# HG changeset patch # User Sergey Kandaurov # Date 1592580085 -10800 # Node ID 804a7409bc63e8b7e3ad4c66152b7d86610a84aa # Parent 8177323823d6b69f1127a167153b8d4e62c04b8c Tests: added ssl_ocsp test with failing request. diff --git a/ssl_ocsp.t b/ssl_ocsp.t --- a/ssl_ocsp.t +++ b/ssl_ocsp.t @@ -88,9 +88,17 @@ http { } server { + listen 127.0.0.1:8443 ssl; + server_name resolver; + + ssl_ocsp on; + } + + server { listen 127.0.0.1:8444 ssl; server_name localhost; + ssl_ocsp_responder http://127.0.0.1:8081; ssl_ocsp on; } @@ -151,6 +159,29 @@ basicConstraints = critical,CA:TRUE authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p EOF +# variant for int.crt to trigger missing resolver + +$t->write_file('ca2.conf', <write_file('certserial', '1000'); $t->write_file('certindex', ''); -system("openssl ca -batch -config $d/ca.conf " +system("openssl ca -batch -config $d/ca2.conf " . "-keyfile $d/root.key -cert $d/root.crt " . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " . ">>$d/openssl.out 2>&1") == 0 @@ -256,7 +287,7 @@ foreach my $name ('ec', 'rsa') { $t->run_daemon(\&http_daemon, $t, port(8081)); $t->run_daemon(\&http_daemon, $t, port(8082)); -$t->try_run('no ssl_ocsp')->plan(13); +$t->try_run('no ssl_ocsp')->plan(14); $t->waitforsocket("127.0.0.1:" . port(8081)); $t->waitforsocket("127.0.0.1:" . port(8082)); @@ -267,6 +298,18 @@ my $version = get_version(); like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf'); +# demonstrate that ocsp int request is failed due to missing resolver + +TODO: { +todo_skip 'leaves coredump', 1 unless $t->has_version('1.19.1') + or $ENV{TEST_NGINX_UNSAFE}; + +like(get('RSA', 'end', sni => 'resolver'), + qr/400 Bad.*FAILED:certificate status request failed/s, + 'ocsp many failed request'); + +} + # demonstrate that ocsp int request is actually made by failing ocsp response like(get('RSA', 'end', port => 8444),
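
Review bot: in the hunk at @@ -88,9 +88,17 @@, the new server block on 127.0.0.1:8443 (server_name resolver) sets only "ssl_ocsp on;", and nothing in the config says that leaving out both a resolver and an ssl_ocsp_responder is the purpose of the block. Add a one-line comment above it, in the style of "# variant for int.crt to trigger missing resolver" used later in the patch, so that a later cleanup does not "fix" the block. The "ssl_ocsp_responder http://127.0.0.1:8081;" added to the 8444 server needs the same treatment: if it is there because int.crt is now issued from ca2.conf, say so next to the directive.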
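
Review bot: in the hunk at @@ -151,6 +159,29 @@, changing the openssl ca call from "-config $d/ca.conf" to "-config $d/ca2.conf" changes how the one shared int.crt is issued, so every existing check that validates a chain through int.crt now depends on the ca2.conf variant, not only the new test. Extend the "# variant for int.crt to trigger missing resolver" comment to state which servers are expected to keep working and why (for example the explicit ssl_ocsp_responder on 8444), or issue a second intermediate certificate from ca2.conf for the resolver case and leave int.crt on ca.conf.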
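
Review bot: in the hunk at @@ -267,6 +298,18 @@, the test name 'ocsp many failed request' does not match the comment above it ("ocsp int request is failed due to missing resolver") and will be hard to interpret in a failing test report; name it after what it checks, for example 'ocsp int request failed, no resolver'. The todo_skip reason 'leaves coredump' is also terse: spell out that the request is skipped on versions before 1.19.1 unless TEST_NGINX_UNSAFE is set, so the gating is clear from the output alone. The call get('RSA', 'end', sni => 'resolver') relies on the get() helper passing the sni argument through, and no change to get() is visible in this patch, so please confirm the helper already does; otherwise the request will not reach the server_name resolver block.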