Mercurial > hg > nginx-tests
comparison stream_ssl_session_reuse.t @ 1863:dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Relevant infrastructure is provided in Test::Nginx::Stream. This also
ensures that SSL handshake and various read operations are guarded
with timeouts.
The stream_ssl_verify_client.t test uses IO::Socket::SSL::_get_ssl_object()
to access the Net::SSLeay object directly, as it seems to be the only
way to obtain CA list with IO::Socket::SSL. While not exactly correct,
this seems to be good enough for tests.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 18 May 2023 18:07:12 +0300 |
| parents | df96e9d6c095 |
| children | f7f1f349dd26 |
comparison
equal
deleted
inserted
replaced
| 1862:7681a970f6bd | 1863:dbb7561a9441 |
|---|---|
| 17 | 17 |
| 18 BEGIN { use FindBin; chdir($FindBin::Bin); } | 18 BEGIN { use FindBin; chdir($FindBin::Bin); } |
| 19 | 19 |
| 20 use lib 'lib'; | 20 use lib 'lib'; |
| 21 use Test::Nginx; | 21 use Test::Nginx; |
| 22 use Test::Nginx::Stream qw/ stream /; | |
| 22 | 23 |
| 23 ############################################################################### | 24 ############################################################################### |
| 24 | 25 |
| 25 select STDERR; $| = 1; | 26 select STDERR; $| = 1; |
| 26 select STDOUT; $| = 1; | 27 select STDOUT; $| = 1; |
| 27 | 28 |
| 28 eval { | 29 my $t = Test::Nginx->new()->has(qw/stream stream_ssl socket_ssl_sslversion/) |
| 29 require Net::SSLeay; | 30 ->has_daemon('openssl')->plan(7); |
| 30 Net::SSLeay::load_error_strings(); | 31 |
| 31 Net::SSLeay::SSLeay_add_ssl_algorithms(); | 32 $t->write_file_expand('nginx.conf', <<'EOF'); |
| 32 Net::SSLeay::randomize(); | |
| 33 }; | |
| 34 plan(skip_all => 'Net::SSLeay not installed') if $@; | |
| 35 | |
| 36 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl'); | |
| 37 | |
| 38 $t->plan(7)->write_file_expand('nginx.conf', <<'EOF'); | |
| 39 | 33 |
| 40 %%TEST_GLOBALS%% | 34 %%TEST_GLOBALS%% |
| 41 | 35 |
| 42 daemon off; | 36 daemon off; |
| 43 | 37 |
| 121 . "-config $d/openssl.conf -subj /CN=$name/ " | 115 . "-config $d/openssl.conf -subj /CN=$name/ " |
| 122 . "-out $d/$name.crt -keyout $d/$name.key " | 116 . "-out $d/$name.crt -keyout $d/$name.key " |
| 123 . ">>$d/openssl.out 2>&1") == 0 | 117 . ">>$d/openssl.out 2>&1") == 0 |
| 124 or die "Can't create certificate for $name: $!\n"; | 118 or die "Can't create certificate for $name: $!\n"; |
| 125 } | 119 } |
| 126 | |
| 127 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
| 128 | 120 |
| 129 $t->run_daemon(\&http_daemon); | 121 $t->run_daemon(\&http_daemon); |
| 130 | 122 |
| 131 $t->run(); | 123 $t->run(); |
| 132 | 124 |
| 143 # - only builtin cache with explicitly configured size | 135 # - only builtin cache with explicitly configured size |
| 144 # - only cache none | 136 # - only cache none |
| 145 # - only cache off | 137 # - only cache off |
| 146 | 138 |
| 147 TODO: { | 139 TODO: { |
| 140 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' | |
| 141 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); | |
| 142 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' | |
| 143 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); | |
| 148 local $TODO = 'no TLSv1.3 sessions in LibreSSL' | 144 local $TODO = 'no TLSv1.3 sessions in LibreSSL' |
| 149 if $t->has_module('LibreSSL') && test_tls13(); | 145 if $t->has_module('LibreSSL') && test_tls13(); |
| 150 | 146 |
| 151 is(test_reuse(8443), 1, 'tickets reused'); | 147 is(test_reuse(8443), 1, 'tickets reused'); |
| 152 is(test_reuse(8444), 1, 'tickets and cache reused'); | 148 is(test_reuse(8444), 1, 'tickets and cache reused'); |
| 166 is(test_reuse(8449), 0, 'cache off not reused'); | 162 is(test_reuse(8449), 0, 'cache off not reused'); |
| 167 | 163 |
| 168 ############################################################################### | 164 ############################################################################### |
| 169 | 165 |
| 170 sub test_tls13 { | 166 sub test_tls13 { |
| 171 my ($s, $ssl) = get_ssl_socket(8443); | 167 my $s = stream( |
| 172 return (Net::SSLeay::version($ssl) > 0x303); | 168 PeerAddr => '127.0.0.1:' . port(8443), |
| 169 SSL => 1 | |
| 170 ); | |
| 171 return ($s->socket()->get_sslversion_int() > 0x303); | |
| 173 } | 172 } |
| 174 | 173 |
| 175 sub test_reuse { | 174 sub test_reuse { |
| 176 my ($port) = @_; | 175 my ($port) = @_; |
| 177 my ($s, $ssl) = get_ssl_socket($port); | 176 |
| 178 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF"); | 177 my $s = stream( |
| 179 Net::SSLeay::read($ssl); | 178 PeerAddr => '127.0.0.1:' . port($port), |
| 180 my $ses = Net::SSLeay::get_session($ssl); | 179 SSL => 1, |
| 181 ($s, $ssl) = get_ssl_socket($port, $ses); | 180 SSL_session_cache_size => 100 |
| 182 return Net::SSLeay::session_reused($ssl); | 181 ); |
| 183 } | 182 $s->io("GET / HTTP/1.0$CRLF$CRLF"); |
| 184 | 183 |
| 185 sub get_ssl_socket { | 184 $s = stream( |
| 186 my ($port, $ses) = @_; | 185 PeerAddr => '127.0.0.1:' . port($port), |
| 187 | 186 SSL => 1, |
| 188 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | 187 SSL_reuse_ctx => $s->socket() |
| 189 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 188 ); |
| 190 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | 189 |
| 191 Net::SSLeay::set_fd($ssl, fileno($s)); | 190 return $s->socket()->get_session_reused(); |
| 192 Net::SSLeay::connect($ssl) or die("ssl connect"); | |
| 193 return ($s, $ssl); | |
| 194 } | 191 } |
| 195 | 192 |
| 196 ############################################################################### | 193 ############################################################################### |
| 197 | 194 |
| 198 sub http_daemon { | 195 sub http_daemon { |