Mercurial > hg > nginx-tests
annotate ssl_stapling.t @ 1752:ba6e24e38f03
Tests: improved stop_daemons() to send signal again.
As was observed, it's possible that a signal to complete a uwsgi daemon
can be ignored while it is starting up, which results in tests hang due
to eternal waiting on child processes termination. Notably, it is seen
when running tests with a high number of prove jobs on a low-profile VM
against nginx with broken modules and/or configuration. To reproduce:
$ TEST_NGINX_GLOBALS=ERROR prove -j16 uwsgi*.t
Inspecting uwsgi under ktrace on FreeBSD confirms that a SIGTERM signal
is ignored at the very beginning of uwsgi startup. It is then replaced
with a default action after listen(), thus waiting until uwsgi is ready
to accept new TCP connections doesn't completely solve the hang window.
The fix is to retry sending a signal some time after waitpid(WNOHANG)
continuously demonstrated no progress with reaping a signaled process.
It is modelled after f13ead27f89c that improved stop() for nginx.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 29 Dec 2021 22:29:23 +0300 |
| parents | 2d371452658c |
| children | af47a0b348a5 |
| rev | line source |
|---|---|
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for OCSP stapling. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 use MIME::Base64 qw/ decode_base64 /; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
27 eval { |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
28 require Net::SSLeay; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
29 Net::SSLeay::load_error_strings(); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
30 Net::SSLeay::SSLeay_add_ssl_algorithms(); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
31 Net::SSLeay::randomize(); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
32 Net::SSLeay::SSLeay(); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
33 defined &Net::SSLeay::set_tlsext_status_type or die; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
34 }; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 |
|
1400
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
37 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
38 |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
39 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
40 |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
41 $t->plan(9)->write_file_expand('nginx.conf', <<'EOF'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 %%TEST_GLOBALS%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 daemon off; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 events { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 http { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 %%TEST_GLOBALS_HTTP%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 ssl_stapling on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 ssl_trusted_certificate trusted.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 |
|
1476
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
62 ssl_ciphers DEFAULT:ECCdraft; |
|
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
63 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 listen 127.0.0.1:8443 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 listen 127.0.0.1:8080; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 listen 127.0.0.1:8444 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 ssl_stapling_responder http://127.0.0.1:8081/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 listen 127.0.0.1:8445 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 ssl_stapling_verify on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 listen 127.0.0.1:8446 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 ssl_certificate ec-end.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 listen 127.0.0.1:8447 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 ssl_stapling_file %%TESTDIR%%/resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 listen 127.0.0.1:8448 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 ssl_stapling_file %%TESTDIR%%/ec-resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 listen 127.0.0.1:8449 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 ssl_stapling_responder http://127.0.0.1:8080/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 my $d = $t->testdir(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 my $p = port(8081); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
125 $t->write_file('openssl.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
127 default_bits = 2048 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 encrypt_key = no |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 distinguished_name = req_distinguished_name |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
130 [ req_distinguished_name ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 $t->write_file('ca.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 [ ca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 default_ca = myca |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 [ myca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 new_certs_dir = $d |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 database = $d/certindex |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
140 default_md = sha256 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 policy = myca_policy |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 serial = $d/certserial |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 default_days = 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 x509_extensions = myca_extensions |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 [ myca_policy ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 commonName = supplied |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 [ myca_extensions ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 basicConstraints = critical,CA:TRUE |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 foreach my $name ('root') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 system('openssl req -x509 -new ' |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 . "-out $d/$name.crt -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
158 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
159 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
160 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
161 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
162 foreach my $name ('int', 'end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 system("openssl req -new " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 . "-out $d/$name.csr -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
166 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
168 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
170 foreach my $name ('ec-end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 or die "Can't create EC param: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 system("openssl req -new -key $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 . "-out $d/$name.csr " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 $t->write_file('certserial', '1000'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 $t->write_file('certindex', ''); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
188 or die "Can't sign certificate for int: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
189 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 or die "Can't sign certificate for ec-end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
195 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
199 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
200 or die "Can't sign certificate for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 # RFC 6960, serialNumber |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 system("openssl x509 -in $d/end.crt -serial -noout " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 . ">>$d/serial 2>>$d/openssl.out") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 or die "Can't obtain serial for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
209 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
213 or die "Can't revoke end.crt: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
214 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
215 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
216 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
217 or die "Can't create OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
218 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
219 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
223 or die "Can't create OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
224 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
226 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 or die "Can't create EC OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
229 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
232 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 or die "Can't create EC OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
235 $t->write_file('trusted.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
236 $t->read_file('int.crt') . $t->read_file('root.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 $t->write_file('end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
238 $t->read_file('end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
239 $t->write_file('ec-end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
240 $t->read_file('ec-end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
241 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
242 $t->run_daemon(\&http_daemon, $t); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
243 $t->run(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
244 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
245 $t->waitforsocket("127.0.0.1:" . port(8081)); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
246 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
247 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
248 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
249 my $version = get_version(); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
250 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
251 staple(8443, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
252 staple(8443, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
253 staple(8444, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
254 staple(8444, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
255 staple(8445, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
256 staple(8446, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
257 staple(8449, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
258 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
259 sleep 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
260 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
261 ok(!staple(8443, 'RSA'), 'staple revoked'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
262 ok(staple(8443, 'ECDSA'), 'staple success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
263 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
264 ok(!staple(8444, 'RSA'), 'responder revoked'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
265 ok(staple(8444, 'ECDSA'), 'responder success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
266 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
267 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
268 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
269 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
270 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
271 is(staple(8447, 'RSA'), '1 1', 'file revoked'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
272 is(staple(8448, 'ECDSA'), '1 0', 'file success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
273 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
274 ok(!staple(8449, 'ECDSA'), 'ocsp error'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
275 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
276 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
277 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
278 sub staple { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
279 my ($port, $ciphers, $ca) = @_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
280 my (@resp); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
281 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
282 my $staple_cb = sub { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
283 my ($ssl, $resp) = @_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
284 push @resp, !!$resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
285 return 1 unless $resp; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
286 my $cert = Net::SSLeay::get_peer_certificate($ssl); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
287 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) } |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
288 or do { die "no OCSP_CERTID for certificate: $@"; }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
289 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
290 my @res = Net::SSLeay::OCSP_response_results($resp, $certid); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
291 push @resp, $res[0][2]->{'statusType'}; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
292 }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
293 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
294 my $s; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
295 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
296 eval { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
297 local $SIG{ALRM} = sub { die "timeout\n" }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
298 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
|
1421
4e48bf51714f
Tests: aligned various generic read timeouts to http_end().
