Mercurial > hg > nginx-tests
annotate ssl_stapling.t @ 1972:f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Stapling requires the certificate status TLS extension. It is implemented
in OpenSSL 0.9.8h and available if TLS extensions support is explicitly
configured, and by default since 0.9.8j.
To properly test if stapling is available, OpenSSL version is checked,
and SNI availability is checked to ensure TLS extensions support is
compiled in.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 06 May 2024 00:04:22 +0300 |
| parents | 0a93f101925a |
| children |
| rev | line source |
|---|---|
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for OCSP stapling. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 use MIME::Base64 qw/ decode_base64 /; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
27 my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/) |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
28 ->has_daemon('openssl'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
30 eval { defined &Net::SSLeay::set_tlsext_status_type or die; }; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
31 plan(skip_all => 'Net::SSLeay too old') if $@; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
32 eval { defined &IO::Socket::SSL::SSL_OCSP_TRY_STAPLE or die; }; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
33 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
|
1400
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
34 |
|
1972
f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1967
diff
changeset
|
35 plan(skip_all => 'no OCSP stapling') |
|
f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1967
diff
changeset
|
36 if $t->has_module('BoringSSL'); |
|
f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1967
diff
changeset
|
37 plan(skip_all => 'no OCSP stapling') |
|
f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1967
diff
changeset
|
38 if $t->has_module('OpenSSL') and not $t->has_feature('openssl:0.9.8h'); |
|
f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1967
diff
changeset
|
39 plan(skip_all => 'no OCSP stapling') |
|
f3573393f36f
Tests: guarded ssl_stapling.t for old OpenSSL versions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1967
diff
changeset
|
40 if not $t->has_module('sni'); |
|
1400
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
41 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
42 $t->plan(10)->write_file_expand('nginx.conf', <<'EOF'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 %%TEST_GLOBALS%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 daemon off; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 events { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 http { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 %%TEST_GLOBALS_HTTP%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 ssl_stapling on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 ssl_trusted_certificate trusted.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 |
|
1476
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
63 ssl_ciphers DEFAULT:ECCdraft; |
|
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
64 |
|
1867
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
65 add_header X-SSL-Protocol $ssl_protocol always; |
|
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
66 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 listen 127.0.0.1:8443 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 listen 127.0.0.1:8080; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 listen 127.0.0.1:8444 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 ssl_stapling_responder http://127.0.0.1:8081/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 listen 127.0.0.1:8445 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 ssl_stapling_verify on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 listen 127.0.0.1:8446 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 ssl_certificate ec-end.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 listen 127.0.0.1:8447 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 ssl_stapling_file %%TESTDIR%%/resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 listen 127.0.0.1:8448 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 ssl_stapling_file %%TESTDIR%%/ec-resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 listen 127.0.0.1:8449 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 ssl_stapling_responder http://127.0.0.1:8080/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
125 my $d = $t->testdir(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 my $p = port(8081); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 $t->write_file('openssl.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
130 default_bits = 2048 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 encrypt_key = no |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 distinguished_name = req_distinguished_name |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
133 x509_extensions = myca_extensions |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 [ req_distinguished_name ] |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
135 [ myca_extensions ] |
|
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
136 basicConstraints = critical,CA:TRUE |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 $t->write_file('ca.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 [ ca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 default_ca = myca |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 [ myca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 new_certs_dir = $d |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 database = $d/certindex |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
146 default_md = sha256 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 policy = myca_policy |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 serial = $d/certserial |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 default_days = 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 x509_extensions = myca_extensions |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 [ myca_policy ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 commonName = supplied |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 [ myca_extensions ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 basicConstraints = critical,CA:TRUE |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
158 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
159 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
160 foreach my $name ('root') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
161 system('openssl req -x509 -new ' |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
162 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 . "-out $d/$name.crt -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
166 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
168 foreach my $name ('int', 'end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 system("openssl req -new " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
170 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 . "-out $d/$name.csr -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 foreach my $name ('ec-end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 or die "Can't create EC param: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 system("openssl req -new -key $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 . "-out $d/$name.csr " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 $t->write_file('certserial', '1000'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
188 $t->write_file('certindex', ''); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
189 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 or die "Can't sign certificate for int: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
195 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
199 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
200 or die "Can't sign certificate for ec-end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 or die "Can't sign certificate for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 # RFC 6960, serialNumber |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
209 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 system("openssl x509 -in $d/end.crt -serial -noout " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 . ">>$d/serial 2>>$d/openssl.out") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 or die "Can't obtain serial for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
213 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
214 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
215 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
216 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
217 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
218 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
219 or die "Can't revoke end.crt: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
223 or die "Can't create OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
224 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
226 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
229 or die "Can't create OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
232 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 or die "Can't create EC OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
235 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
236 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
238 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
239 or die "Can't create EC OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
240 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
241 $t->write_file('trusted.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
242 $t->read_file('int.crt') . $t->read_file('root.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
243 $t->write_file('end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
244 $t->read_file('end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
245 $t->write_file('ec-end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
246 $t->read_file('ec-end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
247 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
248 $t->run_daemon(\&http_daemon, $t); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
249 $t->run(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
250 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
251 $t->waitforsocket("127.0.0.1:" . port(8081)); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
252 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
253 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
254 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
255 staple(8443, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
256 staple(8443, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
257 staple(8444, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
258 staple(8444, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
259 staple(8445, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
260 staple(8446, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
261 staple(8449, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
262 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
263 sleep 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
264 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
265 ok(!staple(8443, 'RSA'), 'staple revoked'); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
