Mercurial > hg > nginx-tests
comparison ssl_stapling.t @ 1842:af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
LibreSSL fails to negotiate certificates based on signature algorithms
when using TLSv1.3, and fails with "missing rsa certificate" and
"unknown pkey type" errors.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 23 Mar 2023 19:50:17 +0300 |
| parents | 2d371452658c |
| children | 0e1865aa9b33 |
comparison
equal
deleted
inserted
replaced
| 1841:db6fd9184fa0 | 1842:af47a0b348a5 |
|---|---|
| 36 | 36 |
| 37 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); | 37 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); |
| 38 | 38 |
| 39 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); | 39 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); |
| 40 | 40 |
| 41 $t->plan(9)->write_file_expand('nginx.conf', <<'EOF'); | 41 $t->plan(10)->write_file_expand('nginx.conf', <<'EOF'); |
| 42 | 42 |
| 43 %%TEST_GLOBALS%% | 43 %%TEST_GLOBALS%% |
| 44 | 44 |
| 45 daemon off; | 45 daemon off; |
| 46 | 46 |
| 257 staple(8449, 'ECDSA'); | 257 staple(8449, 'ECDSA'); |
| 258 | 258 |
| 259 sleep 1; | 259 sleep 1; |
| 260 | 260 |
| 261 ok(!staple(8443, 'RSA'), 'staple revoked'); | 261 ok(!staple(8443, 'RSA'), 'staple revoked'); |
| 262 | |
| 263 TODO: { | |
| 264 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' | |
| 265 if $t->has_module('LibreSSL') && $version > 0x303; | |
| 266 | |
| 262 ok(staple(8443, 'ECDSA'), 'staple success'); | 267 ok(staple(8443, 'ECDSA'), 'staple success'); |
| 263 | 268 |
| 269 } | |
| 270 | |
| 264 ok(!staple(8444, 'RSA'), 'responder revoked'); | 271 ok(!staple(8444, 'RSA'), 'responder revoked'); |
| 272 | |
| 273 TODO: { | |
| 274 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' | |
| 275 if $t->has_module('LibreSSL') && $version > 0x303; | |
| 276 | |
| 265 ok(staple(8444, 'ECDSA'), 'responder success'); | 277 ok(staple(8444, 'ECDSA'), 'responder success'); |
| 278 | |
| 279 } | |
| 266 | 280 |
| 267 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); | 281 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); |
| 268 | 282 |
| 269 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); | 283 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); |
| 270 | 284 |
| 271 is(staple(8447, 'RSA'), '1 1', 'file revoked'); | 285 is(staple(8447, 'RSA'), '1 1', 'file revoked'); |
| 272 is(staple(8448, 'ECDSA'), '1 0', 'file success'); | 286 is(staple(8448, 'ECDSA'), '1 0', 'file success'); |
| 273 | 287 |
| 274 ok(!staple(8449, 'ECDSA'), 'ocsp error'); | 288 ok(!staple(8449, 'ECDSA'), 'ocsp error'); |
| 289 | |
| 290 TODO: { | |
| 291 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' | |
| 292 if $t->has_module('LibreSSL') && $version > 0x303; | |
| 293 | |
| 294 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); | |
| 295 | |
| 296 } | |
| 275 | 297 |
| 276 ############################################################################### | 298 ############################################################################### |
| 277 | 299 |
| 278 sub staple { | 300 sub staple { |
| 279 my ($port, $ciphers, $ca) = @_; | 301 my ($port, $ciphers, $ca) = @_; |