annotate ssl_verify_depth.t @ 1851:0351dee227a8

Tests: unbreak tests with dynamic certificates on stable. In 74cffa9d4c43, ticket based session reuse is enabled in addition to using a shared SSL session cache. This changed how a session can be resumed in a different server: - for a session ID based resumption, it is resumed in the same context - when using session tickets, a key name is also checked for matching - with a ticket callback, this is skipped in favor of callback's logic This makes 'session id context match' tests fail with session tickets on stable since ticket key names are unique in distinct SSL contexts. On the other hand, tests pass on 1.23.2+ due to automatic ticket keys rotation that installs ticket callback, and using a common shared SSL session cache.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 28 Mar 2023 01:36:32 +0400
parents b28f88e352dd
children cdcd75657e52
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for http ssl module, ssl_verify_depth.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# Autoflush both output handles so diagnostics and TAP output interleave
# in the order they were produced.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# The client side of every test below is IO::Socket::SSL; skip the whole
# file when it is missing or predates the SSL_VERIFY_NONE() constant.
eval { require IO::Socket::SSL; };
plan(skip_all => 'IO::Socket::SSL not installed') if $@;
eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
plan(skip_all => 'IO::Socket::SSL too old') if $@;

# The openssl binary is needed to mint the certificate chain below.
my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');

# Skipped outright with LibreSSL (changeset b28f88e352dd); the depth
# semantics documented before each test group are OpenSSL's.
plan(skip_all => 'LibreSSL') if $t->has_module('LibreSSL');

# Three servers differing only in listen port and ssl_verify_depth
# (0, 1, 2).  All of them require a client certificate, trust the bundle
# root-int.crt built below, and report the verification outcome through
# the X-Verify header ($ssl_client_verify), which is what the nine like()
# checks match against (hence plan(9)).
$t->plan(9)->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate localhost.crt;
    ssl_certificate_key localhost.key;

    ssl_verify_client on;
    ssl_client_certificate root-int.crt;

    add_header X-Client $ssl_client_s_dn always;
    add_header X-Verify $ssl_client_verify always;

    server {
        listen 127.0.0.1:8080 ssl;
        server_name localhost;
        ssl_verify_depth 0;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        server_name localhost;
        ssl_verify_depth 1;
    }

    server {
        listen 127.0.0.1:8082 ssl;
        server_name localhost;
        ssl_verify_depth 2;
    }
}

EOF

# Everything generated by openssl lives in the per-test directory.
my $d = $t->testdir();

# Minimal "openssl req" config: 2048-bit keys written unencrypted, with the
# subject supplied via -subj rather than prompted for.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# "openssl ca" config.  Every certificate issued through it carries
# basicConstraints CA:TRUE (myca_extensions), which is what allows the
# intermediate 'int' to sign the leaf 'end' further down.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed certificates: 'root' anchors the client chain, 'localhost'
# is the server certificate.
# NOTE(review): $! is only meaningful when system() could not start the
# command; for a non-zero exit status the detail is in $?, so the message
# may print an unrelated errno.  Same applies to the die calls below.
foreach my $name ('root', 'localhost') {
    system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}

# Signing requests for the intermediate and the leaf; they are issued
# below to form the chain root -> int -> end.
foreach my $name ('int', 'end') {
    system("openssl req -new "
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.csr -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1") == 0
        or die "Can't create certificate for $name: $!\n";
}

# Serial and index files that "openssl ca" requires to exist.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# 'int' is issued by 'root' ...
system("openssl ca -batch -config $d/ca.conf "
    . "-keyfile $d/root.key -cert $d/root.crt "
    . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't sign certificate for int: $!\n";

# ... and 'end' is issued by 'int'.
system("openssl ca -batch -config $d/ca.conf "
    . "-keyfile $d/int.key -cert $d/int.crt "
    . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
    . ">>$d/openssl.out 2>&1") == 0
    or die "Can't sign certificate for end: $!\n";

# Trusted client CA bundle for ssl_client_certificate: both root and int
# are in the trusted set.  The clients in get_ssl_socket() present only
# their own certificate, so the server must complete the chain from this
# bundle, which is where ssl_verify_depth comes into play.
$t->write_file('root-int.crt', $t->read_file('root.crt')
    . $t->read_file('int.crt'));

# Empty document for the /t requests.
$t->write_file('t', '');
$t->run();

###############################################################################

# with verify depth 0, only self-signed certificates should
# be allowed

# OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed;
# as a result, it is not possible to limit certificate checking
# to self-signed certificates only when using OpenSSL 1.1.0+

like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root');
# either outcome is accepted for 'int' because of the OpenSSL 1.1.0+
# difference described above
like(get(8080, 'int'), qr/FAI|SUC/, 'verify depth 0 - no int');
like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end');

# with verify depth 1 (the default), one signature is
# expected to be checked, so certificates directly signed
# by the root cert are allowed, but nothing more

# OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed;
# so with depth 1 it is possible to validate not only directly signed
# certificates, but also chains with one intermediate certificate

like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root');
like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 - int');
# again version-dependent, so both FAILED and SUCCESS pass
like(get(8081, 'end'), qr/FAI|SUC/, 'verify depth 1 - no end');

# with verify depth 2 it is also possible to validate up to two signatures,
# so chains with one intermediate certificate are allowed

like(get(8082, 'root'), qr/SUCCESS/, 'verify depth 2 - root');
like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 2 - int');
like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 - end');

###############################################################################

# Request /t over TLS on the given local port, authenticating with the
# named client certificate ("$cert" selects "$d/$cert.crt" / ".key" in
# get_ssl_socket()).  Returns the raw HTTP response; returns nothing when
# the TLS connection could not be set up.
sub get {
    my ($port, $cert) = @_;

    my $conn = get_ssl_socket($port, $cert);
    return unless $conn;

    # the certificate name is echoed in the query string only to make
    # requests distinguishable in the access log
    return http_get("/t?$cert", socket => $conn);
}

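# Open a TLS connection to 127.0.0.1 on the given local port, presenting
# "$d/$cert.crt" and "$d/$cert.key" as the client certificate and key.
#
# The client deliberately does not verify the server certificate
# (SSL_VERIFY_NONE): what is under test is the server's verification of
# the client chain, reported back via $ssl_client_verify.  Handshake
# errors are raised as exceptions by SSL_error_trap, and the whole
# connection attempt is bounded by an 8-second alarm; either failure is
# logged with log_in() and results in an empty return.
#
# Returns the connected IO::Socket::SSL object, or nothing on failure.
sub get_ssl_socket {
    my ($port, $cert) = @_;
    my $s;

    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        local $SIG{PIPE} = sub { die "sigpipe\n" };
        alarm(8);
        $s = IO::Socket::SSL->new(
            Proto => 'tcp',
            PeerAddr => '127.0.0.1',
            # port() (Test::Nginx) resolves the nominal port number
            PeerPort => port($port),
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
            SSL_cert_file => "$d/$cert.crt",
            SSL_key_file => "$d/$cert.key",
            # turn handshake errors into exceptions caught by this eval
            SSL_error_trap => sub { die $_[1] }
        );
        alarm(0);
    };
    # clear the alarm even when the eval died before reaching alarm(0)
    alarm(0);

    if ($@) {
        log_in("died: $@");
        # bare return: undef in scalar context, empty list in list context
        # ("return undef" would hand a one-element list to a list caller)
        return;
    }

    return $s;
}

###############################################################################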