comparison ssl2.t @ 1139:e7e968e3eb74
Tests: split ssl.t to run relevant tests on stable versions again.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 01 Mar 2017 18:04:25 +0300 |
parents | |
children | 0af58b78df35 |
1138:d6acd17ca4e3 | 1139:e7e968e3eb74 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Andrey Zelenkov | |
5 # (C) Nginx, Inc. | |
6 | |
7 # Tests for http ssl module. | |
8 | |
9 ############################################################################### | |
10 | |
11 use warnings; | |
12 use strict; | |
13 | |
14 use Test::More; | |
15 | |
16 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
17 | |
18 use lib 'lib'; | |
19 use Test::Nginx; | |
20 | |
21 ############################################################################### | |
22 | |
23 select STDERR; $| = 1; | |
24 select STDOUT; $| = 1; | |
25 | |
26 eval { require IO::Socket::SSL; }; | |
27 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
28 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
29 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
30 | |
31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) | |
32 ->has_daemon('openssl'); | |
33 | |
34 $t->write_file_expand('nginx.conf', <<'EOF'); | |
35 | |
36 %%TEST_GLOBALS%% | |
37 | |
38 daemon off; | |
39 | |
40 events { | |
41 } | |
42 | |
43 http { | |
44 %%TEST_GLOBALS_HTTP%% | |
45 | |
46 ssl_certificate_key localhost.key; | |
47 ssl_certificate localhost.crt; | |
48 ssl_verify_client optional_no_ca; | |
49 | |
50 server { | |
51 listen 127.0.0.1:8080 ssl; | |
52 server_name localhost; | |
53 | |
54 location /ciphers { | |
55 return 200 "body $ssl_ciphers"; | |
56 } | |
57 location /issuer { | |
58 return 200 "body $ssl_client_i_dn_legacy"; | |
59 } | |
60 location /subject { | |
61 return 200 "body $ssl_client_s_dn_legacy"; | |
62 } | |
63 location /time { | |
64 return 200 "body $ssl_client_v_start!$ssl_client_v_end!$ssl_client_v_remain"; | |
65 } | |
66 } | |
67 } | |
68 | |
69 EOF | |
70 | |
71 $t->write_file('openssl.conf', <<EOF); | |
72 [ req ] | |
73 default_bits = 1024 | |
74 encrypt_key = no | |
75 distinguished_name = req_distinguished_name | |
76 [ req_distinguished_name ] | |
77 EOF | |
78 | |
79 my $d = $t->testdir(); | |
80 | |
81 $t->write_file('ca.conf', <<EOF); | |
82 [ ca ] | |
83 default_ca = myca | |
84 | |
85 [ myca ] | |
86 new_certs_dir = $d | |
87 database = $d/certindex | |
88 default_md = sha1 | |
89 policy = myca_policy | |
90 serial = $d/certserial | |
91 default_days = 3 | |
92 | |
93 [ myca_policy ] | |
94 commonName = supplied | |
95 EOF | |
96 | |
97 $t->write_file('certserial', '1000'); | |
98 $t->write_file('certindex', ''); | |
99 | |
100 system('openssl req -x509 -new ' | |
101 . "-config '$d/openssl.conf' -subj '/CN=issuer/' " | |
102 . "-out '$d/issuer.crt' -keyout '$d/issuer.key' " | |
103 . ">>$d/openssl.out 2>&1") == 0 | |
104 or die "Can't create certificate for issuer: $!\n"; | |
105 | |
106 system("openssl req -new " | |
107 . "-config '$d/openssl.conf' -subj '/CN=subject/' " | |
108 . "-out '$d/subject.csr' -keyout '$d/subject.key' " | |
109 . ">>$d/openssl.out 2>&1") == 0 | |
110 or die "Can't create certificate for subject: $!\n"; | |
111 | |
112 system("openssl ca -batch -config '$d/ca.conf' " | |
113 . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " | |
114 . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " | |
115 . ">>$d/openssl.out 2>&1") == 0 | |
116 or die "Can't sign certificate for subject: $!\n"; | |
117 | |
118 foreach my $name ('localhost') { | |
119 system('openssl req -x509 -new ' | |
120 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
121 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
122 . ">>$d/openssl.out 2>&1") == 0 | |
123 or die "Can't create certificate for $name: $!\n"; | |
124 } | |
125 | |
126 $t->try_run('no ssl_ciphers')->plan(4); | |
127 | |
128 ############################################################################### | |
129 | |
130 like(get('/ciphers'), qr/^body [:\w-]+$/m, 'ciphers'); | |
131 like(get('/issuer'), qr!^body /CN=issuer$!m, 'issuer'); | |
132 like(get('/subject'), qr!^body /CN=subject$!m, 'subject'); | |
133 like(get('/time'), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); | |
134 | |
135 ############################################################################### | |
136 | |
137 sub get { | |
138 my ($uri) = @_; | |
139 my $s = get_ssl_socket() or return; | |
140 http_get($uri, socket => $s); | |
141 } | |
142 | |
143 sub get_ssl_socket { | |
144 my (%extra) = @_; | |
145 my $s; | |
146 | |
147 eval { | |
148 local $SIG{ALRM} = sub { die "timeout\n" }; | |
149 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
150 alarm(2); | |
151 $s = IO::Socket::SSL->new( | |
152 Proto => 'tcp', | |
153 PeerAddr => '127.0.0.1', | |
154 PeerPort => port(8080), | |
155 SSL_cert_file => "$d/subject.crt", | |
156 SSL_key_file => "$d/subject.key", | |
157 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
158 SSL_error_trap => sub { die $_[1] }, | |
159 %extra | |
160 ); | |
161 alarm(0); | |
162 }; | |
163 alarm(0); | |
164 | |
165 if ($@) { | |
166 log_in("died: $@"); | |
167 return undef; | |
168 } | |
169 | |
170 return $s; | |
171 } | |
172 | |
173 ############################################################################### |
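Review bot: The generated `openssl.conf` and `ca.conf` fixtures pin `default_bits = 1024` and `default_md = sha1`, which OpenSSL builds with a raised default security level can reject, either while signing `subject.crt` or when nginx loads `localhost.crt`. Because startup goes through `try_run('no ssl_ciphers')`, such a rejection would probably show up as a skip with a misleading reason rather than as a failure. None of the four assertions appears to depend on key size or digest, so I would use `default_bits = 2048` and `default_md = sha256`. Relatedly, the `system(...) == 0 or die "...: $!\n"` checks print `$!`, which a non-zero exit from openssl does not set; reporting `$?` and pointing at `$d/openssl.out` would make a setup failure of this kind diagnosable.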