Mercurial > hg > nginx-tests
comparison ssl.t @ 1068:d0ec761774a5
Tests: client certificate issuer/subject variables.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 21 Oct 2016 16:32:45 +0300 |
| parents | 4606a2ec3d7c |
| children | 2b0ef67ab032 |
comparison
equal
deleted
inserted
replaced
| 1067:4606a2ec3d7c | 1068:d0ec761774a5 |
|---|---|
| 29 plan(skip_all => 'IO::Socket::SSL too old') if $@; | 29 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
| 30 | 30 |
| 31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) | 31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) |
| 32 ->has_daemon('openssl'); | 32 ->has_daemon('openssl'); |
| 33 | 33 |
| 34 $t->plan(18)->write_file_expand('nginx.conf', <<'EOF'); | 34 $t->write_file_expand('nginx.conf', <<'EOF'); |
| 35 | 35 |
| 36 %%TEST_GLOBALS%% | 36 %%TEST_GLOBALS%% |
| 37 | 37 |
| 38 daemon off; | 38 daemon off; |
| 39 | 39 |
| 53 server_name localhost; | 53 server_name localhost; |
| 54 | 54 |
| 55 ssl_certificate_key inner.key; | 55 ssl_certificate_key inner.key; |
| 56 ssl_certificate inner.crt; | 56 ssl_certificate inner.crt; |
| 57 ssl_session_cache shared:SSL:1m; | 57 ssl_session_cache shared:SSL:1m; |
| 58 ssl_verify_client optional_no_ca; | |
| 58 | 59 |
| 59 location /reuse { | 60 location /reuse { |
| 60 return 200 "body $ssl_session_reused"; | 61 return 200 "body $ssl_session_reused"; |
| 61 } | 62 } |
| 62 location /id { | 63 location /id { |
| 68 location /client_verify { | 69 location /client_verify { |
| 69 return 200 "body $ssl_client_verify"; | 70 return 200 "body $ssl_client_verify"; |
| 70 } | 71 } |
| 71 location /protocol { | 72 location /protocol { |
| 72 return 200 "body $ssl_protocol"; | 73 return 200 "body $ssl_protocol"; |
| 74 } | |
| 75 location /issuer { | |
| 76 return 200 "body $ssl_client_i_dn:$ssl_client_i_dn_legacy"; | |
| 77 } | |
| 78 location /subject { | |
| 79 return 200 "body $ssl_client_s_dn:$ssl_client_s_dn_legacy"; | |
| 73 } | 80 } |
| 74 } | 81 } |
| 75 | 82 |
| 76 server { | 83 server { |
| 77 listen 127.0.0.1:8081; | 84 listen 127.0.0.1:8081; |
| 132 [ req_distinguished_name ] | 139 [ req_distinguished_name ] |
| 133 EOF | 140 EOF |
| 134 | 141 |
| 135 my $d = $t->testdir(); | 142 my $d = $t->testdir(); |
| 136 | 143 |
| 144 $t->write_file('ca.conf', <<EOF); | |
| 145 [ ca ] | |
| 146 default_ca = myca | |
| 147 | |
| 148 [ myca ] | |
| 149 new_certs_dir = $d | |
| 150 database = $d/certindex | |
| 151 default_md = sha1 | |
| 152 policy = myca_policy | |
| 153 serial = $d/certserial | |
| 154 default_days = 1 | |
| 155 | |
| 156 [ myca_policy ] | |
| 157 commonName = supplied | |
| 158 EOF | |
| 159 | |
| 160 $t->write_file('certserial', '1000'); | |
| 161 $t->write_file('certindex', ''); | |
| 162 | |
| 163 system('openssl req -x509 -new ' | |
| 164 . "-config '$d/openssl.conf' -subj '/CN=issuer/' " | |
| 165 . "-out '$d/issuer.crt' -keyout '$d/issuer.key' " | |
| 166 . ">>$d/openssl.out 2>&1") == 0 | |
| 167 or die "Can't create certificate for issuer: $!\n"; | |
| 168 | |
| 169 system("openssl req -new " | |
| 170 . "-config '$d/openssl.conf' -subj '/CN=subject/' " | |
| 171 . "-out '$d/subject.csr' -keyout '$d/subject.key' " | |
| 172 . ">>$d/openssl.out 2>&1") == 0 | |
| 173 or die "Can't create certificate for subject: $!\n"; | |
| 174 | |
| 175 system("openssl ca -batch -config '$d/ca.conf' " | |
| 176 . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " | |
| 177 . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " | |
| 178 . ">>$d/openssl.out 2>&1") == 0 | |
| 179 or die "Can't sign certificate for subject: $!\n"; | |
| 180 | |
| 137 foreach my $name ('localhost', 'inner') { | 181 foreach my $name ('localhost', 'inner') { |
| 138 system('openssl req -x509 -new ' | 182 system('openssl req -x509 -new ' |
