Mercurial > hg > nginx-tests
annotate ssl_verify_client.t @ 1851:0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
In 74cffa9d4c43, ticket based session reuse is enabled in addition to
using a shared SSL session cache. This changed how a session can be
resumed in a different server:
- for a session ID based resumption, it is resumed in the same context
- when using session tickets, a key name is also checked for matching
- with a ticket callback, this is skipped in favor of callback's logic
This makes 'session id context match' tests fail with session tickets
on stable since ticket key names are unique in distinct SSL contexts.
On the other hand, tests pass on 1.23.2+ due to automatic ticket keys
rotation that installs ticket callback, and using a common shared SSL
session cache.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 28 Mar 2023 01:36:32 +0400 |
parents | 818e6d8c43b5 |
children | 0e1865aa9b33 |
rev | line source |
---|---|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_client. |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
1621
fd440d324700
Tests: simplified get_ssl_socket() functions that use Net::SSLeay.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1578
diff
changeset
|
15 use Socket qw/ CRLF /; |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
16 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
27 eval { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
28 require Net::SSLeay; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
29 Net::SSLeay::load_error_strings(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
30 Net::SSLeay::SSLeay_add_ssl_algorithms(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
31 Net::SSLeay::randomize(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
32 }; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
33 plan(skip_all => 'Net::SSLeay not installed') if $@; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
34 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
35 eval { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
36 my $ctx = Net::SSLeay::CTX_new() or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
37 my $ssl = Net::SSLeay::new($ctx) or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
38 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
39 }; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
40 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
1032
43eedbfea090
Tests: add missing sni prerequisites.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
42 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/) |
1578
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
43 ->has_daemon('openssl')->plan(13); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 $t->write_file_expand('nginx.conf', <<'EOF'); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 %%TEST_GLOBALS%% |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 daemon off; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 events { |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 http { |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 %%TEST_GLOBALS_HTTP%% |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
57 add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x; |
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
58 add_header X-Protocol $ssl_protocol; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 |
1383
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
60 ssl_session_cache shared:SSL:1m; |
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
61 ssl_session_tickets off; |
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
62 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 server { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
64 listen 127.0.0.1:8080; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 server_name localhost; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
67 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
68 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
69 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
70 ssl_verify_client on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
71 ssl_client_certificate 2.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 server { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
75 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
76 server_name on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
77 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
78 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
79 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
80 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
81 ssl_verify_client on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
82 ssl_client_certificate 2.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
83 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
84 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
85 server { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
86 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
87 server_name optional; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
89 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
90 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
91 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
92 ssl_verify_client optional; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
93 ssl_client_certificate 2.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
94 ssl_trusted_certificate 3.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
95 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
96 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
97 server { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
98 listen 127.0.0.1:8081 ssl; |
1578
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
99 server_name off; |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
100 |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
101 ssl_certificate_key 1.example.com.key; |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
102 ssl_certificate 1.example.com.crt; |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
103 |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
104 ssl_verify_client off; |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
105 ssl_client_certificate 2.example.com.crt; |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
106 ssl_trusted_certificate 3.example.com.crt; |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
107 } |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
108 |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
109 server { |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
110 listen 127.0.0.1:8081 ssl; |
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
111 server_name optional.no.ca; |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
112 |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
113 ssl_certificate_key 1.example.com.key; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
114 ssl_certificate 1.example.com.crt; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
115 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
116 ssl_verify_client optional_no_ca; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
117 ssl_client_certificate 2.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 } |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
119 |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
120 server { |
1819
dc89eb420196
Tests: fixed warning about protocol options redefinition.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1621
diff
changeset
|
121 listen 127.0.0.1:8081 ssl; |
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
122 server_name no.context; |
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
123 |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
124 ssl_verify_client on; |
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
125 } |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 EOF |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
130 $t->write_file('openssl.conf', <<EOF); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 [ req ] |
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1383
diff
changeset
|
132 default_bits = 2048 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 encrypt_key = no |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 distinguished_name = req_distinguished_name |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 [ req_distinguished_name ] |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 EOF |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 my $d = $t->testdir(); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
140 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 system('openssl req -x509 -new ' |
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
142 . "-config $d/openssl.conf -subj /CN=$name/ " |
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
143 . "-out $d/$name.crt -keyout $d/$name.key " |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 . ">>$d/openssl.out 2>&1") == 0 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 or die "Can't create certificate for $name: $!\n"; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 |
1260
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
148 sleep 1 if $^O eq 'MSWin32'; |
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
149 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 $t->write_file('t', 'SEE-THIS'); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 $t->run(); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
156 like(http_get('/t'), qr/x:x/, 'plain connection'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
157 like(get('on'), qr/400 Bad Request/, 'no cert'); |
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
158 like(get('no.context'), qr/400 Bad Request/, 'no server cert'); |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
159 like(get('optional'), qr/NONE:x/, 'no optional cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
160 like(get('optional', '1.example.com'), qr/400 Bad/, 'bad optional cert'); |
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
161 like(get('optional.no.ca', '1.example.com'), qr/FAILED.*BEGIN/, |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
162 'bad optional_no_ca cert'); |
1578
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
163 like(get('off', '2.example.com'), qr/NONE/, 'off cert'); |
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
164 like(get('off', '3.example.com'), qr/NONE/, 'off cert trusted'); |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
165 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
166 like(get('localhost', '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
167 like(get('optional', '2.example.com'), qr/SUCCESS.*BEGI/, 'good cert optional'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
168 like(get('optional', '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
169 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
170 SKIP: { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
171 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
172 |
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
173 TODO: { |
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
174 local $TODO = 'broken TLSv1.3 CA list in LibreSSL' |
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
175 if $t->has_module('LibreSSL') && test_tls13(); |
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
176 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
177 my $ca = join ' ', get('optional', '3.example.com'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
178 is($ca, '/CN=2.example.com', 'no trusted sent'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
179 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
180 } |
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
181 } |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
182 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
183 like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected'); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 |
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
187 sub test_tls13 { |
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
188 get('optional') =~ /TLSv1.3/; |
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
189 } |
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
190 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 sub get { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
192 my ($sni, $cert, $host) = @_; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 |
1207
b1dc56ad15e9
Tests: ignore SIGPIPE in ssl_verify_client.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
194 local $SIG{PIPE} = 'IGNORE'; |
b1dc56ad15e9
Tests: ignore SIGPIPE in ssl_verify_client.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
195 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 $host = $sni if !defined $host; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 |
1621
fd440d324700
Tests: simplified get_ssl_socket() functions that use Net::SSLeay.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1578
diff
changeset
|
198 my $s = IO::Socket::INET->new('127.0.0.1:' . port(8081)); |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
199 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
200 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
201 or die if $cert; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
202 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
203 Net::SSLeay::set_tlsext_host_name($ssl, $sni) == 1 or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
204 Net::SSLeay::set_fd($ssl, fileno($s)); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
205 Net::SSLeay::connect($ssl) or die("ssl connect"); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
207 Net::SSLeay::write($ssl, 'GET /t HTTP/1.0' . CRLF); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
208 Net::SSLeay::write($ssl, "Host: $host" . CRLF . CRLF); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
209 my $buf = Net::SSLeay::read($ssl); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
210 log_in($buf); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
211 return $buf unless wantarray(); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
213 my $list = Net::SSLeay::get_client_CA_list($ssl); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
214 my @names; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
215 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
216 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
217 push @names, Net::SSLeay::X509_NAME_oneline($name); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
218 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
219 return @names; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 ############################################################################### |