Mercurial > hg > nginx-tests
view mail_imap_ssl.t @ 1938:e1059682aeef
Tests: fixed ClientHello with resending Initial QUIC packets.
Previously it was rebuilt each time using distinct ClientHello.random
resulting in different CRYPTO payload. As such, it led to TLS digest
hash and derived secrets mismatch when resending Initial packet. Now
ClientHello is built once and reused when resending Initial packets.
Additionally, this required to preserve a generated secret value used
in shared secret calculation as part of TLS key schedule. Previously
it was regenerated when receiving a Retry packet, but this won't work
with reused ClientHello as the resulting shared secrets won't match.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 30 Aug 2023 02:22:58 +0400 |
| parents | 2a0a6035a1af |
| children | 84f4d4930835 |
line wrap: on
line source
#!/usr/bin/perl # (C) Maxim Dounin # (C) Sergey Kandaurov # (C) Nginx, Inc. # Tests for nginx mail imap module with ssl. ############################################################################### use warnings; use strict; use Test::More; use MIME::Base64; BEGIN { use FindBin; chdir($FindBin::Bin); } use lib 'lib'; use Test::Nginx; use Test::Nginx::IMAP; ############################################################################### select STDERR; $| = 1; select STDOUT; $| = 1; local $SIG{PIPE} = 'IGNORE'; my $t = Test::Nginx->new() ->has(qw/mail mail_ssl imap http rewrite socket_ssl_sslversion/) ->has_daemon('openssl')->plan(13) ->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% daemon off; events { } mail { proxy_pass_error_message on; proxy_timeout 15s; auth_http http://127.0.0.1:8080/mail/auth; auth_http_pass_client_cert on; ssl_certificate_key 1.example.com.key; ssl_certificate 1.example.com.crt; server { listen 127.0.0.1:8143; protocol imap; } server { listen 127.0.0.1:8993 ssl; protocol imap; ssl_verify_client on; ssl_client_certificate 2.example.com.crt; } server { listen 127.0.0.1:8994 ssl; protocol imap; ssl_verify_client optional; ssl_client_certificate 2.example.com.crt; } server { listen 127.0.0.1:8995 ssl; protocol imap; ssl_verify_client optional; ssl_client_certificate 2.example.com.crt; ssl_trusted_certificate 3.example.com.crt; } server { listen 127.0.0.1:8996 ssl; protocol imap; ssl_verify_client optional_no_ca; ssl_client_certificate 2.example.com.crt; } } http { %%TEST_GLOBALS_HTTP%% log_format test '$http_auth_ssl:$http_auth_ssl_verify:' '$http_auth_ssl_subject:$http_auth_ssl_issuer:' '$http_auth_ssl_serial:$http_auth_ssl_fingerprint:' '$http_auth_ssl_cert:$http_auth_pass'; log_format test2 '$http_auth_ssl_cipher:$http_auth_ssl_protocol'; server { listen 127.0.0.1:8080; server_name localhost; location = /mail/auth { access_log auth.log test; access_log auth2.log test2; add_header Auth-Status OK; add_header Auth-Server 127.0.0.1; add_header Auth-Port %%PORT_8144%%; add_header Auth-Wait 1; return 204; } } } EOF $t->write_file('openssl.conf', <<EOF); [ req ] default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] EOF my $d = $t->testdir(); foreach my $name ('1.example.com', '2.example.com', '3.example.com') { system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ " . "-out $d/$name.crt -keyout $d/$name.key " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } $t->run_daemon(\&Test::Nginx::IMAP::imap_test_daemon); $t->run()->waitforsocket('127.0.0.1:' . port(8144)); ############################################################################### my $cred = sub { encode_base64("\0test\@example.com\0$_[0]", '') }; # no ssl connection my $s = Test::Nginx::IMAP->new(); $s->ok('plain connection'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s1")); # no cert $s = Test::Nginx::IMAP->new(SSL => 1); $s->check(qr/BYE No required SSL certificate/, 'no cert'); # no cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8994), SSL => 1); $s->ok('no optional cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s2")); # wrong cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8995), SSL => 1, SSL_cert_file => "$d/1.example.com.crt", SSL_key_file => "$d/1.example.com.key" ); $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); # wrong cert with ssl_verify_client optional_no_ca $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8996), SSL => 1, SSL_cert_file => "$d/1.example.com.crt", SSL_key_file => "$d/1.example.com.key" ); $s->ok('bad optional_no_ca cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s3")); # matching cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8995), SSL => 1, SSL_cert_file => "$d/2.example.com.crt", SSL_key_file => "$d/2.example.com.key" ); $s->ok('good cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s4")); # trusted cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8995), SSL => 1, SSL_cert_file => "$d/3.example.com.crt", SSL_key_file => "$d/3.example.com.key" ); $s->ok('trusted cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5")); $s->read(); # Auth-SSL-Protocol and Auth-SSL-Cipher headers my ($cipher, $sslversion); $s = Test::Nginx::IMAP->new(SSL => 1); $cipher = $s->socket()->get_cipher(); $sslversion = $s->socket()->get_sslversion(); $sslversion =~ s/_/./; undef $s; # test auth_http request header fields with access_log $t->stop(); my $f = $t->read_file('auth.log'); like($f, qr/^-:-:-:-:-:-:-\x0d?\x0a?:s1$/m, 'log - plain connection'); like($f, qr/^on:NONE:-:-:-:-:-\x0d?\x0a?:s2$/m, 'log - no cert'); like($f, qr!^on:FAILED(?:.*):(/?CN=1.example.com):\1:\w+:\w+:[^:]+:s3$!m, 'log - bad cert'); like($f, qr!^on:SUCCESS:(/?CN=2.example.com):\1:\w+:\w+:[^:]+:s4$!m, 'log - good cert'); like($f, qr!^on:SUCCESS:(/?CN=3.example.com):\1:\w+:\w+:[^:]+:s5$!m, 'log - trusted cert'); $f = $t->read_file('auth2.log'); like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion'); ###############################################################################