comparison uwsgi_ssl_verify.t @ 1688:31ea330ac360

Tests: more uwsgi tests with SSL. This adds tests for client certificates (including encrypted ones) used towards an SSL backend, and for backend certificate verification.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 24 May 2021 18:28:17 +0300
parents
children 1b9f21836f57
1687:41b213d611f5 1688:31ea330ac360
1 #!/usr/bin/perl
2
3 # (C) Maxim Dounin
4 # (C) Sergey Kandaurov
5 # (C) Nginx, Inc.
6
7 # Tests for uwsgi backend with SSL, backend certificate verification.
8
9 ###############################################################################
10
11 use warnings;
12 use strict;
13
14 use Test::More;
15
16 BEGIN { use FindBin; chdir($FindBin::Bin); }
17
18 use lib 'lib';
19 use Test::Nginx;
20
21 ###############################################################################
22
23 select STDERR; $| = 1;
24 select STDOUT; $| = 1;
25
26 my $t = Test::Nginx->new()->has(qw/http http_ssl uwsgi/)
27 ->has_daemon('uwsgi')->has_daemon('openssl')->plan(6)
28 ->write_file_expand('nginx.conf', <<'EOF');
29
30 %%TEST_GLOBALS%%
31
32 daemon off;
33
34 events {
35 }
36
37 http {
38 %%TEST_GLOBALS_HTTP%%
39
40 server {
41 listen 127.0.0.1:8080;
42 server_name localhost;
43
44 location /verify {
45 uwsgi_pass suwsgi://127.0.0.1:8081;
46 uwsgi_ssl_name example.com;
47 uwsgi_ssl_verify on;
48 uwsgi_ssl_trusted_certificate 1.example.com.crt;
49 }
50
51 location /wildcard {
52 uwsgi_pass suwsgi://127.0.0.1:8081;
53 uwsgi_ssl_name foo.example.com;
54 uwsgi_ssl_verify on;
55 uwsgi_ssl_trusted_certificate 1.example.com.crt;
56 }
57
58 location /fail {
59 uwsgi_pass suwsgi://127.0.0.1:8081;
60 uwsgi_ssl_name no.match.example.com;
61 uwsgi_ssl_verify on;
62 uwsgi_ssl_trusted_certificate 1.example.com.crt;
63 }
64
65 location /cn {
66 uwsgi_pass suwsgi://127.0.0.1:8082;
67 uwsgi_ssl_name 2.example.com;
68 uwsgi_ssl_verify on;
69 uwsgi_ssl_trusted_certificate 2.example.com.crt;
70 }
71
72 location /cn/fail {
73 uwsgi_pass suwsgi://127.0.0.1:8082;
74 uwsgi_ssl_name bad.example.com;
75 uwsgi_ssl_verify on;
76 uwsgi_ssl_trusted_certificate 2.example.com.crt;
77 }
78
79 location /untrusted {
80 uwsgi_pass suwsgi://127.0.0.1:8082;
81 uwsgi_ssl_verify on;
82 uwsgi_ssl_trusted_certificate 1.example.com.crt;
83 uwsgi_ssl_session_reuse off;
84 }
85 }
86 }
87
88 EOF
89
90 $t->write_file('openssl.1.example.com.conf', <<EOF);
91 [ req ]
92 prompt = no
93 default_bits = 2048
94 encrypt_key = no
95 distinguished_name = req_distinguished_name
96 x509_extensions = v3_req
97
98 [ req_distinguished_name ]
99 commonName=no.match.example.com
100
101 [ v3_req ]
102 subjectAltName = DNS:example.com,DNS:*.example.com
103 EOF
104
105 $t->write_file('openssl.2.example.com.conf', <<EOF);
106 [ req ]
107 prompt = no
108 default_bits = 2048
109 encrypt_key = no
110 distinguished_name = req_distinguished_name
111
112 [ req_distinguished_name ]
113 commonName=2.example.com
114 EOF
115
116 my $d = $t->testdir();
117 my $crt1 = "$d/1.example.com.crt";
118 my $crt2 = "$d/2.example.com.crt";
119 my $key1 = "$d/1.example.com.key";
120 my $key2 = "$d/2.example.com.key";
121
122 foreach my $name ('1.example.com', '2.example.com') {
123 system('openssl req -x509 -new '
124 . "-config $d/openssl.$name.conf "
125 . "-out $d/$name.crt -keyout $d/$name.key "
126 . ">>$d/openssl.out 2>&1") == 0
127 or die "Can't create certificate for $name: $!\n";
128 }
129
130 $t->write_file('uwsgi_test_app.py', <<END);
131
132 def application(env, start_response):
133 start_response('200 OK', [('Content-Type','text/plain')])
134 return b"SEE-THIS"
135
136 END
137
138 my $uwsgihelp = `uwsgi -h`;
139 my @uwsgiopts = ();
140
141 if ($uwsgihelp !~ /--wsgi-file/) {
142 # uwsgi has no python support, maybe plugin load is necessary
143 push @uwsgiopts, '--plugin', 'python';
144 push @uwsgiopts, '--plugin', 'python3';
145 }
146
147 open OLDERR, ">&", \*STDERR; close STDERR;
148 $t->run_daemon('uwsgi', @uwsgiopts,
149 '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt1,$key1",
150 '--wsgi-file', $d . '/uwsgi_test_app.py',
151 '--logto', $d . '/uwsgi_log');
152 $t->run_daemon('uwsgi', @uwsgiopts,
153 '--ssl-socket', '127.0.0.1:' . port(8082) . ",$crt2,$key2",
154 '--wsgi-file', $d . '/uwsgi_test_app.py',
155 '--logto', $d . '/uwsgi_log');
156 open STDERR, ">&", \*OLDERR;
157
158 $t->run();
159
160 $t->waitforsocket('127.0.0.1:' . port(8081))
161 or die "Can't start uwsgi";
162 $t->waitforsocket('127.0.0.1:' . port(8082))
163 or die "Can't start uwsgi";
164
165 ###############################################################################
166
167 # subjectAltName
168
169 like(http_get('/verify'), qr/200 OK/ms, 'verify');
170 like(http_get('/wildcard'), qr/200 OK/ms, 'verify wildcard');
171 like(http_get('/fail'), qr/502 Bad/ms, 'verify fail');
172
173 # commonName
174
175 like(http_get('/cn'), qr/200 OK/ms, 'verify cn');
176 like(http_get('/cn/fail'), qr/502 Bad/ms, 'verify cn fail');
177
178 # untrusted
179
180 like(http_get('/untrusted'), qr/502 Bad/ms, 'untrusted');
181
182 ###############################################################################