Mercurial > hg > nginx-tests
annotate ssl_verify_client.t @ 1477:8b122b35703b
Tests: fixed session reuse tests in ssl_certificate.t with TLSv1.3.
Previously, session data was retrieved too early, before server passed
application data, which usually means NewSessionTicket is not yet sent.
The fix is to ask server for application data, then retrieve a session.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 20 May 2019 16:00:40 +0300 |
parents | e5246e5caa31 |
children | dbce8fb5f5f8 |
rev | line source |
---|---|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_client. |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
15 use Socket qw/ :DEFAULT CRLF /; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
16 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
27 eval { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
28 require Net::SSLeay; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
29 Net::SSLeay::load_error_strings(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
30 Net::SSLeay::SSLeay_add_ssl_algorithms(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
31 Net::SSLeay::randomize(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
32 }; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
33 plan(skip_all => 'Net::SSLeay not installed') if $@; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
34 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
35 eval { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
36 my $ctx = Net::SSLeay::CTX_new() or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
37 my $ssl = Net::SSLeay::new($ctx) or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
38 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
39 }; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
40 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
1032
43eedbfea090
Tests: add missing sni prerequisites.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
42 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/) |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
43 ->has_daemon('openssl')->plan(11); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 $t->write_file_expand('nginx.conf', <<'EOF'); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 %%TEST_GLOBALS%% |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 daemon off; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 events { |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 http { |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 %%TEST_GLOBALS_HTTP%% |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
57 add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 |
1383
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
59 ssl_session_cache shared:SSL:1m; |
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
60 ssl_session_tickets off; |
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
61 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 server { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
63 listen 127.0.0.1:8080; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 server_name localhost; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
66 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
67 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
68 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
69 ssl_verify_client on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
70 ssl_client_certificate 2.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 server { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
74 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
75 server_name on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
76 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
77 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
78 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
79 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
80 ssl_verify_client on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
81 ssl_client_certificate 2.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
82 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
83 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
84 server { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
85 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
86 server_name optional; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
88 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
89 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
90 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
91 ssl_verify_client optional; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
92 ssl_client_certificate 2.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
93 ssl_trusted_certificate 3.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
94 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
95 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
96 server { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
97 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
98 server_name optional_no_ca; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
99 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
100 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
101 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
102 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
103 ssl_verify_client optional_no_ca; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
104 ssl_client_certificate 2.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 } |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
106 |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
107 server { |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
108 listen 127.0.0.1:8081; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
109 server_name no_context; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
110 |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
111 ssl_verify_client on; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
112 } |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 EOF |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 $t->write_file('openssl.conf', <<EOF); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 [ req ] |
1116
8ef51dbb5d69
Tests: reduced OpenSSL default key length to 1024.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1114
diff
changeset
|
119 default_bits = 1024 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 encrypt_key = no |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 distinguished_name = req_distinguished_name |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 [ req_distinguished_name ] |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 EOF |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
125 my $d = $t->testdir(); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
127 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 system('openssl req -x509 -new ' |
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
129 . "-config $d/openssl.conf -subj /CN=$name/ " |
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
130 . "-out $d/$name.crt -keyout $d/$name.key " |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 . ">>$d/openssl.out 2>&1") == 0 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 or die "Can't create certificate for $name: $!\n"; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 |
1260
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
135 sleep 1 if $^O eq 'MSWin32'; |
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
136 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 $t->write_file('t', 'SEE-THIS'); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 $t->run(); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
143 like(http_get('/t'), qr/x:x/, 'plain connection'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
144 like(get('on'), qr/400 Bad Request/, 'no cert'); |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
145 like(get('no_context'), qr/400 Bad Request/, 'no server cert'); |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
146 like(get('optional'), qr/NONE:x/, 'no optional cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
147 like(get('optional', '1.example.com'), qr/400 Bad/, 'bad optional cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
148 like(get('optional_no_ca', '1.example.com'), qr/FAILED.*BEGIN/, |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
149 'bad optional_no_ca cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
150 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
151 like(get('localhost', '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
152 like(get('optional', '2.example.com'), qr/SUCCESS.*BEGI/, 'good cert optional'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
153 like(get('optional', '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
154 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
155 SKIP: { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
156 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
157 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
158 my $ca = join ' ', get('optional', '3.example.com'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
159 is($ca, '/CN=2.example.com', 'no trusted sent'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
160 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
161 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
162 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
163 like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected'); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
166 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 sub get { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
168 my ($sni, $cert, $host) = @_; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 |
1207
b1dc56ad15e9
Tests: ignore SIGPIPE in ssl_verify_client.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
170 local $SIG{PIPE} = 'IGNORE'; |
b1dc56ad15e9
Tests: ignore SIGPIPE in ssl_verify_client.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
171 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 $host = $sni if !defined $host; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
174 my $dest_ip = inet_aton('127.0.0.1'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
175 my $dest_serv_params = sockaddr_in(port(8081), $dest_ip); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
176 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
177 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
178 connect($s, $dest_serv_params) or die "connect: $!"; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
179 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
180 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
181 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
182 or die if $cert; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
183 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
184 Net::SSLeay::set_tlsext_host_name($ssl, $sni) == 1 or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
185 Net::SSLeay::set_fd($ssl, fileno($s)); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
186 Net::SSLeay::connect($ssl) or die("ssl connect"); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
188 Net::SSLeay::write($ssl, 'GET /t HTTP/1.0' . CRLF); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
189 Net::SSLeay::write($ssl, "Host: $host" . CRLF . CRLF); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
190 my $buf = Net::SSLeay::read($ssl); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
191 log_in($buf); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
192 return $buf unless wantarray(); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
194 my $list = Net::SSLeay::get_client_CA_list($ssl); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
195 my @names; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
196 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
197 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
198 push @names, Net::SSLeay::X509_NAME_oneline($name); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
199 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
200 return @names; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 ############################################################################### |