Mercurial > hg > nginx-tests
annotate ssl_certificate.t @ 1851:0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
In 74cffa9d4c43, ticket based session reuse is enabled in addition to
using a shared SSL session cache. This changed how a session can be
resumed in a different server:
- for a session ID based resumption, it is resumed in the same context
- when using session tickets, a key name is also checked for matching
- with a ticket callback, this is skipped in favor of callback's logic
This makes 'session id context match' tests fail with session tickets
on stable since ticket key names are unique in distinct SSL contexts.
On the other hand, tests pass on 1.23.2+ due to automatic ticket keys
rotation that installs ticket callback, and using a common shared SSL
session cache.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 28 Mar 2023 01:36:32 +0400 |
| parents | 74cffa9d4c43 |
| children | 58951cf933e1 |
| rev | line source |
|---|---|
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module with dynamic certificates. |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
1621
fd440d324700
Tests: simplified get_ssl_socket() functions that use Net::SSLeay.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1619
diff
changeset
|
15 use Socket qw/ CRLF /; |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 eval { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
28 require Net::SSLeay; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 Net::SSLeay::load_error_strings(); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 Net::SSLeay::SSLeay_add_ssl_algorithms(); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 Net::SSLeay::randomize(); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 }; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 plan(skip_all => 'Net::SSLeay not installed') if $@; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 eval { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 my $ctx = Net::SSLeay::CTX_new() or die; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 my $ssl = Net::SSLeay::new($ctx) or die; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 }; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 my $t = Test::Nginx->new()->has(qw/http http_ssl geo/) |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 ->has_daemon('openssl'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 plan(skip_all => 'OpenSSL too old') unless defined $1 and $1 ge '1.0.2'; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 $t->write_file_expand('nginx.conf', <<'EOF'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 %%TEST_GLOBALS%% |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 daemon off; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 events { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 http { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 %%TEST_GLOBALS_HTTP%% |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 geo $one { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 default one; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 geo $two { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 default two; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 geo $pass { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 default pass; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 add_header X-SSL $ssl_server_name:$ssl_session_reused; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 ssl_session_cache shared:SSL:1m; |
|
1836
74cffa9d4c43
Tests: enabled session reuse via TLS session tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1637
diff
changeset
|
74 ssl_session_tickets on; |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 server { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 listen 127.0.0.1:8080 ssl; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 server_name default; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 ssl_certificate $one.crt; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 ssl_certificate_key $one.key; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 server { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 listen 127.0.0.1:8080 ssl; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 server_name virtual; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 # found in key |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 ssl_certificate $two.crt; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 ssl_certificate_key $two.key; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 server { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 listen 127.0.0.1:8080 ssl; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 server_name no_ctx; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 server { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 listen 127.0.0.1:8083 ssl; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 server_name password; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 # found in key |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 ssl_certificate pass.crt; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 ssl_certificate_key $pass.key; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 ssl_password_file password_file; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 server { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 listen 127.0.0.1:8081 ssl; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 server_name default; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 ssl_certificate $one.crt; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 ssl_certificate_key $one.key; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 server { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 listen 127.0.0.1:8082 ssl; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 server_name default; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 ssl_certificate $two.crt; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 ssl_certificate_key $two.key; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 } |
|
1445
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
123 |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
124 server { |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
125 listen 127.0.0.1:8084 ssl; |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
126 server_name localhost; |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
127 |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
128 ssl_certificate $ssl_server_name.crt; |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
129 ssl_certificate_key $ssl_server_name.key; |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
130 } |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 EOF |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 $t->write_file('openssl.conf', <<EOF); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1477
diff
changeset
|
137 default_bits = 2048 |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 encrypt_key = no |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 distinguished_name = req_distinguished_name |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 [ req_distinguished_name ] |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 EOF |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 my $d = $t->testdir(); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 foreach my $name ('one', 'two') { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 system('openssl req -x509 -new ' |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 . "-out $d/$name.crt -keyout $d/$name.key " |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 . ">>$d/openssl.out 2>&1") == 0 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 or die "Can't create certificate for $name: $!\n"; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 foreach my $name ('pass') { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 system("openssl genrsa -out $d/$name.key -passout pass:pass " |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1477
