nginx-tests: ssl_certificates.t comparison

comparison ssl_certificates.t @ 1388:0090e2476ef0

Tests: support TLS 1.3 in ssl_certificates.t by preferring sigalgs. A certificate key type cannot be selected in TLS 1.3 by limiting cipher suites. Therefore, tests are modified to prefer "signature_algorithms" based selection, while retaining limiting cipher suites as a fallback for older OpenSSL versions.

author	Sergey Kandaurov <pluknet@nginx.com>
date	Wed, 17 Oct 2018 23:34:17 +0300
parents	2ec9ce1bc820
children	d3d2aabe16dd

comparison

equal deleted inserted replaced

-:ad3cb6f451a5
+:0090e2476ef0
 ###############################################################################
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
-eval { require IO::Socket::SSL; };
+eval {
-plan(skip_all => 'IO::Socket::SSL not installed') if $@;
+	require Net::SSLeay;
-eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
+	Net::SSLeay::load_error_strings();
-plan(skip_all => 'IO::Socket::SSL too old') if $@;
+	Net::SSLeay::SSLeay_add_ssl_algorithms();
+	Net::SSLeay::randomize();
+	Net::SSLeay::SSLeay();
+};
+plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');
 $t->write_file_expand('nginx.conf', <<'EOF');
 like(get_cert('RSA'), qr/CN=rsa/, 'ssl cert RSA');
 like(get_cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA');
 ###############################################################################
+sub get_version {
+	my ($s, $ssl) = get_ssl_socket();
+	return Net::SSLeay::version($ssl);
+}
 sub get_cert {
-	my ($ciphers) = @_;
+	my ($type) = @_;
+	$type = 'PSS' if $type eq 'RSA' && get_version() > 0x0303;
+	my ($s, $ssl) = get_ssl_socket($type);
+	my $cipher = Net::SSLeay::get_cipher($ssl);
+	Test::Nginx::log_core('||', "cipher: $cipher");
+	return Net::SSLeay::dump_peer_certificate($ssl);
+}
+sub get_ssl_socket {
+	my ($type) = @_;
 	my $s;
 	eval {
 		local $SIG{ALRM} = sub { die "timeout\n" };
 		local $SIG{PIPE} = sub { die "sigpipe\n" };
 		alarm(2);
-		$s = IO::Socket::SSL->new(
+		$s = IO::Socket::INET->new('127.0.0.1:' . port(8080));
-			Proto => 'tcp',
-			PeerAddr => '127.0.0.1',
-			PeerPort => port(8080),
-			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-			SSL_cipher_list => $ciphers,
-			SSL_error_trap => sub { die $_[1] }
-		);
 		alarm(0);
 	};
 	alarm(0);
 	if ($@) {
 		log_in("died: $@");
 		return undef;
 	}
-	my $cipher = $s->get_cipher();
+	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-	Test::Nginx::log_core('||', "cipher: $cipher");
+	if (defined $type) {
+		if (Net::SSLeay::SSLeay() < 0x1000200f) {
+			Net::SSLeay::CTX_set_cipher_list($ctx, $type)
+				or die("Failed to set cipher list");
+		} else {
+			# SSL_CTRL_SET_SIGALGS_LIST
+			Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
+				or die("Failed to set sigalgs");
+		}
+	}
-	return $s->dump_peer_certificate;
+	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+	Net::SSLeay::set_fd($ssl, fileno($s));
+	Net::SSLeay::connect($ssl) or die("ssl connect");
+	return ($s, $ssl);
 }
 ###############################################################################

Mercurial > hg > nginx-tests

comparison ssl_certificates.t @ 1388:0090e2476ef0