266 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
267 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
268 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
269 if $t->has_module('LibreSSL') && test_tls13(); |
|
1967
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
270 local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
271 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
272 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
273 ok(staple(8443, 'ECDSA'), 'staple success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
274 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
275 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
276 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
277 ok(!staple(8444, 'RSA'), 'responder revoked'); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
278 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
279 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
280 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
281 if $t->has_module('LibreSSL') && test_tls13(); |
|
1967
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
282 local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
283 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
284 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
285 ok(staple(8444, 'ECDSA'), 'responder success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
286 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
287 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
288 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
289 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
290 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
291 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
292 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
293 is(staple(8447, 'RSA'), '1 1', 'file revoked'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
294 is(staple(8448, 'ECDSA'), '1 0', 'file success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
295 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
296 ok(!staple(8449, 'ECDSA'), 'ocsp error'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
297 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
298 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
299 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1967
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
300 if $t->has_module('LibreSSL') |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
301 && !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") |
|
0a93f101925a
Tests: sigalgs handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1945
diff
changeset
|
302 && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
303 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
304 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
305 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
306 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
307 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
308 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
309 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
310 sub staple { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
311 my ($port, $ciphers, $ca) = @_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
312 my (@resp); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
313 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
314 my $staple_cb = sub { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
315 my ($s, $resp) = @_; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
316 push @resp, !!$resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
317 return 1 unless $resp; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
318 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
319 # Contrary to the documentation, IO::Socket::SSL calls the |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
320 # SSL_ocsp_staple_callback with the socket, and not the |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
321 # Net::SSLeay object. |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
322 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
323 my $ssl = $s->_get_ssl_object(); |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
324 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
325 my $cert = Net::SSLeay::get_peer_certificate($ssl); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
326 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) } |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
327 or do { die "no OCSP_CERTID for certificate: $@"; }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
328 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
329 my @res = Net::SSLeay::OCSP_response_results($resp, $certid); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
330 push @resp, $res[0][2]->{'statusType'}; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
331 }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
332 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
333 my $ctx_cb = sub { |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
334 my $ctx = shift; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
335 return unless defined $ciphers; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
336 my $ssleay = Net::SSLeay::SSLeay(); |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
337 return if ($ssleay < 0x1000200f || $ssleay == 0x20000000); |
|
1871
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
338 my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256'); |
|
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
339 @sigalgs = ($ciphers . '+SHA256') unless $ciphers eq 'RSA'; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
340 # SSL_CTRL_SET_SIGALGS_LIST |
|
1871
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
341 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0]) |
|
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
342 or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1]) |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
343 or die("Failed to set sigalgs"); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
344 }; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
345 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
346 my $s = http_get( |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
347 '/', start => 1, PeerAddr => '127.0.0.1:' . port($port), |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
348 SSL => 1, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
349 SSL_cipher_list => $ciphers, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
350 SSL_create_ctx_callback => $ctx_cb, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
351 SSL_ocsp_staple_callback => $staple_cb, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
352 SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(), |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
353 SSL_ca_file => $ca |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
354 ); |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
355 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
356 return $s unless $s; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
357 return join ' ', @resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
358 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
359 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
360 sub test_tls13 { |
|
1867
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
361 return http_get('/', SSL => 1) =~ /TLSv1.3/; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
362 } |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
363 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
364 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
365 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
366 sub http_daemon { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
367 my ($t) = shift; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
368 my $server = IO::Socket::INET->new( |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
369 Proto => 'tcp', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
370 LocalHost => "127.0.0.1:" . port(8081), |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
371 Listen => 5, |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
372 Reuse => 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
373 ) |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
374 or die "Can't create listening socket: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
375 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
376 local $SIG{PIPE} = 'IGNORE'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
377 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
378 while (my $client = $server->accept()) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
379 $client->autoflush(1); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
380 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
381 my $headers = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
382 my $uri = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
383 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
384 while (<$client>) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
385 $headers .= $_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
386 last if (/^\x0d?\x0a?$/); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
387 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
388 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
389 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
390 next unless $uri; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
391 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
392 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
393 my $req = decode_base64($uri); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
394 my $resp = index($req, $serial) > 0 ? 'resp' : 'ec-resp'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
395 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
396 # ocsp dummy handler |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
397 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
398 select undef, undef, undef, 0.02; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
399 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
400 $headers = <<"EOF"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
401 HTTP/1.1 200 OK |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
402 Connection: close |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
403 Content-Type: application/ocsp-response |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
404 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
405 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
406 |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
407 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
408 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
409 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
410 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
411 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
412 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
413 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
414 print $client $headers . $content; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
415 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
416 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
417 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
418 ############################################################################### |