annotate ssl_sni.t @ 1248:70192b1baf01
Tests: added exception test to stream_js.t using 'require'.
The stream js tests introduced in edf5a3c9e36a fail on njs 0.1.14. It doesn't
currently provide an easy way to check its version, while we still need to
handle such cases gracefully somehow. With the added 'require', the tests
are now skipped instead on the previous versions.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Tue, 21 Nov 2017 13:16:39 +0300 |
parents | 0af58b78df35 |
children | 8c764fd93b5e |
#!/usr/bin/perl

# (C) Maxim Dounin
# (C) Valentin Bartenev

# Tests for Server Name Indication (SNI) TLS extension
#
# Two virtual servers share a single ssl-enabled listen socket.  Which
# server handles a TLS handshake depends on the SNI host name sent by
# the client; each server answers with its own $server_name so the tests
# can observe which one was selected.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

# "sni" requires an nginx built with SNI support; "rewrite" is needed for
# the "return" directive in the config.  The openssl binary generates the
# self-signed test certificates further below.
#
# In the config below the first server on 127.0.0.1:8080 is the default
# one (used when no SNI name, or an unknown one, is sent); the second one
# is selected only for SNI "example.com".  Its listen omits "ssl" --
# presumably inherited from the first listen on the same address:port.
my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite/)
	->has_daemon('openssl')
	->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    server {
        listen       127.0.0.1:8080 ssl;
        server_name  localhost;

        ssl_certificate_key localhost.key;
        ssl_certificate localhost.crt;

        location / {
            return 200 $server_name;
        }
    }

    server {
        listen       127.0.0.1:8080;
        server_name  example.com;

        ssl_certificate_key example.com.key;
        ssl_certificate example.com.crt;

        location / {
            return 200 $server_name;
        }
    }
}

EOF
65 | |
# The client side must support SNI as well.  Each probe below dies on a
# missing prerequisite, and the whole file is then skipped rather than
# failing on a client that cannot send the extension.

# 1.56 is the minimum IO::Socket::SSL version this test relies on for
# SNI (the SSL_hostname option used in get_ssl_socket()).
eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 1.56; };
plan(skip_all => 'IO::Socket::SSL version >= 1.56 required') if $@;

# can_client_sni() is only present in newer IO::Socket::SSL releases; when
# it is missing, the Net::SSLeay probe below is the only remaining check.
eval {
	if (IO::Socket::SSL->can('can_client_sni')) {
		IO::Socket::SSL->can_client_sni() or die;
	}
};
plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@;

# Probe OpenSSL directly (Net::SSLeay is presumably loaded by
# IO::Socket::SSL above): setting the TLS extension host name on a fresh
# SSL object does not return 1 on builds without SNI support.
eval {
	my $ctx = Net::SSLeay::CTX_new() or die;
	my $ssl = Net::SSLeay::new($ctx) or die;
	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;

# Six like() assertions follow.
$t->plan(6);
84 | |
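# Minimal OpenSSL request configuration for the self-signed test
# certificates; "encrypt_key = no" leaves the private keys unencrypted so
# nginx can load them without a passphrase.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 1024
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# One self-signed certificate per server_name, with that name as CN, so
# the tests can tell from the presented certificate which server answered.
# The command goes through a shell because of the output redirection; the
# only interpolated values are the harness-created test directory and the
# two fixed names, so no untrusted data reaches the shell.
foreach my $name ('localhost', 'example.com') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		# $! only describes a failure to start the command ($? == -1);
		# when openssl itself fails, report its exit status instead.
		or die "Can't create certificate for $name: "
			. ($? == -1 ? $! : 'exit status ' . ($? >> 8)) . "\n";
}

$t->run();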
104 | |
105 ############################################################################### | |
106 | |
# Certificate selection: without an SNI name the default (first) server's
# certificate is presented; with SNI "example.com" the matching server's.
like(get_cert_cn(), qr!/CN=localhost!, 'default cert');
like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert');

# Request routing: once the connection is up, the Host header selects the
# server for the HTTP request, even when the SNI name matched no server.
like(https_get_host('example.com'), qr!example.com!,
	'host exists, sni exists, and host is equal sni');

like(https_get_host('example.com', 'example.org'), qr!example.com!,
	'host exists, sni not found');

# Marked TODO: these are expected to fail until nginx rejects requests
# whose Host does not match the SNI name the connection was set up with.
TODO: {
local $TODO = 'sni restrictions';

like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!,
	'host exists, sni exists, and host is not equal sni');

like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!,
	'host not found, sni exists');

}
126 | |
127 ############################################################################### | |
128 | |
# Opens a TLS connection to the test server, sending $host as the SNI
# name (undef means no explicit SNI name; the 'default cert' test relies
# on that).  Returns the connected IO::Socket::SSL object, or undef when
# the handshake fails or does not complete within two seconds; the
# failure is logged via log_in().
sub get_ssl_socket {
	my ($host) = @_;
	my $s;

	eval {
		# Bound the handshake so a server that never answers cannot hang
		# the whole test file.  SIGPIPE is turned into an exception too,
		# so a peer closing early is reported instead of killing us.
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(2);
		$s = IO::Socket::SSL->new(
			Proto => 'tcp',
			PeerAddr => '127.0.0.1:' . port(8080),
			SSL_hostname => $host,
			# The test certificates are self-signed and only the presented
			# CN is checked, so peer verification is deliberately off.
			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
			# Turn SSL-level errors into exceptions caught by this eval.
			SSL_error_trap => sub { die $_[1] }
		);
		alarm(0);
	};
	# Cancel the alarm on the error path as well, so a pending SIGALRM
	# cannot fire later in the test.
	alarm(0);

	if ($@) {
		log_in("died: $@");
		return undef;
	}

	return $s;
}
155 | |
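# Connects with $host as the SNI name and returns the textual dump of the
# certificate the server presented (IO::Socket::SSL's
# dump_peer_certificate(), whose subject line carries the "/CN=..." the
# tests match on).  Returns undef when no connection could be made, so
# the calling like() fails instead of the whole file dying on a method
# call on undef.
sub get_cert_cn {
	my ($host) = @_;
	my $s = get_ssl_socket($host);

	# An explicit undef (not a bare "return") is required: the callers
	# evaluate this in list context inside like(), where an empty list
	# would shift the remaining arguments.
	return undef unless defined $s;

	return $s->dump_peer_certificate();
}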
162 | |
# Sends a plain HTTP/1.0 GET over a TLS connection and returns the raw
# response.  $sni is the name sent in the SNI extension and defaults to
# $host; $host always goes into the Host header, so passing both lets the
# tests combine matching and mismatching SNI/Host pairs.
sub https_get_host {
	my ($host, $sni) = @_;
	my $server_name = $sni || $host;
	my $s = get_ssl_socket($server_name);

	# Request line, Host header, and the empty line that ends the headers.
	my $request = join "\n", 'GET / HTTP/1.0', "Host: $host", '', '';

	return http($request, socket => $s);
}
173 | |
174 ############################################################################### |