comparison mail_imap_ssl.t @ 1862:7681a970f6bd

Tests: simplified mail_imap_ssl.t. The test now uses improved IO::Socket::SSL infrastructure in Test::Nginx::IMAP. While here, fixed incorrect port being used for the "trusted cert" test.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 18 May 2023 18:07:10 +0300
parents cdcd75657e52
children 2a0a6035a1af
1861:7b7b64569f55 1862:7681a970f6bd
48 48
49 ssl_certificate_key 1.example.com.key; 49 ssl_certificate_key 1.example.com.key;
50 ssl_certificate 1.example.com.crt; 50 ssl_certificate 1.example.com.crt;
51 51
52 server { 52 server {
53 listen 127.0.0.1:8142; 53 listen 127.0.0.1:8143;
54 protocol imap; 54 protocol imap;
55 } 55 }
56 56
57 server { 57 server {
58 listen 127.0.0.1:8143 ssl; 58 listen 127.0.0.1:8993 ssl;
59 protocol imap; 59 protocol imap;
60 60
61 ssl_verify_client on; 61 ssl_verify_client on;
62 ssl_client_certificate 2.example.com.crt; 62 ssl_client_certificate 2.example.com.crt;
63 } 63 }
64 64
65 server { 65 server {
66 listen 127.0.0.1:8145 ssl; 66 listen 127.0.0.1:8994 ssl;
67 protocol imap; 67 protocol imap;
68 68
69 ssl_verify_client optional; 69 ssl_verify_client optional;
70 ssl_client_certificate 2.example.com.crt; 70 ssl_client_certificate 2.example.com.crt;
71 } 71 }
72 72
73 server { 73 server {
74 listen 127.0.0.1:8146 ssl; 74 listen 127.0.0.1:8995 ssl;
75 protocol imap; 75 protocol imap;
76 76
77 ssl_verify_client optional; 77 ssl_verify_client optional;
78 ssl_client_certificate 2.example.com.crt; 78 ssl_client_certificate 2.example.com.crt;
79 ssl_trusted_certificate 3.example.com.crt; 79 ssl_trusted_certificate 3.example.com.crt;
80 } 80 }
81 81
82 server { 82 server {
83 listen 127.0.0.1:8147 ssl; 83 listen 127.0.0.1:8996 ssl;
84 protocol imap; 84 protocol imap;
85 85
86 ssl_verify_client optional_no_ca; 86 ssl_verify_client optional_no_ca;
87 ssl_client_certificate 2.example.com.crt; 87 ssl_client_certificate 2.example.com.crt;
88 } 88 }
138 $t->run()->waitforsocket('127.0.0.1:' . port(8144)); 138 $t->run()->waitforsocket('127.0.0.1:' . port(8144));
139 139
140 ############################################################################### 140 ###############################################################################
141 141
142 my $cred = sub { encode_base64("\0test\@example.com\0$_[0]", '') }; 142 my $cred = sub { encode_base64("\0test\@example.com\0$_[0]", '') };
143 my %ssl = (
144 SSL => 1,
145 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
146 SSL_error_trap => sub { die $_[1] },
147 );
148 143
149 # no ssl connection 144 # no ssl connection
150 145
151 my $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8142)); 146 my $s = Test::Nginx::IMAP->new();
152 $s->ok('plain connection'); 147 $s->ok('plain connection');
153 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s1")); 148 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s1"));
154 149
155 # no cert 150 # no cert
156 151
157 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8143), %ssl); 152 $s = Test::Nginx::IMAP->new(SSL => 1);
158 $s->check(qr/BYE No required SSL certificate/, 'no cert'); 153 $s->check(qr/BYE No required SSL certificate/, 'no cert');
159 154
160 # no cert with ssl_verify_client optional 155 # no cert with ssl_verify_client optional
161 156
162 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8145), %ssl); 157 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8994), SSL => 1);
163 $s->ok('no optional cert'); 158 $s->ok('no optional cert');
164 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s2")); 159 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s2"));
165 160
166 # wrong cert with ssl_verify_client optional 161 # wrong cert with ssl_verify_client optional
167 162
168 $s = Test::Nginx::IMAP->new( 163 $s = Test::Nginx::IMAP->new(
169 PeerAddr => '127.0.0.1:' . port(8145), 164 PeerAddr => '127.0.0.1:' . port(8995),
165 SSL => 1,
170 SSL_cert_file => "$d/1.example.com.crt", 166 SSL_cert_file => "$d/1.example.com.crt",
171 SSL_key_file => "$d/1.example.com.key", 167 SSL_key_file => "$d/1.example.com.key"
172 %ssl,
173 ); 168 );
174 $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); 169 $s->check(qr/BYE SSL certificate error/, 'bad optional cert');
175 170
176 # wrong cert with ssl_verify_client optional_no_ca 171 # wrong cert with ssl_verify_client optional_no_ca
177 172
178 $s = Test::Nginx::IMAP->new( 173 $s = Test::Nginx::IMAP->new(
179 PeerAddr => '127.0.0.1:' . port(8147), 174 PeerAddr => '127.0.0.1:' . port(8996),
175 SSL => 1,
180 SSL_cert_file => "$d/1.example.com.crt", 176 SSL_cert_file => "$d/1.example.com.crt",
181 SSL_key_file => "$d/1.example.com.key", 177 SSL_key_file => "$d/1.example.com.key"
182 %ssl,
183 ); 178 );
184 $s->ok('bad optional_no_ca cert'); 179 $s->ok('bad optional_no_ca cert');
185 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s3")); 180 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s3"));
186 181
187 # matching cert with ssl_verify_client optional 182 # matching cert with ssl_verify_client optional
188 183
189 $s = Test::Nginx::IMAP->new( 184 $s = Test::Nginx::IMAP->new(
190 PeerAddr => '127.0.0.1:' . port(8145), 185 PeerAddr => '127.0.0.1:' . port(8995),
186 SSL => 1,
191 SSL_cert_file => "$d/2.example.com.crt", 187 SSL_cert_file => "$d/2.example.com.crt",
192 SSL_key_file => "$d/2.example.com.key", 188 SSL_key_file => "$d/2.example.com.key"
193 %ssl,
194 ); 189 );
195 $s->ok('good cert'); 190 $s->ok('good cert');
196 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s4")); 191 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s4"));
197 192
198 # trusted cert with ssl_verify_client optional 193 # trusted cert with ssl_verify_client optional
199 194
200 $s = Test::Nginx::IMAP->new( 195 $s = Test::Nginx::IMAP->new(
201 PeerAddr => '127.0.0.1:' . port(8146), 196 PeerAddr => '127.0.0.1:' . port(8995),
197 SSL => 1,
202 SSL_cert_file => "$d/3.example.com.crt", 198 SSL_cert_file => "$d/3.example.com.crt",
203 SSL_key_file => "$d/3.example.com.key", 199 SSL_key_file => "$d/3.example.com.key"
204 %ssl,
205 ); 200 );
206 $s->ok('trusted cert'); 201 $s->ok('trusted cert');
207 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5")); 202 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5"));
208 $s->read(); 203 $s->read();
209 204
210 # Auth-SSL-Protocol and Auth-SSL-Cipher headers 205 # Auth-SSL-Protocol and Auth-SSL-Cipher headers
211 206
212 my ($cipher, $sslversion); 207 my ($cipher, $sslversion);
213 208
214 $s = get_ssl_socket(8143); 209 $s = Test::Nginx::IMAP->new(SSL => 1);
215 $cipher = $s->get_cipher(); 210 $cipher = $s->socket()->get_cipher();
216 $sslversion = $s->get_sslversion(); 211 $sslversion = $s->socket()->get_sslversion();
217 $sslversion =~ s/_/./; 212 $sslversion =~ s/_/./;
218 213
219 undef $s; 214 undef $s;
220 215
221 # test auth_http request header fields with access_log 216 # test auth_http request header fields with access_log
240 like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion'); 235 like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion');
241 236
242 } 237 }
243 238
244 ############################################################################### 239 ###############################################################################
245
246 sub get_ssl_socket {
247 my ($port) = @_;
248 my $s;
249
250 eval {
251 local $SIG{ALRM} = sub { die "timeout\n" };
252 local $SIG{PIPE} = sub { die "sigpipe\n" };
253 alarm(8);
254 $s = IO::Socket::SSL->new(
255 Proto => 'tcp',
256 PeerAddr => '127.0.0.1:' . port($port),
257 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
258 SSL_error_trap => sub { die $_[1] }
259 );
260 alarm(0);
261 };
262 alarm(0);
263
264 if ($@) {
265 log_in("died: $@");
266 return undef;
267 }
268
269 return $s;
270 }
271
272 ###############################################################################
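Review bot: The "wrong cert" and "matching cert" cases (new lines 164 and 185) now connect to `port(8995)`, the server that also sets `ssl_trusted_certificate 3.example.com.crt`; before, they used `port(8145)`, which this change renumbers to 8994. As visible here, the 8994 server (`ssl_verify_client optional` with only `ssl_client_certificate`) is now reached only by the no-cert case, so rejection of an unrelated client certificate and acceptance of the matching one are no longer checked against that configuration. The description mentions a port fix only for the "trusted cert" test, whose target (8146, now 8995) is the same server block as before, so the move may be unintended. If so, those two calls should use `PeerAddr => '127.0.0.1:' . port(8994),`. If it is deliberate, a short comment on the 8995 server block saying it serves all three certificate cases would make that clear.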