Mercurial > hg > nginx-tests
comparison h2_ssl_verify_client.t @ 932:f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 23 May 2016 13:58:34 +0300 |
parents | |
children | 4dc302d8e04f |
comparison
equal
deleted
inserted
replaced
931:bf86f9ad0c23 | 932:f9ab0aa6e14e |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for HTTP/2 protocol with ssl, ssl_verify_client. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 use Test::Nginx::HTTP2; | |
20 | |
21 ############################################################################### | |
22 | |
23 select STDERR; $| = 1; | |
24 select STDOUT; $| = 1; | |
25 | |
26 eval { require IO::Socket::SSL; }; | |
27 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
28 eval { IO::Socket::SSL->can_client_sni() or die; }; | |
29 plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@; | |
30 eval { IO::Socket::SSL->can_alpn() or die; }; | |
31 plan(skip_all => 'OpenSSL ALPN support required') if $@; | |
32 | |
33 my $t = Test::Nginx->new()->has(qw/http http_ssl http_v2/) | |
34 ->has_daemon('openssl')->plan(3); | |
35 | |
36 $t->write_file_expand('nginx.conf', <<'EOF'); | |
37 | |
38 %%TEST_GLOBALS%% | |
39 | |
40 daemon off; | |
41 | |
42 events { | |
43 } | |
44 | |
45 http { | |
46 %%TEST_GLOBALS_HTTP%% | |
47 | |
48 ssl_certificate_key localhost.key; | |
49 ssl_certificate localhost.crt; | |
50 | |
51 ssl_verify_client optional_no_ca; | |
52 | |
53 add_header X-Verify $ssl_client_verify; | |
54 | |
55 server { | |
56 listen 127.0.0.1:8443 ssl http2; | |
57 server_name localhost; | |
58 | |
59 ssl_client_certificate client.crt; | |
60 | |
61 location / { } | |
62 } | |
63 | |
64 server { | |
65 listen 127.0.0.1:8443 ssl http2; | |
66 server_name example.com; | |
67 | |
68 location / { } | |
69 } | |
70 } | |
71 | |
72 EOF | |
73 | |
74 $t->write_file('openssl.conf', <<EOF); | |
75 [ req ] | |
76 default_bits = 2048 | |
77 encrypt_key = no | |
78 distinguished_name = req_distinguished_name | |
79 [ req_distinguished_name ] | |
80 EOF | |
81 | |
82 my $d = $t->testdir(); | |
83 | |
84 foreach my $name ('localhost', 'client') { | |
85 system('openssl req -x509 -new ' | |
86 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | |
87 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | |
88 . ">>$d/openssl.out 2>&1") == 0 | |
89 or die "Can't create certificate for $name: $!\n"; | |
90 } | |
91 | |
92 $t->write_file('t', 'SEE-THIS'); | |
93 | |
94 $t->run(); | |
95 | |
96 ############################################################################### | |
97 | |
98 is(get('localhost')->{'x-verify'}, 'SUCCESS', 'success'); | |
99 is(get('example.com')->{'x-verify'}, 'FAILED', 'failed'); | |
100 | |
101 # used to be "400 Bad Request" before 654d2dae97d3 (1.11.0) | |
102 | |
103 TODO: { | |
104 local $TODO = 'not yet' unless $t->has_version('1.11.0'); | |
105 | |
106 is(get('localhost', 'example.com')->{':status'}, '421', 'misdirected'); | |
107 | |
108 } | |
109 | |
110 ############################################################################### | |
111 | |
112 sub get { | |
113 my ($sni, $host) = @_; | |
114 my $s; | |
115 | |
116 $host = $sni if !defined $host; | |
117 | |
118 eval { | |
119 local $SIG{ALRM} = sub { die "timeout\n" }; | |
120 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
121 alarm(2); | |
122 $s = IO::Socket::SSL->new( | |
123 Proto => 'tcp', | |
124 PeerAddr => '127.0.0.1', | |
125 PeerPort => 8443, | |
126 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
127 SSL_alpn_protocols => [ 'h2' ], | |
128 SSL_hostname => $sni, | |
129 SSL_cert_file => "$d/client.crt", | |
130 SSL_key_file => "$d/client.key", | |
131 SSL_error_trap => sub { die $_[1] } | |
132 ); | |
133 alarm(0); | |
134 }; | |
135 alarm(0); | |
136 | |
137 if ($@) { | |
138 log_in("died: $@"); | |
139 return undef; | |
140 } | |
141 | |
142 my $sess = new_session(8443, socket => $s); | |
143 my $sid = new_stream($sess, { headers => [ | |
144 { name => ':method', value => 'GET', mode => 0 }, | |
145 { name => ':scheme', value => 'http', mode => 0 }, | |
146 { name => ':path', value => '/t', mode => 1 }, | |
147 { name => ':authority', value => $host, mode => 1 }]}); | |
148 my $frames = h2_read($sess, all => [{ sid => $sid, fin => 1 }]); | |
149 | |
150 my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; | |
151 return $frame->{'headers'}; | |
152 } | |
153 | |
154 ############################################################################### |