| 139 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | 183 . "-config '$d/openssl.conf' -subj '/CN=$name/' " |
| 140 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | 184 . "-out '$d/$name.crt' -keyout '$d/$name.key' " |
| 141 . ">>$d/openssl.out 2>&1") == 0 | 185 . ">>$d/openssl.out 2>&1") == 0 |
| 144 | 188 |
| 145 my $ctx = new IO::Socket::SSL::SSL_Context( | 189 my $ctx = new IO::Socket::SSL::SSL_Context( |
| 146 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 190 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 147 SSL_session_cache_size => 100); | 191 SSL_session_cache_size => 100); |
| 148 | 192 |
| 149 $t->run(); | 193 $t->try_run('no ssl_client_s_dn_legacy')->plan(20); |
| 150 | 194 |
| 151 ############################################################################### | 195 ############################################################################### |
| 152 | 196 |
| 153 like(get('/reuse', 8085), qr/^body \.$/m, 'shared initial session'); | 197 like(get('/reuse', 8085), qr/^body \.$/m, 'shared initial session'); |
| 154 like(get('/reuse', 8085), qr/^body r$/m, 'shared session reused'); | 198 like(get('/reuse', 8085), qr/^body r$/m, 'shared session reused'); |
| 188 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); | 232 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); |
| 189 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); | 233 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); |
| 190 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); | 234 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); |
| 191 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); | 235 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); |
| 192 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); | 236 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); |
| 237 like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer'); | |
| 238 like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject'); | |
| 193 | 239 |
| 194 ############################################################################### | 240 ############################################################################### |
| 195 | 241 |
| 196 sub get { | 242 sub get { |
| 197 my ($uri, $port) = @_; | 243 my ($uri, $port) = @_; |
| 198 my $s = get_ssl_socket($ctx, port($port)) or return; | 244 my $s = get_ssl_socket($ctx, port($port)) or return; |
| 199 http_get($uri, socket => $s); | 245 http_get($uri, socket => $s); |
| 200 } | 246 } |
| 201 | 247 |
| 248 sub cert { | |
| 249 my ($uri, $port) = @_; | |
| 250 my $s = get_ssl_socket(undef, port($port), | |
| 251 SSL_cert_file => "$d/subject.crt", | |
| 252 SSL_key_file => "$d/subject.key") or return; | |
| 253 http_get($uri, socket => $s); | |
| 254 } | |
| 255 | |
| 202 sub get_ssl_socket { | 256 sub get_ssl_socket { |
| 203 my ($ctx, $port) = @_; | 257 my ($ctx, $port, %extra) = @_; |
| 204 my $s; | 258 my $s; |
| 205 | 259 |
| 206 eval { | 260 eval { |
| 207 local $SIG{ALRM} = sub { die "timeout\n" }; | 261 local $SIG{ALRM} = sub { die "timeout\n" }; |
| 208 local $SIG{PIPE} = sub { die "sigpipe\n" }; | 262 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
| 211 Proto => 'tcp', | 265 Proto => 'tcp', |
| 212 PeerAddr => '127.0.0.1', | 266 PeerAddr => '127.0.0.1', |
| 213 PeerPort => $port, | 267 PeerPort => $port, |
| 214 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 268 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 215 SSL_reuse_ctx => $ctx, | 269 SSL_reuse_ctx => $ctx, |
| 216 SSL_error_trap => sub { die $_[1] } | 270 SSL_error_trap => sub { die $_[1] }, |
| 271 %extra | |
| 217 ); | 272 ); |
| 218 alarm(0); | 273 alarm(0); |
| 219 }; | 274 }; |
| 220 alarm(0); | 275 alarm(0); |
| 221 | 276 |