annotate ssl_ocsp.t @ 1974:b5036a0f9ae0 default tip
Tests: improved compatibility when using recent "openssl" app.
Starting with OpenSSL 3.0, "openssl genrsa" generates encrypted keys
in PKCS#8 format instead of previously used PKCS#1 format. Further,
since OpenSSL 1.1.0 such keys are using PBKDF2 hmacWithSHA256.
Such keys are not supported by old SSL libraries, notably by OpenSSL
before 1.0.0 (OpenSSL 0.9.8 only supports hmacWithSHA1) and by BoringSSL
before May 21, 2019 (support for hmacWithSHA256 was added in 302a4dee6c),
and trying to load such keys into nginx compiled with an old SSL library
results in "unsupported prf" errors.
To facilitate testing with old SSL libraries, keys are now generated
with "openssl genrsa -traditional" if the flag is available.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Mon, 06 May 2024 00:04:26 +0300 |
parents | c924ae8d7104 |
children |
1570 | 1 #!/usr/bin/perl |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for OCSP with client certificates. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use MIME::Base64 qw/ decode_base64 /; | |
16 | |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
18 | |
19 use lib 'lib'; | |
20 use Test::Nginx qw/ :DEFAULT http_end /; |
1570 | 21 |
22 ############################################################################### | |
23 | |
# Unbuffered STDERR/STDOUT so test output and diagnostics interleave
# in order.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# nginx must be built with http_ssl and SNI, Test::Nginx must report
# socket_ssl_sni (presumably SNI on its SSL client sockets), and the
# "openssl" tool is needed to create the certificates and canned OCSP
# responses below.
my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
	->has_daemon('openssl');

# BoringSSL builds have no OCSP support: skip the whole file.
plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');
# Every server requires a client certificate (ssl_verify_client on) and
# verifies it against trusted.crt (int + root, built below); by default
# only the leaf is checked via OCSP ("ssl_ocsp leaf").  The servers
# differ in how the OCSP lookup is done:
#
#   8443 "localhost"  no ssl_ocsp_responder: the AIA URI from the client
#                     certificate is used (ca.conf points it at port 8081)
#   8443 "sni"        responder overridden to port 8082
#   8443 "resolver"   "ssl_ocsp on" checks the whole chain; int.crt's AIA
#                     names "localhost" (ca2.conf) and no resolver is
#                     configured, so that lookup is expected to fail
#   8444              whole chain, responder on port 8081
#   8445              leaf only, responder on port 8082
#   8446              leaf only, responses kept in ssl_ocsp_cache
#   8447              responder on port 8082, root.crt as the only
#                     client CA (self-signed client cert regression)
#
# The X-Verify header exposes "x<verify result>:<session reused>x",
# which is what the tests match (e.g. "SUCCESS:r" for a reused session);
# X-SSL-Protocol is used by test_tls13().  The 127.0.0.1:<port> values
# are presumably mapped by write_file_expand() to the same ports that
# port() returns below.
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
    add_header X-SSL-Protocol $ssl_protocol always;

    server {
        listen 127.0.0.1:8443 ssl;
        server_name localhost;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8443 ssl;
        server_name resolver;

        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8444 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen 127.0.0.1:8445 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen 127.0.0.1:8446 ssl;
        server_name localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen 127.0.0.1:8447 ssl;
        server_name localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF
my $d = $t->testdir();

# Port of the first dummy OCSP responder; it is written into the
# authorityInfoAccess extension of every certificate issued below.
my $p = port(8081);

# Request config: 2048-bit keys written unencrypted (encrypt_key = no),
# and "req -x509" self-signed certificates marked CA:TRUE (root, rsa).
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = myca_extensions
[ req_distinguished_name ]
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

# CA config for "openssl ca": one-day certificates, all marked CA:TRUE
# (int.crt later issues end.crt and ec-end.crt), with an OCSP AIA URI at
# 127.0.0.1:$p.  The heredoc interpolates, so $d and $p are expanded.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

# variant for int.crt to trigger missing resolver
#
# Identical to ca.conf except that the AIA URI uses the host name
# "localhost" instead of an IP address; nginx has no resolver in this
# configuration, so fetching the OCSP status of int.crt must fail.

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF
# Self-signed root CA (CA:TRUE comes from x509_extensions in
# openssl.conf).  All openssl output goes to openssl.out for debugging.
foreach my $name ('root') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# RSA keys and CSRs for the intermediate (int) and the RSA end entity
# (end); they are signed with "openssl ca" below.
foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# ECDSA end entity: generate a prime256v1 key first, then a CSR for it.
foreach my $name ('ec-end') {
	system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create EC param: $!\n";
	system("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# CA database used by "openssl ca" (ca.conf/ca2.conf): serials start at
# 0x1000, the index of issued/revoked certificates starts empty.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');
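# int.crt is issued by root through ca2.conf, so its AIA names
# "localhost" (see the comment above ca2.conf); end.crt and ec-end.crt
# are issued by int through ca.conf, with the AIA at 127.0.0.1:$p.
system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber
#
# The dummy responder in http_daemon() searches the decoded OCSP request
# for the DER-encoded serial of int.crt or end.crt to pick the canned
# response.  pack("n2", 0x0202, N) produces the bytes 02 02 hi lo, i.e.
# INTEGER tag, length 2, two-byte big-endian value.  This relies on the
# serials staying below 0x10000 and consisting of decimal digits only
# (they start at 1000, see certserial above): "\d+" would stop at the
# first hex letter of a serial such as 100a.

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

# A "my" declaration with a statement modifier has undefined behaviour
# in Perl; declare first, then assign conditionally.
my $serial_int;
$serial_int = pack("n2", 0x0202, hex $1)
	if $t->read_file('serial_int') =~ /(\d+)/;

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial;
$serial = pack("n2", 0x0202, hex $1)
	if $t->read_file('serial') =~ /(\d+)/;

# ocsp end

# Canned "good" responses: resp.der for end.crt, signed by its issuer
# int; ec-resp.der for ec-end.crt, deliberately signed by root, which is
# not the issuer, so that the 'root ca not trusted' test below can
# expect nginx to reject it.  "-ndays 1" keeps them valid for the run.

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# Client CA bundle for ssl_client_certificate: the intermediate and the
# root, so that verification of end/ec-end (depth 2) succeeds.
$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));

# server cert/key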
# Self-signed server certificate; "rsa" matches the ssl_certificate and
# ssl_certificate_key file names in nginx.conf.
foreach my $name ('rsa') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# Two instances of the dummy OCSP responder: port(8081) is the AIA
# target written by ca.conf, port(8082) is the explicit
# ssl_ocsp_responder of several servers.  http_daemon() serves the
# "revoked" response only on port(8081), which is how the tests tell
# the two apart.
$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
$t->run()->plan(15);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));
274 ############################################################################### | |
275 | |
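# Leaf-only check of end.crt against the responder named in its AIA
# (127.0.0.1:$p), which serves resp.der.
like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver
#
# The "resolver" server checks the whole chain; int.crt's AIA names
# "localhost", which cannot be resolved here, so verification fails.

like(get('end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
#
# Port 8444 asks the responder about int.crt too, but no int-resp.der
# exists yet, so http_daemon() closes the connection without answering.

like(get('end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke
#
# Mark end.crt revoked in the CA index and build revoked.der from it;
# http_daemon() serves revoked.der instead of resp.der, but only on
# port(8081), i.e. for servers using the AIA responder.

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid

like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid

like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid
#
# Port 8446 would now get the revoked response from the AIA responder,
# but the "good" one stored by 'cache store' is still in ssl_ocsp_cache.

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400

like(get('ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

# Keep the socket so the next connections can resume its TLS session.
my $s = session('ec-end');

# Session resumption cannot be exercised with TLSv1.3 on the client
# libraries named below; any matching condition turns the test into a
# TODO rather than a failure.
TODO: {
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();
local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
	if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();

like(get('ec-end', ses => $s),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

}

# revoke with saved session

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate
#
# A resumed session must not bypass the OCSP check: the revoked status
# has to be reported even though the certificate is not re-sent.

TODO: {
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();
local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
	if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();

like(get('ec-end', ses => $s),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}

# regression test for self-signed
#
# The client presents root.crt itself; port 8447 trusts only root.crt.

like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

# check for errors

like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');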
414 ############################################################################### | |
415 | |
# Performs one TLS request (see get_socket for the arguments) and
# returns the complete HTTP response as a string; returns nothing when
# no connection could be established.
sub get {
	my $sock = get_socket(@_)
		or return;

	return http_end($sock);
}
420 | |
# Like get(), but returns the socket instead of the response, so the
# caller can hand it back through "ses => $s" to resume its TLS session
# (see the 'session reused' tests).
sub session {
	my $sock = get_socket(@_)
		or return;

	http_end($sock);
	return $sock;
}
426 |
# Opens a TLS connection to 127.0.0.1:port($port) and starts a GET for
# /serial.  Arguments: the client certificate name ($cert.crt/$cert.key
# in the test directory; no client certificate when empty), followed by
# options:
#   sni  - server name for SNI and the Host header (default 'localhost')
#   port - logical port, mapped through port() (default 8443)
#   ses  - a socket returned by session() whose TLS session is reused
# The SSL_* keys are IO::Socket::SSL options passed through
# Test::Nginx::http(); the socket it returns is handed back unchanged.
sub get_socket {
	my ($cert, %extra) = @_;

	my $sni = $extra{sni} || 'localhost';
	my $port = $extra{port} || 8443;

	my @client_cert = $cert
		? (SSL_cert_file => "$d/$cert.crt", SSL_key_file => "$d/$cert.key")
		: ();

	return http(
		"GET /serial HTTP/1.0\nHost: $sni\n\n",
		start => 1, PeerAddr => '127.0.0.1:' . port($port),
		SSL => 1,
		SSL_hostname => $sni,
		SSL_session_cache_size => 100,
		SSL_reuse_ctx => $extra{ses},
		@client_cert
	);
}
446 | |
# True when a TLS connection to the test server negotiates TLSv1.3; the
# protocol is taken from the X-SSL-Protocol header nginx adds to every
# response ("always").  The dot in the pattern is deliberately left
# unescaped, as in the original.
sub test_tls13 {
	my $response = http_get('/', SSL => 1);
	return $response =~ /TLSv1.3/;
}
450 | |
451 ############################################################################### | |
452 | |
# Minimal OCSP responder used as a test fixture.  It listens on
# 127.0.0.1:$port, accepts one request per connection, extracts the
# base64-encoded OCSP request from the GET URI (the GET form of OCSP
# over HTTP), and replies with one of the canned DER responses created
# by the test: int-resp.der when the request carries int.crt's serial,
# resp.der (or revoked.der, on port(8081) only, once it exists) for
# end.crt's serial, and ec-resp.der otherwise.  Requests it cannot parse,
# or whose response file is missing/empty, are dropped by closing the
# connection.  $t is accepted for run_daemon() compatibility and unused.
sub http_daemon {
	my ($t, $port) = @_;

	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	# nginx may close the connection before the reply is written; a
	# dead client must not take the daemon down with SIGPIPE
	local $SIG{PIPE} = 'IGNORE';

	CLIENT:
	while (my $client = $listener->accept()) {
		$client->autoflush(1);

		# read request headers up to the empty line
		my $request = '';
		while (my $line = <$client>) {
			Test::Nginx::log_core('||', $line);
			$request .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($uri) = $request =~ m{^\S+\s+/([^ ]+)\s+HTTP}i;
		next CLIENT unless $uri;

		# percent-decode, then base64-decode the OCSP request
		(my $decoded = $uri) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $ocsp_req = decode_base64($decoded);

		# choose the canned response by the serial found in the request
		my $resp = 'ec-resp';

		if (index($ocsp_req, $serial_int) > 0) {
			$resp = 'int-resp';

		} elsif (index($ocsp_req, $serial) > 0) {
			# used to differentiate ssl_ocsp_responder: only the
			# responder on port(8081) reports end.crt as revoked
			$resp = ($port == port(8081) && -e "$d/revoked.der")
				? 'revoked' : 'resp';
		}

		next CLIENT unless -s "$d/$resp.der";

		# ocsp dummy handler

		select undef, undef, undef, 0.02;

		my $reply = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		open my $fh, '<', "$d/$resp.der"
			or die "Can't open $resp.der: $!";
		binmode $fh;
		my $der = do { local $/; <$fh> };
		close $fh;

		print {$client} $reply . $der;
	}
}
523 | |
524 ############################################################################### |