nginx-tests: ssl_ocsp.t annotate

annotate ssl_ocsp.t @ 1951:1867428f1673

Tests: fixed h3_limit_req.t spurious failures. In the "reset stream - cancellation" test, HTTP/3 stream is closed without sending the request body when the request is waiting in the limit_req module, and this results in error 444. However, when the request is received with some minor delay due to system load, it is not delayed by limit_req, and the stream is closed during reading the request body, which results in error 400 instead, breaking the test. Fix is to introduce yet another request before the "reset stream" test, so the stream in question is always delayed by limit_req.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 14 Mar 2024 02:25:49 +0300
parents	0b5ec15c62ed
children	c924ae8d7104

rev	line source
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	1 #!/usr/bin/perl
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	2
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	3 # (C) Sergey Kandaurov
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	4 # (C) Nginx, Inc.
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	5
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	6 # Tests for OCSP with client certificates.
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	7
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	8 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	9
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	10 use warnings;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	11 use strict;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	12
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	13 use Test::More;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	14
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	15 use MIME::Base64 qw/ decode_base64 /;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	16
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	17 BEGIN { use FindBin; chdir($FindBin::Bin); }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	18
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	19 use lib 'lib';
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	20 use Test::Nginx qw/ :DEFAULT http_end /;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	21
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	22 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	23
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	24 select STDERR; $\| = 1;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	25 select STDOUT; $\| = 1;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	26
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	27 my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	28 ->has_daemon('openssl');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	29
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	30 plan(skip_all => 'no OCSP support in BoringSSL')
9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	31 if $t->has_module('BoringSSL');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	32
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	33 $t->write_file_expand('nginx.conf', <<'EOF');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	34
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	35 %%TEST_GLOBALS%%
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	36
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	37 daemon off;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	38
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	39 events {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	40 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	41
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	42 http {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	43 %%TEST_GLOBALS_HTTP%%
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	44
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	45 ssl_ocsp leaf;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	46 ssl_verify_client on;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	47 ssl_verify_depth 2;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	48 ssl_client_certificate trusted.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	49
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	50 ssl_certificate_key rsa.key;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	51 ssl_certificate rsa.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	52
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	53 ssl_session_cache shared:SSL:1m;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	54 ssl_session_tickets off;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	55
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	56 add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	57 add_header X-SSL-Protocol $ssl_protocol always;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	58
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	59 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	60 listen 127.0.0.1:8443 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	61 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	62 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	63
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	64 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	65 listen 127.0.0.1:8443 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	66 server_name sni;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	67
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	68 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	69 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	70
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	71 server {
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	72 listen 127.0.0.1:8443 ssl;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	73 server_name resolver;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	74
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	75 ssl_ocsp on;
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	76 }
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	77
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	78 server {
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	79 listen 127.0.0.1:8444 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	80 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	81
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	82 ssl_ocsp_responder http://127.0.0.1:8081;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	83 ssl_ocsp on;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	84 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	85
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	86 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	87 listen 127.0.0.1:8445 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	88 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	89
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	90 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	91 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	92
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	93 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	94 listen 127.0.0.1:8446 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	95 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	96
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	97 ssl_ocsp_cache shared:OCSP:1m;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	98 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	99
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	100 server {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	101 listen 127.0.0.1:8447 ssl;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	102 server_name localhost;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	103
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	104 ssl_ocsp_responder http://127.0.0.1:8082;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	105 ssl_client_certificate root.crt;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	106 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	107 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	108
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	109 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	110
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	111 my $d = $t->testdir();
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	112 my $p = port(8081);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	113
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	114 $t->write_file('openssl.conf', <<EOF);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	115 [ req ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	116 default_bits = 2048
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	117 encrypt_key = no
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	118 distinguished_name = req_distinguished_name
1945 0b5ec15c62ed Tests: compatibility with "openssl" app from OpenSSL 3.2.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1865 diff changeset	119 x509_extensions = myca_extensions
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	120 [ req_distinguished_name ]
1945 0b5ec15c62ed Tests: compatibility with "openssl" app from OpenSSL 3.2.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1865 diff changeset	121 [ myca_extensions ]
0b5ec15c62ed Tests: compatibility with "openssl" app from OpenSSL 3.2.0. Maxim Dounin <mdounin@mdounin.ru> parents: 1865 diff changeset	122 basicConstraints = critical,CA:TRUE
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	123 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	124
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	125 $t->write_file('ca.conf', <<EOF);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	126 [ ca ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	127 default_ca = myca
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	128
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	129 [ myca ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	130 new_certs_dir = $d
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	131 database = $d/certindex
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	132 default_md = sha256
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	133 policy = myca_policy
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	134 serial = $d/certserial
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	135 default_days = 1
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	136 x509_extensions = myca_extensions
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	137
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	138 [ myca_policy ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	139 commonName = supplied
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	140
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	141 [ myca_extensions ]
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	142 basicConstraints = critical,CA:TRUE
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	143 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	144 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	145
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	146 # variant for int.crt to trigger missing resolver
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	147
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	148 $t->write_file('ca2.conf', <<EOF);
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	149 [ ca ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	150 default_ca = myca
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	151
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	152 [ myca ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	153 new_certs_dir = $d
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	154 database = $d/certindex
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	155 default_md = sha256
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	156 policy = myca_policy
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	157 serial = $d/certserial
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	158 default_days = 1
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	159 x509_extensions = myca_extensions
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	160
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	161 [ myca_policy ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	162 commonName = supplied
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	163
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	164 [ myca_extensions ]
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	165 basicConstraints = critical,CA:TRUE
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	166 authorityInfoAccess = OCSP;URI:http://localhost:$p
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	167 EOF
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	168
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	169 foreach my $name ('root') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	170 system('openssl req -x509 -new '
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	171 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	172 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	173 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	174 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	175 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	176
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	177 foreach my $name ('int', 'end') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	178 system("openssl req -new "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	179 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	180 . "-out $d/$name.csr -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	181 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	182 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	183 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	184
