Mercurial > hg > nginx-tests
annotate ssl_verify_depth.t @ 1619:436d0ffc2ea3
Tests: correctly shutdown ssl for reproducible session reuse tests.
Previously, session reuse tests in stream_ssl_certificate.t were prone
to testing errors, since the client doesn't write any application data
before closing a connection, which is done so to pass tests on win32.
In this case, the server may happened to get an unexpected eof meaning
that it will abandon that session. This is specific to stream testing
pattern, changes to ssl_certificate.t are applied too for consistency.
This is also specific to SSL_R_UNEXPECTED_EOF_WHILE_READING, which is
implemented in OpenSSL 3.0.0.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Mon, 23 Nov 2020 22:46:06 +0000 |
| parents | bad6aa24ec10 |
| children | b28f88e352dd |
| rev | line source |
|---|---|
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_depth. |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 select STDERR; $| = 1; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDOUT; $| = 1; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 eval { require IO::Socket::SSL; }; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
28 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/) |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
31 ->has_daemon('openssl')->plan(9); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 $t->write_file_expand('nginx.conf', <<'EOF'); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 %%TEST_GLOBALS%% |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 daemon off; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 events { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 http { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 %%TEST_GLOBALS_HTTP%% |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 ssl_certificate localhost.crt; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
46 ssl_certificate_key localhost.key; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
|
1117
3e2af4dedd9c
Tests: ssl_verify_depth.t cleanup.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1115
diff
changeset
|
48 ssl_verify_client on; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
49 ssl_client_certificate root-int.crt; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
51 add_header X-Client $ssl_client_s_dn always; |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
52 add_header X-Verify $ssl_client_verify always; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 server { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 listen 127.0.0.1:8080 ssl; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 server_name localhost; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
57 ssl_verify_depth 0; |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
58 } |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
59 |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
60 server { |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
61 listen 127.0.0.1:8081 ssl; |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
62 server_name localhost; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
63 ssl_verify_depth 1; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
64 } |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
65 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
66 server { |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
67 listen 127.0.0.1:8082 ssl; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
68 server_name localhost; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
69 ssl_verify_depth 2; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 EOF |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 my $d = $t->testdir(); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 $t->write_file('openssl.conf', <<EOF); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
79 default_bits = 2048 |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 encrypt_key = no |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 distinguished_name = req_distinguished_name |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 [ req_distinguished_name ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 EOF |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 $t->write_file('ca.conf', <<EOF); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 [ ca ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 default_ca = myca |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 [ myca ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 new_certs_dir = $d |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 database = $d/certindex |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
92 default_md = sha256 |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 policy = myca_policy |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 serial = $d/certserial |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 default_days = 1 |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
96 x509_extensions = myca_extensions |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 [ myca_policy ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 commonName = supplied |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
100 |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
101 [ myca_extensions ] |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
102 basicConstraints = critical,CA:TRUE |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 EOF |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 foreach my $name ('root', 'localhost') { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 system('openssl req -x509 -new ' |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
107 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
108 . "-out $d/$name.crt -keyout $d/$name.key " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 or die "Can't create certificate for $name: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
113 foreach my $name ('int', 'end') { |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 system("openssl req -new " |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
115 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
116 . "-out $d/$name.csr -keyout $d/$name.key " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 or die "Can't create certificate for $name: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 $t->write_file('certserial', '1000'); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 $t->write_file('certindex', ''); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
124 system("openssl ca -batch -config $d/ca.conf " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
125 . "-keyfile $d/root.key -cert $d/root.crt " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
126 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 or die "Can't sign certificate for int: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
130 system("openssl ca -batch -config $d/ca.conf " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
131 . "-keyfile $d/int.key -cert $d/int.crt " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
132 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 or die "Can't sign certificate for end: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
136 $t->write_file('root-int.crt', $t->read_file('root.crt') |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
137 . $t->read_file('int.crt')); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 $t->write_file('t', ''); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 $t->run(); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
144 # with verify depth 0, only self-signed certificates should |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
145 # be allowed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
146 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
147 # OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
148 # as a result, it is not possible to limit certificate checking |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
149 # to self-signed certificates only when using OpenSSL 1.1.0+ |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
150 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
151 like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
152 like(get(8080, 'int'), qr/FAI|SUC/, 'verify depth 0 - no int'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
153 like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
154 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
155 # with verify depth 1 (the default), one signature is |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
156 # expected to be checked, so certificates directly signed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
157 # by the root cert are allowed, but nothing more |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
158 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
159 # OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
160 # so with depth 1 it is possible to validate not only directly signed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
161 # certificates, but also chains with one intermediate certificate |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
162 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
163 like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
164 like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 - int'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
165 like(get(8081, 'end'), qr/FAI|SUC/, 'verify depth 1 - no end'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
166 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
167 # with verify depth 2 it is also possible to validate up to two signatures, |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
168 # so chains with one intermediate certificate are allowed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
169 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
170 like(get(8082, 'root'), qr/SUCCESS/, 'verify depth 2 - root'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
171 like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 2 - int'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
172 like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 - end'); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 sub get { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 my ($port, $cert) = @_; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 my $s = get_ssl_socket($port, $cert) or return; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
179 http_get("/t?$cert", socket => $s); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 sub get_ssl_socket { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 my ($port, $cert) = @_; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 my ($s); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 eval { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 local $SIG{ALRM} = sub { die "timeout\n" }; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
188 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
|
1421
4e48bf51714f
Tests: aligned various generic read timeouts to http_end().
Sergey Kandaurov <pluknet@nginx.com>
parents:
1407
diff
changeset
|
189 alarm(8); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 $s = IO::Socket::SSL->new( |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 Proto => 'tcp', |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 PeerAddr => '127.0.0.1', |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 PeerPort => port($port), |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
195 SSL_cert_file => "$d/$cert.crt", |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 SSL_key_file => "$d/$cert.key", |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 SSL_error_trap => sub { die $_[1] } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 ); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
199 alarm(0); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
200 }; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 alarm(0); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 if ($@) { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 log_in("died: $@"); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 return undef; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 return $s; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
209 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 ############################################################################### |