Mercurial > hg > nginx-tests
comparison ssl2.t @ 1139:e7e968e3eb74
Tests: split ssl.t to run relevant tests on stable versions again.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 01 Mar 2017 18:04:25 +0300 |
| parents | |
| children | 0af58b78df35 |
comparison
equal
deleted
inserted
replaced
| 1138:d6acd17ca4e3 | 1139:e7e968e3eb74 |
|---|---|
| 1 #!/usr/bin/perl | |
| 2 | |
| 3 # (C) Sergey Kandaurov | |
| 4 # (C) Andrey Zelenkov | |
| 5 # (C) Nginx, Inc. | |
| 6 | |
| 7 # Tests for http ssl module. | |
| 8 | |
| 9 ############################################################################### | |
| 10 | |
| 11 use warnings; | |
| 12 use strict; | |
| 13 | |
| 14 use Test::More; | |
| 15 | |
| 16 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
| 17 | |
| 18 use lib 'lib'; | |
| 19 use Test::Nginx; | |
| 20 | |
| 21 ############################################################################### | |
| 22 | |
| 23 select STDERR; $| = 1; | |
| 24 select STDOUT; $| = 1; | |
| 25 | |
| 26 eval { require IO::Socket::SSL; }; | |
| 27 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
| 28 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
| 29 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
| 30 | |
| 31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) | |
| 32 ->has_daemon('openssl'); | |
| 33 | |
| 34 $t->write_file_expand('nginx.conf', <<'EOF'); | |
| 35 | |
| 36 %%TEST_GLOBALS%% | |
| 37 | |
| 38 daemon off; | |
| 39 | |
| 40 events { | |
| 41 } | |
| 42 | |
| 43 http { | |
| 44 %%TEST_GLOBALS_HTTP%% | |
| 45 | |
| 46 ssl_certificate_key localhost.key; | |
| 47 ssl_certificate localhost.crt; | |
| 48 ssl_verify_client optional_no_ca; | |
| 49 | |
| 50 server { | |
| 51 listen 127.0.0.1:8080 ssl; | |
| 52 server_name localhost; | |
| 53 | |
| 54 location /ciphers { | |
| 55 return 200 "body $ssl_ciphers"; | |
| 56 } | |
| 57 location /issuer { | |
| 58 return 200 "body $ssl_client_i_dn_legacy"; | |
| 59 } | |
| 60 location /subject { | |
| 61 return 200 "body $ssl_client_s_dn_legacy"; | |
| 62 } | |
| 63 location /time { | |
| 64 return 200 "body $ssl_client_v_start!$ssl_client_v_end!$ssl_client_v_remain"; | |
| 65 } | |
| 66 } | |
| 67 } | |
| 68 | |
| 69 EOF | |
| 70 | |
| 71 $t->write_file('openssl.conf', <<EOF); | |
| 72 [ req ] | |
| 73 default_bits = 1024 | |
| 74 encrypt_key = no | |
| 75 distinguished_name = req_distinguished_name | |
| 76 [ req_distinguished_name ] | |
| 77 EOF | |
| 78 | |
| 79 my $d = $t->testdir(); | |
| 80 | |
| 81 $t->write_file('ca.conf', <<EOF); | |
| 82 [ ca ] | |
| 83 default_ca = myca | |
| 84 | |
| 85 [ myca ] | |
| 86 new_certs_dir = $d | |
| 87 database = $d/certindex | |
| 88 default_md = sha1 | |
| 89 policy = myca_policy | |
| 90 serial = $d/certserial | |
| 91 default_days = 3 | |
| 92 | |
| 93 [ myca_policy ] | |
| 94 commonName = supplied | |
| 95 EOF | |
| 96 | |
| 97 $t->write_file('certserial', '1000'); | |
| 98 $t->write_file('certindex', ''); | |
| 99 | |
| 100 system('openssl req -x509 -new ' | |
| 101 . "-config '$d/openssl.conf' -subj '/CN=issuer/' " | |
| 102 . "-out '$d/issuer.crt' -keyout '$d/issuer.key' " | |
| 103 . ">>$d/openssl.out 2>&1") == 0 | |
| 104 or die "Can't create certificate for issuer: $!\n"; | |
| 105 | |
| 106 system("openssl req -new " | |
| 107 . "-config '$d/openssl.conf' -subj '/CN=subject/' " | |
| 108 . "-out '$d/subject.csr' -keyout '$d/subject.key' " | |
| 109 . ">>$d/openssl.out 2>&1") == 0 | |
| 110 or die "Can't create certificate for subject: $!\n"; | |
| 111 | |
| 112 system("openssl ca -batch -config '$d/ca.conf' " | |
| 113 . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " | |
| 114 . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " | |
| 115 . ">>$d/openssl.out 2>&1") == 0 | |
| 116 or die "Can't sign certificate for subject: $!\n"; | |
| 117 | |
| 118 foreach my $name ('localhost') { | |
| 119 system('openssl req -x509 -new ' | |
| 120 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
| 121 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
| 122 . ">>$d/openssl.out 2>&1") == 0 | |
| 123 or die "Can't create certificate for $name: $!\n"; | |
| 124 } | |
| 125 | |
| 126 $t->try_run('no ssl_ciphers')->plan(4); | |
| 127 | |
| 128 ############################################################################### | |
| 129 | |
| 130 like(get('/ciphers'), qr/^body [:\w-]+$/m, 'ciphers'); | |
| 131 like(get('/issuer'), qr!^body /CN=issuer$!m, 'issuer'); | |
| 132 like(get('/subject'), qr!^body /CN=subject$!m, 'subject'); | |
| 133 like(get('/time'), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); | |
| 134 | |
| 135 ############################################################################### | |
| 136 | |
| 137 sub get { | |
| 138 my ($uri) = @_; | |
| 139 my $s = get_ssl_socket() or return; | |
| 140 http_get($uri, socket => $s); | |
| 141 } | |
| 142 | |
| 143 sub get_ssl_socket { | |
| 144 my (%extra) = @_; | |
| 145 my $s; | |
| 146 | |
| 147 eval { | |
| 148 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 149 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 150 alarm(2); | |
| 151 $s = IO::Socket::SSL->new( | |
| 152 Proto => 'tcp', | |
| 153 PeerAddr => '127.0.0.1', | |
| 154 PeerPort => port(8080), | |
| 155 SSL_cert_file => "$d/subject.crt", | |
| 156 SSL_key_file => "$d/subject.key", | |
| 157 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
| 158 SSL_error_trap => sub { die $_[1] }, | |
| 159 %extra | |
| 160 ); | |
| 161 alarm(0); | |
| 162 }; | |
| 163 alarm(0); | |
| 164 | |
| 165 if ($@) { | |
| 166 log_in("died: $@"); | |
| 167 return undef; | |
| 168 } | |
| 169 | |
| 170 return $s; | |
| 171 } | |
| 172 | |
| 173 ############################################################################### |