changeset 664:97660514e518

Tests: more http ssl tests. Added ssl_session_cache, certificate inheritance, session timeout and some embedded variables tests.
author Andrey Zelenkov <zelenkov@nginx.com>
date Tue, 25 Aug 2015 18:36:04 +0300
parents 4765f3981d91
children 3a8dc14b98ba
files ssl.t
diffstat 1 files changed, 121 insertions(+), 9 deletions(-) [+]
--- a/ssl.t
+++ b/ssl.t
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 
 # (C) Sergey Kandaurov
+# (C) Andrey Zelenkov
 # (C) Nginx, Inc.
 
 # Tests for http ssl module.
@@ -30,7 +31,7 @@ plan(skip_all => 'IO::Socket::SSL too ol
 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/)
 	->has_daemon('openssl');
 
-$t->plan(4)->write_file_expand('nginx.conf', <<'EOF');
+$t->plan(18)->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
 
@@ -42,15 +43,18 @@ events {
 http {
     %%TEST_GLOBALS_HTTP%%
 
+    ssl_certificate_key localhost.key;
+    ssl_certificate localhost.crt;
+    ssl_session_tickets off;
+
     server {
         listen       127.0.0.1:8443 ssl;
         listen       127.0.0.1:8080;
         server_name  localhost;
 
-        ssl_certificate_key localhost.key;
-        ssl_certificate localhost.crt;
+        ssl_certificate_key inner.key;
+        ssl_certificate inner.crt;
         ssl_session_cache shared:SSL:1m;
-        ssl_session_tickets off;
 
         location /reuse {
             return 200 "body $ssl_session_reused";
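Review bot: Moving `ssl_session_tickets off;` up to the http block comes with no comment on why, yet the `ssl_session_cache none` and `ssl_session_cache off` servers added later in this commit presumably depend on it. With tickets enabled, a client could resume a session without any server-side cache, so the 'session not reused' assertions would no longer isolate the cache setting. A comment above the directive would record that, e.g. `# tickets off for every server so that reuse depends only on ssl_session_cache`. A second comment above the http-level `ssl_certificate` lines could say they exist to be inherited by the servers that configure no certificate of their own. The http block continues past this hunk.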
@@ -58,6 +62,63 @@ http {
         location /id {
             return 200 "body $ssl_session_id";
         }
+        location /cipher {
+            return 200 "body $ssl_cipher";
+        }
+        location /client_verify {
+            return 200 "body $ssl_client_verify";
+        }
+        location /protocol {
+            return 200 "body $ssl_protocol";
+        }
+    }
+
+    server {
+        listen      127.0.0.1:8081;
+        server_name  localhost;
+
+        # Special case for enabled "ssl" directive.
+
+        ssl on;
+        ssl_session_cache builtin;
+        ssl_session_timeout 1;
+
+        location / {
+            return 200 "body $ssl_session_reused";
+        }
+    }
+
+    server {
+        listen      127.0.0.1:8082 ssl;
+        server_name  localhost;
+
+        ssl_session_cache builtin:1000;
+
+        location / {
+            return 200 "body $ssl_session_reused";
+        }
+    }
+
+    server {
+        listen      127.0.0.1:8083 ssl;
+        server_name  localhost;
+
+        ssl_session_cache none;
+
+        location / {
+            return 200 "body $ssl_session_reused";
+        }
+    }
+
+    server {
+        listen      127.0.0.1:8084 ssl;
+        server_name  localhost;
+
+        ssl_session_cache off;
+
+        location / {
+            return 200 "body $ssl_session_reused";
+        }
     }
 }
 
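Review bot: The server on 8081 carries `ssl_session_timeout 1;` and is also the server the 'builtin session reused' assertion and the first CN check connect to. Those checks therefore only pass if the consecutive handshakes complete within about one second of each other. On a loaded or slow test host the session could already have expired, so the reuse assertion would fail for a reason unrelated to `ssl_session_cache builtin`. Giving the timeout its own server block on a separate port, and pointing only the 'session timeout' test at it, would keep the reuse test timing-independent. The comment `# Special case for enabled "ssl" directive.` could also say that this block doubles as the timeout fixture, if it stays that way.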
@@ -73,7 +134,7 @@ EOF
 
 my $d = $t->testdir();
 
-foreach my $name ('localhost') {
+foreach my $name ('localhost', 'inner') {
 	system('openssl req -x509 -new '
 		. "-config '$d/openssl.conf' -subj '/CN=$name/' "
 		. "-out '$d/$name.crt' -keyout '$d/$name.key' "
@@ -90,19 +151,69 @@ my $ctx = new IO::Socket::SSL::SSL_Conte
 ###############################################################################
 
 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body \.$/m,
-	'initial session');
+	'shared initial session');
 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body r$/m,
-	'session reused');
+	'shared session reused');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m,
+	'builtin initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body r$/m,
+	'builtin session reused');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body \.$/m,
+	'builtin size initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body r$/m,
+	'builtin size session reused');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m,
+	'reused none initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m,
+	'session not reused 1');
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m,
+	'reused off initial session');
+like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m,
+	'session not reused 2');
+
+# ssl certificate inheritance
+
+my $s = get_ssl_socket($ctx, 8081);
+like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN');
+
+$s->close();
+
+$s = get_ssl_socket($ctx);
+like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner');
+
+$s->close();
+
+# session timeout
+
+select undef, undef, undef, 2.1;
+
+like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m,
+	'session timeout');
+
+# embedded variables
 
 my ($sid) = http_get('/id', socket => get_ssl_socket($ctx)) =~ /^body (\w+)$/m;
 is(length $sid, 64, 'session id');
 
 unlike(http_get('/id'), qr/body \w/, 'session id no ssl');
 
+like(http_get('/cipher', socket => get_ssl_socket($ctx)),
+	qr/^body [\w-]+$/m, 'cipher');
+
+like(http_get('/client_verify', socket => get_ssl_socket($ctx)),
+	qr/^body NONE$/m, 'client verify');
+
+like(http_get('/protocol', socket => get_ssl_socket($ctx)),
+	qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol');
+
 ###############################################################################
 
 sub get_ssl_socket {
-	my ($ctx) = @_;
+	my ($ctx, $port) = @_;
 	my $s;
 
 	eval {
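Review bot: The certificate inheritance checks call `$s->dump_peer_certificate()` directly on whatever get_ssl_socket() returns. If that helper yields undef after a failed connect or handshake (its `eval` block suggests it can; the rest of its body is outside this hunk), the script dies on an undefined-value method call and the remaining planned tests never run. Guarding the call keeps the failure local to one assertion, e.g. `like($s ? $s->dump_peer_certificate() : '', qr/CN=localhost/, 'CN');` followed by `$s->close() if $s;`, and the same for the 'CN inner' check. Separately, the 'protocol' pattern `(TLS|SSL)v(\d|\.)+` also accepts strings such as `TLSv.`; `qr/^body (?:TLS|SSL)v\d+(?:\.\d+)?$/m` states the intended format more exactly.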
@@ -111,7 +222,8 @@ sub get_ssl_socket {
 		alarm(2);
 		$s = IO::Socket::SSL->new(
 			Proto => 'tcp',
-			PeerAddr => '127.0.0.1:8443',
+			PeerAddr => '127.0.0.1',
+			PeerPort => $port || '8443',
 			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
 			SSL_reuse_ctx => $ctx,
 			SSL_error_trap => sub { die $_[1] }
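Review bot: get_ssl_socket() now accepts an optional port, but nothing documents the parameter or its default; a trailing comment on the new line would do, e.g. `PeerPort => $port || '8443',   # optional; defaults to the first server's ssl listener`. Because `SSL_verify_mode` stays at `SSL_VERIFY_NONE`, the CN assertions added in this commit show only which certificate the server presented, not that it validates. That is what the inheritance test needs for self-signed fixtures, and a short comment saying so would explain why verification is off here. The sub begins before this hunk and continues after it.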