Mercurial > hg > nginx-tests
comparison stream_ssl_session_reuse.t @ 1863:dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Relevant infrastructure is provided in Test::Nginx::Stream. This also
ensures that SSL handshake and various read operations are guarded
with timeouts.
The stream_ssl_verify_client.t test uses IO::Socket::SSL::_get_ssl_object()
to access the Net::SSLeay object directly, as it seems to be the only
way to obtain CA list with IO::Socket::SSL. While not exactly correct,
this seems to be good enough for tests.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 18 May 2023 18:07:12 +0300 |
parents | df96e9d6c095 |
children | f7f1f349dd26 |
comparison
equal
deleted
inserted
replaced
1862:7681a970f6bd | 1863:dbb7561a9441 |
---|---|
17 | 17 |
18 BEGIN { use FindBin; chdir($FindBin::Bin); } | 18 BEGIN { use FindBin; chdir($FindBin::Bin); } |
19 | 19 |
20 use lib 'lib'; | 20 use lib 'lib'; |
21 use Test::Nginx; | 21 use Test::Nginx; |
22 use Test::Nginx::Stream qw/ stream /; | |
22 | 23 |
23 ############################################################################### | 24 ############################################################################### |
24 | 25 |
25 select STDERR; $| = 1; | 26 select STDERR; $| = 1; |
26 select STDOUT; $| = 1; | 27 select STDOUT; $| = 1; |
27 | 28 |
28 eval { | 29 my $t = Test::Nginx->new()->has(qw/stream stream_ssl socket_ssl_sslversion/) |
29 require Net::SSLeay; | 30 ->has_daemon('openssl')->plan(7); |
30 Net::SSLeay::load_error_strings(); | 31 |
31 Net::SSLeay::SSLeay_add_ssl_algorithms(); | 32 $t->write_file_expand('nginx.conf', <<'EOF'); |
32 Net::SSLeay::randomize(); | |
33 }; | |
34 plan(skip_all => 'Net::SSLeay not installed') if $@; | |
35 | |
36 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); | |
37 | |
38 $t->plan(7)->write_file_expand('nginx.conf', <<'EOF'); | |
39 | 33 |
40 %%TEST_GLOBALS%% | 34 %%TEST_GLOBALS%% |
41 | 35 |
42 daemon off; | 36 daemon off; |
43 | 37 |
121 . "-config $d/openssl.conf -subj /CN=$name/ " | 115 . "-config $d/openssl.conf -subj /CN=$name/ " |
122 . "-out $d/$name.crt -keyout $d/$name.key " | 116 . "-out $d/$name.crt -keyout $d/$name.key " |
123 . ">>$d/openssl.out 2>&1") == 0 | 117 . ">>$d/openssl.out 2>&1") == 0 |
124 or die "Can't create certificate for $name: $!\n"; | 118 or die "Can't create certificate for $name: $!\n"; |
125 } | 119 } |
126 | |
127 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
128 | 120 |
129 $t->run_daemon(\&http_daemon); | 121 $t->run_daemon(\&http_daemon); |
130 | 122 |
131 $t->run(); | 123 $t->run(); |
132 | 124 |
143 # - only builtin cache with explicitly configured size | 135 # - only builtin cache with explicitly configured size |
144 # - only cache none | 136 # - only cache none |
145 # - only cache off | 137 # - only cache off |
146 | 138 |
147 TODO: { | 139 TODO: { |
140 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' | |
141 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); | |
142 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' | |
143 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); | |
148 local $TODO = 'no TLSv1.3 sessions in LibreSSL' | 144 local $TODO = 'no TLSv1.3 sessions in LibreSSL' |
149 if $t->has_module('LibreSSL') && test_tls13(); | 145 if $t->has_module('LibreSSL') && test_tls13(); |
150 | 146 |
151 is(test_reuse(8443), 1, 'tickets reused'); | 147 is(test_reuse(8443), 1, 'tickets reused'); |
152 is(test_reuse(8444), 1, 'tickets and cache reused'); | 148 is(test_reuse(8444), 1, 'tickets and cache reused'); |
166 is(test_reuse(8449), 0, 'cache off not reused'); | 162 is(test_reuse(8449), 0, 'cache off not reused'); |
167 | 163 |
168 ############################################################################### | 164 ############################################################################### |
169 | 165 |
170 sub test_tls13 { | 166 sub test_tls13 { |
171 my ($s, $ssl) = get_ssl_socket(8443); | 167 my $s = stream( |
172 return (Net::SSLeay::version($ssl) > 0x303); | 168 PeerAddr => '127.0.0.1:' . port(8443), |
169 SSL => 1 | |
170 ); | |
171 return ($s->socket()->get_sslversion_int() > 0x303); | |
173 } | 172 } |
174 | 173 |
175 sub test_reuse { | 174 sub test_reuse { |
176 my ($port) = @_; | 175 my ($port) = @_; |
177 my ($s, $ssl) = get_ssl_socket($port); | 176 |
178 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF"); | 177 my $s = stream( |
179 Net::SSLeay::read($ssl); | 178 PeerAddr => '127.0.0.1:' . port($port), |
180 my $ses = Net::SSLeay::get_session($ssl); | 179 SSL => 1, |
181 ($s, $ssl) = get_ssl_socket($port, $ses); | 180 SSL_session_cache_size => 100 |
182 return Net::SSLeay::session_reused($ssl); | 181 ); |
183 } | 182 $s->io("GET / HTTP/1.0$CRLF$CRLF"); |
184 | 183 |
185 sub get_ssl_socket { | 184 $s = stream( |
186 my ($port, $ses) = @_; | 185 PeerAddr => '127.0.0.1:' . port($port), |
187 | 186 SSL => 1, |
188 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | 187 SSL_reuse_ctx => $s->socket() |
189 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 188 ); |
190 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | 189 |
191 Net::SSLeay::set_fd($ssl, fileno($s)); | 190 return $s->socket()->get_session_reused(); |
192 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
193 return ($s, $ssl); | |
194 } | 191 } |
195 | 192 |
196 ############################################################################### | 193 ############################################################################### |
197 | 194 |
198 sub http_daemon { | 195 sub http_daemon { |