changeset 1488:dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
This updates minimum requirements to 2048 bit RSA keys and SHA-2 message digest.
--- a/grpc_ssl.t +++ b/grpc_ssl.t @@ -103,7 +103,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -121,7 +121,7 @@ foreach my $name ('localhost') { foreach my $name ('client') { system("openssl genrsa -out $d/$name.key -passout pass:$name " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create private key: $!\n"; system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ "
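Review bot: The `[ req ]` block in this heredoc gets the larger key size but still leaves the signature digest unset, so certificates produced by `openssl req -x509` are signed with whatever digest the installed OpenSSL defaults to, which on older builds may not be SHA-2. The commit message states a SHA-2 minimum, yet `default_md = sha256` is only set in the `[ myca ]` sections (ssl.t, ssl_certificate_chain.t, ssl_crl.t, ssl_stapling.t, ssl_verify_depth.t). Adding `default_md = sha256` under `[ req ]` would make the digest explicit; the same applies to every other `[ req ]` hunk in this changeset. The heredoc continues past the end of the hunk.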
--- a/h2_proxy_request_buffering_ssl.t +++ b/h2_proxy_request_buffering_ssl.t @@ -82,7 +82,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/h2_proxy_ssl.t +++ b/h2_proxy_ssl.t @@ -57,7 +57,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/h2_ssl.t +++ b/h2_ssl.t @@ -56,7 +56,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/h2_ssl_proxy_cache.t +++ b/h2_ssl_proxy_cache.t @@ -70,7 +70,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/h2_ssl_variables.t +++ b/h2_ssl_variables.t @@ -69,7 +69,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/h2_ssl_verify_client.t +++ b/h2_ssl_verify_client.t @@ -73,7 +73,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/mail_capability.t +++ b/mail_capability.t @@ -103,7 +103,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/mail_imap_ssl.t +++ b/mail_imap_ssl.t @@ -119,7 +119,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/mail_ssl.t +++ b/mail_ssl.t @@ -139,7 +139,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -149,7 +149,7 @@ my $d = $t->testdir(); foreach my $name ('localhost', 'inherits') { system("openssl genrsa -out $d/$name.key -passout pass:localhost " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create private key: $!\n"; system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ "
--- a/proxy_if.t +++ b/proxy_if.t @@ -158,7 +158,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/proxy_request_buffering_ssl.t +++ b/proxy_request_buffering_ssl.t @@ -97,7 +97,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/proxy_ssl.t +++ b/proxy_ssl.t @@ -79,7 +79,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/proxy_ssl_certificate.t +++ b/proxy_ssl_certificate.t @@ -100,7 +100,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -118,7 +118,7 @@ foreach my $name ('1.example.com', '2.ex foreach my $name ('3.example.com') { system("openssl genrsa -out $d/$name.key -passout pass:$name " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create private key: $!\n"; system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ "
--- a/proxy_ssl_keepalive.t +++ b/proxy_ssl_keepalive.t @@ -73,7 +73,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/proxy_ssl_name.t +++ b/proxy_ssl_name.t @@ -116,7 +116,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/proxy_ssl_verify.t +++ b/proxy_ssl_verify.t @@ -109,7 +109,7 @@ EOF $t->write_file('openssl.1.example.com.conf', <<EOF); [ req ] prompt = no -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name x509_extensions = v3_req @@ -124,7 +124,7 @@ EOF $t->write_file('openssl.2.example.com.conf', <<EOF); [ req ] prompt = no -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name
--- a/ssl.t +++ b/ssl.t @@ -151,7 +151,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -166,7 +166,7 @@ default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex -default_md = sha1 +default_md = sha256 policy = myca_policy serial = $d/certserial default_days = 3
--- a/ssl_certificate.t +++ b/ssl_certificate.t @@ -134,7 +134,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -152,7 +152,7 @@ foreach my $name ('one', 'two') { foreach my $name ('pass') { system("openssl genrsa -out $d/$name.key -passout pass:pass " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create $name key: $!\n"; system("openssl req -x509 -new -config $d/openssl.conf " . "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
--- a/ssl_certificate_chain.t +++ b/ssl_certificate_chain.t @@ -73,7 +73,7 @@ my $d = $t->testdir(); $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -86,7 +86,7 @@ default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex -default_md = sha1 +default_md = sha256 policy = myca_policy serial = $d/certserial default_days = 1
--- a/ssl_certificate_perl.t +++ b/ssl_certificate_perl.t @@ -81,7 +81,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_certificates.t +++ b/ssl_certificates.t @@ -70,7 +70,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -80,7 +80,7 @@ my $d = $t->testdir(); system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n"; -system("openssl genrsa -out $d/rsa.key 1024 >>$d/openssl.out 2>&1") == 0 +system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create RSA pem: $!\n"; foreach my $name ('ec', 'rsa') {
--- a/ssl_client_escaped_cert.t +++ b/ssl_client_escaped_cert.t @@ -63,7 +63,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_crl.t +++ b/ssl_crl.t @@ -81,7 +81,7 @@ my $d = $t->testdir(); $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -94,7 +94,7 @@ default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex -default_md = sha1 +default_md = sha256 policy = myca_policy serial = $d/certserial default_days = 1
--- a/ssl_engine_keys.t +++ b/ssl_engine_keys.t @@ -106,7 +106,7 @@ init = 1 PIN = 1234 [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -127,7 +127,7 @@ foreach my $name ('localhost') { . ">>$d/openssl.out 2>&1"); system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm.so ' - . '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:1024 ' + . '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:2048 ' . ">>$d/openssl.out 2>&1"); system('openssl req -x509 -new -engine pkcs11 '
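Review bot: The `pkcs11-tool` call that now requests `--key-type rsa:2048` discards the return value of `system`, unlike the `openssl genrsa` calls elsewhere in this changeset that use `== 0 or die`. If the token refuses the key generation, the failure would only surface in the following `openssl req -x509 -new -engine pkcs11` step; whether that step is checked is not visible in this hunk. Either check the call, e.g. `== 0 or die "Can't create key in token: exit status " . ($? >> 8) . "\n";`, or add a comment such as `# failure tolerated: the openssl req step below decides whether to skip` if that is the intent. The enclosing `foreach` body starts and ends outside the hunk.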
--- a/ssl_password_file.t +++ b/ssl_password_file.t @@ -92,7 +92,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -103,7 +103,7 @@ mkfifo("$d/password_fifo", 0700); foreach my $name ('localhost', 'inherits') { system("openssl genrsa -out $d/$name.key -passout pass:$name " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create private key: $!\n"; system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ "
--- a/ssl_proxy_protocol.t +++ b/ssl_proxy_protocol.t @@ -76,7 +76,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_proxy_upgrade.t +++ b/ssl_proxy_upgrade.t @@ -72,7 +72,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_sni.t +++ b/ssl_sni.t @@ -100,7 +100,7 @@ plan(skip_all => 'Net::SSLeay with OpenS $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_sni_reneg.t +++ b/ssl_sni_reneg.t @@ -76,7 +76,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_sni_sessions.t +++ b/ssl_sni_sessions.t @@ -106,7 +106,7 @@ plan(skip_all => 'Net::SSLeay with OpenS $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_stapling.t +++ b/ssl_stapling.t @@ -124,7 +124,7 @@ my $p = port(8081); $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -137,7 +137,7 @@ default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex -default_md = sha1 +default_md = sha256 policy = myca_policy serial = $d/certserial default_days = 1
--- a/ssl_verify_client.t +++ b/ssl_verify_client.t @@ -116,7 +116,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/ssl_verify_depth.t +++ b/ssl_verify_depth.t @@ -63,7 +63,7 @@ my $d = $t->testdir(); $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -76,7 +76,7 @@ default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex -default_md = sha1 +default_md = sha256 policy = myca_policy serial = $d/certserial default_days = 1
--- a/stream_proxy_protocol_ssl.t +++ b/stream_proxy_protocol_ssl.t @@ -59,7 +59,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_proxy_ssl.t +++ b/stream_proxy_ssl.t @@ -83,7 +83,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_proxy_ssl_certificate.t +++ b/stream_proxy_ssl_certificate.t @@ -104,7 +104,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -122,7 +122,7 @@ foreach my $name ('1.example.com', '2.ex foreach my $name ('3.example.com') { system("openssl genrsa -out $d/$name.key -passout pass:$name " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create private key: $!\n"; system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ "
--- a/stream_proxy_ssl_name.t +++ b/stream_proxy_ssl_name.t @@ -101,7 +101,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_proxy_ssl_name_complex.t +++ b/stream_proxy_ssl_name_complex.t @@ -62,7 +62,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_proxy_ssl_verify.t +++ b/stream_proxy_ssl_verify.t @@ -111,7 +111,7 @@ EOF $t->write_file('openssl.1.example.com.conf', <<EOF); [ req ] prompt = no -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name x509_extensions = v3_req @@ -126,7 +126,7 @@ EOF $t->write_file('openssl.2.example.com.conf', <<EOF); [ req ] prompt = no -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name
--- a/stream_ssl.t +++ b/stream_ssl.t @@ -92,7 +92,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -103,7 +103,7 @@ mkfifo("$d/password_fifo", 0700); foreach my $name ('localhost', 'inherits') { system("openssl genrsa -out $d/$name.key -passout pass:$name " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create private key: $!\n"; system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ "
--- a/stream_ssl_certificate.t +++ b/stream_ssl_certificate.t @@ -117,7 +117,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] @@ -135,7 +135,7 @@ foreach my $name ('one', 'two') { foreach my $name ('pass') { system("openssl genrsa -out $d/$name.key -passout pass:pass " - . "-aes128 1024 >>$d/openssl.out 2>&1") == 0 + . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create $name key: $!\n"; system("openssl req -x509 -new -config $d/openssl.conf " . "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
--- a/stream_ssl_preread.t +++ b/stream_ssl_preread.t @@ -126,7 +126,7 @@ plan(skip_all => 'Net::SSLeay with OpenS $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_ssl_preread_alpn.t +++ b/stream_ssl_preread_alpn.t @@ -86,7 +86,7 @@ plan(skip_all => 'Net::SSLeay with OpenS $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_ssl_realip.t +++ b/stream_ssl_realip.t @@ -84,7 +84,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_ssl_variables.t +++ b/stream_ssl_variables.t @@ -73,7 +73,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]
--- a/stream_ssl_verify_client.t +++ b/stream_ssl_verify_client.t @@ -92,7 +92,7 @@ EOF $t->write_file('openssl.conf', <<EOF); [ req ] -default_bits = 1024 +default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ]