comparison ssl.t @ 1514:c6f27bcdd9d9

Tests: revised ssl.t.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 07 Oct 2019 16:19:07 +0300
parents dbce8fb5f5f8
children 3b6b2667ece9
1513:02412b209838 1514:c6f27bcdd9d9
57 ssl_certificate_key inner.key; 57 ssl_certificate_key inner.key;
58 ssl_certificate inner.crt; 58 ssl_certificate inner.crt;
59 ssl_session_cache shared:SSL:1m; 59 ssl_session_cache shared:SSL:1m;
60 ssl_verify_client optional_no_ca; 60 ssl_verify_client optional_no_ca;
61 61
62 location /reuse { 62 location / {
63 return 200 "body $ssl_session_reused"; 63 return 200 "body $ssl_session_reused";
64 } 64 }
65 location /id { 65 location /id {
66 return 200 "body $ssl_session_id"; 66 return 200 "body $ssl_session_id";
67 } 67 }
68 location /cipher { 68 location /cipher {
69 return 200 "body $ssl_cipher"; 69 return 200 "body $ssl_cipher";
70 }
71 location /ciphers {
72 return 200 "body $ssl_ciphers";
70 } 73 }
71 location /client_verify { 74 location /client_verify {
72 return 200 "body $ssl_client_verify"; 75 return 200 "body $ssl_client_verify";
73 } 76 }
74 location /protocol { 77 location /protocol {
133 136
134 ssl_session_cache off; 137 ssl_session_cache off;
135 138
136 location / { 139 location / {
137 return 200 "body $ssl_session_reused"; 140 return 200 "body $ssl_session_reused";
138 }
139
140 location /ciphers {
141 return 200 "body $ssl_ciphers";
142 }
143
144 location /protocol {
145 return 200 "body $ssl_protocol";
146 } 141 }
147 } 142 }
148 } 143 }
149 144
150 EOF 145 EOF
202 . "-out $d/$name.crt -keyout $d/$name.key " 197 . "-out $d/$name.crt -keyout $d/$name.key "
203 . ">>$d/openssl.out 2>&1") == 0 198 . ">>$d/openssl.out 2>&1") == 0
204 or die "Can't create certificate for $name: $!\n"; 199 or die "Can't create certificate for $name: $!\n";
205 } 200 }
206 201
207 my $ctx = new IO::Socket::SSL::SSL_Context( 202 # suppress deprecation warning
208 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
209 SSL_session_cache_size => 100);
210 203
211 open OLDERR, ">&", \*STDERR; close STDERR; 204 open OLDERR, ">&", \*STDERR; close STDERR;
212 $t->run(); 205 $t->run();
213 open STDERR, ">&", \*OLDERR; 206 open STDERR, ">&", \*OLDERR;
214 207
215 ############################################################################### 208 ###############################################################################
216 209
217 like(get('/reuse', 8085), qr/^body \.$/m, 'shared initial session'); 210 my $ctx;
218 like(get('/', 8081), qr/^body \.$/m, 'builtin initial session');
219 like(get('/', 8082), qr/^body \.$/m, 'builtin size initial session');
220 211
221 SKIP: { 212 SKIP: {
222 skip 'no TLS 1.3 sessions', 3 if get('/protocol', 8084) =~ /TLSv1.3/ 213 skip 'no TLS 1.3 sessions', 6 if get('/protocol', 8085) =~ /TLSv1.3/
223 && ($Net::SSLeay::VERSION < 1.88 || $IO::Socket::SSL::VERSION < 2.061); 214 && ($Net::SSLeay::VERSION < 1.88 || $IO::Socket::SSL::VERSION < 2.061);
224 215
225 like(get('/reuse', 8085), qr/^body r$/m, 'shared session reused'); 216 $ctx = get_ssl_context();
226 like(get('/', 8081), qr/^body r$/m, 'builtin session reused'); 217
227 like(get('/', 8082), qr/^body r$/m, 'builtin size session reused'); 218 like(get('/', 8085, $ctx), qr/^body \.$/m, 'cache shared');
228 219 like(get('/', 8085, $ctx), qr/^body r$/m, 'cache shared reused');
229 } 220
230 221 $ctx = get_ssl_context();
231 like(get('/', 8083), qr/^body \.$/m, 'reused none initial session'); 222
232 like(get('/', 8083), qr/^body \.$/m, 'session not reused 1'); 223 like(get('/', 8081, $ctx), qr/^body \.$/m, 'cache builtin');
233 224 like(get('/', 8081, $ctx), qr/^body r$/m, 'cache builtin reused');
234 like(get('/', 8084), qr/^body \.$/m, 'reused off initial session'); 225
235 like(get('/', 8084), qr/^body \.$/m, 'session not reused 2'); 226 $ctx = get_ssl_context();
227
228 like(get('/', 8082, $ctx), qr/^body \.$/m, 'cache builtin size');
229 like(get('/', 8082, $ctx), qr/^body r$/m, 'cache builtin size reused');
230
231 }
232
233 $ctx = get_ssl_context();
234
235 like(get('/', 8083, $ctx), qr/^body \.$/m, 'cache none');
236 like(get('/', 8083, $ctx), qr/^body \.$/m, 'cache none not reused');
237
238 $ctx = get_ssl_context();
239
240 like(get('/', 8084, $ctx), qr/^body \.$/m, 'cache off');
241 like(get('/', 8084, $ctx), qr/^body \.$/m, 'cache off not reused');
236 242
237 # ssl certificate inheritance 243 # ssl certificate inheritance
238 244
239 my $s = get_ssl_socket($ctx, port(8081)); 245 my $s = get_ssl_socket(8081);
240 like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN'); 246 like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN');
241 247
242 $s->close(); 248 $s->close();
243 249
244 $s = get_ssl_socket($ctx, port(8085)); 250 $s = get_ssl_socket(8085);
