annotate ssl_ocsp.t @ 1851:0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
In 74cffa9d4c43, ticket based session reuse is enabled in addition to
using a shared SSL session cache. This changed how a session can be
resumed in a different server:
- for a session ID based resumption, it is resumed in the same context
- when using session tickets, a key name is also checked for matching
- with a ticket callback, this is skipped in favor of callback's logic
This makes 'session id context match' tests fail with session tickets
on stable since ticket key names are unique in distinct SSL contexts.
On the other hand, tests pass on 1.23.2+ due to automatic ticket key
rotation, which installs a ticket callback, and the use of a common shared
SSL session cache.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 28 Mar 2023 01:36:32 +0400 |
parents | 727741cdff74 |
children | 0e1865aa9b33 |
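#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for OCSP with client certificates.
#
# The certificate chain is built at run time: a self-signed "root" CA signs
# the intermediate "int", which in turn signs the client certificates "end"
# (RSA) and "ec-end" (ECDSA).  The server uses a separate self-signed "rsa"
# certificate.  Two stub OCSP responders (see http_daemon) listen on ports
# 8081 and 8082 and serve pre-generated DER responses chosen by the serial
# number found in the request; revocation is simulated by regenerating the
# response files between requests.

###############################################################################

use warnings;
use strict;

use Test::More;

use MIME::Base64 qw/ decode_base64 /;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

eval {
	require Net::SSLeay;
	Net::SSLeay::load_error_strings();
	Net::SSLeay::SSLeay_add_ssl_algorithms();
	Net::SSLeay::randomize();
	Net::SSLeay::SSLeay();
	defined &Net::SSLeay::set_tlsext_status_type or die;
};
plan(skip_all => 'Net::SSLeay not installed or too old') if $@;

eval {
	my $ctx = Net::SSLeay::CTX_new() or die;
	my $ssl = Net::SSLeay::new($ctx) or die;
	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;

my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl');

plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');

# Servers on 8443 differ by SNI name: "localhost" checks the leaf only via
# the AIA URL in the certificate, "sni" points at the second responder, and
# "resolver" enables full-chain OCSP without a resolver so the intermediate
# lookup (host name "localhost", see ca2.conf) must fail.  Session tickets
# are disabled so that resumption goes through the shared session cache.

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  resolver;

        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8444 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8445 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8446 ssl;
        server_name  localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen       127.0.0.1:8447 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

my $d = $t->testdir();
my $p = port(8081);

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# leaf certificates carry an AIA pointing at the first stub responder

$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

# variant for int.crt to trigger missing resolver

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF

foreach my $name ('root') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('ec-end') {
	system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create EC param: $!\n";
	system("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber
#
# The packed value is the DER INTEGER encoding (tag 0x02, length 2, two
# bytes of value) of the certificate serial, which is how the serial appears
# inside an OCSP request; http_daemon searches requests for these strings.
# The certserial counter starts at 1000 and only three certificates are
# issued, so the hex serials contain decimal digits only and /(\d+)/
# captures them whole.

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

# declared on its own line: a "my" under a statement modifier has undefined
# behaviour (perlsyn), so declare first and assign conditionally
my $serial_int;
$serial_int = pack("n2", 0x0202, hex $1)
	if $t->read_file('serial_int') =~ /(\d+)/;

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial;
$serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;

# ocsp end

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

# deliberately signed by root rather than the issuer (int); the "root ca
# not trusted" test below expects nginx to reject this response

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));

# server cert/key

foreach my $name ('rsa') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
$t->run()->plan(15);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));

my $version = get_version();

###############################################################################

like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver

like(get('end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
# (int-resp.der does not exist yet, so the stub responder drops the request)

like(get('end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke
#
# only the responder on port 8081 serves revoked.der (see http_daemon), so
# the servers using the 8082 responder keep seeing the old "good" response

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid

like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid

like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400

like(get('ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

# keep the negotiated session so it can be offered for resumption below

my ($s, $ssl) = get('ec-end');
my $ses = Net::SSLeay::get_session($ssl);

TODO: {
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') and $version > 0x303;

like(get('ec-end', ses => $ses),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

}

# revoke with saved session

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate
#
# resumption (":r" in X-Verify) must not bypass the status check: the
# certificate was revoked after the session was established and the
# resumed connection still has to be rejected

TODO: {
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') and $version > 0x303;

like(get('ec-end', ses => $ses),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}

# regression test for self-signed

like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

# check for errors

like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');

###############################################################################
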
# Performs one "GET /serial" HTTP/1.0 request over a fresh TLS connection
# opened by get_ssl_socket() with the given client certificate and %extra
# options (ses, sni, port; see get_ssl_socket).  The Host header is
# $extra{sni} when set, "localhost" otherwise.
#
# In scalar context returns the raw response as read from the server.  In
# list context returns the ($socket, $ssl) pair instead; the socket has
# already been closed, but the caller can still pull the negotiated session
# out of $ssl.
sub get {
	my ($cert, %extra) = @_;
	my ($sock, $ssl) = get_ssl_socket($cert, %extra);

	my $negotiated = Net::SSLeay::get_cipher($ssl);
	Test::Nginx::log_core('||', "cipher: $negotiated");

	my $host = $extra{sni} || 'localhost';
	my $request = "GET /serial HTTP/1.0\nHost: $host\n\n";

	# the server may close the connection early (e.g. on a rejected
	# certificate); don't let SIGPIPE kill the test script
	local $SIG{PIPE} = 'IGNORE';

	log_out($request);
	Net::SSLeay::write($ssl, $request);
	my $reply = Net::SSLeay::read($ssl);
	log_in($reply);
	$sock->close();

	return wantarray() ? ($sock, $ssl) : $reply;
}

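# Opens a TCP connection to 127.0.0.1:port($port) and completes a TLS
# handshake over it with Net::SSLeay.
#
# $cert  - basename of the client certificate/key pair in the test
#          directory ($d/$cert.crt, $d/$cert.key); when false, no client
#          certificate is configured
# %extra - ses  => a Net::SSLeay session to offer for resumption
#          sni  => host name to send in the TLS server_name extension
#          port => logical port (default 8443), mapped through port()
#
# Returns the ($socket, $ssl) pair.  Returns an empty list (undef in scalar
# context) if the TCP connect fails or does not finish within 8 seconds;
# dies if the SSL_CTX or SSL object cannot be created, the certificate
# cannot be loaded, or the handshake fails.
sub get_ssl_socket {
	my ($cert, %extra) = @_;
	my $ses = $extra{ses};
	my $sni = $extra{sni};
	my $port = $extra{port} || 8443;
	my $s;

	# IO::Socket::INET->new() reports failure through $@ as well, so the
	# check below covers both the alarm timeout and a refused connection
	eval {
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		$s = IO::Socket::INET->new('127.0.0.1:' . port($port));
		alarm(0);
	};
	alarm(0);

	if ($@) {
		log_in("died: $@");
		# bare return instead of "return undef": undef in scalar context,
		# empty list in list context (perlcritic ProhibitExplicitReturnUndef);
		# callers list-assign the result, so they see the same two undefs
		return;
	}

	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");

	# the statement modifier governs the whole "... or die", so without
	# $cert neither the load nor the die happens
	Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
		or die if $cert;
	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
	Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni;
	Net::SSLeay::set_fd($ssl, fileno($s));
	Net::SSLeay::connect($ssl) or die("ssl connect");
	return ($s, $ssl);
}
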
# Negotiates one TLS connection to the default server without a client
# certificate and returns the protocol version Net::SSLeay reports for it.
# The result gates the TODO blocks that depend on TLSv1.3 behaviour.
sub get_version {
	my ($sock, $ssl) = get_ssl_socket();
	my $proto = Net::SSLeay::version($ssl);
	return $proto;
}

###############################################################################

# Minimal OCSP responder stub, started via $t->run_daemon() on
# 127.0.0.1:$port.  $t is accepted for run_daemon's calling convention and
# is not used.
#
# For each connection the request head is read up to the first empty line
# and the request-target is taken from the request line.  nginx sends small
# OCSP requests with GET, so the target is the base64 DER OCSPRequest,
# URL-encoded; it is decoded and a canned response from the test directory
# is chosen by searching it for a known serial number:
#   int-resp.der - the intermediate's serial ($serial_int)
#   resp.der     - the RSA leaf's serial ($serial); on port 8081 only, once
#                  revoked.der exists, revoked.der is served instead (this is
#                  what tells the two ssl_ocsp_responder addresses apart)
#   ec-resp.der  - anything else, i.e. the ECDSA leaf
# The file name comes from this fixed set, never from request data.  When
# the chosen file is missing or empty the request is dropped without a
# reply, which the tests rely on to provoke "certificate status request
# failed".
sub http_daemon {
	my ($t, $port) = @_;
	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	local $SIG{PIPE} = 'IGNORE';

	while (my $client = $listener->accept()) {
		$client->autoflush(1);

		# collect the request head up to and including the empty line
		my $head = '';
		while (my $line = <$client>) {
			Test::Nginx::log_core('||', $line);
			$head .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($target) = $head =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next unless $target;

		# undo URL-encoding, then base64, to get the DER request
		$target =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $der = decode_base64($target);

		my $name;
		if (index($der, $serial_int) > 0) {
			$name = 'int-resp';

		} elsif (index($der, $serial) > 0) {
			$name = 'resp';

			# used to differentiate ssl_ocsp_responder

			$name = 'revoked'
				if $port == port(8081) && -e "$d/revoked.der";

		} else {
			$name = 'ec-resp';
		}

		next unless -s "$d/$name.der";

		# ocsp dummy handler

		select undef, undef, undef, 0.02;

		my $reply = <<"EOF";
HTTP/1.1 200 OK
Connection: close
Content-Type: application/ocsp-response

EOF

		# binary slurp of the DER response
		open my $fh, '<', "$d/$name.der"
			or die "Can't open $name.der: $!";
		binmode $fh;
		my $body = do { local $/; <$fh> };
		close $fh;

		print $client $reply . $body;
	}
}

###############################################################################