Mercurial > hg > nginx-tests
annotate ssl_sni.t @ 1728:6d5ecf445e57
Tests: added HTTP/2 test with big request body.
Notably, it is useful with body buffering in filters, in which case
the stream window is flow controlled based on the preread buffer.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Sat, 04 Sep 2021 14:50:02 +0300 |
| parents | 144c6ce732e4 |
| children | db6fd9184fa0 |
| rev | line source |
|---|---|
| 237 | 1 #!/usr/bin/perl |
| 2 | |
| 3 # (C) Maxim Dounin | |
| 4 # (C) Valentin Bartenev | |
| 5 | |
| 6 # Tests for Server Name Indication (SNI) TLS extension | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 16 | |
| 17 use lib 'lib'; | |
| 18 use Test::Nginx; | |
| 19 | |
| 20 ############################################################################### | |
| 21 | |
| 22 select STDERR; $| = 1; | |
| 23 select STDOUT; $| = 1; | |
| 24 | |
| 25 my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite/) | |
| 26 ->has_daemon('openssl') | |
| 27 ->write_file_expand('nginx.conf', <<'EOF'); | |
| 28 | |
| 29 %%TEST_GLOBALS%% | |
| 30 | |
|
249
6a0d934950bc
Tests: remove extra spaces in "daemon off".
Maxim Dounin <mdounin@mdounin.ru>
parents:
246
diff
changeset
|
31 daemon off; |
| 237 | 32 |
| 33 events { | |
| 34 } | |
| 35 | |
| 36 http { | |
| 37 %%TEST_GLOBALS_HTTP%% | |
| 38 | |
| 39 server { | |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
40 listen 127.0.0.1:8080 ssl; |
| 237 | 41 server_name localhost; |
| 42 | |
| 43 ssl_certificate_key localhost.key; | |
| 44 ssl_certificate localhost.crt; | |
| 45 | |
| 46 location / { | |
| 47 return 200 $server_name; | |
| 48 } | |
|
1478
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
49 |
|
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
50 location /protocol { |
|
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
51 return 200 $ssl_protocol; |
|
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
52 } |
| 237 | 53 } |
| 54 | |
| 55 server { | |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
56 listen 127.0.0.1:8080; |
| 237 | 57 server_name example.com; |
| 58 | |
| 59 ssl_certificate_key example.com.key; | |
| 60 ssl_certificate example.com.crt; | |
| 61 | |
| 62 location / { | |
| 63 return 200 $server_name; | |
| 64 } | |
| 65 } | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
66 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
67 server { |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
68 listen 127.0.0.1:8081 ssl; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
69 server_name localhost; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
70 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
71 ssl_certificate_key localhost.key; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
72 ssl_certificate localhost.crt; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
73 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
74 location / { |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
75 return 200 $ssl_session_reused:$ssl_server_name; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
76 } |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
77 } |
| 237 | 78 } |
| 79 | |
| 80 EOF | |
| 81 | |
| 82 eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 1.56; }; | |
| 83 plan(skip_all => 'IO::Socket::SSL version >= 1.56 required') if $@; | |
| 84 | |
|
243
de7338227832
Tests: removed trailing spaces.
