Mercurial > hg > nginx-tests
annotate ssl_client_escaped_cert.t @ 1974:b5036a0f9ae0 default tip
Tests: improved compatibility when using recent "openssl" app.
Starting with OpenSSL 3.0, "openssl genrsa" generates encrypted keys
in PKCS#8 format instead of previously used PKCS#1 format. Further,
since OpenSSL 1.1.0 such keys are using PBKDF2 hmacWithSHA256.
Such keys are not supported by old SSL libraries, notably by OpenSSL
before 1.0.0 (OpenSSL 0.9.8 only supports hmacWithSHA1) and by BoringSSL
before May 21, 2019 (support for hmacWithSHA256 was added in 302a4dee6c),
and trying to load such keys into nginx compiled with an old SSL library
results in "unsupported prf" errors.
To facilitate testing with old SSL libraries, keys are now generated
with "openssl genrsa -traditional" if the flag is available.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 06 May 2024 00:04:26 +0300 |
| parents | a797d7428fa5 |
| children |
| rev | line source |
|---|---|
|
1209
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, $ssl_client_escaped_cert variable. |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 ############################################################################### |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 select STDERR; $| = 1; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDOUT; $| = 1; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 |
|
1858
cdcd75657e52
Tests: added has_feature() tests for IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1488
diff
changeset
|
25 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite socket_ssl/) |
|
1381
97c8280de681
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1209
diff
changeset
|
26 ->has_daemon('openssl')->plan(3); |
|
1209
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
28 $t->write_file_expand('nginx.conf', <<'EOF'); |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 %%TEST_GLOBALS%% |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 daemon off; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 events { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 http { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 %%TEST_GLOBALS_HTTP%% |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 ssl_certificate_key localhost.key; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 ssl_certificate localhost.crt; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 ssl_verify_client optional_no_ca; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 server { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 listen 127.0.0.1:8443 ssl; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 server_name localhost; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 location /cert { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 return 200 $ssl_client_raw_cert; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 location /escaped { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 return 200 $ssl_client_escaped_cert; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 EOF |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 $t->write_file('openssl.conf', <<EOF); |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
61 default_bits = 2048 |
|
1209
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 encrypt_key = no |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 distinguished_name = req_distinguished_name |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 [ req_distinguished_name ] |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 EOF |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 my $d = $t->testdir(); |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 foreach my $name ('localhost') { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 system('openssl req -x509 -new ' |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 . "-out $d/$name.crt -keyout $d/$name.key " |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 . ">>$d/openssl.out 2>&1") == 0 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 or die "Can't create certificate for $name: $!\n"; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 |
|
1381
97c8280de681
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1209
diff
changeset
|
77 $t->run(); |
|
1209
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 ############################################################################### |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 my ($cert) = cert('/cert') =~ /\x0d\x0a?\x0d\x0a?(.*)/ms; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 my ($escaped) = cert('/escaped') =~ /\x0d\x0a?\x0d\x0a?(.*)/ms; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 ok($cert, 'ssl_client_raw_cert'); |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 ok($escaped, 'ssl_client_escaped_cert'); |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 $escaped =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 is($escaped, $cert, 'ssl_client_escaped_cert unescape match'); |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 ############################################################################### |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 sub cert { |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 my ($uri) = @_; |
|
1866
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
94 return http_get( |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
95 $uri, |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
96 SSL => 1, |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
97 SSL_cert_file => "$d/localhost.crt", |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
98 SSL_key_file => "$d/localhost.key" |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
99 ); |
|
1209
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 } |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
|
0d9df274e3a3
Tests: ssl_client_escaped_cert variable tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 ############################################################################### |