comparison mail_imap_ssl.t @ 1862:7681a970f6bd
Tests: simplified mail_imap_ssl.t.
The test now uses improved IO::Socket::SSL infrastructure in Test::Nginx::IMAP.
While here, fixed incorrect port being used for the "trusted cert" test.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 18 May 2023 18:07:10 +0300 |
parents | cdcd75657e52 |
children | 2a0a6035a1af |
1861:7b7b64569f55 | 1862:7681a970f6bd |
---|---|
48 | 48 |
49 ssl_certificate_key 1.example.com.key; | 49 ssl_certificate_key 1.example.com.key; |
50 ssl_certificate 1.example.com.crt; | 50 ssl_certificate 1.example.com.crt; |
51 | 51 |
52 server { | 52 server { |
53 listen 127.0.0.1:8142; | 53 listen 127.0.0.1:8143; |
54 protocol imap; | 54 protocol imap; |
55 } | 55 } |
56 | 56 |
57 server { | 57 server { |
58 listen 127.0.0.1:8143 ssl; | 58 listen 127.0.0.1:8993 ssl; |
59 protocol imap; | 59 protocol imap; |
60 | 60 |
61 ssl_verify_client on; | 61 ssl_verify_client on; |
62 ssl_client_certificate 2.example.com.crt; | 62 ssl_client_certificate 2.example.com.crt; |
63 } | 63 } |
64 | 64 |
65 server { | 65 server { |
66 listen 127.0.0.1:8145 ssl; | 66 listen 127.0.0.1:8994 ssl; |
67 protocol imap; | 67 protocol imap; |
68 | 68 |
69 ssl_verify_client optional; | 69 ssl_verify_client optional; |
70 ssl_client_certificate 2.example.com.crt; | 70 ssl_client_certificate 2.example.com.crt; |
71 } | 71 } |
72 | 72 |
73 server { | 73 server { |
74 listen 127.0.0.1:8146 ssl; | 74 listen 127.0.0.1:8995 ssl; |
75 protocol imap; | 75 protocol imap; |
76 | 76 |
77 ssl_verify_client optional; | 77 ssl_verify_client optional; |
78 ssl_client_certificate 2.example.com.crt; | 78 ssl_client_certificate 2.example.com.crt; |
79 ssl_trusted_certificate 3.example.com.crt; | 79 ssl_trusted_certificate 3.example.com.crt; |
80 } | 80 } |
81 | 81 |
82 server { | 82 server { |
83 listen 127.0.0.1:8147 ssl; | 83 listen 127.0.0.1:8996 ssl; |
84 protocol imap; | 84 protocol imap; |
85 | 85 |
86 ssl_verify_client optional_no_ca; | 86 ssl_verify_client optional_no_ca; |
87 ssl_client_certificate 2.example.com.crt; | 87 ssl_client_certificate 2.example.com.crt; |
88 } | 88 } |
138 $t->run()->waitforsocket('127.0.0.1:' . port(8144)); | 138 $t->run()->waitforsocket('127.0.0.1:' . port(8144)); |
139 | 139 |
140 ############################################################################### | 140 ############################################################################### |
141 | 141 |
142 my $cred = sub { encode_base64("\0test\@example.com\0$_[0]", '') }; | 142 my $cred = sub { encode_base64("\0test\@example.com\0$_[0]", '') }; |
143 my %ssl = ( | |
144 SSL => 1, | |
145 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
146 SSL_error_trap => sub { die $_[1] }, | |
147 ); | |
148 | 143 |
149 # no ssl connection | 144 # no ssl connection |
150 | 145 |
151 my $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8142)); | 146 my $s = Test::Nginx::IMAP->new(); |
152 $s->ok('plain connection'); | 147 $s->ok('plain connection'); |
153 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s1")); | 148 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s1")); |
154 | 149 |
155 # no cert | 150 # no cert |
156 | 151 |
157 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8143), %ssl); | 152 $s = Test::Nginx::IMAP->new(SSL => 1); |
158 $s->check(qr/BYE No required SSL certificate/, 'no cert'); | 153 $s->check(qr/BYE No required SSL certificate/, 'no cert'); |
159 | 154 |
160 # no cert with ssl_verify_client optional | 155 # no cert with ssl_verify_client optional |
161 | 156 |
162 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8145), %ssl); | 157 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8994), SSL => 1); |
163 $s->ok('no optional cert'); | 158 $s->ok('no optional cert'); |
164 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s2")); | 159 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s2")); |
165 | 160 |
166 # wrong cert with ssl_verify_client optional | 161 # wrong cert with ssl_verify_client optional |
167 | 162 |
168 $s = Test::Nginx::IMAP->new( | 163 $s = Test::Nginx::IMAP->new( |
169 PeerAddr => '127.0.0.1:' . port(8145), | 164 PeerAddr => '127.0.0.1:' . port(8995), |
165 SSL => 1, | |
170 SSL_cert_file => "$d/1.example.com.crt", | 166 SSL_cert_file => "$d/1.example.com.crt", |
171 SSL_key_file => "$d/1.example.com.key", | 167 SSL_key_file => "$d/1.example.com.key" |
172 %ssl, | |
173 ); | 168 ); |
174 $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); | 169 $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); |
175 | 170 |
176 # wrong cert with ssl_verify_client optional_no_ca | 171 # wrong cert with ssl_verify_client optional_no_ca |
177 | 172 |
178 $s = Test::Nginx::IMAP->new( | 173 $s = Test::Nginx::IMAP->new( |
179 PeerAddr => '127.0.0.1:' . port(8147), | 174 PeerAddr => '127.0.0.1:' . port(8996), |
175 SSL => 1, | |
180 SSL_cert_file => "$d/1.example.com.crt", | 176 SSL_cert_file => "$d/1.example.com.crt", |
181 SSL_key_file => "$d/1.example.com.key", | 177 SSL_key_file => "$d/1.example.com.key" |
182 %ssl, | |
183 ); | 178 ); |
184 $s->ok('bad optional_no_ca cert'); | 179 $s->ok('bad optional_no_ca cert'); |
185 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s3")); | 180 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s3")); |
186 | 181 |
187 # matching cert with ssl_verify_client optional | 182 # matching cert with ssl_verify_client optional |
188 | 183 |
189 $s = Test::Nginx::IMAP->new( | 184 $s = Test::Nginx::IMAP->new( |
190 PeerAddr => '127.0.0.1:' . port(8145), | 185 PeerAddr => '127.0.0.1:' . port(8995), |
186 SSL => 1, | |
191 SSL_cert_file => "$d/2.example.com.crt", | 187 SSL_cert_file => "$d/2.example.com.crt", |
192 SSL_key_file => "$d/2.example.com.key", | 188 SSL_key_file => "$d/2.example.com.key" |
193 %ssl, | |
194 ); | 189 ); |
195 $s->ok('good cert'); | 190 $s->ok('good cert'); |
196 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s4")); | 191 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s4")); |
197 | 192 |
198 # trusted cert with ssl_verify_client optional | 193 # trusted cert with ssl_verify_client optional |
199 | 194 |
200 $s = Test::Nginx::IMAP->new( | 195 $s = Test::Nginx::IMAP->new( |
201 PeerAddr => '127.0.0.1:' . port(8146), | 196 PeerAddr => '127.0.0.1:' . port(8995), |
197 SSL => 1, | |
202 SSL_cert_file => "$d/3.example.com.crt", | 198 SSL_cert_file => "$d/3.example.com.crt", |
203 SSL_key_file => "$d/3.example.com.key", | 199 SSL_key_file => "$d/3.example.com.key" |
204 %ssl, | |
205 ); | 200 ); |
206 $s->ok('trusted cert'); | 201 $s->ok('trusted cert'); |
207 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5")); | 202 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5")); |
208 $s->read(); | 203 $s->read(); |
209 | 204 |
210 # Auth-SSL-Protocol and Auth-SSL-Cipher headers | 205 # Auth-SSL-Protocol and Auth-SSL-Cipher headers |
211 | 206 |
212 my ($cipher, $sslversion); | 207 my ($cipher, $sslversion); |
213 | 208 |
214 $s = get_ssl_socket(8143); | 209 $s = Test::Nginx::IMAP->new(SSL => 1); |
215 $cipher = $s->get_cipher(); | 210 $cipher = $s->socket()->get_cipher(); |
216 $sslversion = $s->get_sslversion(); | 211 $sslversion = $s->socket()->get_sslversion(); |
217 $sslversion =~ s/_/./; | 212 $sslversion =~ s/_/./; |
218 | 213 |
219 undef $s; | 214 undef $s; |
220 | 215 |
221 # test auth_http request header fields with access_log | 216 # test auth_http request header fields with access_log |
240 like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion'); | 235 like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion'); |
241 | 236 |
242 } | 237 } |
243 | 238 |
244 ############################################################################### | 239 ############################################################################### |
245 | |
246 sub get_ssl_socket { | |
247 my ($port) = @_; | |
248 my $s; | |
249 | |
250 eval { | |
251 local $SIG{ALRM} = sub { die "timeout\n" }; | |
252 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
253 alarm(8); | |
254 $s = IO::Socket::SSL->new( | |
255 Proto => 'tcp', | |
256 PeerAddr => '127.0.0.1:' . port($port), | |
257 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
258 SSL_error_trap => sub { die $_[1] } | |
259 ); | |
260 alarm(0); | |
261 }; | |
262 alarm(0); | |
263 | |
264 if ($@) { | |
265 log_in("died: $@"); | |
266 return undef; | |
267 } | |
268 | |
269 return $s; | |
270 } | |
271 | |
272 ############################################################################### |
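Review bot: The "wrong cert with ssl_verify_client optional" and "matching cert with ssl_verify_client optional" cases now connect to `port(8995)`, the listener that also sets `ssl_trusted_certificate 3.example.com.crt`, whereas on the old side they used `port(8145)`, whose renumbered counterpart is 8994. As a result the 8994 listener (optional verification with `ssl_client_certificate` only) is exercised solely by the no-certificate case, so accepting a matching certificate and rejecting a wrong one against the client CA alone is no longer covered. If sharing the 8995 listener is intended, a short comment above these cases would make that clear; otherwise these two cases would use `PeerAddr => '127.0.0.1:' . port(8994),` and only the "trusted cert" case would stay on 8995. The lines between 88 and 138 of the file are not shown on this page, so this rests on the visible listeners only.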