245 like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner'); 251 like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner');
246 252
247 $s->close(); 253 $s->close();
248 254
249 # session timeout 255 # session timeout
255 # embedded variables 261 # embedded variables
256 262
257 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); 263 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id');
258 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); 264 unlike(http_get('/id'), qr/body \w/, 'session id no ssl');
259 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); 265 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher');
260 my $re = $t->has_module('BoringSSL') ? '' : qr/[:\w-]+/; 266
261 like(get('/ciphers', 8084), qr/^body $re$/m, 'ciphers'); 267 SKIP: {
268 skip 'BoringSSL', 1 if $t->has_module('BoringSSL');
269
270 like(get('/ciphers', 8085), qr/^body [:\w-]+$/m, 'ciphers');
271
272 }
273
262 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); 274 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify');
263 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); 275 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol');
264 like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer'); 276 like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer');
265 like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject'); 277 like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject');
266 like(cert('/time', 8085), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); 278 like(cert('/time', 8085), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time');
271 'request body chunked'); 283 'request body chunked');
272 284
273 ############################################################################### 285 ###############################################################################
274 286
275 sub get { 287 sub get {
276 my ($uri, $port) = @_; 288 my ($uri, $port, $ctx) = @_;
277 my $s = get_ssl_socket($ctx, port($port)) or return; 289 my $s = get_ssl_socket($port, $ctx) or return;
278 my $r = http_get($uri, socket => $s); 290 my $r = http_get($uri, socket => $s);
279 $s->close(); 291 $s->close();
280 return $r; 292 return $r;
281 } 293 }
282 294
283 sub get_body { 295 sub get_body {
284 my ($uri, $body, $len, $n) = @_; 296 my ($uri, $body, $len, $n) = @_;
285 my $s = get_ssl_socket($ctx, port(8085)) or return; 297 my $s = get_ssl_socket(8085) or return;
286 http("GET /body HTTP/1.1" . CRLF 298 http("GET /body HTTP/1.1" . CRLF
287 . "Host: localhost" . CRLF 299 . "Host: localhost" . CRLF
288 . "Connection: close" . CRLF 300 . "Connection: close" . CRLF
289 . "Transfer-Encoding: chunked" . CRLF . CRLF, 301 . "Transfer-Encoding: chunked" . CRLF . CRLF,
290 socket => $s, start => 1); 302 socket => $s, start => 1);
291 http("c8" . CRLF . $body x $len . CRLF, socket => $s, start => 1) 303 my $chs = unpack("H*", pack("C", length($body) * $len));
304 http($chs . CRLF . $body x $len . CRLF, socket => $s, start => 1)
292 for 1 .. $n; 305 for 1 .. $n;
293 my $r = http("0" . CRLF . CRLF, socket => $s); 306 my $r = http("0" . CRLF . CRLF, socket => $s);
294 $s->close(); 307 $s->close();
295 return $r; 308 return $r;
296 } 309 }
297 310
298 sub cert { 311 sub cert {
299 my ($uri, $port) = @_; 312 my ($uri, $port) = @_;
300 my $s = get_ssl_socket(undef, port($port), 313 my $s = get_ssl_socket($port, undef,
301 SSL_cert_file => "$d/subject.crt", 314 SSL_cert_file => "$d/subject.crt",
302 SSL_key_file => "$d/subject.key") or return; 315 SSL_key_file => "$d/subject.key") or return;
303 http_get($uri, socket => $s); 316 http_get($uri, socket => $s);
304 } 317 }
305 318
319 sub get_ssl_context {
320 return IO::Socket::SSL::SSL_Context->new(
321 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
322 SSL_session_cache_size => 100
323 );
324 }
325
306 sub get_ssl_socket { 326 sub get_ssl_socket {
307 my ($ctx, $port, %extra) = @_; 327 my ($port, $ctx, %extra) = @_;
308 my $s; 328 my $s;
309 329
310 eval { 330 eval {
311 local $SIG{ALRM} = sub { die "timeout\n" }; 331 local $SIG{ALRM} = sub { die "timeout\n" };
312 local $SIG{PIPE} = sub { die "sigpipe\n" }; 332 local $SIG{PIPE} = sub { die "sigpipe\n" };
313 alarm(8); 333 alarm(8);
314 $s = IO::Socket::SSL->new( 334 $s = IO::Socket::SSL->new(
315 Proto => 'tcp', 335 Proto => 'tcp',
316 PeerAddr => '127.0.0.1', 336 PeerAddr => '127.0.0.1',
317 PeerPort => $port, 337 PeerPort => port($port),
318 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), 338 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
319 SSL_reuse_ctx => $ctx, 339 SSL_reuse_ctx => $ctx,
320 SSL_error_trap => sub { die $_[1] }, 340 SSL_error_trap => sub { die $_[1] },
321 %extra 341 %extra
322 ); 342 );