Mercurial > hg > nginx-tests
comparison stream_ssl_verify_client.t @ 1114:c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Additionally, this includes test for ssl_trusted_certificate.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Thu, 19 Jan 2017 16:59:20 +0300 |
| parents | b3d5a2f8a00b |
| children | 8ef51dbb5d69 |
comparison
equal
deleted
inserted
replaced
| 1113:41690e007ad8 | 1114:c5df4742ad40 |
|---|---|
| 45 | 45 |
| 46 events { | 46 events { |
| 47 } | 47 } |
| 48 | 48 |
| 49 stream { | 49 stream { |
| 50 ssl_certificate_key localhost.key; | 50 log_format status $status; |
| 51 ssl_certificate localhost.crt; | |
| 52 | 51 |
| 53 ssl_verify_client optional_no_ca; | 52 ssl_certificate_key 1.example.com.key; |
| 53 ssl_certificate 1.example.com.crt; | |
| 54 | 54 |
| 55 server { | 55 server { |
| 56 listen 127.0.0.1:8080 ssl; | 56 listen 127.0.0.1:8080; |
| 57 return $ssl_client_verify; | 57 return $ssl_client_verify:$ssl_client_cert; |
| 58 | 58 |
| 59 ssl_client_certificate client.crt; | 59 ssl_verify_client on; |
| 60 ssl_client_certificate 2.example.com.crt; | |
| 60 } | 61 } |
| 61 | 62 |
| 62 server { | 63 server { |
| 63 listen 127.0.0.1:8081 ssl; | 64 listen 127.0.0.1:8081 ssl; |
| 64 return $ssl_client_verify; | 65 return $ssl_client_verify:$ssl_client_cert; |
| 66 | |
| 67 ssl_verify_client on; | |
| 68 ssl_client_certificate 2.example.com.crt; | |
| 69 | |
| 70 access_log %%TESTDIR%%/status.log status; | |
| 71 } | |
| 72 | |
| 73 server { | |
| 74 listen 127.0.0.1:8082 ssl; | |
| 75 return $ssl_client_verify:$ssl_client_cert; | |
| 76 | |
| 77 ssl_verify_client optional; | |
| 78 ssl_client_certificate 2.example.com.crt; | |
| 79 ssl_trusted_certificate 3.example.com.crt; | |
| 80 } | |
| 81 | |
| 82 server { | |
| 83 listen 127.0.0.1:8083 ssl; | |
| 84 return $ssl_client_verify:$ssl_client_cert; | |
| 85 | |
| 86 ssl_verify_client optional_no_ca; | |
| 87 ssl_client_certificate 2.example.com.crt; | |
| 65 } | 88 } |
| 66 } | 89 } |
| 67 | 90 |
| 68 EOF | 91 EOF |
| 69 | |
| 70 my $d = $t->testdir(); | |
| 71 | 92 |
| 72 $t->write_file('openssl.conf', <<EOF); | 93 $t->write_file('openssl.conf', <<EOF); |
| 73 [ req ] | 94 [ req ] |
| 74 default_bits = 2048 | 95 default_bits = 2048 |
| 75 encrypt_key = no | 96 encrypt_key = no |
| 76 distinguished_name = req_distinguished_name | 97 distinguished_name = req_distinguished_name |
| 77 [ req_distinguished_name ] | 98 [ req_distinguished_name ] |
| 78 EOF | 99 EOF |
| 79 | 100 |
| 80 foreach my $name ('localhost', 'client') { | 101 my $d = $t->testdir(); |
| 102 | |
| 103 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { | |
| 81 system('openssl req -x509 -new ' | 104 system('openssl req -x509 -new ' |
| 82 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | 105 . "-config '$d/openssl.conf' -subj '/CN=$name/' " |
| 83 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | 106 . "-out '$d/$name.crt' -keyout '$d/$name.key' " |
| 84 . ">>$d/openssl.out 2>&1") == 0 | 107 . ">>$d/openssl.out 2>&1") == 0 |
| 85 or die "Can't create certificate for $name: $!\n"; | 108 or die "Can't create certificate for $name: $!\n"; |
| 86 } | 109 } |
| 87 | 110 |
| 88 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | 111 $t->try_run('no ssl_verify_client')->plan(10); |
| 89 Net::SSLeay::set_cert_and_key($ctx, "$d/client.crt", "$d/client.key") or die; | |
| 90 | |
| 91 $t->try_run('no ssl_verify_client')->plan(2); | |
| 92 | 112 |
| 93 ############################################################################### | 113 ############################################################################### |
