Mercurial > hg > nginx-tests
comparison stream_ssl.t @ 1863:dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Relevant infrastructure is provided in Test::Nginx::Stream. This also
ensures that SSL handshake and various read operations are guarded
with timeouts.
The stream_ssl_verify_client.t test uses IO::Socket::SSL::_get_ssl_object()
to access the Net::SSLeay object directly, as it seems to be the only
way to obtain CA list with IO::Socket::SSL. While not exactly correct,
this seems to be good enough for tests.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 18 May 2023 18:07:12 +0300 |
| parents | fd9d077fee02 |
| children | b5036a0f9ae0 |
comparison
equal
deleted
inserted
replaced
| 1862:7681a970f6bd | 1863:dbb7561a9441 |
|---|---|
| 17 | 17 |
| 18 BEGIN { use FindBin; chdir($FindBin::Bin); } | 18 BEGIN { use FindBin; chdir($FindBin::Bin); } |
| 19 | 19 |
| 20 use lib 'lib'; | 20 use lib 'lib'; |
| 21 use Test::Nginx; | 21 use Test::Nginx; |
| 22 use Test::Nginx::Stream qw/ stream /; | |
| 22 | 23 |
| 23 ############################################################################### | 24 ############################################################################### |
| 24 | 25 |
| 25 select STDERR; $| = 1; | 26 select STDERR; $| = 1; |
| 26 select STDOUT; $| = 1; | 27 select STDOUT; $| = 1; |
| 27 | 28 |
| 28 eval { | |
| 29 require Net::SSLeay; | |
| 30 Net::SSLeay::load_error_strings(); | |
| 31 Net::SSLeay::SSLeay_add_ssl_algorithms(); | |
| 32 Net::SSLeay::randomize(); | |
| 33 }; | |
| 34 plan(skip_all => 'Net::SSLeay not installed') if $@; | |
| 35 | |
| 36 plan(skip_all => 'win32') if $^O eq 'MSWin32'; | 29 plan(skip_all => 'win32') if $^O eq 'MSWin32'; |
| 37 | 30 |
| 38 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); | 31 my $t = Test::Nginx->new()->has(qw/stream stream_ssl socket_ssl/) |
| 32 ->has_daemon('openssl'); | |
| 39 | 33 |
| 40 $t->plan(5)->write_file_expand('nginx.conf', <<'EOF'); | 34 $t->plan(5)->write_file_expand('nginx.conf', <<'EOF'); |
| 41 | 35 |
| 42 %%TEST_GLOBALS%% | 36 %%TEST_GLOBALS%% |
| 43 | 37 |
| 108 . "-key $d/$name.key -passin pass:$name" | 102 . "-key $d/$name.key -passin pass:$name" |
| 109 . ">>$d/openssl.out 2>&1") == 0 | 103 . ">>$d/openssl.out 2>&1") == 0 |
| 110 or die "Can't create certificate for $name: $!\n"; | 104 or die "Can't create certificate for $name: $!\n"; |
| 111 } | 105 } |
| 112 | 106 |
| 113 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 114 | |
| 115 $t->write_file('password', 'localhost'); | 107 $t->write_file('password', 'localhost'); |
| 116 $t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF"); | 108 $t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF"); |
| 117 $t->write_file('password_stream', 'inherits'); | 109 $t->write_file('password_stream', 'inherits'); |
| 118 | 110 |
| 119 my $p = fork(); | 111 my $p = fork(); |
| 130 | 122 |
| 131 $t->waitforsocket('127.0.0.1:' . port(8081)); | 123 $t->waitforsocket('127.0.0.1:' . port(8081)); |
| 132 | 124 |
| 133 ############################################################################### | 125 ############################################################################### |
| 134 | 126 |
| 135 my ($s, $ssl); | 127 like(get(8443), qr/200 OK/, 'ssl'); |
| 136 | 128 like(get(8444), qr/200 OK/, 'ssl password many'); |
| 137 ($s, $ssl) = get_ssl_socket(8443); | 129 like(get(8445), qr/200 OK/, 'ssl password fifo'); |
| 138 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF"); | |
| 139 like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl'); | |
| 140 | |
| 141 ($s, $ssl) = get_ssl_socket(8444); | |
| 142 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF"); | |
| 143 like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many'); | |
| 144 | |
| 145 ($s, $ssl) = get_ssl_socket(8445); | |
| 146 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF"); | |
| 147 like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo'); | |
| 148 | 130 |
| 149 # ssl_certificate inheritance | 131 # ssl_certificate inheritance |
| 150 | 132 |
| 151 ($s, $ssl) = get_ssl_socket(8443); | 133 like(cert(8443), qr/CN=localhost/, 'CN'); |
| 152 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); | 134 like(cert(8446), qr/CN=inherits/, 'CN inner'); |
| 153 | |
| 154 ($s, $ssl) = get_ssl_socket(8446); | |
| 155 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); | |
| 156 | 135 |
| 157 ############################################################################### | 136 ############################################################################### |
| 158 | 137 |
| 159 sub get_ssl_socket { | 138 sub get { |
| 139 my $s = get_socket(@_); | |
| 140 return $s->io("GET / HTTP/1.0$CRLF$CRLF"); | |
| 141 } | |
| 142 | |
| 143 sub cert { | |
| 144 my $s = get_socket(@_); | |
| 145 return $s->socket()->dump_peer_certificate(); | |
| 146 } | |
| 147 | |
| 148 sub get_socket { | |
| 160 my ($port) = @_; | 149 my ($port) = @_; |
| 161 | 150 return stream(PeerAddr => '127.0.0.1:' . port($port), SSL => 1); |
| 162 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | |
| 163 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | |
| 164 Net::SSLeay::set_fd($ssl, fileno($s)); | |
| 165 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
| 166 return ($s, $ssl); | |
| 167 } | 151 } |
| 168 | 152 |
| 169 ############################################################################### | 153 ############################################################################### |
| 170 | 154 |
| 171 sub http_daemon { | 155 sub http_daemon { |