comparison ssl_stapling.t @ 1389:73a9504ae6fd

Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs. See 0090e2476ef0 for details.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 19 Oct 2018 18:49:45 +0300
parents b82ed2061f65
children d3d2aabe16dd
1388:0090e2476ef0 1389:73a9504ae6fd
22 ############################################################################### 22 ###############################################################################
23 23
24 select STDERR; $| = 1; 24 select STDERR; $| = 1;
25 select STDOUT; $| = 1; 25 select STDOUT; $| = 1;
26 26
27 eval { require IO::Socket::SSL; }; 27 eval {
28 plan(skip_all => 'IO::Socket::SSL not installed') if $@; 28 require Net::SSLeay;
29 eval { IO::Socket::SSL->can_ocsp() or die; }; 29 Net::SSLeay::load_error_strings();
30 plan(skip_all => 'IO::Socket::SSL with OCSP support required') if $@; 30 Net::SSLeay::SSLeay_add_ssl_algorithms();
31 Net::SSLeay::randomize();
32 Net::SSLeay::SSLeay();
33 defined &Net::SSLeay::set_tlsext_status_type or die;
34 };
35 plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
31 36
32 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl') 37 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl')
33 ->plan(9)->write_file_expand('nginx.conf', <<'EOF'); 38 ->plan(9)->write_file_expand('nginx.conf', <<'EOF');
34 39
35 %%TEST_GLOBALS%% 40 %%TEST_GLOBALS%%
234 239
235 $t->waitforsocket("127.0.0.1:" . port(8081)); 240 $t->waitforsocket("127.0.0.1:" . port(8081));
236 241
237 ############################################################################### 242 ###############################################################################
238 243
244 my $version = get_version();
245
239 staple(8443, 'RSA'); 246 staple(8443, 'RSA');
240 staple(8443, 'ECDSA'); 247 staple(8443, 'ECDSA');
241 staple(8444, 'RSA'); 248 staple(8444, 'RSA');
242 staple(8444, 'ECDSA'); 249 staple(8444, 'ECDSA');
243 staple(8445, 'ECDSA'); 250 staple(8445, 'ECDSA');
269 276
270 my $staple_cb = sub { 277 my $staple_cb = sub {
271 my ($ssl, $resp) = @_; 278 my ($ssl, $resp) = @_;
272 push @resp, !!$resp; 279 push @resp, !!$resp;
273 return 1 unless $resp; 280 return 1 unless $resp;
274 my $obj = $ssl->_get_ssl_object; 281 my $cert = Net::SSLeay::get_peer_certificate($ssl);
275 my $cert = Net::SSLeay::get_peer_certificate($obj); 282 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) }
276 my $certid = eval { Net::SSLeay::OCSP_cert2ids($obj, $cert) }
277 or do { die "no OCSP_CERTID for certificate: $@"; }; 283 or do { die "no OCSP_CERTID for certificate: $@"; };
278 284
279 my @res = Net::SSLeay::OCSP_response_results($resp, $certid); 285 my @res = Net::SSLeay::OCSP_response_results($resp, $certid);
280 push @resp, $res[0][2]->{'statusType'}; 286 push @resp, $res[0][2]->{'statusType'};
281 }; 287 };
288
289 my $s;
282 290
283 eval { 291 eval {
284 local $SIG{ALRM} = sub { die "timeout\n" }; 292 local $SIG{ALRM} = sub { die "timeout\n" };
285 local $SIG{PIPE} = sub { die "sigpipe\n" }; 293 local $SIG{PIPE} = sub { die "sigpipe\n" };
286 alarm(2); 294 alarm(2);
287 IO::Socket::SSL->new( 295 $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
288 Proto => 'tcp',
289 PeerAddr => '127.0.0.1',
290 PeerPort => port($port),
291 SSL_cipher_list => $ciphers,
292 SSL_ca_file => $ca,
293 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
294 SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(),
295 SSL_ocsp_staple_callback => $staple_cb,
296 SSL_error_trap => sub { die $_[1] }
297 );
298 alarm(0); 296 alarm(0);
299 }; 297 };
300 alarm(0); 298 alarm(0);
301 299
302 if ($@) { 300 if ($@) {
303 log_in("died: $@"); 301 log_in("died: $@");
304 return undef; 302 return undef;
305 } 303 }
306 304
305 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
306
307 if (Net::SSLeay::SSLeay() < 0x1000200f) {
308 Net::SSLeay::CTX_set_cipher_list($ctx, $ciphers)
309 or die("Failed to set cipher list");
310 } else {
311 # SSL_CTRL_SET_SIGALGS_LIST
312 $ciphers = 'PSS' if $ciphers eq 'RSA' && $version > 0x0303;
313 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $ciphers . '+SHA256')
314 or die("Failed to set sigalgs");
315 }
316
317 Net::SSLeay::CTX_load_verify_locations($ctx, $ca || '', '');
318 Net::SSLeay::CTX_set_tlsext_status_cb($ctx, $staple_cb);
319 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
320 Net::SSLeay::set_tlsext_status_type($ssl,
321 Net::SSLeay::TLSEXT_STATUSTYPE_ocsp());
322 Net::SSLeay::set_fd($ssl, fileno($s));
323 Net::SSLeay::connect($ssl) or die("ssl connect");
324
307 return join ' ', @resp; 325 return join ' ', @resp;
326 }
327
328 sub get_version {
329 my $s;
330
331 eval {
332 local $SIG{ALRM} = sub { die "timeout\n" };
333 local $SIG{PIPE} = sub { die "sigpipe\n" };
334 alarm(2);
335 $s = IO::Socket::INET->new('127.0.0.1:' . port(8443));
336 alarm(0);
337 };
338 alarm(0);
339
340 if ($@) {
341 log_in("died: $@");
342 return undef;
343 }
344
345 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
346 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
347 Net::SSLeay::set_fd($ssl, fileno($s));
348 Net::SSLeay::connect($ssl) or die("ssl connect");
349
350 Net::SSLeay::version($ssl);
308 } 351 }
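Review bot: The `or die("ssl connect")` guard on the new `Net::SSLeay::connect($ssl)` call (new line 323 in staple, and again at new line 348 in get_version) only fires when the handshake returns 0; SSL_connect() reports fatal errors with a negative value, which is true in Perl, so a failed handshake falls through to `return join ' ', @resp` with whatever the status callback happened to record. Checking for the exact success value, `Net::SSLeay::connect($ssl) == 1 or die("ssl connect");`, closes that gap in both places. Separately, the handshake now runs after `alarm(0)` and outside the eval, so unlike the removed IO::Socket::SSL path a stalled peer is no longer bounded by the 2-second timeout, and a handshake failure dies out of the whole test instead of being logged and turned into the `return undef` that the TCP step still gets; moving the Net::SSLeay setup and connect inside the `alarm(2)` eval, with `IO::Socket::INET->new(...) or die "$!"` guarding the TCP step so an undefined `$s` never reaches `fileno`, would restore that behaviour. The enclosing sub staple starts before this hunk, and the hunk's trailing context continues past the end of this excerpt.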
309 352
310 ############################################################################### 353 ###############################################################################
311 354
312 sub http_daemon { 355 sub http_daemon {