# HG changeset patch # User Valentin Bartenev # Date 1349045697 -14400 # Node ID 90af19544dd232c76f28020babe38d4fc0a27a80 # Parent 5ac875a3088ee97d4c9e8a6b2c01dce0747ddc02 Tests: https sni tests. diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm --- a/lib/Test/Nginx.pm +++ b/lib/Test/Nginx.pm @@ -68,6 +68,7 @@ sub has_module($) { my ($self, $feature) = @_; my %regex = ( + sni => 'TLS SNI support enabled', mail => '--with-mail(?!\S)', flv => '--with-http_flv_module', perl => '--with-http_perl_module', @@ -387,7 +388,7 @@ sub http($;%) { local $SIG{ALRM} = sub { die "timeout\n" }; local $SIG{PIPE} = sub { die "sigpipe\n" }; alarm(2); - my $s = IO::Socket::INET->new( + my $s = $extra{socket} || IO::Socket::INET->new( Proto => 'tcp', PeerAddr => '127.0.0.1:8080' ); diff --git a/ssl_sni.t b/ssl_sni.t new file mode 100644 --- /dev/null +++ b/ssl_sni.t @@ -0,0 +1,166 @@ +#!/usr/bin/perl + +# (C) Maxim Dounin +# (C) Valentin Bartenev + +# Tests for Server Name Indication (SNI) TLS extension + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite/) + ->has_daemon('openssl') + ->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + server { + listen 127.0.0.1:8443 ssl; + server_name localhost; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + + location / { + return 200 $server_name; + } + } + + server { + listen 127.0.0.1:8443; + server_name example.com; + + ssl_certificate_key example.com.key; + ssl_certificate example.com.crt; + + location / { + return 200 $server_name; + } + } +} + +EOF + +eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 1.56; }; +plan(skip_all => 'IO::Socket::SSL version >= 1.56 required') if $@; + +eval { + my $ctx = Net::SSLeay::CTX_new() or die; + my $ssl = Net::SSLeay::new($ctx) or die; + Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; +}; +plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; + +$t->plan(6); + +$t->write_file('openssl.conf', <testdir(); + +foreach my $name ('localhost', 'example.com') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->run(); + +############################################################################### + +like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); +like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); + +like(https_get_host('example.com'), qr!example.com!, + 'host exists, sni exists, and host is equal sni'); + +like(https_get_host('example.com', 'example.org'), qr!example.com!, + 'host exists, sni not found'); + +TODO: { +local $TODO = 'sni restrictions'; + +like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, + 'host exists, sni exists, and host is not equal sni'); + +like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, + 'host not found, sni exists'); + +} + +############################################################################### + +sub get_ssl_socket { + my ($host) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(2); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1:8443', + SSL_hostname => $host, + SSL_error_trap => sub { die $_[1] } + ); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +sub get_cert_cn { + my ($host) = @_; + my $s = get_ssl_socket($host); + + return $s->dump_peer_certificate(); +} + +sub https_get_host { + my ($host, $sni) = @_; + my $s = get_ssl_socket($sni ? $sni : $host); + + return http(< $s); +GET / HTTP/1.0 +Host: $host + +EOF +} + +###############################################################################