comparison ssl_certificates.t @ 1388:0090e2476ef0
Tests: support TLS 1.3 in ssl_certificates.t by preferring sigalgs.
A certificate key type cannot be selected in TLS 1.3 by limiting cipher suites.
Therefore, tests are modified to prefer "signature_algorithms" based selection,
while retaining limiting cipher suites as a fallback for older OpenSSL versions.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 17 Oct 2018 23:34:17 +0300 |
parents | 2ec9ce1bc820 |
children | d3d2aabe16dd |
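--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -20,14 +20,18 @@
 ###############################################################################
 
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-eval { require IO::Socket::SSL; };
-plan(skip_all => 'IO::Socket::SSL not installed') if $@;
-eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
-plan(skip_all => 'IO::Socket::SSL too old') if $@;
+eval {
+require Net::SSLeay;
+Net::SSLeay::load_error_strings();
+Net::SSLeay::SSLeay_add_ssl_algorithms();
+Net::SSLeay::randomize();
+Net::SSLeay::SSLeay();
+};
+plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -92,38 +96,57 @@
 like(get_cert('RSA'), qr/CN=rsa/, 'ssl cert RSA');
 like(get_cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');
 
 ###############################################################################
 
+sub get_version {
+my ($s, $ssl) = get_ssl_socket();
+return Net::SSLeay::version($ssl);
+}
+
 sub get_cert {
-my ($ciphers) = @_;
+my ($type) = @_;
+$type = 'PSS' if $type eq 'RSA' && get_version() > 0x0303;
+my ($s, $ssl) = get_ssl_socket($type);
+my $cipher = Net::SSLeay::get_cipher($ssl);
+Test::Nginx::log_core('||', "cipher: $cipher");
+return Net::SSLeay::dump_peer_certificate($ssl);
+}
+
+sub get_ssl_socket {
+my ($type) = @_;
 my $s;
 
 eval {
 local $SIG{ALRM} = sub { die "timeout\n" };
 local $SIG{PIPE} = sub { die "sigpipe\n" };
 alarm(2);
-$s = IO::Socket::SSL->new(
-Proto => 'tcp',
-PeerAddr => '127.0.0.1',
-PeerPort => port(8080),
-SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-SSL_cipher_list => $ciphers,
-SSL_error_trap => sub { die $_[1] }
-);
+$s = IO::Socket::INET->new('127.0.0.1:' . port(8080));
 alarm(0);
 };
 alarm(0);
 
 if ($@) {
 log_in("died: $@");
 return undef;
 }
 
-my $cipher = $s->get_cipher();
+my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
 
-Test::Nginx::log_core('||', "cipher: $cipher");
+if (defined $type) {
+if (Net::SSLeay::SSLeay() < 0x1000200f) {
+Net::SSLeay::CTX_set_cipher_list($ctx, $type)
+or die("Failed to set cipher list");
+} else {
+# SSL_CTRL_SET_SIGALGS_LIST
+Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
+or die("Failed to set sigalgs");
+}
+}
 
-return $s->dump_peer_certificate;
+my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+Net::SSLeay::set_fd($ssl, fileno($s));
+Net::SSLeay::connect($ssl) or die("ssl connect");
+return ($s, $ssl);
 }
 
 ###############################################################################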
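Review bot: `Net::SSLeay::connect($ssl) or die("ssl connect");` at new line 148 of get_ssl_socket does not catch a failed handshake, because SSL_connect() reports fatal errors with a negative return value, which is true in Perl, so only the 0 result trips the die and a failed connection is handed back to get_cert()/get_version() as if it had succeeded. Check for the documented success value and include the OpenSSL reason, which is available since load_error_strings() is called at startup: `Net::SSLeay::connect($ssl) == 1 or die("ssl connect: " . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));`. Separately, the `$ctx` and `$ssl` handles created here are never freed, so every get_cert('RSA') call makes a throwaway handshake in get_version() whose connection stays open for the rest of the run; harmless in a short test, but a `Net::SSLeay::free($ssl); Net::SSLeay::CTX_free($ctx);` in the callers once they have read the certificate would keep the server-side connection count from growing.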