Tests: fixed ClientHello with resending Initial QUIC packets.
Previously it was rebuilt each time using distinct ClientHello.random
resulting in different CRYPTO payload. As such, it led to TLS digest
hash and derived secrets mismatch when resending Initial packet. Now
ClientHello is built once and reused when resending Initial packets.
Additionally, this required preserving the generated secret value used
in the shared secret calculation as part of the TLS key schedule. Previously
it was regenerated when receiving a Retry packet, but this won't work
with reused ClientHello as the resulting shared secrets won't match.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 30 Aug 2023 02:22:58 +0400 |
parents | 0e1865aa9b33 |
children | 0b5ec15c62ed |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for OCSP with client certificates.

###############################################################################

use warnings;
use strict;

use Test::More;

use MIME::Base64 qw/ decode_base64 /;

# chdir() into the test directory at compile time so that the relative
# 'use lib' below picks up the harness modules regardless of the cwd.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx qw/ :DEFAULT http_end /;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

# socket_ssl_sni is presumably the harness check that the client-side
# IO::Socket::SSL supports SNI; get_socket() below sets SSL_hostname on
# every connection.  openssl is needed for the CA and OCSP generation.
my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
	->has_daemon('openssl');

plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');

# Server layout used by the tests below:
#   8443  three SNI names: "localhost" (default 'ssl_ocsp leaf', AIA responder),
#         "sni" (explicit responder on 8082) and "resolver" ('ssl_ocsp on'
#         without a resolver, so the int.crt AIA host name cannot be resolved);
#   8444  full-chain 'ssl_ocsp on' against the responder on 8081;
#   8445  leaf check against the responder on 8082;
#   8446  leaf check with a shared ssl_ocsp_cache;
#   8447  root.crt as the only trusted client CA (self-signed regression).
# Session tickets are off and a shared session cache is configured; the
# 'session reused' tests read $ssl_session_reused through the X-Verify header.

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
    add_header X-SSL-Protocol $ssl_protocol always;

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  resolver;

        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8444 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8445 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8446 ssl;
        server_name  localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen       127.0.0.1:8447 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

# $d and $p are interpolated into the CA configs below and captured by
# get_socket() and http_daemon(); $p is the AIA responder port.
my $d = $t->testdir();
my $p = port(8081);

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# CA config for the certificates signed by int: the AIA extension points at
# the dummy responder on 127.0.0.1:$p, so no resolver is needed for them.
# certindex is also the revocation database the OCSP responses are built from.

$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

# variant for int.crt to trigger missing resolver
# (identical to ca.conf except that the AIA URI uses a host name)

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF

# root: self-signed CA certificate and key.

foreach my $name ('root') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# int (intermediate CA) and end (RSA client): key plus CSR, signed below.

foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# ec-end (EC client): a P-256 key is generated separately, then the CSR.

foreach my $name ('ec-end') {
	system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create EC param: $!\n";
	system("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# 'openssl ca' state: the first serial issued is 0x1000, the index is empty.

$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

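# int is signed with ca2.conf (host-name AIA), the leaf certificates with
# ca.conf (IP-address AIA); all three share certserial/certindex.

system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber
#
# The serials are packed as a DER INTEGER (tag 0x02, length 2, 16-bit value)
# so that http_daemon() can locate them inside the decoded OCSP request.
# \d+ only matches decimal digits: certserial starts at 1000 and only a few
# certificates are issued, so the hex serial never contains a-f here.
# The variables are declared separately and then assigned under the
# condition: 'my $x = ... if COND;' has undefined behaviour in Perl.

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

my $serial_int;
$serial_int = pack("n2", 0x0202, hex $1)
	if $t->read_file('serial_int') =~ /(\d+)/;

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial;
$serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;
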
# ocsp end
#
# Pre-generated responses served by http_daemon(): resp.der (end, signed by
# its issuer int) and ec-resp.der (ec-end, deliberately signed by root so the
# 'root ca not trusted' test fails first and is re-signed later).

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# The client CA bundle holds both int and root so that ssl_verify_depth 2
# can build the full chain for the 'ssl_ocsp on' servers.

$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));

# server cert/key

foreach my $name ('rsa') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# Two dummy responders: 8081 is the AIA responder and the only one that
# serves revoked.der; 8082 keeps serving the "good" responses.  Both are
# forked here, so $d, $serial and $serial_int must already be set.

$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
$t->run()->plan(15);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));

###############################################################################

# end.crt with the default 'ssl_ocsp leaf': the AIA responder on 8081
# serves resp.der.

like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver
# (int.crt carries the ca2.conf AIA with a host name, and the "resolver"
# server has 'ssl_ocsp on' but no resolver directive)

like(get('end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
# (int-resp.der does not exist yet, so http_daemon() skips the request)

like(get('end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke
#
# Marking end.crt revoked in certindex and regenerating the response yields
# revoked.der, which the 8081 responder serves instead of resp.der from now on.

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid
# (8445 uses the 8082 responder, which never serves revoked.der)

like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid
# (the "sni" server on 8443 also points at 8082)

like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid
# (8446 still holds the good response stored in 'cache store' above)

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400
# (ec-resp.der was signed with root.key, but ec-end was issued by int)

like(get('ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

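# session() returns the socket after a full handshake; it is handed back as
# SSL_reuse_ctx so the following connections resume that session (":r" in
# X-Verify).

my $s = session('ec-end');

# The three 'local $TODO' lines each override the previous one, so the last
# condition that holds wins; all of them only matter under TLSv1.3.

TODO: {
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();

like(get('ec-end', ses => $s),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

}

# revoke with saved session
#
# ec-resp.der is regenerated from the updated certindex, so the reused
# session must now be rejected with "certificate revoked".

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate

TODO: {
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();

like(get('ec-end', ses => $s),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}

# regression test for self-signed
# (8447 trusts root.crt only, so the self-signed root is the client cert)

like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

# check for errors

like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');

###############################################################################
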
# Connects with the given client certificate (arguments as for get_socket)
# and returns the complete HTTP response; returns nothing if no socket
# could be obtained.
sub get {
	my $sock = get_socket(@_);
	return unless $sock;
	return http_end($sock);
}

# Like get(), but discards the response and returns the socket itself, so
# that a later call can pass it as 'ses' to resume the TLS session.
sub session {
	my $sock = get_socket(@_);
	return unless $sock;
	http_end($sock);
	return $sock;
}

# Opens a TLS connection to 127.0.0.1:port($port) and sends a GET /serial
# request for the given SNI name.
#
#   $cert   - basename of "$d/$cert.crt"/"$d/$cert.key" used as the client
#             certificate; a false value connects without one
#   sni     - server name (SNI and Host header), default "localhost"
#   port    - logical port, default 8443
#   ses     - socket returned by session() whose TLS session is resumed
#
# Returns whatever http() returns with start => 1 (the connected socket).
sub get_socket {
	my ($cert, %extra) = @_;

	my $sni = $extra{sni} || 'localhost';
	my $port = $extra{port} || 8443;

	my %ssl = (
		SSL => 1,
		SSL_hostname => $sni,
		SSL_session_cache_size => 100,
		SSL_reuse_ctx => $extra{ses},
	);

	if ($cert) {
		$ssl{SSL_cert_file} = "$d/$cert.crt";
		$ssl{SSL_key_file} = "$d/$cert.key";
	}

	return http(
		"GET /serial HTTP/1.0\nHost: $sni\n\n",
		start => 1, PeerAddr => '127.0.0.1:' . port($port),
		%ssl
	);
}

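# Returns true if a plain TLS connection to the default server negotiates
# TLSv1.3, as reported by the X-SSL-Protocol header (added with 'always',
# so it is present even on the 400 produced without a client certificate).
sub test_tls13 {
	# The dot is escaped: the unescaped pattern also matched "TLSv1x3".
	return http_get('/', SSL => 1) =~ /TLSv1\.3/;
}

###############################################################################
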
# Dummy OCSP responder on 127.0.0.1:$port.  It implements only the OCSP GET
# method (the base64-encoded DER request travels in the URL path) and never
# parses the request: it picks a pre-generated response file by searching the
# decoded bytes for the DER-encoded serial of int or end, and falls back to
# the ec-end response otherwise.  $d, $serial and $serial_int are captured
# from the enclosing file scope at fork time.
#
# $t is accepted for symmetry with run_daemon() but is not used here.
sub http_daemon {
	my ($t, $port) = @_;
	my $server = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	# nginx may close early; a write to a dead socket must not kill the daemon.
	local $SIG{PIPE} = 'IGNORE';

	while (my $client = $server->accept()) {
		$client->autoflush(1);

		my $headers = '';
		my $uri = '';
		my $resp;

		# Read request headers up to the empty line.
		while (<$client>) {
			Test::Nginx::log_core('||', $_);
			$headers .= $_;
			last if (/^\x0d?\x0a?$/);
		}

		$uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next unless $uri;

		# Undo percent-encoding, then base64 (RFC 6960 GET method).
		$uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $req = decode_base64($uri);

		# '> 0' rather than '>= 0': a serial cannot sit at offset 0 of a DER
		# request, which starts with a SEQUENCE header, so the two are
		# equivalent here.
		if (index($req, $serial_int) > 0) {
			$resp = 'int-resp';

		} elsif (index($req, $serial) > 0) {
			$resp = 'resp';

			# used to differentiate ssl_ocsp_responder
			# (only the AIA responder on 8081 reports end.crt as revoked;
			# revoked.der appears once the 'revoke' step in the tests ran)

			if ($port == port(8081) && -e "$d/revoked.der") {
				$resp = 'revoked';
			}

		} else {
			$resp = 'ec-resp';
		}

		# No response file yet (e.g. int-resp.der before it is generated):
		# drop the connection without answering.
		next unless -s "$d/$resp.der";

		# ocsp dummy handler

		select undef, undef, undef, 0.02;

		$headers = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		# Slurp the DER file in binary mode; 'local $/' is scoped to this
		# loop iteration, so the header loop above keeps line mode.
		local $/;
		open my $fh, '<', "$d/$resp.der"
			or die "Can't open $resp.der: $!";
		binmode $fh;
		my $content = <$fh>;
		close $fh;

		print $client $headers . $content;
	}
}

###############################################################################