comparison ssl.t @ 1068:d0ec761774a5
Tests: client certificate issuer/subject variables.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 21 Oct 2016 16:32:45 +0300 |
parents | 4606a2ec3d7c |
children | 2b0ef67ab032 |
1067:4606a2ec3d7c | 1068:d0ec761774a5 |
---|---|
29 plan(skip_all => 'IO::Socket::SSL too old') if $@; | 29 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
30 | 30 |
31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) | 31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) |
32 ->has_daemon('openssl'); | 32 ->has_daemon('openssl'); |
33 | 33 |
34 $t->plan(18)->write_file_expand('nginx.conf', <<'EOF'); | 34 $t->write_file_expand('nginx.conf', <<'EOF'); |
35 | 35 |
36 %%TEST_GLOBALS%% | 36 %%TEST_GLOBALS%% |
37 | 37 |
38 daemon off; | 38 daemon off; |
39 | 39 |
53 server_name localhost; | 53 server_name localhost; |
54 | 54 |
55 ssl_certificate_key inner.key; | 55 ssl_certificate_key inner.key; |
56 ssl_certificate inner.crt; | 56 ssl_certificate inner.crt; |
57 ssl_session_cache shared:SSL:1m; | 57 ssl_session_cache shared:SSL:1m; |
58 ssl_verify_client optional_no_ca; | |
58 | 59 |
59 location /reuse { | 60 location /reuse { |
60 return 200 "body $ssl_session_reused"; | 61 return 200 "body $ssl_session_reused"; |
61 } | 62 } |
62 location /id { | 63 location /id { |
68 location /client_verify { | 69 location /client_verify { |
69 return 200 "body $ssl_client_verify"; | 70 return 200 "body $ssl_client_verify"; |
70 } | 71 } |
71 location /protocol { | 72 location /protocol { |
72 return 200 "body $ssl_protocol"; | 73 return 200 "body $ssl_protocol"; |
74 } | |
75 location /issuer { | |
76 return 200 "body $ssl_client_i_dn:$ssl_client_i_dn_legacy"; | |
77 } | |
78 location /subject { | |
79 return 200 "body $ssl_client_s_dn:$ssl_client_s_dn_legacy"; | |
73 } | 80 } |
74 } | 81 } |
75 | 82 |
76 server { | 83 server { |
77 listen 127.0.0.1:8081; | 84 listen 127.0.0.1:8081; |
132 [ req_distinguished_name ] | 139 [ req_distinguished_name ] |
133 EOF | 140 EOF |
134 | 141 |
135 my $d = $t->testdir(); | 142 my $d = $t->testdir(); |
136 | 143 |
144 $t->write_file('ca.conf', <<EOF); | |
145 [ ca ] | |
146 default_ca = myca | |
147 | |
148 [ myca ] | |
149 new_certs_dir = $d | |
150 database = $d/certindex | |
151 default_md = sha1 | |
152 policy = myca_policy | |
153 serial = $d/certserial | |
154 default_days = 1 | |
155 | |
156 [ myca_policy ] | |
157 commonName = supplied | |
158 EOF | |
159 | |
160 $t->write_file('certserial', '1000'); | |
161 $t->write_file('certindex', ''); | |
162 | |
163 system('openssl req -x509 -new ' | |
164 . "-config '$d/openssl.conf' -subj '/CN=issuer/' " | |
165 . "-out '$d/issuer.crt' -keyout '$d/issuer.key' " | |
166 . ">>$d/openssl.out 2>&1") == 0 | |
167 or die "Can't create certificate for issuer: $!\n"; | |
168 | |
169 system("openssl req -new " | |
170 . "-config '$d/openssl.conf' -subj '/CN=subject/' " | |
171 . "-out '$d/subject.csr' -keyout '$d/subject.key' " | |
172 . ">>$d/openssl.out 2>&1") == 0 | |
173 or die "Can't create certificate for subject: $!\n"; | |
174 | |
175 system("openssl ca -batch -config '$d/ca.conf' " | |
176 . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " | |
177 . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " | |
178 . ">>$d/openssl.out 2>&1") == 0 | |
179 or die "Can't sign certificate for subject: $!\n"; | |
180 | |
137 foreach my $name ('localhost', 'inner') { | 181 foreach my $name ('localhost', 'inner') { |
138 system('openssl req -x509 -new ' | 182 system('openssl req -x509 -new ' |
139 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | 183 . "-config '$d/openssl.conf' -subj '/CN=$name/' " |
140 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | 184 . "-out '$d/$name.crt' -keyout '$d/$name.key' " |
141 . ">>$d/openssl.out 2>&1") == 0 | 185 . ">>$d/openssl.out 2>&1") == 0 |
144 | 188 |
145 my $ctx = new IO::Socket::SSL::SSL_Context( | 189 my $ctx = new IO::Socket::SSL::SSL_Context( |
146 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 190 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
147 SSL_session_cache_size => 100); | 191 SSL_session_cache_size => 100); |
148 | 192 |
149 $t->run(); | 193 $t->try_run('no ssl_client_s_dn_legacy')->plan(20); |
150 | 194 |
151 ############################################################################### | 195 ############################################################################### |
152 | 196 |
153 like(get('/reuse', 8085), qr/^body \.$/m, 'shared initial session'); | 197 like(get('/reuse', 8085), qr/^body \.$/m, 'shared initial session'); |
154 like(get('/reuse', 8085), qr/^body r$/m, 'shared session reused'); | 198 like(get('/reuse', 8085), qr/^body r$/m, 'shared session reused'); |
188 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); | 232 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); |
189 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); | 233 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); |
190 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); | 234 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); |
191 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); | 235 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); |
192 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); | 236 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); |
237 like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer'); | |
238 like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject'); | |
193 | 239 |
194 ############################################################################### | 240 ############################################################################### |
195 | 241 |
196 sub get { | 242 sub get { |
197 my ($uri, $port) = @_; | 243 my ($uri, $port) = @_; |
198 my $s = get_ssl_socket($ctx, port($port)) or return; | 244 my $s = get_ssl_socket($ctx, port($port)) or return; |
199 http_get($uri, socket => $s); | 245 http_get($uri, socket => $s); |
200 } | 246 } |
201 | 247 |
248 sub cert { | |
249 my ($uri, $port) = @_; | |
250 my $s = get_ssl_socket(undef, port($port), | |
251 SSL_cert_file => "$d/subject.crt", | |
252 SSL_key_file => "$d/subject.key") or return; | |
253 http_get($uri, socket => $s); | |
254 } | |
255 | |
202 sub get_ssl_socket { | 256 sub get_ssl_socket { |
203 my ($ctx, $port) = @_; | 257 my ($ctx, $port, %extra) = @_; |
204 my $s; | 258 my $s; |
205 | 259 |
206 eval { | 260 eval { |
207 local $SIG{ALRM} = sub { die "timeout\n" }; | 261 local $SIG{ALRM} = sub { die "timeout\n" }; |
208 local $SIG{PIPE} = sub { die "sigpipe\n" }; | 262 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
211 Proto => 'tcp', | 265 Proto => 'tcp', |
212 PeerAddr => '127.0.0.1', | 266 PeerAddr => '127.0.0.1', |
213 PeerPort => $port, | 267 PeerPort => $port, |
214 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 268 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
215 SSL_reuse_ctx => $ctx, | 269 SSL_reuse_ctx => $ctx, |
216 SSL_error_trap => sub { die $_[1] } | 270 SSL_error_trap => sub { die $_[1] }, |
271 %extra | |
217 ); | 272 ); |
218 alarm(0); | 273 alarm(0); |
219 }; | 274 }; |
220 alarm(0); | 275 alarm(0); |
221 | 276 |
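Review bot: The new `ssl_verify_client optional_no_ca;` (new line 58) is exercised only through the DN variables at new lines 237–238, while `$ssl_client_verify` is still asserted only for a connection that presents no certificate (line 235), so nothing pins down that the subject certificate — whose issuer is not configured as trusted anywhere in the shown hunks — is reported as failed rather than accepted. One added check, `like(cert('/client_verify', 8085), qr/^body FAILED/m, 'client verify failed');` together with `->plan(21)`, would cover that, and the prefix-only match leaves room for a failure reason being appended to the value. Separately, the three new `or die "Can't ...: $!\n"` clauses (new lines 167, 173, 179) print `$!`, which is not set when openssl starts but exits non-zero; `$?`, or a hint to look in `$d/openssl.out`, is what carries the diagnostic there. The `get_ssl_socket` body in which this section ends continues past the shown context.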