comparison ssl_stapling.t @ 1389:73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
See 0090e2476ef0 for details.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 19 Oct 2018 18:49:45 +0300 |
parents | b82ed2061f65 |
children | d3d2aabe16dd |
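--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -22,14 +22,19 @@
 ###############################################################################
 
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-eval { require IO::Socket::SSL; };
-plan(skip_all => 'IO::Socket::SSL not installed') if $@;
-eval { IO::Socket::SSL->can_ocsp() or die; };
-plan(skip_all => 'IO::Socket::SSL with OCSP support required') if $@;
+eval {
+require Net::SSLeay;
+Net::SSLeay::load_error_strings();
+Net::SSLeay::SSLeay_add_ssl_algorithms();
+Net::SSLeay::randomize();
+Net::SSLeay::SSLeay();
+defined &Net::SSLeay::set_tlsext_status_type or die;
+};
+plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl')
 ->plan(9)->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
@@ -234,10 +239,12 @@
 
 $t->waitforsocket("127.0.0.1:" . port(8081));
 
 ###############################################################################
 
+my $version = get_version();
+
 staple(8443, 'RSA');
 staple(8443, 'ECDSA');
 staple(8444, 'RSA');
 staple(8444, 'ECDSA');
 staple(8445, 'ECDSA');
@@ -269,44 +276,80 @@
 
 my $staple_cb = sub {
 my ($ssl, $resp) = @_;
 push @resp, !!$resp;
 return 1 unless $resp;
-my $obj = $ssl->_get_ssl_object;
-my $cert = Net::SSLeay::get_peer_certificate($obj);
-my $certid = eval { Net::SSLeay::OCSP_cert2ids($obj, $cert) }
+my $cert = Net::SSLeay::get_peer_certificate($ssl);
+my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) }
 or do { die "no OCSP_CERTID for certificate: $@"; };
 
 my @res = Net::SSLeay::OCSP_response_results($resp, $certid);
 push @resp, $res[0][2]->{'statusType'};
 };
+
+my $s;
 
 eval {
 local $SIG{ALRM} = sub { die "timeout\n" };
 local $SIG{PIPE} = sub { die "sigpipe\n" };
 alarm(2);
-IO::Socket::SSL->new(
-Proto => 'tcp',
-PeerAddr => '127.0.0.1',
-PeerPort => port($port),
-SSL_cipher_list => $ciphers,
-SSL_ca_file => $ca,
-SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(),
-SSL_ocsp_staple_callback => $staple_cb,
-SSL_error_trap => sub { die $_[1] }
-);
+$s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 alarm(0);
 };
 alarm(0);
 
 if ($@) {
 log_in("died: $@");
 return undef;
 }
 
+my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
+
+if (Net::SSLeay::SSLeay() < 0x1000200f) {
+Net::SSLeay::CTX_set_cipher_list($ctx, $ciphers)
+or die("Failed to set cipher list");
+} else {
+# SSL_CTRL_SET_SIGALGS_LIST
+$ciphers = 'PSS' if $ciphers eq 'RSA' && $version > 0x0303;
+Net::SSLeay::CTX_ctrl($ctx, 98, 0, $ciphers . '+SHA256')
+or die("Failed to set sigalgs");
+}
+
+Net::SSLeay::CTX_load_verify_locations($ctx, $ca || '', '');
+Net::SSLeay::CTX_set_tlsext_status_cb($ctx, $staple_cb);
+my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+Net::SSLeay::set_tlsext_status_type($ssl,
+Net::SSLeay::TLSEXT_STATUSTYPE_ocsp());
+Net::SSLeay::set_fd($ssl, fileno($s));
+Net::SSLeay::connect($ssl) or die("ssl connect");
+
 return join ' ', @resp;
+}
+
+sub get_version {
+my $s;
+
+eval {
+local $SIG{ALRM} = sub { die "timeout\n" };
+local $SIG{PIPE} = sub { die "sigpipe\n" };
+alarm(2);
+$s = IO::Socket::INET->new('127.0.0.1:' . port(8443));
+alarm(0);
+};
+alarm(0);
+
+if ($@) {
+log_in("died: $@");
+return undef;
+}
+
+my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
+my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+Net::SSLeay::set_fd($ssl, fileno($s));
+Net::SSLeay::connect($ssl) or die("ssl connect");
+
+Net::SSLeay::version($ssl);
 }
 
 ###############################################################################
 
 sub http_daemon {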
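Review bot: `Net::SSLeay::connect($ssl) or die("ssl connect")` on new lines 323 and 348 only dies on a 0 return, but SSL_connect() reports a fatal handshake error as -1, which is true in Perl, so a failed handshake falls through to the `OCSP_response_results` callback path or to `version()` with no diagnostic and presumably leaves `@resp` empty. Compare against the success value instead: `Net::SSLeay::connect($ssl) == 1 or die("ssl connect");`. The plain-TCP connect on new lines 295 and 335 has the same shape — `IO::Socket::INET->new` returns undef on failure without setting `$@`, so the `if ($@)` block does not catch it and `fileno($s)` is later called on undef; `$s = IO::Socket::INET->new('127.0.0.1:' . port($port)) or die "connect: $!";` inside the eval keeps the existing error path. The CA file loaded on line 317 is not paired with a verify mode or an `OCSP_response_verify()` call, so the callback reads the stapled status unverified, matching the old `SSL_VERIFY_NONE`; that looks deliberate for a test of nginx's stapling but deserves a one-line comment such as `# staple contents are inspected, not verified; nginx is the subject under test`. The start of `staple()` lies outside this hunk.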