| 94 | 114 |
| 95 my ($s, $ssl) = get_ssl_socket(port(8080)); | 115 TODO: { |
| 96 is(Net::SSLeay::read($ssl), 'SUCCESS', 'success'); | 116 todo_skip 'leaves coredump', 1 unless $t->has_version('1.11.9'); |
| 97 | 117 |
| 98 ($s, $ssl) = get_ssl_socket(port(8081)); | 118 is(stream()->read(), ':', 'plain connection'); |
| 99 like(Net::SSLeay::read($ssl), qr/FAILED/, 'failed'); | 119 |
| 120 } | |
| 121 | |
| 122 TODO: { | |
| 123 local $TODO = 'fails on one-pass ngx_ssl_handshake' | |
| 124 unless $t->has_version('1.11.9'); | |
| 125 | |
| 126 is(get(8081), '', 'no cert'); | |
| 127 is(get(8082, '1.example.com'), '', 'bad optional cert'); | |
| 128 | |
| 129 } | |
| 130 | |
| 131 is(get(8082), 'NONE:', 'no optional cert'); | |
| 132 like(get(8083, '1.example.com'), qr/FAILED.*BEGIN/, 'bad optional_no_ca cert'); | |
| 133 | |
| 134 like(get(8081, '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); | |
| 135 like(get(8082, '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert optional'); | |
| 136 like(get(8082, '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); | |
| 137 | |
| 138 SKIP: { | |
| 139 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; | |
| 140 | |
| 141 my $ca = join ' ', get(8082, '3.example.com'); | |
| 142 is($ca, '/CN=2.example.com', 'no trusted sent'); | |
| 143 | |
| 144 } | |
| 145 | |
| 146 TODO: { | |
| 147 local $TODO = 'not yet, see above' unless $t->has_version('1.11.9'); | |
| 148 | |
| 149 $t->stop(); | |
| 150 | |
| 151 is($t->read_file('status.log'), "500\n200\n", 'log'); | |
| 152 | |
| 153 } | |
| 100 | 154 |
| 101 ############################################################################### | 155 ############################################################################### |
| 102 | 156 |
| 103 sub get_ssl_socket { | 157 sub get { |
| 104 my ($port) = @_; | 158 my ($port, $cert) = @_; |
| 105 | 159 |
| 106 my $dest_ip = inet_aton('127.0.0.1'); | 160 my $dest_ip = inet_aton('127.0.0.1'); |
| 107 my $dest_serv_params = sockaddr_in($port, $dest_ip); | 161 my $dest_serv_params = sockaddr_in(port($port), $dest_ip); |
| 108 | 162 |
| 109 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; | 163 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; |
| 110 connect($s, $dest_serv_params) or die "connect: $!"; | 164 connect($s, $dest_serv_params) or die "connect: $!"; |
| 111 | 165 |
| 166 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 167 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") | |
| 168 or die if $cert; | |
| 112 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 169 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
| 113 Net::SSLeay::set_fd($ssl, fileno($s)); | 170 Net::SSLeay::set_fd($ssl, fileno($s)); |
| 114 Net::SSLeay::connect($ssl) or die("ssl connect"); | 171 Net::SSLeay::connect($ssl) or die("ssl connect"); |
| 115 return ($s, $ssl); | 172 |
| 173 my $buf = Net::SSLeay::read($ssl); | |
| 174 log_in($buf); | |
| 175 return $buf unless wantarray(); | |
| 176 | |
| 177 my $list = Net::SSLeay::get_client_CA_list($ssl); | |
| 178 my @names; | |
| 179 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { | |
| 180 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); | |
| 181 push @names, Net::SSLeay::X509_NAME_oneline($name); | |
| 182 } | |
| 183 return @names; | |
| 116 } | 184 } |
| 117 | 185 |
| 118 ############################################################################### | 186 ############################################################################### |