comparison stream_ssl.t @ 1863:dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Relevant infrastructure is provided in Test::Nginx::Stream. This also
ensures that SSL handshake and various read operations are guarded
with timeouts.
The stream_ssl_verify_client.t test uses IO::Socket::SSL::_get_ssl_object()
to access the Net::SSLeay object directly, as it seems to be the only
way to obtain CA list with IO::Socket::SSL. While not exactly correct,
this seems to be good enough for tests.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 18 May 2023 18:07:12 +0300 |
parents | fd9d077fee02 |
children | b5036a0f9ae0 |
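--- a/stream_ssl.t
+++ b/stream_ssl.t
@@ -17,27 +17,21 @@
 
 BEGIN { use FindBin; chdir($FindBin::Bin); }
 
 use lib 'lib';
 use Test::Nginx;
+use Test::Nginx::Stream qw/ stream /;
 
 ###############################################################################
 
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-eval {
-require Net::SSLeay;
-Net::SSLeay::load_error_strings();
-Net::SSLeay::SSLeay_add_ssl_algorithms();
-Net::SSLeay::randomize();
-};
-plan(skip_all => 'Net::SSLeay not installed') if $@;
-
 plan(skip_all => 'win32') if $^O eq 'MSWin32';
 
-my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl');
+my $t = Test::Nginx->new()->has(qw/stream stream_ssl socket_ssl/)
+->has_daemon('openssl');
 
 $t->plan(5)->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
 
@@ -108,12 +102,10 @@
 . "-key $d/$name.key -passin pass:$name"
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create certificate for $name: $!\n";
 }
 
-my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-
 $t->write_file('password', 'localhost');
 $t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF");
 $t->write_file('password_stream', 'inherits');
 
 my $p = fork();
@@ -130,42 +122,34 @@
 
 $t->waitforsocket('127.0.0.1:' . port(8081));
 
 ###############################################################################
 
-my ($s, $ssl);
-
-($s, $ssl) = get_ssl_socket(8443);
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl');
-
-($s, $ssl) = get_ssl_socket(8444);
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many');
-
-($s, $ssl) = get_ssl_socket(8445);
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo');
+like(get(8443), qr/200 OK/, 'ssl');
+like(get(8444), qr/200 OK/, 'ssl password many');
+like(get(8445), qr/200 OK/, 'ssl password fifo');
 
 # ssl_certificate inheritance
 
-($s, $ssl) = get_ssl_socket(8443);
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
-
-($s, $ssl) = get_ssl_socket(8446);
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
+like(cert(8443), qr/CN=localhost/, 'CN');
+like(cert(8446), qr/CN=inherits/, 'CN inner');
 
 ###############################################################################
 
-sub get_ssl_socket {
+sub get {
+my $s = get_socket(@_);
+return $s->io("GET / HTTP/1.0$CRLF$CRLF");
+}
+
+sub cert {
+my $s = get_socket(@_);
+return $s->socket()->dump_peer_certificate();
+}
+
+sub get_socket {
 my ($port) = @_;
-
-my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
-my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
-Net::SSLeay::set_fd($ssl, fileno($s));
-Net::SSLeay::connect($ssl) or die("ssl connect");
-return ($s, $ssl);
+return stream(PeerAddr => '127.0.0.1:' . port($port), SSL => 1);
 }
 
 ###############################################################################
 
 sub http_daemon {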
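Review bot: In `cert()`, `$s->socket()->dump_peer_certificate()` is chained with no check that the TLS handshake succeeded, whereas the removed `get_ssl_socket` failed explicitly with `die("ssl connect")`. Test::Nginx::Stream is not shown on this page, so whether `stream(..., SSL => 1)` dies or leaves `socket()` undefined after a failed or timed-out handshake is an assumption to confirm. If it can be undefined, the script aborts with a method-call error on an undefined value instead of reporting a failed `like`, which hides which certificate check broke. A guard such as `my $sock = $s->socket() or return '';` before the dump call would turn that into an ordinary test failure. It would also help to add a one-line comment above `get_socket` stating that handshake timeouts and certificate-verification settings come from Test::Nginx::Stream, since nothing in this file sets them.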