annotate ssl_verify_client.t @ 1938:e1059682aeef

Tests: fixed ClientHello with resending Initial QUIC packets. Previously it was rebuilt each time using a distinct ClientHello.random, resulting in a different CRYPTO payload. As such, it led to a TLS digest hash and derived secrets mismatch when resending an Initial packet. Now the ClientHello is built once and reused when resending Initial packets. Additionally, this required preserving a generated secret value used in the shared secret calculation as part of the TLS key schedule. Previously it was regenerated when receiving a Retry packet, but this won't work with a reused ClientHello, as the resulting shared secrets won't match.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 30 Aug 2023 02:22:58 +0400
parents 0e1865aa9b33
children b72a8c4a1bef
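The transcript and shared-secret dependency the commit message describes, as an added illustration that is not nginx-tests code: a reduced TLS 1.3 key schedule (RFC 8446 section 7.1) run over a constructed ClientHello byte layout and a toy Diffie-Hellman group (both assumptions standing in for the real CRYPTO payload and X25519 key share), comparing the client's and server's handshake traffic secrets when the resent Initial reuses or rebuilds the ClientHello and keeps or regenerates the key share private value. It also assumes the client's own transcript holds the ClientHello it built first, while the server hashes whatever it receives.

```python
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Toy Diffie-Hellman group standing in for the X25519 key share (assumption).
# Constructed for illustration only; far too small for any real use.
P = 2**127 - 1
G = 3


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1): the 'tls13 ' prefixed label
    and the context are part of the HKDF info, so they bind the output."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + hkdf_label + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret: HKDF-Expand-Label keyed on the transcript hash."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secrets(client_hello: bytes, server_hello: bytes, shared_secret: bytes):
    """Client and server handshake traffic secrets (no PSK, so the early
    secret is extracted from an all-zero IKM). Both depend on the transcript
    and on the (EC)DHE shared secret, which is what the fix relies on."""
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, b"\x00" * HASH_LEN)
    derived = derive_secret(early_secret, "derived", b"")
    handshake_secret = hkdf_extract(derived, shared_secret)
    transcript = client_hello + server_hello
    return (derive_secret(handshake_secret, "c hs traffic", transcript),
            derive_secret(handshake_secret, "s hs traffic", transcript))


def keygen():
    """Toy DH key pair: (private exponent, public value)."""
    priv = 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def build_client_hello(random32: bytes, key_share_pub: int) -> bytes:
    """Constructed stand-in for the CRYPTO payload carrying the ClientHello:
    handshake type, ClientHello.random, key_share public value, fixed rest."""
    return b"\x01" + random32 + key_share_pub.to_bytes(16, "big") + b"<fixed body>"


def secrets_agree(reuse_client_hello: bool, keep_key_share: bool) -> bool:
    """Simulate a client whose first Initial is answered by a Retry and must be
    resent. Assumption: the client's TLS transcript already holds the
    ClientHello it built first, while the server hashes whatever arrives."""
    c_priv, c_pub = keygen()
    first_ch = build_client_hello(os.urandom(32), c_pub)

    # Retry received; decide what the resent Initial carries.
    if not keep_key_share:
        c_priv, c_pub = keygen()          # old behaviour: fresh private value
    if reuse_client_hello:
        sent_ch = first_ch                # fixed behaviour: same bytes again
    else:
        sent_ch = build_client_hello(os.urandom(32), c_pub)   # old: rebuilt

    s_priv, s_pub = keygen()
    server_hello = b"\x02" + s_pub.to_bytes(16, "big") + b"<fixed body>"

    client_side = handshake_secrets(first_ch, server_hello, dh_shared(c_priv, s_pub))
    # The server uses the key share it actually received in the sent ClientHello.
    server_side = handshake_secrets(sent_ch, server_hello,
                                    dh_shared(s_priv, int.from_bytes(sent_ch[33:49], "big")))
    return client_side == server_side


if __name__ == "__main__":
    for reuse, keep in ((False, False), (False, True), (True, False), (True, True)):
        print(f"reuse={reuse!s:5} keep_key_share={keep!s:5} ->",
              "match" if secrets_agree(reuse, keep) else "MISMATCH")
```

Only the combination that both reuses the ClientHello bytes and keeps the key share private value yields matching secrets on both sides, which is exactly the pair of changes the commit message describes.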
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for http ssl module, ssl_verify_client.

###############################################################################

use warnings;
use strict;

use Test::More;

use Socket qw/ CRLF /;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx qw/ :DEFAULT http_end /;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
    ->has_daemon('openssl')->plan(13);

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x;
    add_header X-Protocol $ssl_protocol;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    server {
        listen       127.0.0.1:8080;
        server_name  localhost;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  on;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  optional;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client optional;
        ssl_client_certificate 2.example.com.crt;
        ssl_trusted_certificate 3.example.com.crt;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  off;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client off;
        ssl_client_certificate 2.example.com.crt;
        ssl_trusted_certificate 3.example.com.crt;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  optional.no.ca;

        ssl_certificate_key 1.example.com.key;
        ssl_certificate 1.example.com.crt;

        ssl_verify_client optional_no_ca;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  no.context;

        ssl_verify_client on;
    }
}

EOF

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

foreach my $name ('1.example.com', '2.example.com', '3.example.com') {
    system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}

sleep 1 if $^O eq 'MSWin32';

$t->write_file('t', 'SEE-THIS');

$t->run();

###############################################################################

like(http_get('/t'), qr/x:x/, 'plain connection');
like(get('on'), qr/400 Bad Request/, 'no cert');
like(get('no.context'), qr/400 Bad Request/, 'no server cert');
like(get('optional'), qr/NONE:x/, 'no optional cert');
like(get('optional', '1.example.com'), qr/400 Bad/, 'bad optional cert');
like(get('optional.no.ca', '1.example.com'), qr/FAILED.*BEGIN/,
    'bad optional_no_ca cert');
like(get('off', '2.example.com'), qr/NONE/, 'off cert');
like(get('off', '3.example.com'), qr/NONE/, 'off cert trusted');

like(get('localhost', '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert');
like(get('optional', '2.example.com'), qr/SUCCESS.*BEGI/, 'good cert optional');
like(get('optional', '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted');

SKIP: {
skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;

TODO: {
local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
    if $t->has_module('LibreSSL') && test_tls13();

my $ca = join ' ', get('optional', '3.example.com');
is($ca, '/CN=2.example.com', 'no trusted sent');

}
}

like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected');

###############################################################################

sub test_tls13 {
    get('optional') =~ /TLSv1.3/;
}

sub get {
    my ($sni, $cert, $host) = @_;

    $host = $sni if !defined $host;

    my $s = http(
        "GET /t HTTP/1.0" . CRLF .
        "Host: $host" . CRLF . CRLF,
        start => 1,
        SSL => 1,
        SSL_hostname => $sni,
        $cert ? (
            SSL_cert_file => "$d/$cert.crt",
            SSL_key_file => "$d/$cert.key"
        ) : ()
    );

    return http_end($s) unless wantarray();

    # Note: this uses IO::Socket::SSL::_get_ssl_object() internal method.
    # While not exactly correct, it looks like there is no other way to
    # obtain CA list with IO::Socket::SSL, and this seems to be good
    # enough for tests.

    my $ssl = $s->_get_ssl_object();
    my $list = Net::SSLeay::get_client_CA_list($ssl);
    my @names;
    for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) {
        my $name = Net::SSLeay::sk_X509_NAME_value($list, $i);
        push @names, Net::SSLeay::X509_NAME_oneline($name);
    }
    return @names;
}

###############################################################################