Sergey Kandaurov <pluknet@nginx.com>
parents:
1407
diff
changeset
|
299 alarm(8); |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
300 $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
301 alarm(0); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
302 }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
303 alarm(0); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
304 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
305 if ($@) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
306 log_in("died: $@"); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
307 return undef; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
308 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
309 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
310 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
311 |
|
1397
d3d2aabe16dd
Tests: LibreSSL client detection in multiple certificate tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1389
diff
changeset
|
312 my $ssleay = Net::SSLeay::SSLeay(); |
|
d3d2aabe16dd
Tests: LibreSSL client detection in multiple certificate tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1389
diff
changeset
|
313 if ($ssleay < 0x1000200f || $ssleay == 0x20000000) { |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
314 Net::SSLeay::CTX_set_cipher_list($ctx, $ciphers) |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
315 or die("Failed to set cipher list"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
316 } else { |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
317 # SSL_CTRL_SET_SIGALGS_LIST |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
318 $ciphers = 'PSS' if $ciphers eq 'RSA' && $version > 0x0303; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
319 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $ciphers . '+SHA256') |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
320 or die("Failed to set sigalgs"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
321 } |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
322 |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
323 Net::SSLeay::CTX_load_verify_locations($ctx, $ca || '', ''); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
324 Net::SSLeay::CTX_set_tlsext_status_cb($ctx, $staple_cb); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
325 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
326 Net::SSLeay::set_tlsext_status_type($ssl, |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
327 Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
328 Net::SSLeay::set_fd($ssl, fileno($s)); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
329 Net::SSLeay::connect($ssl) or die("ssl connect"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
330 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
331 return join ' ', @resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
332 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
333 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
334 sub get_version { |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
335 my $s; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
336 |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
337 eval { |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
338 local $SIG{ALRM} = sub { die "timeout\n" }; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
339 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
|
1421
4e48bf51714f
Tests: aligned various generic read timeouts to http_end().
Sergey Kandaurov <pluknet@nginx.com>
parents:
1407
diff
changeset
|
340 alarm(8); |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
341 $s = IO::Socket::INET->new('127.0.0.1:' . port(8443)); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
342 alarm(0); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
343 }; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
344 alarm(0); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
345 |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
346 if ($@) { |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
347 log_in("died: $@"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
348 return undef; |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
349 } |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
350 |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
351 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
352 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
353 Net::SSLeay::set_fd($ssl, fileno($s)); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
354 Net::SSLeay::connect($ssl) or die("ssl connect"); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
355 |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
356 Net::SSLeay::version($ssl); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
357 } |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
358 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
359 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
360 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
361 sub http_daemon { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
362 my ($t) = shift; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
363 my $server = IO::Socket::INET->new( |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
364 Proto => 'tcp', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
365 LocalHost => "127.0.0.1:" . port(8081), |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
366 Listen => 5, |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
367 Reuse => 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
368 ) |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
369 or die "Can't create listening socket: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
370 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
371 local $SIG{PIPE} = 'IGNORE'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
372 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
373 while (my $client = $server->accept()) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
374 $client->autoflush(1); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
375 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
376 my $headers = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
377 my $uri = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
378 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
379 while (<$client>) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
380 $headers .= $_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
381 last if (/^\x0d?\x0a?$/); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
382 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
383 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
384 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
385 next unless $uri; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
386 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
387 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
388 my $req = decode_base64($uri); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
389 my $resp = index($req, $serial) > 0 ? 'resp' : 'ec-resp'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
390 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
391 # ocsp dummy handler |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
392 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
393 select undef, undef, undef, 0.02; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
394 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
395 $headers = <<"EOF"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
396 HTTP/1.1 200 OK |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
397 Connection: close |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
398 Content-Type: application/ocsp-response |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
399 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
400 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
401 |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
402 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
403 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
404 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
405 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
406 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
407 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
408 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
409 print $client $headers . $content; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
410 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
411 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
412 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
413 ############################################################################### |