Mercurial > hg > nginx-tests
annotate ssl_sni.t @ 1477:8b122b35703b
Tests: fixed session reuse tests in ssl_certificate.t with TLSv1.3.
Previously, session data was retrieved too early, before server passed
application data, which usually means NewSessionTicket is not yet sent.
The fix is to ask server for application data, then retrieve a session.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Mon, 20 May 2019 16:00:40 +0300 |
| parents | 5f53a1d6b83c |
| children | f9718a0773b9 |
| rev | line source |
|---|---|
| 237 | 1 #!/usr/bin/perl |
| 2 | |
| 3 # (C) Maxim Dounin | |
| 4 # (C) Valentin Bartenev | |
| 5 | |
| 6 # Tests for Server Name Indication (SNI) TLS extension | |
| 7 | |
| 8 ############################################################################### | |
| 9 | |
| 10 use warnings; | |
| 11 use strict; | |
| 12 | |
| 13 use Test::More; | |
| 14 | |
| 15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 16 | |
| 17 use lib 'lib'; | |
| 18 use Test::Nginx; | |
| 19 | |
| 20 ############################################################################### | |
| 21 | |
| 22 select STDERR; $| = 1; | |
| 23 select STDOUT; $| = 1; | |
| 24 | |
| 25 my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite/) | |
| 26 ->has_daemon('openssl') | |
| 27 ->write_file_expand('nginx.conf', <<'EOF'); | |
| 28 | |
| 29 %%TEST_GLOBALS%% | |
| 30 | |
|
249
6a0d934950bc
Tests: remove extra spaces in "daemon off".
Maxim Dounin <mdounin@mdounin.ru>
parents:
246
diff
changeset
|
31 daemon off; |
| 237 | 32 |
| 33 events { | |
| 34 } | |
| 35 | |
| 36 http { | |
| 37 %%TEST_GLOBALS_HTTP%% | |
| 38 | |
| 39 server { | |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
40 listen 127.0.0.1:8080 ssl; |
| 237 | 41 server_name localhost; |
| 42 | |
| 43 ssl_certificate_key localhost.key; | |
| 44 ssl_certificate localhost.crt; | |
| 45 | |
| 46 location / { | |
| 47 return 200 $server_name; | |
| 48 } | |
| 49 } | |
| 50 | |
| 51 server { | |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
52 listen 127.0.0.1:8080; |
| 237 | 53 server_name example.com; |
| 54 | |
| 55 ssl_certificate_key example.com.key; | |
| 56 ssl_certificate example.com.crt; | |
| 57 | |
| 58 location / { | |
| 59 return 200 $server_name; | |
| 60 } | |
| 61 } | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
62 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
63 server { |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
64 listen 127.0.0.1:8081 ssl; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
65 server_name localhost; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
66 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
67 ssl_certificate_key localhost.key; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
68 ssl_certificate localhost.crt; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
69 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
70 location / { |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
71 return 200 $ssl_session_reused:$ssl_server_name; |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
72 } |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
73 } |
| 237 | 74 } |
| 75 | |
| 76 EOF | |
| 77 | |
| 78 eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 1.56; }; | |
| 79 plan(skip_all => 'IO::Socket::SSL version >= 1.56 required') if $@; | |
| 80 | |
|
243
de7338227832
Tests: removed trailing spaces.
Homutov Vladimir <vl@nginx.com>
parents:
237
diff
changeset
|
81 eval { |
|
305
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
82 if (IO::Socket::SSL->can('can_client_sni')) { |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
83 IO::Socket::SSL->can_client_sni() or die; |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
84 } |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
85 }; |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
86 plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@; |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
87 |
|
f4aab0e66ed0
Tests: better handle the lack of client side SNI support.
