die "Can't create EC OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
235 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
236 $t->write_file('trusted.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 $t->read_file('int.crt') . $t->read_file('root.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
238 $t->write_file('end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
239 $t->read_file('end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
240 $t->write_file('ec-end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
241 $t->read_file('ec-end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
242 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
243 $t->run_daemon(\&http_daemon, $t); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
244 $t->run(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
245 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
246 $t->waitforsocket("127.0.0.1:" . port(8081)); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
247 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
248 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
249 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
250 staple(8443, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
251 staple(8443, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
252 staple(8444, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
253 staple(8444, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
254 staple(8445, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
255 staple(8446, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
256 staple(8449, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
257 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
258 sleep 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
259 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
260 ok(!staple(8443, 'RSA'), 'staple revoked'); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
261 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
262 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
263 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
264 if $t->has_module('LibreSSL') && test_tls13(); |
|
1967
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
265 local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
266 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
267 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
268 ok(staple(8443, 'ECDSA'), 'staple success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
269 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
270 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
271 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
272 ok(!staple(8444, 'RSA'), 'responder revoked'); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
273 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
274 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
275 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
276 if $t->has_module('LibreSSL') && test_tls13(); |
|
1967
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
277 local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
278 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
279 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
280 ok(staple(8444, 'ECDSA'), 'responder success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
281 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
282 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
283 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
284 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
285 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
286 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
287 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
288 is(staple(8447, 'RSA'), '1 1', 'file revoked'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
289 is(staple(8448, 'ECDSA'), '1 0', 'file success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
290 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
291 ok(!staple(8449, 'ECDSA'), 'ocsp error'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
292 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
293 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
294 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1967
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
295 if $t->has_module('LibreSSL') |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
296 && !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
297 && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
298 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
299 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
300 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
301 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
302 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
303 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
304 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
305 sub staple { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
306 my ($port, $ciphers, $ca) = @_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
307 my (@resp); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
308 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
309 my $staple_cb = sub { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
310 my ($s, $resp) = @_; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
311 push @resp, !!$resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
312 return 1 unless $resp; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
313 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
314 # Contrary to the documentation, IO::Socket::SSL calls the |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
315 # SSL_ocsp_staple_callback with the socket, and not the |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
316 # Net::SSLeay object. |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
317 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
318 my $ssl = $s->_get_ssl_object(); |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
319 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
320 my $cert = Net::SSLeay::get_peer_certificate($ssl); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
321 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) } |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
322 or do { die "no OCSP_CERTID for certificate: $@"; }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
323 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
324 my @res = Net::SSLeay::OCSP_response_results($resp, $certid); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
325 push @resp, $res[0][2]->{'statusType'}; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
326 }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
327 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
328 my $ctx_cb = sub { |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
329 my $ctx = shift; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
330 return unless defined $ciphers; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
331 my $ssleay = Net::SSLeay::SSLeay(); |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
332 return if ($ssleay < 0x1000200f || $ssleay == 0x20000000); |
|
1871
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
333 my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256'); |
|
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
334 @sigalgs = ($ciphers . '+SHA256') unless $ciphers eq 'RSA'; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
335 # SSL_CTRL_SET_SIGALGS_LIST |
|
1871
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
336 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0]) |
|
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
337 or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1]) |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
338 or die("Failed to set sigalgs"); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
339 }; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
340 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
341 my $s = http_get( |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
342 '/', start => 1, PeerAddr => '127.0.0.1:' . port($port), |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
343 SSL => 1, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
344 SSL_cipher_list => $ciphers, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
345 SSL_create_ctx_callback => $ctx_cb, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
346 SSL_ocsp_staple_callback => $staple_cb, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
347 SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(), |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
348 SSL_ca_file => $ca |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
349 ); |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
350 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
351 return $s unless $s; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
352 return join ' ', @resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
353 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
354 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
355 sub test_tls13 { |
|
1867
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
356 return http_get('/', SSL => 1) =~ /TLSv1.3/; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
357 } |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
358 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
359 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
360 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
361 sub http_daemon { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
362 my ($t) = shift; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
363 my $server = IO::Socket::INET->new( |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
364 Proto => 'tcp', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
365 LocalHost => "127.0.0.1:" . port(8081), |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
366 Listen => 5, |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
367 Reuse => 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
368 ) |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
369 or die "Can't create listening socket: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
370 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
371 local $SIG{PIPE} = 'IGNORE'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
372 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
373 while (my $client = $server->accept()) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
374 $client->autoflush(1); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
375 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
376 my $headers = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
377 my $uri = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
378 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
379 while (<$client>) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
380 $headers .= $_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
381 last if (/^\x0d?\x0a?$/); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
382 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
383 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
384 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
385 next unless $uri; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
386 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
387 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
388 my $req = decode_base64($uri); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
389 my $resp = index($req, $serial) > 0 ? 'resp' : 'ec-resp'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
390 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
391 # ocsp dummy handler |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
392 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
393 select undef, undef, undef, 0.02; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
394 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
395 $headers = <<"EOF"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
396 HTTP/1.1 200 OK |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
397 Connection: close |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
398 Content-Type: application/ocsp-response |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
399 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
400 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
401 |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
402 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
403 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
404 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
405 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
406 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
407 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
408 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
409 print $client $headers . $content; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
410 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
411 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
412 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
413 ############################################################################### |