Mercurial > hg > nginx-tests
view ssl_verify_depth.t @ 1185:368ab1d8ed8b
Tests: unbreak h2.t with aio.
Postpone sending client's SETTINGS until after server exhausted stream window,
so the expected result does not depend on the time when SETTINGS was applied.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 06 Jun 2017 21:41:09 +0300 |
| parents | 5b22e2014f76 |
| children | 0af58b78df35 |
line wrap: on
line source
#!/usr/bin/perl # (C) Sergey Kandaurov # (C) Nginx, Inc. # Tests for http ssl module, ssl_verify_depth. ############################################################################### use warnings; use strict; use Test::More; BEGIN { use FindBin; chdir($FindBin::Bin); } use lib 'lib'; use Test::Nginx; ############################################################################### select STDERR; $| = 1; select STDOUT; $| = 1; eval { require IO::Socket::SSL; }; plan(skip_all => 'IO::Socket::SSL not installed') if $@; eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; plan(skip_all => 'IO::Socket::SSL too old') if $@; my $t = Test::Nginx->new()->has(qw/http http_ssl/) ->has_daemon('openssl')->plan(2); $t->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% daemon off; events { } http { %%TEST_GLOBALS_HTTP%% ssl_certificate_key localhost.key; ssl_certificate localhost.crt; ssl_verify_client on; ssl_client_certificate int-root.crt; add_header X-Verify $ssl_client_verify; server { listen 127.0.0.1:8080 ssl; server_name localhost; ssl_verify_depth 0; } } EOF my $d = $t->testdir(); $t->write_file('openssl.conf', <<EOF); [ req ] default_bits = 1024 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] EOF $t->write_file('ca.conf', <<EOF); [ ca ] default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex default_md = sha1 policy = myca_policy serial = $d/certserial default_days = 1 [ myca_policy ] commonName = supplied EOF foreach my $name ('root', 'localhost') { system('openssl req -x509 -new ' . "-config '$d/openssl.conf' -subj '/CN=$name/' " . "-out '$d/$name.crt' -keyout '$d/$name.key' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } foreach my $name ('int', 'end') { system("openssl req -new " . "-config '$d/openssl.conf' -subj '/CN=$name/' " . "-out '$d/$name.csr' -keyout '$d/$name.key' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } $t->write_file('certserial', '1000'); $t->write_file('certindex', ''); system("openssl ca -batch -config '$d/ca.conf' " . "-keyfile '$d/root.key' -cert '$d/root.crt' " . "-subj '/CN=int/' -in '$d/int.csr' -out '$d/int.crt' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't sign certificate for int: $!\n"; system("openssl ca -batch -config '$d/ca.conf' " . "-keyfile '$d/int.key' -cert '$d/int.crt' " . "-subj '/CN=end/' -in '$d/end.csr' -out '$d/end.crt' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't sign certificate for end: $!\n"; $t->write_file('int-root.crt', $t->read_file('int.crt') . $t->read_file('root.crt')); $t->write_file('t', ''); $t->run(); ############################################################################### like(get(8080, 'root'), qr/SUCCESS/, 'verify depth'); like(get(8080, 'end'), qr/400 Bad Request/, 'verify depth limited'); ############################################################################### sub get { my ($port, $cert) = @_; my $s = get_ssl_socket($port, $cert) or return; http_get('/t', socket => $s); } sub get_ssl_socket { my ($port, $cert) = @_; my ($s); eval { local $SIG{ALRM} = sub { die "timeout\n" }; local $SIG{PIPE} = sub { die "sigpipe\n" }; alarm(2); $s = IO::Socket::SSL->new( Proto => 'tcp', PeerAddr => '127.0.0.1', PeerPort => port($port), SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), SSL_cert_file => "$d/$cert.crt", SSL_key_file => "$d/$cert.key", SSL_error_trap => sub { die $_[1] } ); alarm(0); }; alarm(0); if ($@) { log_in("died: $@"); return undef; } return $s; } ###############################################################################