Mercurial > hg > nginx-tests
annotate stream_ssl_certificate.t @ 1974:b5036a0f9ae0 default tip
Tests: improved compatibility when using recent "openssl" app.
Starting with OpenSSL 3.0, "openssl genrsa" generates encrypted keys
in PKCS#8 format instead of previously used PKCS#1 format. Further,
since OpenSSL 1.1.0 such keys are using PBKDF2 hmacWithSHA256.
Such keys are not supported by old SSL libraries, notably by OpenSSL
before 1.0.0 (OpenSSL 0.9.8 only supports hmacWithSHA1) and by BoringSSL
before May 21, 2019 (support for hmacWithSHA256 was added in 302a4dee6c),
and trying to load such keys into nginx compiled with an old SSL library
results in "unsupported prf" errors.
To facilitate testing with old SSL libraries, keys are now generated
with "openssl genrsa -traditional" if the flag is available.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 06 May 2024 00:04:26 +0300 |
parents | c924ae8d7104 |
children |
rev | line source |
---|---|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for stream ssl module with dynamic certificates. |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
19 use Test::Nginx::Stream qw/ stream /; |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 ############################################################################### |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDERR; $| = 1; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDOUT; $| = 1; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 |
1860
58951cf933e1
Tests: added has_feature() test for SSL libraries.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1851
diff
changeset
|
26 my $t = Test::Nginx->new() |
58951cf933e1
Tests: added has_feature() test for SSL libraries.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1851
diff
changeset
|
27 ->has(qw/stream stream_ssl stream_geo stream_return openssl:1.0.2/) |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
28 ->has(qw/socket_ssl_sni/) |
1860
58951cf933e1
Tests: added has_feature() test for SSL libraries.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1851
diff
changeset
|
29 ->has_daemon('openssl') |
58951cf933e1
Tests: added has_feature() test for SSL libraries.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1851
diff
changeset
|
30 ->write_file_expand('nginx.conf', <<'EOF'); |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 %%TEST_GLOBALS%% |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 daemon off; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 events { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 stream { |
1609
f3ba4c74de31
Tests: added TEST_GLOBALS_STREAM variable support.
Andrei Belov <defan@nginx.com>
parents:
1535
diff
changeset
|
40 %%TEST_GLOBALS_STREAM%% |
f3ba4c74de31
Tests: added TEST_GLOBALS_STREAM variable support.
Andrei Belov <defan@nginx.com>
parents:
1535
diff
changeset
|
41 |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 geo $one { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 default one; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 geo $two { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 default two; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 geo $pass { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 default pass; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 ssl_session_cache shared:SSL:1m; |
1836
74cffa9d4c43
Tests: enabled session reuse via TLS session tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1637
diff
changeset
|
55 ssl_session_tickets on; |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 server { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 listen 127.0.0.1:8080 ssl; |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
59 return $ssl_server_name:$ssl_session_reused:$ssl_protocol; |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 ssl_certificate $one.crt; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 ssl_certificate_key $one.key; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 server { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 listen 127.0.0.1:8083 ssl; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 return $ssl_server_name:$ssl_session_reused; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 # found in key |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 ssl_certificate pass.crt; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 ssl_certificate_key $pass.key; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 ssl_password_file password_file; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 server { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 listen 127.0.0.1:8081 ssl; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 return $ssl_server_name:$ssl_session_reused; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 ssl_certificate $one.crt; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 ssl_certificate_key $one.key; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 server { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 listen 127.0.0.1:8082 ssl; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 return $ssl_server_name:$ssl_session_reused; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 ssl_certificate $two.crt; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 ssl_certificate_key $two.key; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 } |
1445
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
90 |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
91 server { |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
92 listen 127.0.0.1:8084 ssl; |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
93 return $ssl_server_name:$ssl_session_reused; |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
94 |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
95 ssl_certificate $ssl_server_name.crt; |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
96 ssl_certificate_key $ssl_server_name.key; |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
97 } |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 EOF |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 $t->write_file('openssl.conf', <<EOF); |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 [ req ] |
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1445
diff
changeset
|
104 default_bits = 2048 |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 encrypt_key = no |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 distinguished_name = req_distinguished_name |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 [ req_distinguished_name ] |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 EOF |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 my $d = $t->testdir(); |
1974
b5036a0f9ae0
Tests: improved compatibility when using recent "openssl" app.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1966
diff
changeset
|