Homutov Vladimir <vl@nginx.com>
parents:
237
diff
changeset
|
85 eval { |
|
305
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
86 if (IO::Socket::SSL->can('can_client_sni')) { |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
87 IO::Socket::SSL->can_client_sni() or die; |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
88 } |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
89 }; |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
90 plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@; |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
91 |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
92 eval { |
| 237 | 93 my $ctx = Net::SSLeay::CTX_new() or die; |
| 94 my $ssl = Net::SSLeay::new($ctx) or die; | |
| 95 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; | |
| 96 }; | |
| 97 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; | |
| 98 | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
99 $t->plan(8); |
| 237 | 100 |
| 101 $t->write_file('openssl.conf', <<EOF); | |
| 102 [ req ] | |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1478
diff
changeset
|
103 default_bits = 2048 |
| 237 | 104 encrypt_key = no |
| 105 distinguished_name = req_distinguished_name | |
| 106 [ req_distinguished_name ] | |
| 107 EOF | |
| 108 | |
| 109 my $d = $t->testdir(); | |
| 110 | |
| 111 foreach my $name ('localhost', 'example.com') { | |
| 112 system('openssl req -x509 -new ' | |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
113 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
114 . "-out $d/$name.crt -keyout $d/$name.key " |
| 237 | 115 . ">>$d/openssl.out 2>&1") == 0 |
| 116 or die "Can't create certificate for $name: $!\n"; | |
| 117 } | |
| 118 | |
| 119 $t->run(); | |
| 120 | |
| 121 ############################################################################### | |
| 122 | |
| 123 like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); | |
| 124 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); | |
| 125 | |
| 126 like(https_get_host('example.com'), qr!example.com!, | |
| 127 'host exists, sni exists, and host is equal sni'); | |
| 128 | |
| 129 like(https_get_host('example.com', 'example.org'), qr!example.com!, | |
| 130 'host exists, sni not found'); | |
| 131 | |
| 132 TODO: { | |
| 133 local $TODO = 'sni restrictions'; | |
| 134 | |
| 135 like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, | |
| 136 'host exists, sni exists, and host is not equal sni'); | |
| 137 | |
| 138 like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, | |
| 139 'host not found, sni exists'); | |
| 140 | |
| 141 } | |
| 142 | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
143 # $ssl_server_name in sessions |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
144 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
145 my $ctx = new IO::Socket::SSL::SSL_Context( |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
146 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
147 SSL_session_cache_size => 100); |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
148 |
|
1450
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
149 like(get('/', 'localhost', 8081, $ctx), qr/^\.:localhost$/m, 'ssl server name'); |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
150 |
|
1478
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
151 SKIP: { |
|
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
152 skip 'no TLS 1.3 sessions', 1 if get('/protocol', 'localhost') =~ /TLSv1.3/ |
|
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
153 && ($Net::SSLeay::VERSION < 1.88 || $IO::Socket::SSL::VERSION < 2.061); |
|
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1450
diff
changeset
|
154 |
|
1450
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
155 like(get('/', 'localhost', 8081, $ctx), qr/^r:localhost$/m, |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
156 'ssl server name - reused'); |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
157 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
158 } |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
159 |
| 237 | 160 ############################################################################### |
| 161 | |
| 162 sub get_ssl_socket { | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
163 my ($host, $port, $ctx) = @_; |
| 237 | 164 my $s; |
| 165 | |
| 166 eval { | |
| 167 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 168 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
|
1421
4e48bf51714f
Tests: aligned various generic read timeouts to http_end().
Sergey Kandaurov <pluknet@nginx.com>
parents:
1407
diff
changeset
|
169 alarm(8); |
| 237 | 170 $s = IO::Socket::SSL->new( |
| 171 Proto => 'tcp', | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
172 PeerAddr => '127.0.0.1:' . port($port || 8080), |
| 237 | 173 SSL_hostname => $host, |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
174 SSL_reuse_ctx => $ctx, |
|
246
6072306b7924
Tests: set SSL_verify_mode explicitly.
Homutov Vladimir <vl@nginx.com>
parents:
243
diff
changeset
|
175 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 237 | 176 SSL_error_trap => sub { die $_[1] } |
| 177 ); | |
| 178 alarm(0); | |
| 179 }; | |
| 180 alarm(0); | |
| 181 | |
| 182 if ($@) { | |
| 183 log_in("died: $@"); | |
| 184 return undef; | |
| 185 } | |
| 186 | |
| 187 return $s; | |
| 188 } | |
| 189 | |
| 190 sub get_cert_cn { | |
| 191 my ($host) = @_; | |
| 192 my $s = get_ssl_socket($host); | |
| 193 | |
| 194 return $s->dump_peer_certificate(); | |
| 195 } | |
| 196 | |
| 197 sub https_get_host { | |
|
243
de7338227832
Tests: removed trailing spaces.
Homutov Vladimir <vl@nginx.com>
parents:
237
diff
changeset
|
198 my ($host, $sni) = @_; |
| 237 | 199 my $s = get_ssl_socket($sni ? $sni : $host); |
| 200 | |
| 201 return http(<<EOF, socket => $s); | |
| 202 GET / HTTP/1.0 | |
| 203 Host: $host | |
| 204 | |
| 205 EOF | |
| 206 } | |
| 207 | |
|
1450
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
208 sub get { |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
209 my ($uri, $host, $port, $ctx) = @_; |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
210 my $s = get_ssl_socket($host, $port, $ctx) or return; |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
211 my $r = http_get($uri, socket => $s); |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
212 $s->close(); |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
213 return $r; |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
214 } |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
215 |
| 237 | 216 ############################################################################### |