annotate stream_ssl_verify_client.t @ 1843:818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 23 Mar 2023 19:50:19 +0300 |
parents | fd440d324700 |
children | dbb7561a9441 |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Andrey Zelenkov
# (C) Nginx, Inc.

# Tests for stream ssl module, ssl_verify_client.

###############################################################################

use warnings;
use strict;

use Test::More;

# Change into the directory holding this script so that the relative 'lib'
# path below resolves regardless of where the test is started from.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::Stream qw/ stream /;

###############################################################################

# Enable autoflush on STDERR and STDOUT; STDOUT is left as the selected handle.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Net::SSLeay is the TLS client used by get().  It is loaded and initialised
# inside eval so that any failure here skips the whole file instead of
# failing it (the skip message assumes the cause is a missing module).
eval {
    require Net::SSLeay;
    Net::SSLeay::load_error_strings();
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    Net::SSLeay::randomize();
};
plan(skip_all => 'Net::SSLeay not installed') if $@;

# Requirements declared to the harness: the stream, stream_ssl and
# stream_return nginx modules, plus an openssl binary, which is used further
# down to generate the test certificates.
my $t = Test::Nginx->new()->has(qw/stream stream_ssl stream_return/)
    ->has_daemon('openssl');
# nginx.conf under test.  Every server uses 1.example.com as the server
# certificate; the servers differ in how client certificates are handled:
#   8080  listener without "ssl"; the test expects ':' from it, i.e. both
#         $ssl_client_* variables are empty -- ssl_verify_client has nothing
#         to verify when the listener does not speak TLS
#   8081  ssl_verify_client on, client CA 2.example.com; session status is
#         written to status.log
#   8082  ssl_verify_client optional, client CA 2.example.com plus
#         ssl_trusted_certificate 3.example.com
#   8083  ssl_verify_client optional_no_ca
#   8084  no client verification; returns $ssl_protocol for test_tls13()
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

stream {
    %%TEST_GLOBALS_STREAM%%

    log_format status $status;

    ssl_certificate_key 1.example.com.key;
    ssl_certificate 1.example.com.crt;

    server {
        listen 127.0.0.1:8080;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;

        access_log %%TESTDIR%%/status.log status;
    }

    server {
        listen 127.0.0.1:8082 ssl;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client optional;
        ssl_client_certificate 2.example.com.crt;
        ssl_trusted_certificate 3.example.com.crt;
    }

    server {
        listen 127.0.0.1:8083 ssl;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client optional_no_ca;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8084 ssl;
        return $ssl_protocol;
    }
}

EOF

# Minimal "openssl req" configuration: 2048-bit keys and an empty
# distinguished-name section (the subject is given on the command line).
# encrypt_key = no writes the private keys unencrypted, which is acceptable
# only because they are throwaway keys kept in the test directory.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
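# Test directory of this run; certificates, keys and openssl output are
# written here, and get() reads client certificates from it.
my $d = $t->testdir();

# Generate one self-signed certificate and key per name.  1.example.com is
# the server certificate, 2.example.com and 3.example.com are the CAs
# referenced by ssl_client_certificate / ssl_trusted_certificate.
#
# The command is passed to the shell as a single string because it relies
# on output redirection.  $name comes from the literal list below and $d
# from the harness, so nothing here is externally supplied; keep it that
# way, since neither value is quoted.
foreach my $name ('1.example.com', '2.example.com', '3.example.com') {
    my $status = system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1");

    next if $status == 0;

    # $! is only meaningful when the command could not be started at all
    # (system() returned -1); otherwise report the wait status and point
    # at the captured openssl output.
    my $reason = $status == -1
        ? "cannot execute openssl: $!"
        : "openssl failed with wait status $status, see $d/openssl.out";
    die "Can't create certificate for $name: $reason\n";
}

# Start nginx with the configuration above and declare the 10 tests below.
$t->run()->plan(10);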
###############################################################################

# Port 8080 is not a TLS listener, so both $ssl_client_* variables are empty
# and only the ':' separator comes back, despite "ssl_verify_client on".
is(stream('127.0.0.1:' . port(8080))->read(), ':', 'plain connection');

# Clients that must get nothing back: no certificate where one is required,
# and a certificate not issued by a configured CA where one is optional.
is(get(8081), '', 'no cert');
is(get(8082, '1.example.com'), '', 'bad optional cert');
# Optional verification without a certificate: the session is served and
# $ssl_client_verify reads NONE.
is(get(8082), 'NONE:', 'no optional cert');
# optional_no_ca: the same untrusted certificate is reported as FAILED, yet
# the session is served and the PEM certificate is exposed.  In this mode
# nginx does not reject the client; whatever consumes $ssl_client_verify
# has to make the decision.
like(get(8083, '1.example.com'), qr/FAILED.*BEGIN/, 'bad optional_no_ca cert');

# Certificates matching ssl_client_certificate (2.example.com) or
# ssl_trusted_certificate (3.example.com) verify successfully.
like(get(8081, '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert');
like(get(8082, '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert optional');
like(get(8082, '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted');

SKIP: {
skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;

TODO: {
# Marked TODO when nginx is built with LibreSSL and the connection
# negotiates TLSv1.3.
local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
    if $t->has_module('LibreSSL') && test_tls13();

# In list context get() returns the CA names the server sent to the client.
# Only the ssl_client_certificate subject is expected: the
# ssl_trusted_certificate CA (3.example.com) is accepted for verification,
# as 'good cert trusted' shows, but must not be disclosed in the list.
my $ca = join ' ', get(8082, '3.example.com');
is($ca, '/CN=2.example.com', 'no trusted sent');

}
}

$t->stop();

# status.log is written only by the 8081 server and is read after nginx has
# been stopped.  Two sessions were opened to that port above; the expected
# content is 500 for the one without a certificate followed by 200 for the
# one with a good certificate.
is($t->read_file('status.log'), "500\n200\n", 'log');

###############################################################################
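# test_tls13() - true when a TLS connection to the 8084 server, which
# returns $ssl_protocol, reports TLSv1.3.
#
# get() is called in scalar context, so the data read from the server is
# what gets matched.  The dot is escaped so that only the literal protocol
# name matches.
sub test_tls13 {
    my $proto = get(8084);
    return $proto =~ /TLSv1\.3/;
}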
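# get($port, $cert) - open a TLS connection to the test server on $port and
# read its reply.
#
#   $port  port number as written in nginx.conf; mapped through port()
#   $cert  optional base name of a client certificate; "$d/$cert.crt" and
#          "$d/$cert.key" are presented to the server when it is given
#
# Returns the data read from the server in scalar context (the form used by
# the is()/like() checks in this file), or the list of CA names the server
# sent to the client in list context.  Dies when the connection, the TLS
# objects or the client certificate cannot be set up.
#
# No verify mode is set on the context, so the server certificate is not
# validated.  That is fine against a loopback test server with a
# self-signed certificate, but not a pattern to copy into a real client.
sub get {
    my ($port, $cert) = @_;

    # Fail with a clear message instead of passing an undefined socket on.
    my $s = IO::Socket::INET->new('127.0.0.1:' . port($port))
        or die("Can't connect to nginx: $!\n");

    my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
    if ($cert) {
        Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
            or die("Failed to load client certificate $cert");
    }
    my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
    Net::SSLeay::set_fd($ssl, fileno($s));
    Net::SSLeay::connect($ssl) or die("ssl connect");

    my $buf = Net::SSLeay::read($ssl);
    log_in($buf);
    return $buf unless wantarray();

    # List context: collect the one-line form of every name in the CA list
    # received from the server.
    my $list = Net::SSLeay::get_client_CA_list($ssl);
    my @names;
    for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) {
        my $name = Net::SSLeay::sk_X509_NAME_value($list, $i);
        push @names, Net::SSLeay::X509_NAME_oneline($name);
    }
    return @names;
}

###############################################################################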