111 my $tr = `openssl genrsa -help 2>&1` =~ /-traditional/ ? '-traditional' : ''; |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 foreach my $name ('one', 'two') { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 system('openssl req -x509 -new ' |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 . "-config $d/openssl.conf -subj /CN=$name/ " |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 . "-out $d/$name.crt -keyout $d/$name.key " |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 . ">>$d/openssl.out 2>&1") == 0 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 or die "Can't create certificate for $name: $!\n"; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 foreach my $name ('pass') { |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 system("openssl genrsa -out $d/$name.key -passout pass:pass " |
1974
b5036a0f9ae0
Tests: improved compatibility when using recent "openssl" app.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1966
diff
changeset
|
123 . "-aes128 $tr 2048 >>$d/openssl.out 2>&1") == 0 |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 or die "Can't create $name key: $!\n"; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
125 system("openssl req -x509 -new -config $d/openssl.conf " |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 . "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key " |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 . "-passin pass:pass >>$d/openssl.out 2>&1") == 0 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 or die "Can't create $name certificate: $!\n"; |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
130 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 $t->write_file('password_file', 'pass'); |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 $t->write_file('index.html', ''); |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 |
1535
144c6ce732e4
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
134 $t->run()->plan(7); |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 ############################################################################### |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 like(cert('default', 8080), qr/CN=one/, 'default certificate'); |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 like(get('default', 8080), qr/default/, 'default context'); |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 like(get('password', 8083), qr/password/, 'ssl_password_file'); |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 # session reuse |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
145 my $s = session('default', 8080); |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
147 TODO: { |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
148 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
149 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
150 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
151 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); |
1966
c924ae8d7104
Tests: session reuse handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1868
diff
changeset
|
152 local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)' |
c924ae8d7104
Tests: session reuse handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1868
diff
changeset
|
153 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
154 |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
155 like(get('default', 8080, $s), qr/default:r/, 'session reused'); |
1851
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
156 |
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
157 TODO: { |
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
158 # ticket key name mismatch prevents session resumption |
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
159 local $TODO = 'not yet' unless $t->has_version('1.23.2'); |
1868
d570dbcad925
Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1863
diff
changeset
|
160 local $TODO = 'no SSL_session_key, old IO::Socket::SSL' |
d570dbcad925
Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1863
diff
changeset
|
161 if $IO::Socket::SSL::VERSION < 1.965; |
1851
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
162 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
163 like(get('default', 8081, $s), qr/default:r/, 'session id context match'); |
1851
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
164 |
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
165 } |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
166 } |
1851
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
167 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
168 like(get('default', 8082, $s), qr/default:\./, 'session id context distinct'); |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 |
1445
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
170 # errors |
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
171 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
172 ok(!get('nx', 8084), 'no certificate'); |
1445
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
173 |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 ############################################################################### |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 sub get { |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
177 my $s = get_socket(@_) || return; |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
178 return $s->read(); |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 sub cert { |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
182 my $s = get_socket(@_) || return; |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
183 return $s->socket()->dump_peer_certificate(); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
184 } |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
185 |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
186 sub session { |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
187 my $s = get_socket(@_); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
188 $s->read(); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
189 return $s->socket(); |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
192 sub get_socket { |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
193 my ($host, $port, $ctx) = @_; |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
194 return stream( |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
195 PeerAddr => '127.0.0.1:' . port($port), |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
196 SSL => 1, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
197 SSL_hostname => $host, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
198 SSL_session_cache_size => 100, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
199 SSL_session_key => 1, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
200 SSL_reuse_ctx => $ctx |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
201 ); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
202 } |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
204 sub test_tls13 { |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
205 return get('default', 8080) =~ /TLSv1.3/; |
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 } |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 |
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 ############################################################################### |