annotate ssl_verify_client.t @ 1585:bff287fbf347

Tests: added proxy_cookie_domain/path tests with "off" parameter.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 23 Jul 2020 12:17:39 +0300
parents f55d25e08b3e
children fd440d324700
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for http ssl module, ssl_verify_client.

###############################################################################

use warnings;
use strict;

use Test::More;

# Socket supplies inet_aton(), sockaddr_in() and the CRLF constant used by get().
use Socket qw/ :DEFAULT CRLF /;

# Switch to the script's own directory so the relative 'lib' path resolves.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# Unbuffer both standard streams; STDOUT is left as the selected handle.
for my $stream (\*STDERR, \*STDOUT) {
    select $stream;
    $| = 1;
}

# Prerequisite: Net::SSLeay has to load and initialise, otherwise the whole
# file is skipped rather than failed.
eval {
    require Net::SSLeay;
    Net::SSLeay::load_error_strings();
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    Net::SSLeay::randomize();
};
if ($@) {
    plan(skip_all => 'Net::SSLeay not installed');
}

# Prerequisite: the TLS library behind Net::SSLeay must be able to set the
# SNI extension, because every request below selects its virtual server by
# SNI.  The probe objects are only used for this check.
eval {
    my $ctx = Net::SSLeay::CTX_new();
    die unless $ctx;
    my $ssl = Net::SSLeay::new($ctx);
    die unless $ssl;
    die unless Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1;
};
if ($@) {
    plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required');
}

# Needs the http, http_ssl and sni features plus an openssl binary; 13 tests.
my $t = Test::Nginx->new()
    ->has(qw/http http_ssl sni/)
    ->has_daemon('openssl')
    ->plan(13);

# nginx configuration under test: one plain-HTTP server on :8080 and five
# name-based virtual servers on :8081, one per client-verification setup.
#
#   on              ssl_verify_client on, CA = 2.example.com.crt
#   optional        ssl_verify_client optional, CA = 2.example.com.crt,
#                   3.example.com.crt added via ssl_trusted_certificate
#   off             same CA directives as "optional", verification off
#   optional.no.ca  ssl_verify_client optional_no_ca
#   no.context      listen without "ssl" and without a certificate, but
#                   ssl_verify_client on
#
# X-Verify echoes $ssl_client_verify and $ssl_client_cert, so each assertion
# reads the verification outcome straight from the response headers.
# The server-side session cache is shared and session tickets are disabled.
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    server {
        listen 127.0.0.1:8080;
        server_name localhost;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name on;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name optional;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client optional;
        ssl_client_certificate 2.example.com.crt;
        ssl_trusted_certificate 3.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name off;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client off;
        ssl_client_certificate 2.example.com.crt;
        ssl_trusted_certificate 3.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name optional.no.ca;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client optional_no_ca;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081;
        server_name no.context;

        ssl_verify_client on;
    }
}

EOF

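# Minimal "openssl req" configuration: 2048-bit keys, written unencrypted
# (encrypt_key = no).  The keys are test fixtures stored in the test
# directory next to the certificates.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# Three unrelated self-signed certificates.  In nginx.conf, 1.example.com is
# the server certificate, 2.example.com the CA for client certificates and
# 3.example.com the additionally trusted CA.
foreach my $name ('1.example.com', '2.example.com', '3.example.com') {
    # The shell is needed for the output redirection.  $name comes from the
    # literal list above and $d from Test::Nginx; both are interpolated
    # unquoted, so a test directory containing whitespace or shell
    # metacharacters would break this command.
    my $status = system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1");
    next if $status == 0;

    # $! only describes the failure when the command could not be started
    # (system() returned -1); a failing openssl is reported through the wait
    # status instead.
    my $reason = $status == -1 ? "cannot run: $!"
               : $status & 127 ? 'killed by signal ' . ($status & 127)
               :                 'exit status ' . ($status >> 8);
    die "Can't create certificate for $name: $reason\n";
}

# Short pause on Windows only, before nginx is started.
sleep 1 if $^O eq 'MSWin32';

$t->write_file('t', 'SEE-THIS');

$t->run();

###############################################################################
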
# Plain HTTP on :8080: both variables are empty, so X-Verify reads "x:x".
like(http_get('/t'), qr/x:x/, 'plain connection');

# TLS requests to :8081.  Each row is: get() arguments (SNI name, optional
# client certificate), the pattern expected in the response, the test name.
# Rows 1-7 cover a missing, an untrusted or an ignored client certificate;
# rows 8-10 cover certificates that verify.  SNI "localhost" matches no
# :8081 server, so presumably the first one ("on") answers as the default.
# The "BEGI" pattern is a prefix of "BEGIN" and is kept as the author wrote it.
my @cases = (
    [ ['on'],                              qr/400 Bad Request/, 'no cert' ],
    [ ['no.context'],                      qr/400 Bad Request/, 'no server cert' ],
    [ ['optional'],                        qr/NONE:x/,          'no optional cert' ],
    [ ['optional', '1.example.com'],       qr/400 Bad/,         'bad optional cert' ],
    [ ['optional.no.ca', '1.example.com'], qr/FAILED.*BEGIN/,   'bad optional_no_ca cert' ],
    [ ['off', '2.example.com'],            qr/NONE/,            'off cert' ],
    [ ['off', '3.example.com'],            qr/NONE/,            'off cert trusted' ],
    [ ['localhost', '2.example.com'],      qr/SUCCESS.*BEGIN/,  'good cert' ],
    [ ['optional', '2.example.com'],       qr/SUCCESS.*BEGI/,   'good cert optional' ],
    [ ['optional', '3.example.com'],       qr/SUCCESS.*BEGIN/,  'good cert trusted' ],
);

for my $case (@cases) {
    my ($args, $pattern, $label) = @{$case};

    # Scalar context on purpose: get() then returns the response text
    # rather than the list of advertised CA names.
    my $response = get(@{$args});
    like($response, $pattern, $label);
}

SKIP: {
    skip 'Net::SSLeay version >= 1.36 required', 1
        if $Net::SSLeay::VERSION < 1.36;

    # List context: get() returns the CA names the server advertised to the
    # client.  Only the ssl_client_certificate subject is expected; the
    # ssl_trusted_certificate one (3.example.com) must not be listed.
    my @advertised = get('optional', '3.example.com');
    is(join(' ', @advertised), '/CN=2.example.com', 'no trusted sent');
}

# SNI selects "optional" while the Host header names "localhost"; the test
# expects nginx to refuse the request with 421.
like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected');

###############################################################################

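# get($sni, $cert, $host) - send one "GET /t" over TLS to the :8081 listener.
#
#   $sni   server name placed in the TLS SNI extension
#   $cert  optional base name of a certificate/key pair in the test
#          directory ("$d/$cert.crt", "$d/$cert.key") to present as the
#          client certificate; false means no client certificate
#   $host  optional Host header value, defaults to $sni
#
# Scalar context: returns what a single Net::SSLeay::read() call yields, so
# callers can only rely on the first chunk of the response.
# List context: returns the one-line names from the client CA list received
# from the server.
#
# The SSL_CTX is used as created: nothing here sets a verify mode or loads CA
# certificates, so the server certificate is not checked.  That suits a
# loopback test client and should not be copied into a real TLS client.
sub get {
    my ($sni, $cert, $host) = @_;

    # Presumably the server may close the connection while we still write;
    # ignore SIGPIPE for the duration of this call only.
    local $SIG{PIPE} = 'IGNORE';

    $host = $sni unless defined $host;

    my $dest_ip = inet_aton('127.0.0.1');
    my $dest_serv_params = sockaddr_in(port(8081), $dest_ip);

    # Socket constants are called as plain functions; the "&NAME" form would
    # forward this sub's @_ to them.
    socket(my $s, AF_INET, SOCK_STREAM, 0) or die "socket: $!";
    connect($s, $dest_serv_params) or die "connect: $!";

    my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
    if ($cert) {
        Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
            or die;
    }
    my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
    Net::SSLeay::set_tlsext_host_name($ssl, $sni) == 1 or die;
    Net::SSLeay::set_fd($ssl, fileno($s));

    # NOTE(review): a negative return value is true in Perl and passes this
    # check.  Left unchanged because the assertions expect rejected clients
    # to receive an HTTP error response - confirm before tightening to "== 1".
    Net::SSLeay::connect($ssl) or die("ssl connect");

    Net::SSLeay::write($ssl, 'GET /t HTTP/1.0' . CRLF);
    Net::SSLeay::write($ssl, "Host: $host" . CRLF . CRLF);
    my $buf = Net::SSLeay::read($ssl);
    log_in($buf);

    # The CA list is only collected when the caller asked for a list.
    my @names;
    if (wantarray()) {
        my $list = Net::SSLeay::get_client_CA_list($ssl);
        for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) {
            my $name = Net::SSLeay::sk_X509_NAME_value($list, $i);
            push @names, Net::SSLeay::X509_NAME_oneline($name);
        }
    }

    # Release the TLS objects; previously one SSL and one SSL_CTX were left
    # allocated per call.  @names holds plain Perl strings by now.
    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);

    return wantarray() ? @names : $buf;
}

###############################################################################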