comparison mail_ssl.t @ 1142:baeebac35a2e
Tests: basic mail ssl tests.
author | Andrey Zelenkov <zelenkov@nginx.com> |
date | Wed, 01 Mar 2017 19:20:32 +0300 |
parents | |
children | f193664e06d8 |
1 #!/usr/bin/perl | |
2 | |
3 # (C) Andrey Zelenkov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for mail ssl module. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 use Socket qw/ :DEFAULT $CRLF /; | |
16 | |
17 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
18 | |
19 use lib 'lib'; | |
20 use Test::Nginx; | |
21 use Test::Nginx::IMAP; | |
22 use Test::Nginx::POP3; | |
23 | |
24 ############################################################################### | |
25 | |
26 select STDERR; $| = 1; | |
27 select STDOUT; $| = 1; | |
28 | |
29 eval { | |
30 require Net::SSLeay; | |
31 Net::SSLeay::load_error_strings(); | |
32 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
33 Net::SSLeay::randomize(); | |
34 }; | |
35 plan(skip_all => 'Net::SSLeay not installed') if $@; | |
36 | |
37 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 http rewrite/) | |
38 ->has_daemon('openssl')->plan(16); | |
39 | |
40 $t->write_file_expand('nginx.conf', <<'EOF'); | |
41 | |
42 %%TEST_GLOBALS%% | |
43 | |
44 daemon off; | |
45 | |
46 events { | |
47 } | |
48 | |
49 mail { | |
50 ssl_certificate_key localhost.key; | |
51 ssl_certificate localhost.crt; | |
52 ssl_session_tickets off; | |
53 | |
54 # inherited by server "inherits" | |
55 ssl_password_file password_mail; | |
56 | |
57 proxy_pass_error_message on; | |
58 auth_http http://127.0.0.1:8080/mail/auth; | |
59 | |
60 ssl_session_cache none; | |
61 | |
62 server { | |
63 listen 127.0.0.1:8143; | |
64 listen 127.0.0.1:8145 ssl; | |
65 protocol imap; | |
66 | |
67 ssl_session_cache builtin; | |
68 ssl_password_file password; | |
69 } | |
70 | |
71 server { | |
72 listen 127.0.0.1:8146 ssl; | |
73 protocol imap; | |
74 | |
75 ssl_session_cache off; | |
76 ssl_password_file password_many; | |
77 } | |
78 | |
79 server { | |
80 listen 127.0.0.1:8147; | |
81 protocol imap; | |
82 | |
83 # Special case for enabled "ssl" directive. | |
84 | |
85 ssl on; | |
86 ssl_session_cache builtin:1000; | |
87 ssl_password_file password; | |
88 } | |
89 | |
90 server { | |
91 listen 127.0.0.1:8148 ssl; | |
92 protocol imap; | |
93 | |
94 ssl_session_cache shared:SSL:1m; | |
95 ssl_certificate_key inherits.key; | |
96 ssl_certificate inherits.crt; | |
97 } | |
98 | |
99 server { | |
100 listen 127.0.0.1:8149; | |
101 protocol imap; | |
102 | |
103 ssl_password_file password; | |
104 starttls on; | |
105 } | |
106 | |
107 server { | |
108 listen 127.0.0.1:8150; | |
109 protocol imap; | |
110 | |
111 ssl_password_file password; | |
112 starttls only; | |
113 } | |
114 | |
115 server { | |
116 listen 127.0.0.1:8151; | |
117 protocol pop3; | |
118 | |
119 ssl_password_file password; | |
120 starttls on; | |
121 } | |
122 | |
123 server { | |
124 listen 127.0.0.1:8152; | |
125 protocol pop3; | |
126 | |
127 ssl_password_file password; | |
128 starttls only; | |
129 } | |
130 } | |
131 | |
132 http { | |
133 %%TEST_GLOBALS_HTTP%% | |
134 | |
135 server { | |
136 listen 127.0.0.1:8080; | |
137 server_name localhost; | |
138 | |
139 location = /mail/auth { | |
140 add_header Auth-Status OK; | |
141 add_header Auth-Server 127.0.0.1; | |
142 add_header Auth-Port %%PORT_8144%%; | |
143 add_header Auth-Wait 1; | |
144 return 204; | |
145 } | |
146 } | |
147 } | |
148 | |
149 EOF | |
150 | |
151 $t->write_file('openssl.conf', <<EOF); | |
152 [ req ] | |
153 default_bits = 1024 | |
154 encrypt_key = no | |
155 distinguished_name = req_distinguished_name | |
156 [ req_distinguished_name ] | |
157 EOF | |
158 | |
159 my $d = $t->testdir(); | |
160 | |
161 foreach my $name ('localhost', 'inherits') { | |
162 system("openssl genrsa -out '$d/$name.key' -passout pass:$name " | |
163 . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 | |
164 or die "Can't create private key: $!\n"; | |
165 system('openssl req -x509 -new ' | |
166 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
167 . "-out '$d/$name.crt' " | |
168 . "-key '$d/$name.key' -passin pass:$name" | |
169 . ">>$d/openssl.out 2>&1") == 0 | |
170 or die "Can't create certificate for $name: $!\n"; | |
171 } | |
172 | |
173 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
174 | |
175 $t->write_file('password', 'localhost'); | |
176 $t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF"); | |
177 $t->write_file('password_mail', 'inherits'); | |
178 | |
179 $t->run_daemon(\&Test::Nginx::IMAP::imap_test_daemon); | |
180 $t->run()->waitforsocket('127.0.0.1:' . port(8144)); | |
181 | |
182 ############################################################################### | |
183 | |
184 # simple tests to ensure that nothing broke with ssl_password_file directive | |
185 | |
186 my $s = Test::Nginx::IMAP->new(); | |
187 $s->ok('greeting'); | |
188 | |
189 $s->send('1 AUTHENTICATE LOGIN'); | |
190 $s->check(qr/\+ VXNlcm5hbWU6/, 'login'); | |
191 | |
192 # ssl_session_cache | |
193 | |
194 my ($ssl, $ses); | |
195 | |
196 ($s, $ssl) = get_ssl_socket(8145); | |
197 $ses = Net::SSLeay::get_session($ssl); | |
198 | |
199 ($s, $ssl) = get_ssl_socket(8145, $ses); | |
200 is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused'); | |
201 | |
202 ($s, $ssl) = get_ssl_socket(8146); | |
203 $ses = Net::SSLeay::get_session($ssl); | |
204 | |
205 ($s, $ssl) = get_ssl_socket(8146, $ses); | |
206 is(Net::SSLeay::session_reused($ssl), 0, 'session not reused'); | |
207 | |
208 ($s, $ssl) = get_ssl_socket(8147); | |
209 $ses = Net::SSLeay::get_session($ssl); | |
210 | |
211 ($s, $ssl) = get_ssl_socket(8147, $ses); | |
212 is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused'); | |
213 | |
214 ($s, $ssl) = get_ssl_socket(8148); | |
215 $ses = Net::SSLeay::get_session($ssl); | |
216 | |
217 ($s, $ssl) = get_ssl_socket(8148, $ses); | |
218 is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused'); | |
219 | |
220 # ssl_certificate inheritance | |
221 | |
222 ($s, $ssl) = get_ssl_socket(8145); | |
223 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); | |
224 | |
225 ($s, $ssl) = get_ssl_socket(8148); | |
226 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); | |
227 | |
228 # starttls imap | |
229 | |
230 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149)); | |
231 $s->read(); | |
232 | |
233 $s->send('1 AUTHENTICATE LOGIN'); | |
234 $s->check(qr/\+ VXNlcm5hbWU6/, 'imap auth before startls on'); | |
235 | |
236 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149)); | |
237 $s->read(); | |
238 | |
239 $s->send('1 STARTTLS'); | |
240 $s->ok('imap starttls on'); | |
241 | |
242 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150)); | |
243 $s->read(); | |
244 | |
245 $s->send('1 AUTHENTICATE LOGIN'); | |
246 $s->check(qr/^\S+ BAD/, 'imap auth before startls only'); | |
247 | |
248 $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150)); | |
249 $s->read(); | |
250 | |
251 $s->send('1 STARTTLS'); | |
252 $s->ok('imap starttls only'); | |
253 | |
254 # starttls pop3 | |
255 | |
256 $s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151)); | |
257 $s->read(); | |
258 | |
259 $s->send('AUTH LOGIN'); | |
260 $s->check(qr/\+ VXNlcm5hbWU6/, 'pop3 auth before startls on'); | |
261 | |
262 $s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151)); | |
263 $s->read(); | |
264 | |
265 $s->send('STLS'); | |
266 $s->ok('pop3 starttls on'); | |
267 | |
268 $s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152)); | |
269 $s->read(); | |
270 | |
271 $s->send('AUTH LOGIN'); | |
272 $s->check(qr/^-ERR/, 'pop3 auth before startls only'); | |
273 | |
274 $s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152)); | |
275 $s->read(); | |
276 | |
277 $s->send('STLS'); | |
278 $s->ok('pop3 starttls only'); | |
279 | |
280 ############################################################################### | |
281 | |
282 sub get_ssl_socket { | |
283 my ($port, $ses) = @_; | |
284 my $s; | |
285 | |
286 my $dest_ip = inet_aton('127.0.0.1'); | |
287 my $dest_serv_params = sockaddr_in(port($port), $dest_ip); | |
288 | |
289 socket($s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; | |
290 connect($s, $dest_serv_params) or die "connect: $!"; | |
291 | |
292 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | |
293 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
294 Net::SSLeay::set_fd($ssl, fileno($s)); | |
295 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
296 return ($s, $ssl); | |
297 } | |
298 | |
299 ############################################################################### |
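Review bot: The handshake check in get_ssl_socket, `Net::SSLeay::connect($ssl) or die("ssl connect");`, only trips on a return value of 0; SSL_connect reports a failed handshake with a negative value, which is true in Perl, so a broken TLS setup (wrong password file, rejected certificate) falls through to session_reused()/dump_peer_certificate() and the test fails with an unrelated message instead of a clear diagnostic. Use `Net::SSLeay::connect($ssl) == 1 or die 'ssl connect: ' . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());` — the error strings are already loaded in the BEGIN-style eval at the top of the file and are otherwise never used. Separately, the STARTTLS tests only assert that `1 STARTTLS`/`STLS` is answered OK and never attempt a TLS handshake on the upgraded connection, so they do not show that the upgrade actually yields a TLS session; the same set_fd/connect sequence used in get_ssl_socket could be applied to the socket underlying the IMAP/POP3 object, if the Test::Nginx wrapper exposes it. The `openssl req` command string also joins `-passin pass:$name` directly to `>>$d/openssl.out` with no separating space; the shell happens to split at the redirection, but a space would make that intentional rather than accidental.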