comparison ssl_ocsp.t @ 1577:804a7409bc63

Tests: added ssl_ocsp test with failing request.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 19 Jun 2020 18:21:25 +0300
parents 0077b80ef745
children 2d371452658c
1576:8177323823d6 1577:804a7409bc63
86 86
87 ssl_ocsp_responder http://127.0.0.1:8082; 87 ssl_ocsp_responder http://127.0.0.1:8082;
88 } 88 }
89 89
90 server { 90 server {
91 listen 127.0.0.1:8443 ssl;
92 server_name resolver;
93
94 ssl_ocsp on;
95 }
96
97 server {
91 listen 127.0.0.1:8444 ssl; 98 listen 127.0.0.1:8444 ssl;
92 server_name localhost; 99 server_name localhost;
93 100
101 ssl_ocsp_responder http://127.0.0.1:8081;
94 ssl_ocsp on; 102 ssl_ocsp on;
95 } 103 }
96 104
97 server { 105 server {
98 listen 127.0.0.1:8445 ssl; 106 listen 127.0.0.1:8445 ssl;
147 commonName = supplied 155 commonName = supplied
148 156
149 [ myca_extensions ] 157 [ myca_extensions ]
150 basicConstraints = critical,CA:TRUE 158 basicConstraints = critical,CA:TRUE
151 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p 159 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
160 EOF
161
162 # variant for int.crt to trigger missing resolver
163
164 $t->write_file('ca2.conf', <<EOF);
165 [ ca ]
166 default_ca = myca
167
168 [ myca ]
169 new_certs_dir = $d
170 database = $d/certindex
171 default_md = sha256
172 policy = myca_policy
173 serial = $d/certserial
174 default_days = 1
175 x509_extensions = myca_extensions
176
177 [ myca_policy ]
178 commonName = supplied
179
180 [ myca_extensions ]
181 basicConstraints = critical,CA:TRUE
182 authorityInfoAccess = OCSP;URI:http://localhost:$p
152 EOF 183 EOF
153 184
154 foreach my $name ('root') { 185 foreach my $name ('root') {
155 system('openssl req -x509 -new ' 186 system('openssl req -x509 -new '
156 . "-config $d/openssl.conf -subj /CN=$name/ " 187 . "-config $d/openssl.conf -subj /CN=$name/ "
179 } 210 }
180 211
181 $t->write_file('certserial', '1000'); 212 $t->write_file('certserial', '1000');
182 $t->write_file('certindex', ''); 213 $t->write_file('certindex', '');
183 214
184 system("openssl ca -batch -config $d/ca.conf " 215 system("openssl ca -batch -config $d/ca2.conf "
185 . "-keyfile $d/root.key -cert $d/root.crt " 216 . "-keyfile $d/root.key -cert $d/root.crt "
186 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " 217 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
187 . ">>$d/openssl.out 2>&1") == 0 218 . ">>$d/openssl.out 2>&1") == 0
188 or die "Can't sign certificate for int: $!\n"; 219 or die "Can't sign certificate for int: $!\n";
189 220
254 or die "Can't create certificate for $name: $!\n"; 285 or die "Can't create certificate for $name: $!\n";
255 } 286 }
256 287
257 $t->run_daemon(\&http_daemon, $t, port(8081)); 288 $t->run_daemon(\&http_daemon, $t, port(8081));
258 $t->run_daemon(\&http_daemon, $t, port(8082)); 289 $t->run_daemon(\&http_daemon, $t, port(8082));
259 $t->try_run('no ssl_ocsp')->plan(13); 290 $t->try_run('no ssl_ocsp')->plan(14);
260 291
261 $t->waitforsocket("127.0.0.1:" . port(8081)); 292 $t->waitforsocket("127.0.0.1:" . port(8081));
262 $t->waitforsocket("127.0.0.1:" . port(8082)); 293 $t->waitforsocket("127.0.0.1:" . port(8082));
263 294
264 my $version = get_version(); 295 my $version = get_version();
265 296
266 ############################################################################### 297 ###############################################################################
267 298
268 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); 299 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
300
301 # demonstrate that ocsp int request is failed due to missing resolver
302
303 TODO: {
304 todo_skip 'leaves coredump', 1 unless $t->has_version('1.19.1')
305 or $ENV{TEST_NGINX_UNSAFE};
306
307 like(get('RSA', 'end', sni => 'resolver'),
308 qr/400 Bad.*FAILED:certificate status request failed/s,
309 'ocsp many failed request');
310
311 }
269 312
270 # demonstrate that ocsp int request is actually made by failing ocsp response 313 # demonstrate that ocsp int request is actually made by failing ocsp response
271 314
272 like(get('RSA', 'end', port => 8444), 315 like(get('RSA', 'end', port => 8444),
273 qr/400 Bad.*FAILED:certificate status request failed/s, 316 qr/400 Bad.*FAILED:certificate status request failed/s,