annotate ssl_ocsp.t @ 1752:ba6e24e38f03
Tests: improved stop_daemons() to send signal again.
As was observed, it's possible that a signal to complete a uwsgi daemon
can be ignored while it is starting up, which results in a test hang due
to waiting forever for the child processes to terminate. Notably, it is seen
when running tests with a high number of prove jobs on a low-profile VM
against nginx with broken modules and/or configuration. To reproduce:
$ TEST_NGINX_GLOBALS=ERROR prove -j16 uwsgi*.t
Inspecting uwsgi under ktrace on FreeBSD confirms that a SIGTERM signal
is ignored at the very beginning of uwsgi startup. It is then replaced
with a default action after listen(), thus waiting until uwsgi is ready
to accept new TCP connections doesn't completely solve the hang window.
The fix is to retry sending a signal some time after waitpid(WNOHANG)
continuously demonstrated no progress with reaping a signaled process.
It is modelled after f13ead27f89c that improved stop() for nginx.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Wed, 29 Dec 2021 22:29:23 +0300 |
parents | 5ac6efbe5552 |
children | 9d98c2ad3126 |
1570 | 1 #!/usr/bin/perl |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for OCSP with client certificates. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use MIME::Base64 qw/ decode_base64 /; | |
16 | |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
18 | |
19 use lib 'lib'; | |
20 use Test::Nginx; | |
21 | |
22 ############################################################################### | |
23 | |
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Probe Net::SSLeay: it must load and initialise, and the presence of
# set_tlsext_status_type is taken as the "new enough" marker.  Any failure
# inside the eval skips the whole file.
my $ssleay_ok = eval {
    require Net::SSLeay;
    Net::SSLeay::load_error_strings();
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    Net::SSLeay::randomize();
    Net::SSLeay::SSLeay();
    defined &Net::SSLeay::set_tlsext_status_type or die;
    1;
};
plan(skip_all => 'Net::SSLeay not installed or too old') unless $ssleay_ok;

# The tests pick virtual servers by SNI, so the library must be able to set
# a TLS host name on a fresh SSL object.
my $sni_ok = eval {
    my $ctx = Net::SSLeay::CTX_new() or die;
    my $ssl = Net::SSLeay::new($ctx) or die;
    Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
    1;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required')
    unless $sni_ok;

my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl');

# BoringSSL builds are skipped; the skip reason records the missing stapling.
plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL');
# nginx configuration under test.  The http{} defaults verify client
# certificates against trusted.crt (int + root, written below) and check
# the leaf with OCSP ("ssl_ocsp leaf").  No ssl_ocsp_responder is set at
# that level, so the responder is presumably taken from the certificate's
# AIA URI (ca.conf points it at 127.0.0.1:8081).  Each server{} varies one
# thing:
#   8443 / localhost  - defaults only
#   8443 / sni        - explicit responder on 8082, selected via SNI
#   8443 / resolver   - "ssl_ocsp on" with no resolver directive, so the
#                       "localhost" AIA host of int.crt cannot be resolved
#   8444              - "ssl_ocsp on" with responder on 8081
#   8445              - responder on 8082
#   8446              - shared ssl_ocsp_cache
#   8447              - responder on 8082, trusting root.crt only
# The X-Verify header exposes $ssl_client_verify and $ssl_session_reused,
# which get() matches on (SUCCESS/FAILED and a trailing ":r" for a reused
# session).  The heredoc is single-quoted so the nginx variables are not
# interpolated by Perl.
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_ciphers DEFAULT:ECCdraft;

    ssl_certificate_key ec.key;
    ssl_certificate ec.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;

    server {
        listen 127.0.0.1:8443 ssl;
        server_name localhost;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name resolver;

        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8444 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8445 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8446 ssl;
        server_name localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen 127.0.0.1:8447 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF
129 | |
# $d is the per-test working directory; $p the real port behind logical
# port 8081, where the first http_daemon responder is started.
my $d = $t->testdir();
my $p = port(8081);

# Minimal request config: unencrypted 2048-bit keys, subject supplied on
# the command line via -subj.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# CA config used to issue the leaves.  It is an interpolating heredoc so
# database/serial paths land in $d, and x509_extensions applies to every
# issued certificate, giving each an AIA OCSP URI of http://127.0.0.1:$p.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF
161 | |
# variant for int.crt to trigger missing resolver
#
# Identical to ca.conf except for the AIA host: "localhost" instead of
# "127.0.0.1".  The intermediate issued with this config therefore has an
# OCSP URI that needs a DNS lookup, which the "resolver" virtual server
# (no resolver directive) cannot perform.

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF
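# Build the PKI used by the tests: a self-signed root, an intermediate
# ("int") issued by root with ca2.conf, and two leaves issued by int with
# ca.conf: "end" (RSA) and "ec-end" (ECDSA, prime256v1).  openssl output is
# appended to openssl.out in the test directory.  Commands stay in shell
# form because of the redirections; $d is the harness's test directory,
# not external input.
foreach my $name ('root') {
    system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('int', 'end') {
    system("openssl req -new "
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.csr -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('ec-end') {
    system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create EC param: $!\n";
    system("openssl req -new -key $d/$name.key "
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.csr "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}

# openssl ca reads the serial file as hex, so issuance starts at 0x1000;
# the index (certificate database) starts empty.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# int.crt is issued with ca2.conf so that its AIA OCSP URI uses the host
# name "localhost" rather than 127.0.0.1.
system("openssl ca -batch -config $d/ca2.conf "
    . "-keyfile $d/root.key -cert $d/root.crt "
    . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
    . "-keyfile $d/int.key -cert $d/int.crt "
    . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
    . "-keyfile $d/int.key -cert $d/int.crt "
    . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber
#
# http_daemon picks its canned response by searching the raw DER OCSP
# request for the DER INTEGER carrying the certificate serial: tag 0x02,
# length 0x02, then the two serial bytes.  Serials issued here start at
# 0x1000 and so fit in two bytes; "n" would silently truncate a larger one.
# "openssl x509 -serial" prints the serial in hex as "serial=XXXX".

# Return the DER INTEGER for the serial in "openssl x509 -serial" output,
# or nothing when the output does not contain "=<hex digits>".  Anchoring
# on "=" matters: the letters of "serial" are themselves hex digits.
sub _der_serial {
    my ($serial_output) = @_;
    return unless $serial_output =~ /=([0-9A-Fa-f]+)/;
    return pack("n2", 0x0202, hex $1);
}

system("openssl x509 -in $d/int.crt -serial -noout "
    . ">>$d/serial_int 2>>$d/openssl.out") == 0
    or die "Can't obtain serial for int: $!\n";

my $serial_int = _der_serial($t->read_file('serial_int'));

system("openssl x509 -in $d/end.crt -serial -noout "
    . ">>$d/serial 2>>$d/openssl.out") == 0
    or die "Can't obtain serial for end: $!\n";

my $serial = _der_serial($t->read_file('serial'));

# ocsp end
#
# Canned responses for http_daemon: resp.der is a good response for
# end.crt signed by its issuer int; ec-resp.der for ec-end.crt is signed by
# root, which is not the issuer, and is expected to be rejected ("root ca
# not trusted") until it is re-signed with int later in the test flow.

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
    . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
    . "-rsigner $d/int.crt -rkey $d/int.key "
    . "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
    . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
    or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
    . "-rsigner $d/root.crt -rkey $d/root.key "
    . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't create EC OCSP response: $!\n";

# Trust store handed to ssl_client_certificate: intermediate plus root.
$t->write_file('trusted.crt',
    $t->read_file('int.crt') . $t->read_file('root.crt'));

# server cert/key

system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
    . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
    or die "Can't create RSA pem: $!\n";

foreach my $name ('ec', 'rsa') {
    system("openssl req -x509 -new -key $d/$name.key "
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}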
# Start one http_daemon OCSP responder per logical port, then nginx; the
# test count is declared up front.  The responders are only waited for
# after nginx is running, matching the original start order.
my @responder_ports = (8081, 8082);

for my $port (@responder_ports) {
    $t->run_daemon(\&http_daemon, $t, port($port));
}
$t->run()->plan(14);

for my $port (@responder_ports) {
    $t->waitforsocket('127.0.0.1:' . port($port));
}

# Protocol version negotiated by a default handshake; get() uses it to
# decide whether RSA must be requested as PSS.
my $version = get_version();
296 | |
297 ############################################################################### | |
298 | |
# The checks below are order dependent: revocations and re-signed .der
# files change what http_daemon serves from that point on, so each
# expectation describes the state the preceding openssl calls left behind.
# Matching is on the status line and on X-Verify, which carries
# $ssl_client_verify and, after a colon, $ssl_session_reused.

# default server on 8443: "ssl_ocsp leaf" for end.crt, answered from
# resp.der (good) by the 8081 daemon named in the certificate's AIA
like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver

# the "resolver" server has "ssl_ocsp on" and int.crt's AIA host is
# "localhost" (ca2.conf), with no resolver directive to look it up
like(get('RSA', 'end', sni => 'resolver'),
    qr/400 Bad.*FAILED:certificate status request failed/s,
    'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response

# 8444 asks the 8081 daemon about int.crt; int-resp.der does not exist yet,
# so the daemon closes the connection without answering (see http_daemon)
like(get('RSA', 'end', port => 8444),
    qr/400 Bad.*FAILED:certificate status request failed/s,
    'ocsp many failed');

# now prepare valid ocsp int response

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
    . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
    . "-rsigner $d/root.crt -rkey $d/root.key "
    . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP response: $!\n";

like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache

# 8446 has ssl_ocsp_cache; this good answer is what 'cache lookup' below
# relies on once end.crt has been revoked
like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke

# revoked.der is served only by the 8081 daemon (see http_daemon), which
# the default server presumably reaches through the AIA URI from ca.conf
system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
    . "-keyfile $d/root.key -cert $d/root.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
    . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
    . "-rsigner $d/int.crt -rkey $d/int.key "
    . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP response: $!\n";

like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid

# 8445 points at the 8082 daemon, which never serves revoked.der
like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid

# same 8082 responder, this time selected by SNI on the shared 8443 port
like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid

like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400

# ec-resp.der was produced with -rsigner root.crt, not the issuer int
like(get('ECDSA', 'ec-end'),
    qr/400 Bad.*FAILED:certificate status request failed/s,
    'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
    . "-rsigner $d/int.crt -rkey $d/int.key "
    . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't create EC OCSP response: $!\n";

like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

# list context returns the (already closed) socket and the SSL object so
# the negotiated session can be captured for the resumption checks
my ($s, $ssl) = get('ECDSA', 'ec-end');
my $ses = Net::SSLeay::get_session($ssl);

# a trailing ":r" in X-Verify means $ssl_session_reused was set
like(get('ECDSA', 'ec-end', ses => $ses),
    qr/200 OK.*SUCCESS:r/s, 'session reused');

# revoke with saved session

# NOTE(review): the die message below names end.crt but ec-end.crt is the
# certificate being revoked here.
system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
    . "-keyfile $d/root.key -cert $d/root.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
    . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
    . "-rsigner $d/int.crt -rkey $d/int.key "
    . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate

# the resumed session must still be re-checked against the responder
like(get('ECDSA', 'ec-end', ses => $ses),
    qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

# regression test for self-signed

# 8447 trusts root.crt only, and root is also the client certificate
like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
409 | |
410 ############################################################################### | |
411 | |
# Perform one TLS handshake with client certificate $cert and fetch
# "/serial" (a file that exists in the test directory, so a 200 is
# presumably served from there).
#
# $type  - 'RSA' or 'ECDSA'; RSA is turned into 'PSS' on TLS 1.3
# $cert  - base name of the client cert/key pair
# %extra - passed through to get_ssl_socket(); sni also selects the Host
#          header (default 'localhost')
#
# In scalar context returns the raw HTTP response; in list context returns
# ($socket, $ssl), with the socket already closed.
sub get {
    my ($type, $cert, %extra) = @_;

    # 0x0303 is TLS 1.2; anything newer (TLS 1.3) requires RSA-PSS
    # signatures, so the sigalgs request must say PSS rather than RSA.
    if ($type eq 'RSA' && $version > 0x0303) {
        $type = 'PSS';
    }

    my ($sock, $ssl) = get_ssl_socket($type, $cert, %extra);
    Test::Nginx::log_core('||', 'cipher: ' . Net::SSLeay::get_cipher($ssl));

    my $host = $extra{sni} || 'localhost';
    Net::SSLeay::write($ssl, "GET /serial HTTP/1.0\nHost: $host\n\n");

    my $response = Net::SSLeay::read($ssl);
    Test::Nginx::log_core($response);
    $sock->close();

    return wantarray() ? ($sock, $ssl) : $response;
}
426 | |
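# Open a TCP connection to the test server and complete a TLS handshake,
# optionally with a client certificate.
#
# $type  - signature algorithm family to offer ('RSA', 'PSS', 'ECDSA');
#          undef leaves the library defaults (used by get_version())
# $cert  - base name of the client cert/key pair in the test directory,
#          or a false value for no client certificate
# %extra - ses  => SSL session to resume
#          sni  => host name for the TLS server_name extension
#          port => logical port, default 8443 (mapped through port())
#
# Returns ($socket, $ssl).  Returns undef (after log_in) when the connection
# times out or is refused; dies on SSL setup or handshake failures.
sub get_ssl_socket {
    my ($type, $cert, %extra) = @_;
    my $ses = $extra{ses};
    my $sni = $extra{sni};
    my $port = $extra{port} || 8443;
    my $s;

    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        local $SIG{PIPE} = sub { die "sigpipe\n" };
        alarm(8);
        $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
        alarm(0);
    };
    alarm(0);

    if ($@) {
        log_in("died: $@");
        return undef;
    }

    # IO::Socket::INET->new() returns undef rather than dying on a refused
    # connection; report that the same way as a timeout instead of carrying
    # on to set_fd() with an undefined socket.
    if (!defined $s) {
        log_in("connect failed: $!");
        return undef;
    }

    my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");

    if (defined $type) {
        my $ssleay = Net::SSLeay::SSLeay();
        # Before OpenSSL 1.0.2 (and on LibreSSL, which reports 0x20000000)
        # there is no sigalgs control, so the algorithm family is selected
        # through the cipher list instead.
        if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
            Net::SSLeay::CTX_set_cipher_list($ctx, $type)
                or die("Failed to set cipher list");
        } else {
            # SSL_CTRL_SET_SIGALGS_LIST (98): offer only "$type+SHA256",
            # which presumably steers the server to its $type certificate
            # (both ec and rsa are configured).
            Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
                or die("Failed to set sigalgs");
        }
    }

    if ($cert) {
        Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
            or die("Failed to set client cert/key $d/$cert.crt");
    }
    my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
    Net::SSLeay::set_session($ssl, $ses) if defined $ses;
    Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni;
    Net::SSLeay::set_fd($ssl, fileno($s));
    Net::SSLeay::connect($ssl) or die("ssl connect");
    return ($s, $ssl);
}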
471 | |
# Run a default handshake (no client certificate, no sigalgs restriction)
# against the default server and return the protocol version Net::SSLeay
# reports, e.g. 0x0303 for TLS 1.2.  Called once so get() can decide
# whether RSA must be requested as PSS.
sub get_version {
    my ($sock, $ssl) = get_ssl_socket();
    my $proto = Net::SSLeay::version($ssl);
    return $proto;
}
476 | |
477 ############################################################################### | |
478 | |
# Minimal OCSP responder used as the ssl_ocsp_responder / AIA target.
# Loops forever accepting connections; $t->run_daemon() forks it.
#
# $t    - the Test::Nginx instance (not used in the body)
# $port - TCP port to listen on at 127.0.0.1
#
# Requests are OCSP GETs (RFC 6960 A.1): the path is the base64 of the DER
# request, percent-encoded.  No DER parsing is done; the canned response
# file is picked by searching the raw request for the DER-encoded serials
# computed earlier ($serial_int, $serial, $d are file-scope lexicals), and
# nothing is served when that .der file is missing or empty.
sub http_daemon {
    my ($t, $port) = @_;
    my $server = IO::Socket::INET->new(
        Proto => 'tcp',
        LocalHost => "127.0.0.1:$port",
        Listen => 5,
        Reuse => 1
    )
        or die "Can't create listening socket: $!\n";

    # A client closing early must not kill the daemon with SIGPIPE.
    local $SIG{PIPE} = 'IGNORE';

    while (my $client = $server->accept()) {
        $client->autoflush(1);

        my $headers = '';
        my $uri = '';
        my $resp;

        # Read up to and including the empty line ending the request head.
        while (<$client>) {
            $headers .= $_;
            last if (/^\x0d?\x0a?$/);
        }

        # Request path without the leading slash; unparsable requests are
        # dropped without a response.
        $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
        next unless $uri;

        # Undo percent-encoding, then base64, to get the DER request.
        $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        my $req = decode_base64($uri);

        if (index($req, $serial_int) > 0) {
            $resp = 'int-resp';

        } elsif (index($req, $serial) > 0) {
            $resp = 'resp';

            # used to differentiate ssl_ocsp_responder

            # Only the 8081 responder reports "end" as revoked, and only
            # once the test flow has produced revoked.der.
            if ($port == port(8081) && -e "$d/revoked.der") {
                $resp = 'revoked';
            }

        } else {
            # Any other serial (ec-end, or unknown) gets ec-resp.der.
            $resp = 'ec-resp';
        }

        # No (or empty) canned response yet: close without answering, which
        # the client reports as a failed status request.
        next unless -s "$d/$resp.der";

        # ocsp dummy handler

        # 20 ms pause before answering.
        select undef, undef, undef, 0.02;

        $headers = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

        # Slurp the DER file in binary mode; $/ is localised to this
        # iteration so the header loop above is unaffected next time round.
        local $/;
        open my $fh, '<', "$d/$resp.der"
            or die "Can't open $resp.der: $!";
        binmode $fh;
        my $content = <$fh>;
        close $fh;

        print $client $headers . $content;
    }
}
548 | |
549 ############################################################################### |