diff
changeset
|
155 . "-aes128 2048 >>$d/openssl.out 2>&1") == 0 |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 or die "Can't create $name key: $!\n"; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 system("openssl req -x509 -new -config $d/openssl.conf " |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
158 . "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key " |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
159 . "-passin pass:pass >>$d/openssl.out 2>&1") == 0 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
160 or die "Can't create $name certificate: $!\n"; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
161 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
162 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 $t->write_file('password_file', 'pass'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 $t->write_file('index.html', ''); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 |
|
1535
144c6ce732e4
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
166 $t->run()->plan(11); |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
168 ############################################################################### |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
170 like(cert('default', 8080), qr/CN=one/, 'default certificate'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 like(get('default', 8080), qr/default/, 'default context'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 like(cert('virtual', 8080), qr/CN=two/, 'virtual server certificate'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 like(get('virtual', 8080), qr/virtual/, 'virtual server context'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 like(cert('no_ctx', 8080), qr/CN=one/, 'certificate - no context'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 like(get('no_ctx', 8080), qr/no_ctx/, 'virtual server - no context'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 like(get('password', 8083), qr/password/, 'ssl_password_file'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 # session reuse |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 |
|
1477
8b122b35703b
Tests: fixed session reuse tests in ssl_certificate.t with TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1445
diff
changeset
|
183 my ($s, $ssl) = get('default', 8080); |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 my $ses = Net::SSLeay::get_session($ssl); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 like(get('default', 8080, $ses), qr/default:r/, 'session reused'); |
|
1851
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
187 |
|
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
188 TODO: { |
|
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
189 # ticket key name mismatch prevents session resumption |
|
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
190 local $TODO = 'not yet' unless $t->has_version('1.23.2'); |
|
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
191 |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 like(get('default', 8081, $ses), qr/default:r/, 'session id context match'); |
|
1851
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
193 |
|
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
194 } |
|
0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1836
diff
changeset
|
195 |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 like(get('default', 8082, $ses), qr/default:\./, 'session id context distinct'); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 |
|
1445
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
198 # errors |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
199 |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
200 Net::SSLeay::ERR_clear_error(); |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
201 get_ssl_socket('nx', 8084); |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
202 ok(Net::SSLeay::ERR_peek_error(), 'no certificate'); |
|
889283abadf8
Tests: added basic ssl tests with dynamic certificate not found.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1443
diff
changeset
|
203 |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 ############################################################################### |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 sub get { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 my ($host, $port, $ctx) = @_; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 my ($s, $ssl) = get_ssl_socket($host, $port, $ctx) or return; |
|
1637
da52525f49d1
Tests: avoid ssl_certificate.t hang on SIGPIPE.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1621
diff
changeset
|
209 |
|
da52525f49d1
Tests: avoid ssl_certificate.t hang on SIGPIPE.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1621
diff
changeset
|
210 local $SIG{PIPE} = 'IGNORE'; |
|
da52525f49d1
Tests: avoid ssl_certificate.t hang on SIGPIPE.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1621
diff
changeset
|
211 |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 Net::SSLeay::write($ssl, 'GET / HTTP/1.0' . CRLF . CRLF); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
213 my $r = Net::SSLeay::read($ssl); |
|
1619
436d0ffc2ea3
Tests: correctly shutdown ssl for reproducible session reuse tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1571
diff
changeset
|
214 Net::SSLeay::shutdown($ssl); |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
215 $s->close(); |
|
1477
8b122b35703b
Tests: fixed session reuse tests in ssl_certificate.t with TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1445
diff
changeset
|
216 return $r unless wantarray(); |
|
8b122b35703b
Tests: fixed session reuse tests in ssl_certificate.t with TLSv1.3.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1445
diff
changeset
|
217 return ($s, $ssl); |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
218 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
219 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 sub cert { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 my ($host, $port, $ctx) = @_; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 my ($s, $ssl) = get_ssl_socket($host, $port, $ctx) or return; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
223 Net::SSLeay::dump_peer_certificate($ssl); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
224 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
226 sub get_ssl_socket { |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 my ($host, $port, $ses) = @_; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 |
|
1621
fd440d324700
Tests: simplified get_ssl_socket() functions that use Net::SSLeay.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1619
diff
changeset
|
229 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
232 Net::SSLeay::set_tlsext_host_name($ssl, $host); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 Net::SSLeay::set_session($ssl, $ses) if defined $ses; |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 Net::SSLeay::set_fd($ssl, fileno($s)); |
|
1571
1b4ceab9cb1c
Tests: fixed ssl_certificate.t with LibreSSL client.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1535
diff
changeset
|
235 Net::SSLeay::connect($ssl); |
|
1443
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
236 return ($s, $ssl); |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 } |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
238 |
|
7c217d343d1e
Tests: ssl tests with dynamic certificates.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
239 ############################################################################### |