Sergey Kandaurov <pluknet@nginx.com>
parents:
249
diff
changeset
|
88 eval { |
| 237 | 89 my $ctx = Net::SSLeay::CTX_new() or die; |
| 90 my $ssl = Net::SSLeay::new($ctx) or die; | |
| 91 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; | |
| 92 }; | |
| 93 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; | |
| 94 | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
95 $t->plan(8); |
| 237 | 96 |
| 97 $t->write_file('openssl.conf', <<EOF); | |
| 98 [ req ] | |
|
1116
8ef51dbb5d69
Tests: reduced OpenSSL default key length to 1024.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
99 default_bits = 1024 |
| 237 | 100 encrypt_key = no |
| 101 distinguished_name = req_distinguished_name | |
| 102 [ req_distinguished_name ] | |
| 103 EOF | |
| 104 | |
| 105 my $d = $t->testdir(); | |
| 106 | |
| 107 foreach my $name ('localhost', 'example.com') { | |
| 108 system('openssl req -x509 -new ' | |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
109 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
110 . "-out $d/$name.crt -keyout $d/$name.key " |
| 237 | 111 . ">>$d/openssl.out 2>&1") == 0 |
| 112 or die "Can't create certificate for $name: $!\n"; | |
| 113 } | |
| 114 | |
| 115 $t->run(); | |
| 116 | |
| 117 ############################################################################### | |
| 118 | |
| 119 like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); | |
| 120 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); | |
| 121 | |
| 122 like(https_get_host('example.com'), qr!example.com!, | |
| 123 'host exists, sni exists, and host is equal sni'); | |
| 124 | |
| 125 like(https_get_host('example.com', 'example.org'), qr!example.com!, | |
| 126 'host exists, sni not found'); | |
| 127 | |
| 128 TODO: { | |
| 129 local $TODO = 'sni restrictions'; | |
| 130 | |
| 131 like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, | |
| 132 'host exists, sni exists, and host is not equal sni'); | |
| 133 | |
| 134 like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, | |
| 135 'host not found, sni exists'); | |
| 136 | |
| 137 } | |
| 138 | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
139 # $ssl_server_name in sessions |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
140 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
141 my $ctx = new IO::Socket::SSL::SSL_Context( |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
142 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
143 SSL_session_cache_size => 100); |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
144 |
|
1450
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
145 like(get('/', 'localhost', 8081, $ctx), qr/^\.:localhost$/m, 'ssl server name'); |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
146 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
147 TODO: { |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
148 local $TODO = 'not yet' if $t->has_module('OpenSSL (1.1.1|3)') |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
149 && !$t->has_version('1.15.10'); |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
150 |
|
1450
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
151 like(get('/', 'localhost', 8081, $ctx), qr/^r:localhost$/m, |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
152 'ssl server name - reused'); |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
153 |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
154 } |
|
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
155 |
| 237 | 156 ############################################################################### |
| 157 | |
| 158 sub get_ssl_socket { | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
159 my ($host, $port, $ctx) = @_; |
| 237 | 160 my $s; |
| 161 | |
| 162 eval { | |
| 163 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 164 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
|
1421
4e48bf51714f
Tests: aligned various generic read timeouts to http_end().
Sergey Kandaurov <pluknet@nginx.com>
parents:
1407
diff
changeset
|
165 alarm(8); |
| 237 | 166 $s = IO::Socket::SSL->new( |
| 167 Proto => 'tcp', | |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
168 PeerAddr => '127.0.0.1:' . port($port || 8080), |
| 237 | 169 SSL_hostname => $host, |
|
1449
eeababfd8726
Tests: moved $ssl_server_name tests in http to ssl_sni.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
170 SSL_reuse_ctx => $ctx, |
|
246
6072306b7924
Tests: set SSL_verify_mode explicitly.
Homutov Vladimir <vl@nginx.com>
parents:
243
diff
changeset
|
171 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 237 | 172 SSL_error_trap => sub { die $_[1] } |
| 173 ); | |
| 174 alarm(0); | |
| 175 }; | |
| 176 alarm(0); | |
| 177 | |
| 178 if ($@) { | |
| 179 log_in("died: $@"); | |
| 180 return undef; | |
| 181 } | |
| 182 | |
| 183 return $s; | |
| 184 } | |
| 185 | |
| 186 sub get_cert_cn { | |
| 187 my ($host) = @_; | |
| 188 my $s = get_ssl_socket($host); | |
| 189 | |
| 190 return $s->dump_peer_certificate(); | |
| 191 } | |
| 192 | |
| 193 sub https_get_host { | |
|
243
de7338227832
Tests: removed trailing spaces.
Homutov Vladimir <vl@nginx.com>
parents:
237
diff
changeset
|
194 my ($host, $sni) = @_; |
| 237 | 195 my $s = get_ssl_socket($sni ? $sni : $host); |
| 196 | |
| 197 return http(<<EOF, socket => $s); | |
| 198 GET / HTTP/1.0 | |
| 199 Host: $host | |
| 200 | |
| 201 EOF | |
| 202 } | |
| 203 | |
|
1450
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
204 sub get { |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
205 my ($uri, $host, $port, $ctx) = @_; |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
206 my $s = get_ssl_socket($host, $port, $ctx) or return; |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
207 my $r = http_get($uri, socket => $s); |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
208 $s->close(); |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
209 return $r; |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
210 } |
|
5f53a1d6b83c
Tests: fixed session reuse in ssl_sni.t with OpenSSL 1.1.0+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
211 |
| 237 | 212 ############################################################################### |