Mercurial > hg > nginx-tests
comparison mail_ssl_session_reuse.t @ 1861:7b7b64569f55
Tests: reworked mail SSL tests to use IO::Socket::SSL.
Relevant infrastructure is provided in Test::Nginx::IMAP (and also POP3
and SMTP for completeness). This also ensures that SSL handshake and
various read operations are guarded with timeouts.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 18 May 2023 18:07:08 +0300 |
| parents | ce4a06d72256 |
| children | f7f1f349dd26 |
comparison
equal
deleted
inserted
replaced
| 1860:58951cf933e1 | 1861:7b7b64569f55 |
|---|---|
| 15 | 15 |
| 16 BEGIN { use FindBin; chdir($FindBin::Bin); } | 16 BEGIN { use FindBin; chdir($FindBin::Bin); } |
| 17 | 17 |
| 18 use lib 'lib'; | 18 use lib 'lib'; |
| 19 use Test::Nginx; | 19 use Test::Nginx; |
| 20 use Test::Nginx::IMAP; | |
| 20 | 21 |
| 21 ############################################################################### | 22 ############################################################################### |
| 22 | 23 |
| 23 select STDERR; $| = 1; | 24 select STDERR; $| = 1; |
| 24 select STDOUT; $| = 1; | 25 select STDOUT; $| = 1; |
| 25 | 26 |
| 26 local $SIG{PIPE} = 'IGNORE'; | 27 local $SIG{PIPE} = 'IGNORE'; |
| 27 | 28 |
| 28 eval { | 29 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap socket_ssl_sslversion/) |
| 29 require Net::SSLeay; | |
| 30 Net::SSLeay::load_error_strings(); | |
| 31 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
| 32 Net::SSLeay::randomize(); | |
| 33 }; | |
| 34 plan(skip_all => 'Net::SSLeay not installed') if $@; | |
| 35 | |
| 36 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/) | |
| 37 ->has_daemon('openssl')->plan(7); | 30 ->has_daemon('openssl')->plan(7); |
| 38 | 31 |
| 39 $t->write_file_expand('nginx.conf', <<'EOF'); | 32 $t->write_file_expand('nginx.conf', <<'EOF'); |
| 40 | 33 |
| 41 %%TEST_GLOBALS%% | 34 %%TEST_GLOBALS%% |
| 123 . "-out $d/$name.crt -keyout $d/$name.key " | 116 . "-out $d/$name.crt -keyout $d/$name.key " |
| 124 . ">>$d/openssl.out 2>&1") == 0 | 117 . ">>$d/openssl.out 2>&1") == 0 |
| 125 or die "Can't create certificate for $name: $!\n"; | 118 or die "Can't create certificate for $name: $!\n"; |
| 126 } | 119 } |
| 127 | 120 |
| 128 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 129 | |
| 130 $t->run(); | 121 $t->run(); |
| 131 | 122 |
| 132 ############################################################################### | 123 ############################################################################### |
| 133 | 124 |
| 134 # session reuse: | 125 # session reuse: |
| 140 # - only builtin cache with explicitly configured size | 131 # - only builtin cache with explicitly configured size |
| 141 # - only cache none | 132 # - only cache none |
| 142 # - only cache off | 133 # - only cache off |
| 143 | 134 |
| 144 TODO: { | 135 TODO: { |
| 136 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' | |
| 137 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); | |
| 138 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' | |
| 139 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); | |
| 145 local $TODO = 'no TLSv1.3 sessions in LibreSSL' | 140 local $TODO = 'no TLSv1.3 sessions in LibreSSL' |
| 146 if $t->has_module('LibreSSL') && test_tls13(); | 141 if $t->has_module('LibreSSL') && test_tls13(); |
| 147 | 142 |
| 148 is(test_reuse(8993), 1, 'tickets reused'); | 143 is(test_reuse(8993), 1, 'tickets reused'); |
| 149 is(test_reuse(8994), 1, 'tickets and cache reused'); | 144 is(test_reuse(8994), 1, 'tickets and cache reused'); |
| 163 is(test_reuse(8999), 0, 'cache off not reused'); | 158 is(test_reuse(8999), 0, 'cache off not reused'); |
| 164 | 159 |
| 165 ############################################################################### | 160 ############################################################################### |
| 166 | 161 |
| 167 sub test_tls13 { | 162 sub test_tls13 { |
| 168 my ($s, $ssl) = get_ssl_socket(8993); | 163 my $s = Test::Nginx::IMAP->new(SSL => 1); |
| 169 return (Net::SSLeay::version($ssl) > 0x303); | 164 return ($s->socket()->get_sslversion_int() > 0x303); |
| 170 } | 165 } |
| 171 | 166 |
| 172 sub test_reuse { | 167 sub test_reuse { |
| 173 my ($port) = @_; | 168 my ($port) = @_; |
| 174 my ($s, $ssl) = get_ssl_socket($port); | |
| 175 Net::SSLeay::read($ssl); | |
| 176 my $ses = Net::SSLeay::get_session($ssl); | |
| 177 ($s, $ssl) = get_ssl_socket($port, $ses); | |
| 178 return Net::SSLeay::session_reused($ssl); | |
| 179 } | |
| 180 | 169 |
| 181 sub get_ssl_socket { | 170 my $s = Test::Nginx::IMAP->new( |
| 182 my ($port, $ses) = @_; | 171 PeerAddr => '127.0.0.1:' . port($port), |
| 172 SSL => 1, | |
| 173 SSL_session_cache_size => 100 | |
| 174 ); | |
| 175 $s->read(); | |
| 183 | 176 |
| 184 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | 177 $s = Test::Nginx::IMAP->new( |
| 185 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 178 PeerAddr => '127.0.0.1:' . port($port), |
| 186 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | 179 SSL => 1, |
| 187 Net::SSLeay::set_fd($ssl, fileno($s)); | 180 SSL_reuse_ctx => $s->socket() |
| 188 Net::SSLeay::connect($ssl) == 1 or return; | 181 ); |
| 189 return ($s, $ssl); | 182 |
| 183 return $s->socket()->get_session_reused(); | |
| 190 } | 184 } |
| 191 | 185 |
| 192 ############################################################################### | 186 ############################################################################### |