comparison mail_ssl.t @ 1142:baeebac35a2e

Tests: basic mail ssl tests.
author Andrey Zelenkov <zelenkov@nginx.com>
date Wed, 01 Mar 2017 19:20:32 +0300
parents
children f193664e06d8
1141:d4e779356d8d 1142:baeebac35a2e
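--- a/mail_ssl.t
+++ b/mail_ssl.t
@@ -0,0 +1,299 @@
+#!/usr/bin/perl
+
+# (C) Andrey Zelenkov
+# (C) Nginx, Inc.
+
+# Tests for mail ssl module.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+use Socket qw/ :DEFAULT $CRLF /;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::IMAP;
+use Test::Nginx::POP3;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+eval {
+require Net::SSLeay;
+Net::SSLeay::load_error_strings();
+Net::SSLeay::SSLeay_add_ssl_algorithms();
+Net::SSLeay::randomize();
+};
+plan(skip_all => 'Net::SSLeay not installed') if $@;
+
+my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 http rewrite/)
+->has_daemon('openssl')->plan(16);
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+mail {
+ssl_certificate_key localhost.key;
+ssl_certificate localhost.crt;
+ssl_session_tickets off;
+
+# inherited by server "inherits"
+ssl_password_file password_mail;
+
+proxy_pass_error_message on;
+auth_http http://127.0.0.1:8080/mail/auth;
+
+ssl_session_cache none;
+
+server {
+listen 127.0.0.1:8143;
+listen 127.0.0.1:8145 ssl;
+protocol imap;
+
+ssl_session_cache builtin;
+ssl_password_file password;
+}
+
+server {
+listen 127.0.0.1:8146 ssl;
+protocol imap;
+
+ssl_session_cache off;
+ssl_password_file password_many;
+}
+
+server {
+listen 127.0.0.1:8147;
+protocol imap;
+
+# Special case for enabled "ssl" directive.
+
+ssl on;
+ssl_session_cache builtin:1000;
+ssl_password_file password;
+}
+
+server {
+listen 127.0.0.1:8148 ssl;
+protocol imap;
+
+ssl_session_cache shared:SSL:1m;
+ssl_certificate_key inherits.key;
+ssl_certificate inherits.crt;
+}
+
+server {
+listen 127.0.0.1:8149;
+protocol imap;
+
+ssl_password_file password;
+starttls on;
+}
+
+server {
+listen 127.0.0.1:8150;
+protocol imap;
+
+ssl_password_file password;
+starttls only;
+}
+
+server {
+listen 127.0.0.1:8151;
+protocol pop3;
+
+ssl_password_file password;
+starttls on;
+}
+
+server {
+listen 127.0.0.1:8152;
+protocol pop3;
+
+ssl_password_file password;
+starttls only;
+}
+}
+
+http {
+%%TEST_GLOBALS_HTTP%%
+
+server {
+listen 127.0.0.1:8080;
+server_name localhost;
+
+location = /mail/auth {
+add_header Auth-Status OK;
+add_header Auth-Server 127.0.0.1;
+add_header Auth-Port %%PORT_8144%%;
+add_header Auth-Wait 1;
+return 204;
+}
+}
+}
+
+EOF
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 1024
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+foreach my $name ('localhost', 'inherits') {
+system("openssl genrsa -out '$d/$name.key' -passout pass:$name "
+. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+or die "Can't create private key: $!\n";
+system('openssl req -x509 -new '
+. "-config '$d/openssl.conf' -subj '/CN=$name/' "
+. "-out '$d/$name.crt' "
+. "-key '$d/$name.key' -passin pass:$name"
+. ">>$d/openssl.out 2>&1") == 0
+or die "Can't create certificate for $name: $!\n";
+}
+
+my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
+
+$t->write_file('password', 'localhost');
+$t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF");
+$t->write_file('password_mail', 'inherits');
+
+$t->run_daemon(\&Test::Nginx::IMAP::imap_test_daemon);
+$t->run()->waitforsocket('127.0.0.1:' . port(8144));
+
+###############################################################################
+
+# simple tests to ensure that nothing broke with ssl_password_file directive
+
+my $s = Test::Nginx::IMAP->new();
+$s->ok('greeting');
+
+$s->send('1 AUTHENTICATE LOGIN');
+$s->check(qr/\+ VXNlcm5hbWU6/, 'login');
+
+# ssl_session_cache
+
+my ($ssl, $ses);
+
+($s, $ssl) = get_ssl_socket(8145);
+$ses = Net::SSLeay::get_session($ssl);
+
+($s, $ssl) = get_ssl_socket(8145, $ses);
+is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
+
+($s, $ssl) = get_ssl_socket(8146);
+$ses = Net::SSLeay::get_session($ssl);
+
+($s, $ssl) = get_ssl_socket(8146, $ses);
+is(Net::SSLeay::session_reused($ssl), 0, 'session not reused');
+
+($s, $ssl) = get_ssl_socket(8147);
+$ses = Net::SSLeay::get_session($ssl);
+
+($s, $ssl) = get_ssl_socket(8147, $ses);
+is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
+
+($s, $ssl) = get_ssl_socket(8148);
+$ses = Net::SSLeay::get_session($ssl);
+
+($s, $ssl) = get_ssl_socket(8148, $ses);
+is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
+
+# ssl_certificate inheritance
+
+($s, $ssl) = get_ssl_socket(8145);
+like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
+
+($s, $ssl) = get_ssl_socket(8148);
+like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
+
+# starttls imap
+
+$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149));
+$s->read();
+
+$s->send('1 AUTHENTICATE LOGIN');
+$s->check(qr/\+ VXNlcm5hbWU6/, 'imap auth before startls on');
+
+$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149));
+$s->read();
+
+$s->send('1 STARTTLS');
+$s->ok('imap starttls on');
+
+$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150));
+$s->read();
+
+$s->send('1 AUTHENTICATE LOGIN');
+$s->check(qr/^\S+ BAD/, 'imap auth before startls only');
+
+$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150));
+$s->read();
+
+$s->send('1 STARTTLS');
+$s->ok('imap starttls only');
+
+# starttls pop3
+
+$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151));
+$s->read();
+
+$s->send('AUTH LOGIN');
+$s->check(qr/\+ VXNlcm5hbWU6/, 'pop3 auth before startls on');
+
+$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151));
+$s->read();
+
+$s->send('STLS');
+$s->ok('pop3 starttls on');
+
+$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152));
+$s->read();
+
+$s->send('AUTH LOGIN');
+$s->check(qr/^-ERR/, 'pop3 auth before startls only');
+
+$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152));
+$s->read();
+
+$s->send('STLS');
+$s->ok('pop3 starttls only');
+
+###############################################################################
+
+sub get_ssl_socket {
+my ($port, $ses) = @_;
+my $s;
+
+my $dest_ip = inet_aton('127.0.0.1');
+my $dest_serv_params = sockaddr_in(port($port), $dest_ip);
+
+socket($s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!";
+connect($s, $dest_serv_params) or die "connect: $!";
+
+my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+Net::SSLeay::set_session($ssl, $ses) if defined $ses;
+Net::SSLeay::set_fd($ssl, fileno($s));
+Net::SSLeay::connect($ssl) or die("ssl connect");
+return ($s, $ssl);
+}
+
+###############################################################################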
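Review bot: The handshake guard in get_ssl_socket, `Net::SSLeay::connect($ssl) or die("ssl connect");`, only catches a return of 0; SSL_connect reports a failed handshake with a negative value, which is true in Perl, so a refused or broken TLS handshake passes the check and the session-reuse and certificate assertions then run against a connection that never completed. Comparing against the documented success value makes the failure explicit: `Net::SSLeay::connect($ssl) == 1 or die "ssl connect: " . Net::SSLeay::print_errs();`. The certificate generation loop builds the openssl command as a single shell string with `$d` interpolated into an unquoted `>>$d/openssl.out` redirection, so it presumably relies on the test directory path containing no shell metacharacters; the list form of system() would remove that assumption, though the same pattern is used across the suite. Four test descriptions read `startls` where `starttls` is meant (the IMAP and POP3 "auth before" checks), which will make grepping test output by feature name miss them.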