# HG changeset patch
# User Andrey Zelenkov
# Date 1440516964 -10800
# Node ID 97660514e518e87bb12b8cf86ebd9e3cf354f764
# Parent 4765f3981d91a5a205a3d82079082bdc95577a90
Tests: more http ssl tests.
Added ssl_session_cache, certificate inheritance, session timeout and some embedded variables tests.
diff --git a/ssl.t b/ssl.t
--- a/ssl.t
+++ b/ssl.t
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 # (C) Sergey Kandaurov
+# (C) Andrey Zelenkov
 # (C) Nginx, Inc.
 # Tests for http ssl module.
@@ -30,7 +31,7 @@ plan(skip_all => 'IO::Socket::SSL too ol
 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/)
 ->has_daemon('openssl');
-$t->plan(4)->write_file_expand('nginx.conf', <<'EOF');
+$t->plan(18)->write_file_expand('nginx.conf', <<'EOF');
 %%TEST_GLOBALS%%
@@ -42,15 +43,18 @@ events {
 http {
 %%TEST_GLOBALS_HTTP%%
+ ssl_certificate_key localhost.key;
+ ssl_certificate localhost.crt;
+ ssl_session_tickets off;
+
 server {
 listen 127.0.0.1:8443 ssl;
 listen 127.0.0.1:8080;
 server_name localhost;
- ssl_certificate_key localhost.key;
- ssl_certificate localhost.crt;
+ ssl_certificate_key inner.key;
+ ssl_certificate inner.crt;
 ssl_session_cache shared:SSL:1m;
- ssl_session_tickets off;
 location /reuse {
 return 200 "body $ssl_session_reused";
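Review bot: Moving `ssl_session_tickets off;` and the `localhost` certificate up to the http block changes what every server in this file inherits, yet the hunk leaves no comment on why either is global. Presumably tickets are disabled so that `$ssl_session_reused` in the cache tests reflects only the server-side session cache rather than ticket resumption, and the http-level certificate exists so that a server without its own `ssl_certificate` can be checked against `CN=localhost` while 8443 overrides it with `inner.crt`. A comment above the three directives stating both would save the next reader a trip through the test body, e.g. `# inherited by every server below; 8443 overrides the certificate (inheritance test)` and `# tickets off so $ssl_session_reused reflects the session cache only`.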
@@ -58,6 +62,63 @@ http {
 location /id {
 return 200 "body $ssl_session_id";
 }
+ location /cipher {
+ return 200 "body $ssl_cipher";
+ }
+ location /client_verify {
+ return 200 "body $ssl_client_verify";
+ }
+ location /protocol {
+ return 200 "body $ssl_protocol";
+ }
+ }
+
+ server {
+ listen 127.0.0.1:8081;
+ server_name localhost;
+
+ # Special case for enabled "ssl" directive.
+
+ ssl on;
+ ssl_session_cache builtin;
+ ssl_session_timeout 1;
+
+ location / {
+ return 200 "body $ssl_session_reused";
+ }
+ }
+
+ server {
+ listen 127.0.0.1:8082 ssl;
+ server_name localhost;
+
+ ssl_session_cache builtin:1000;
+
+ location / {
+ return 200 "body $ssl_session_reused";
+ }
+ }
+
+ server {
+ listen 127.0.0.1:8083 ssl;
+ server_name localhost;
+
+ ssl_session_cache none;
+
+ location / {
+ return 200 "body $ssl_session_reused";
+ }
+ }
+
+ server {
+ listen 127.0.0.1:8084 ssl;
+ server_name localhost;
+
+ ssl_session_cache off;
+
+ location / {
+ return 200 "body $ssl_session_reused";
+ }
 }
 }
@@ -73,7 +134,7 @@ EOF
 my $d = $t->testdir();
-foreach my $name ('localhost') {
+foreach my $name ('localhost', 'inner') {
 system('openssl req -x509 -new '
 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
 . "-out '$d/$name.crt' -keyout '$d/$name.key' "
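Review bot: `ssl_session_timeout 1;` in the 8081 server is only meaningful together with a hard-coded `select undef, undef, undef, 2.1;` delay further down the file, but the comment above it mentions only the `ssl on` special case. Anyone tuning either number will break 'session timeout' without a hint, so extend the comment: `# no certificate here on purpose (inherited from http); the 1s timeout is paired with the 2.1s sleep in the timeout test`. The `listen 127.0.0.1:8081;` without the `ssl` parameter is presumably what the "special case" refers to, which is worth saying explicitly since every other new server uses `listen ... ssl`.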
@@ -90,19 +151,69 @@ my $ctx = new IO::Socket::SSL::SSL_Conte
 ###############################################################################
 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body \.$/m,
- 'initial session');
+ 'shared initial session');
 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body r$/m,
- 'session reused');
+ 'shared session reused');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m,
+ 'builtin initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body r$/m,
+ 'builtin session reused');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body \.$/m,
+ 'builtin size initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body r$/m,
+ 'builtin size session reused');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m,
+ 'reused none initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m,
+ 'session not reused 1');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m,
+ 'reused off initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m,
+ 'session not reused 2');
+
+# ssl certificate inheritance
+
+my $s = get_ssl_socket($ctx, 8081);
+like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN');
+
+$s->close();
+
+$s = get_ssl_socket($ctx);
+like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner');
+
+$s->close();
+
+# session timeout
+
+select undef, undef, undef, 2.1;
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m,
+ 'session timeout');
+
+# embedded variables
 my ($sid) = http_get('/id', socket => get_ssl_socket($ctx)) =~ /^body (\w+)$/m;
 is(length $sid, 64, 'session id');
 unlike(http_get('/id'), qr/body \w/, 'session id no ssl');
+like(http_get('/cipher', socket => get_ssl_socket($ctx)),
+ qr/^body [\w-]+$/m, 'cipher');
+
+like(http_get('/client_verify', socket => get_ssl_socket($ctx)),
+ qr/^body NONE$/m, 'client verify');
+
+like(http_get('/protocol', socket => get_ssl_socket($ctx)),
+ qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol');
+
 ###############################################################################
 sub get_ssl_socket {
- my ($ctx) = @_;
+ my ($ctx, $port) = @_;
 my $s;
 eval {
@@ -111,7 +222,8 @@ sub get_ssl_socket {
 alarm(2);
 $s = IO::Socket::SSL->new(
 Proto => 'tcp',
- PeerAddr => '127.0.0.1:8443',
+ PeerAddr => '127.0.0.1',
+ PeerPort => $port || '8443',
 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
 SSL_reuse_ctx => $ctx,
 SSL_error_trap => sub { die $_[1] }
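Review bot: The `select undef, undef, undef, 2.1;` before the 'session timeout' check is a bare magic delay; it only makes sense against `ssl_session_timeout 1` on the 8081 server, so name that dependency at the call site: `# sleep past the 8081 server's 1s ssl_session_timeout so the next handshake must start a fresh session`. The protocol pattern `(\d|\.)+` is more readable as a character class, `qr/^body (TLS|SSL)v[\d.]+$/m`, with no change in what it accepts. The body of get_ssl_socket begins in this hunk and continues past it.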
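Review bot: `PeerPort => $port || '8443',` falls back on any false value, not only on a missing argument; since `$port` is an optional positional parameter, the defined-or form `PeerPort => $port // 8443,` states the intent more precisely (assuming the suite's minimum perl allows `//`, which I cannot see from this hunk). A note on the new signature in the previous hunk, `# $port defaults to the shared-cache server on 8443`, would keep the default discoverable now that it is no longer visible in the PeerAddr string. The enclosing eval and the rest of get_ssl_socket lie outside the hunk.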