view quic_migration.t @ 1923:1b9f21836f57

Tests: enabled TLSv1 in uwsgi SSL tests. In newer uWSGI releases, TLSv1 is disabled by default. It is now re-enabled to make it possible to run tests with OpenSSL versions older than 1.0.1, the release in which TLSv1.1 and TLSv1.2 support was introduced.
author Maxim Dounin <>
date Wed, 12 Jul 2023 02:40:49 +0300
parents 8b74936ff2ac
children b68471aee5ad


# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for quic connection migration.


use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP3;


# Enable autoflush ($| = 1) on STDERR and then on STDOUT; STDOUT is left as
# the currently selected output handle.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Skip the whole file unless a socket can be created with the given local
# address; the migration tests below open their second socket with an
# explicit LocalAddr as well.
# NOTE(review): LocalAddr is an empty string in this listing, so the address
# literal appears to have been lost; confirm against the repository copy.
plan(skip_all => ' local address required')
	unless defined IO::Socket::INET->new( LocalAddr => '' );

# Build the test harness object and require the http, http_v3 and cryptx
# features (names exactly as passed to has()).
# NOTE(review): the statement has no terminating ';' in this listing; the
# rest of the method chain appears to be cut off.
my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)

# Write nginx.conf from a single-quoted heredoc (<<'EOF'), so Perl does not
# interpolate $remote_addr and nginx receives it as its own variable.
# The visible config declares one server with "listen quic" and returns the
# client address as nginx sees it in an X-IP response header; the assertions
# further down read that header back as 'x-ip'.
# X-IP exists only so the test client can observe $remote_addr.
# localhost.key / localhost.crt are generated later in this file by the
# openssl call; no passphrase directive is visible in this config.
# NOTE(review): the heredoc terminator, the closing braces and the listen
# address are absent from this listing, so it appears truncated; compare with
# the repository copy before relying on it.
$t->write_file_expand('nginx.conf', <<'EOF');


daemon off;

events {

http {

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;

    server {
        listen quic;
        server_name  localhost;

        location / {
            add_header X-IP $remote_addr;

# Write the OpenSSL request config used for the test certificate:
# default_bits = 2048 sets the key size, and encrypt_key = no makes openssl
# write the private key without a passphrase. The key is a per-run test
# fixture stored in the test directory.
# The heredoc is unquoted (<<EOF), but the visible body contains nothing Perl
# would interpolate.
# NOTE(review): the heredoc terminator is missing from this listing.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]

# Directory that receives the generated config, certificate, key and the
# openssl output log (all paths below are built from it).
my $d = $t->testdir();

# Generate a self-signed certificate (req -x509 -new) and key for each name,
# appending openssl's stdout and stderr to $d/openssl.out.
# The command is passed to system() as one string, so it goes through the
# shell; that is what makes the ">>" and "2>&1" redirections work, and it also
# means $d and $name are interpolated unquoted. $name comes from the literal
# list below; $d comes from the harness (presumably a harness-created temp
# directory, verify in Test::Nginx). A path containing whitespace or shell
# metacharacters would change how the command is parsed.
# NOTE(review): the die message prints $!, which system() sets only when the
# command could not be started; for a non-zero openssl exit the status is in
# $? and the diagnostic text is in $d/openssl.out.
# NOTE(review): the closing brace of this loop is missing from this listing.
foreach my $name ('localhost') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";

# Create an empty index.html; the assertions below inspect only the x-ip
# response header.
$t->write_file('index.html', '');


# Test that $remote_addr is not truncated after migration (ticket #2488).
# To test this, the client migrates to another address whose text
# representation is long enough, then sends a request on the new path.
# A truncated $remote_addr would misreport the client address to everything
# that consumes the variable, which is why the value is compared exactly.

my $s = Test::Nginx::HTTP3->new();
# Announce an additional client connection ID to the server. The arguments
# are 1, 0, a 15-byte CID string and a 16-byte token string.
# NOTE(review): the meaning of the two numeric arguments is defined in
# Test::Nginx::HTTP3 and not visible here (presumably sequence number and
# retire-prior-to); the reset token is a fixed literal, as suits a fixture.
$s->new_connection_id(1, 0, "connection_id_1", "reset_token_0001");

# Read frames until an 'NCID' frame is seen (presumably the server's
# NEW_CONNECTION_ID) and keep the first one; its cid is used below as the
# destination connection ID.
my $frames = $s->read(all => [{ type => 'NCID' }]);
my ($frame) = grep { $_->{type} eq "NCID" } @$frames;

# Replace the client's socket with a fresh UDP socket, so that subsequent
# packets are sent from a different local endpoint: this is the migration.
# NOTE(review): the LocalAddr and PeerAddr host literals are empty and the
# closing ");" is missing in this listing.
$s->{socket} = IO::Socket::INET->new(
	Proto => "udp",
	LocalAddr => '',
	PeerAddr => '' . port(8980),
# Switch to the new connection IDs: the one announced above as source, the
# server-issued one as destination.
$s->{scid} = "connection_id_1";
$s->{dcid} = $frame->{cid};

# Wait for the server's PATH_CHALLENGE, i.e. its path-validation probe for
# the new client address.
# NOTE(review): the matched frame is not used before $frame is reassigned
# below, and no statement answering the challenge (or triggering it) is
# visible; those lines may be missing from this listing.
$frames = $s->read(all => [{ type => 'PATH_CHALLENGE' }]);
($frame) = grep { $_->{type} eq "PATH_CHALLENGE" } @$frames;

# Open a request stream on the new path, read frames for it (presumably until
# the stream is finished, per fin => 1), and pick the HEADERS frame.
$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
# The X-IP header must carry the complete address the client migrated to.
# NOTE(review): the expected value is '' in this listing; the address literal
# appears to be missing.
is($frame->{headers}{'x-ip'}, '', 'remote addr after migration');

# Test that $remote_addr is not truncated while migration is in progress.
# This is the same scenario as above, except that migration is triggered by
# the request stream itself, which is the first non-probing frame on the new
# path. Truncation of $remote_addr might occur in the following order:
# - the stream held references to the original sockaddr/addr_text, taken on
#   stream creation
# - those values were rewritten as part of handling connection migration
# - the stream was handled referencing the rewritten values, but with the old
#   local lengths
# sockaddr and addr_text are expected to keep copies made on stream creation.

$s = Test::Nginx::HTTP3->new();
# Announce an additional client connection ID, with the same literal CID and
# reset token as in the first test (fixed fixture values).
$s->new_connection_id(1, 0, "connection_id_1", "reset_token_0001");

# Keep the first 'NCID' frame from the server; its cid becomes the
# destination connection ID below.
$frames = $s->read(all => [{ type => 'NCID' }]);
($frame) = grep { $_->{type} eq "NCID" } @$frames;

# Swap in a fresh UDP socket so the next packet leaves from a different local
# endpoint.
# NOTE(review): the LocalAddr and PeerAddr host literals are empty and the
# closing ");" is missing in this listing.
$s->{socket} = IO::Socket::INET->new(
	Proto => "udp",
	LocalAddr => '',
	PeerAddr => '' . port(8980),
$s->{scid} = "connection_id_1";
$s->{dcid} = $frame->{cid};

# Unlike the first test there is no wait for PATH_CHALLENGE here: the request
# stream is the first thing sent from the new socket, so the server handles
# the stream and the address change together.
$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
# The X-IP header must carry the complete new address.
# NOTE(review): the expected value is '' in this listing; the address literal
# appears to be missing.
is($frame->{headers}{'x-ip'}, '', 'remote addr on migration');
