changeset 1724:1522ab9d37b4

Tests: Auth-SSL-Protocol and Auth-SSL-Cipher tests (ticket #2134).
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 18 Aug 2021 17:43:43 +0300
parents 3581dc3c1937
children f4c79ee52d8f
files mail_imap_ssl.t
diffstat 1 files changed, 57 insertions(+), 1 deletions(-) [+]
--- a/mail_imap_ssl.t
+++ b/mail_imap_ssl.t
@@ -34,7 +34,7 @@ plan(skip_all => 'IO::Socket::SSL too ol
 local $SIG{PIPE} = 'IGNORE';
 
 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap http rewrite/)
-	->has_daemon('openssl')->plan(12)
+	->has_daemon('openssl')->plan(13)
 	->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
@@ -99,6 +99,7 @@ http {
                       '$http_auth_ssl_subject:$http_auth_ssl_issuer:'
                       '$http_auth_ssl_serial:$http_auth_ssl_fingerprint:'
                       '$http_auth_ssl_cert:$http_auth_pass';
+    log_format  test2 '$http_auth_ssl_cipher:$http_auth_ssl_protocol';
 
     server {
         listen       127.0.0.1:8080;
@@ -106,6 +107,7 @@ http {
 
         location = /mail/auth {
             access_log auth.log test;
+            access_log auth2.log test2;
 
             add_header Auth-Status OK;
             add_header Auth-Server 127.0.0.1;
@@ -208,6 +210,18 @@ my $s = Test::Nginx::IMAP->new(PeerAddr 
 $s->ok('trusted cert');
 $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5"));
 $s->read();
+
+# Auth-SSL-Protocol and Auth-SSL-Cipher headers
+
+my ($cipher, $sslversion);
+
+if ($IO::Socket::SSL::VERSION >= 1.964) {
+	$s = get_ssl_socket(8143);
+	$cipher = $s->get_cipher();
+	$sslversion = $s->get_sslversion();
+	$sslversion =~ s/_/./;
+}
+
 undef $s;
 
 # test auth_http request header fields with access_log
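Review bot: The result of `get_ssl_socket(8143)` is dereferenced without a check, and that helper returns undef on a timeout or handshake error, so `$s->get_cipher()` would abort the whole script rather than fail or skip the one new test. Keeping the probe in its own variable and guarding it, e.g. `my $c = get_ssl_socket(8143);` then `($cipher, $sslversion) = ($c->get_cipher(), $c->get_sslversion()) if $c;`, leaves `$cipher` undefined on failure. The later SKIP block would then also need to skip when `$cipher` is undefined. The probe is a separate connection from the sessions that produced the log lines, so the test appears to assume both negotiate the same protocol and cipher; a one-line comment saying so would help whoever debugs a mismatch.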
@@ -225,4 +239,46 @@ like($f, qr!^on:SUCCESS:(/?CN=2.example.
 like($f, qr!^on:SUCCESS:(/?CN=3.example.com):\1:\w+:\w+:[^:]+:s5$!m,
 	'log - trusted cert');
 
+SKIP: {
+skip 'IO::Socket::SSL version >= 1.964 required', 1
+	if $IO::Socket::SSL::VERSION < 1.964;
+
+TODO: {
+local $TODO = 'not yet' unless $t->has_version('1.21.2');
+
+$f = $t->read_file('auth2.log');
+like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion');
+
+}
+
+}
+
 ###############################################################################
+
+sub get_ssl_socket {
+	my ($port) = @_;
+	my $s;
+
+	eval {
+		local $SIG{ALRM} = sub { die "timeout\n" };
+		local $SIG{PIPE} = sub { die "sigpipe\n" };
+		alarm(8);
+		$s = IO::Socket::SSL->new(
+			Proto => 'tcp',
+			PeerAddr => '127.0.0.1:' . port($port),
+			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
+			SSL_error_trap => sub { die $_[1] }
+		);
+		alarm(0);
+	};
+	alarm(0);
+
+	if ($@) {
+		log_in("died: $@");
+		return undef;
+	}
+
+	return $s;
+}
+
+###############################################################################
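Review bot: The pattern `qr|^$cipher:$sslversion$|m` interpolates both values unquoted, so the `.` that the earlier hunk substitutes into `$sslversion` acts as a wildcard, and `TLSv1_2` or any other single character in that position would still pass. Since this test pins the exact form of the Auth-SSL-Protocol and Auth-SSL-Cipher values handed to the auth_http backend, quoting makes it a literal match: `like($f, qr|^\Q$cipher:$sslversion\E$|m, 'log - cipher sslversion');`. Separately, in `get_ssl_socket` a bare `return;` is the conventional form instead of `return undef;`, which yields a one-element list in list context.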