comparison ssl_ocsp.t @ 1577:804a7409bc63
Tests: added ssl_ocsp test with failing request.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 19 Jun 2020 18:21:25 +0300 |
parents | 0077b80ef745 |
children | 2d371452658c |
1576:8177323823d6 | 1577:804a7409bc63 |
---|---|
86 | 86 |
87 ssl_ocsp_responder http://127.0.0.1:8082; | 87 ssl_ocsp_responder http://127.0.0.1:8082; |
88 } | 88 } |
89 | 89 |
90 server { | 90 server { |
91 listen 127.0.0.1:8443 ssl; | |
92 server_name resolver; | |
93 | |
94 ssl_ocsp on; | |
95 } | |
96 | |
97 server { | |
91 listen 127.0.0.1:8444 ssl; | 98 listen 127.0.0.1:8444 ssl; |
92 server_name localhost; | 99 server_name localhost; |
93 | 100 |
101 ssl_ocsp_responder http://127.0.0.1:8081; | |
94 ssl_ocsp on; | 102 ssl_ocsp on; |
95 } | 103 } |
96 | 104 |
97 server { | 105 server { |
98 listen 127.0.0.1:8445 ssl; | 106 listen 127.0.0.1:8445 ssl; |
147 commonName = supplied | 155 commonName = supplied |
148 | 156 |
149 [ myca_extensions ] | 157 [ myca_extensions ] |
150 basicConstraints = critical,CA:TRUE | 158 basicConstraints = critical,CA:TRUE |
151 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p | 159 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p |
160 EOF | |
161 | |
162 # variant for int.crt to trigger missing resolver | |
163 | |
164 $t->write_file('ca2.conf', <<EOF); | |
165 [ ca ] | |
166 default_ca = myca | |
167 | |
168 [ myca ] | |
169 new_certs_dir = $d | |
170 database = $d/certindex | |
171 default_md = sha256 | |
172 policy = myca_policy | |
173 serial = $d/certserial | |
174 default_days = 1 | |
175 x509_extensions = myca_extensions | |
176 | |
177 [ myca_policy ] | |
178 commonName = supplied | |
179 | |
180 [ myca_extensions ] | |
181 basicConstraints = critical,CA:TRUE | |
182 authorityInfoAccess = OCSP;URI:http://localhost:$p | |
152 EOF | 183 EOF |
153 | 184 |
154 foreach my $name ('root') { | 185 foreach my $name ('root') { |
155 system('openssl req -x509 -new ' | 186 system('openssl req -x509 -new ' |
156 . "-config $d/openssl.conf -subj /CN=$name/ " | 187 . "-config $d/openssl.conf -subj /CN=$name/ " |
179 } | 210 } |
180 | 211 |
181 $t->write_file('certserial', '1000'); | 212 $t->write_file('certserial', '1000'); |
182 $t->write_file('certindex', ''); | 213 $t->write_file('certindex', ''); |
183 | 214 |
184 system("openssl ca -batch -config $d/ca.conf " | 215 system("openssl ca -batch -config $d/ca2.conf " |
185 . "-keyfile $d/root.key -cert $d/root.crt " | 216 . "-keyfile $d/root.key -cert $d/root.crt " |
186 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " | 217 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
187 . ">>$d/openssl.out 2>&1") == 0 | 218 . ">>$d/openssl.out 2>&1") == 0 |
188 or die "Can't sign certificate for int: $!\n"; | 219 or die "Can't sign certificate for int: $!\n"; |
189 | 220 |
254 or die "Can't create certificate for $name: $!\n"; | 285 or die "Can't create certificate for $name: $!\n"; |
255 } | 286 } |
256 | 287 |
257 $t->run_daemon(\&http_daemon, $t, port(8081)); | 288 $t->run_daemon(\&http_daemon, $t, port(8081)); |
258 $t->run_daemon(\&http_daemon, $t, port(8082)); | 289 $t->run_daemon(\&http_daemon, $t, port(8082)); |
259 $t->try_run('no ssl_ocsp')->plan(13); | 290 $t->try_run('no ssl_ocsp')->plan(14); |
260 | 291 |
261 $t->waitforsocket("127.0.0.1:" . port(8081)); | 292 $t->waitforsocket("127.0.0.1:" . port(8081)); |
262 $t->waitforsocket("127.0.0.1:" . port(8082)); | 293 $t->waitforsocket("127.0.0.1:" . port(8082)); |
263 | 294 |
264 my $version = get_version(); | 295 my $version = get_version(); |
265 | 296 |
266 ############################################################################### | 297 ############################################################################### |
267 | 298 |
268 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); | 299 like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); |
300 | |
301 # demonstrate that ocsp int request is failed due to missing resolver | |
302 | |
303 TODO: { | |
304 todo_skip 'leaves coredump', 1 unless $t->has_version('1.19.1') | |
305 or $ENV{TEST_NGINX_UNSAFE}; | |
306 | |
307 like(get('RSA', 'end', sni => 'resolver'), | |
308 qr/400 Bad.*FAILED:certificate status request failed/s, | |
309 'ocsp many failed request'); | |
310 | |
311 } | |
269 | 312 |
270 # demonstrate that ocsp int request is actually made by failing ocsp response | 313 # demonstrate that ocsp int request is actually made by failing ocsp response |
271 | 314 |
272 like(get('RSA', 'end', port => 8444), | 315 like(get('RSA', 'end', port => 8444), |
273 qr/400 Bad.*FAILED:certificate status request failed/s, | 316 qr/400 Bad.*FAILED:certificate status request failed/s, |