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	185 foreach my $name ('ec-end') {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	186 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	187 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	188 or die "Can't create EC param: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	189 system("openssl req -new -key $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	190 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	191 . "-out $d/$name.csr "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	192 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	193 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	194 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	195
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	196 $t->write_file('certserial', '1000');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	197 $t->write_file('certindex', '');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	198
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	199 system("openssl ca -batch -config $d/ca2.conf "
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	200 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	201 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	202 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	203 or die "Can't sign certificate for int: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	204
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	205 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	206 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	207 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	208 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	209 or die "Can't sign certificate for ec-end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	210
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	211 system("openssl ca -batch -config $d/ca.conf "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	212 . "-keyfile $d/int.key -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	213 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	214 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	215 or die "Can't sign certificate for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	216
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	217 # RFC 6960, serialNumber
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	218
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	219 system("openssl x509 -in $d/int.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	220 . ">>$d/serial_int 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	221 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	222
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	223 my $serial_int = pack("n2", 0x0202, hex $1)
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	224 if $t->read_file('serial_int') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	225
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	226 system("openssl x509 -in $d/end.crt -serial -noout "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	227 . ">>$d/serial 2>>$d/openssl.out") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	228 or die "Can't obtain serial for end: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	229
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	230 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	231
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	232 # ocsp end
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	233
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	234 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	235 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	236 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	237
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	238 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	239 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	240 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	241 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	242 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	243
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	244 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	245 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	246 or die "Can't create EC OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	247
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	248 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	249 . "-rsigner $d/root.crt -rkey $d/root.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	250 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	251 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	252 or die "Can't create EC OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	253
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	254 $t->write_file('trusted.crt',
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	255 $t->read_file('int.crt') . $t->read_file('root.crt'));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	256
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	257 # server cert/key
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	258
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	259 foreach my $name ('rsa') {
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	260 system('openssl req -x509 -new '
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	261 . "-config $d/openssl.conf -subj /CN=$name/ "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	262 . "-out $d/$name.crt -keyout $d/$name.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	263 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	264 or die "Can't create certificate for $name: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	265 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	266
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	267 $t->run_daemon(\&http_daemon, $t, port(8081));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	268 $t->run_daemon(\&http_daemon, $t, port(8082));
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	269 $t->run()->plan(15);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	270
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	271 $t->waitforsocket("127.0.0.1:" . port(8081));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	272 $t->waitforsocket("127.0.0.1:" . port(8082));
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	273
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	274 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	275
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	276 like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	277
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	278 # demonstrate that ocsp int request is failed due to missing resolver
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	279
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	280 like(get('end', sni => 'resolver'),
1577 804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	281 qr/400 Bad.*FAILED:certificate status request failed/s,
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	282 'ocsp many failed request');
804a7409bc63 Tests: added ssl_ocsp test with failing request. Sergey Kandaurov <pluknet@nginx.com> parents: 1570 diff changeset	283
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	284 # demonstrate that ocsp int request is actually made by failing ocsp response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	285
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	286 like(get('end', port => 8444),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	287 qr/400 Bad.*FAILED:certificate status request failed/s,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	288 'ocsp many failed');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	289
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	290 # now prepare valid ocsp int response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	291
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	292 system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	293 . "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	294 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	295
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	296 system("openssl ocsp -index $d/certindex -CA $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	297 . "-rsigner $d/root.crt -rkey $d/root.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	298 . "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	299 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	300 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	301
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	302 like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	303
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	304 # store into ssl_ocsp_cache
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	305
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	306 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	307
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	308 # revoke
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	309
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	310 system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	311 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	312 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	313 or die "Can't revoke end.crt: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	314
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	315 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	316 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	317 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	318
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	319 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	320 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	321 . "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	322 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	323 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	324
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	325 like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	326
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	327 # with different responder where it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	328
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	329 like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	330
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	331 # with different context to responder where it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	332
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	333 like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	334
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	335 # with cached ocsp response it's still valid
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	336
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	337 like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	338
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	339 # ocsp end response signed with invalid (root) cert, expect HTTP 400
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	340
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	341 like(get('ec-end'),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	342 qr/400 Bad.*FAILED:certificate status request failed/s,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	343 'root ca not trusted');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	344
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	345 # now sign ocsp end response with valid int cert
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	346
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	347 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	348 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	349 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	350 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	351 or die "Can't create EC OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	352
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	353 like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	354
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	355 my $s = session('ec-end');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	356
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	357 TODO: {
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	358 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	359 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	360 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	361 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	362 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	363 if $t->has_module('LibreSSL') && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	364
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	365 like(get('ec-end', ses => $s),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	366 qr/200 OK.*SUCCESS:r/s, 'session reused');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	367
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	368 }
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	369
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	370 # revoke with saved session
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	371
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	372 system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	373 . "-keyfile $d/root.key -cert $d/root.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	374 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	375 or die "Can't revoke end.crt: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	376
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	377 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	378 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	379 or die "Can't create OCSP request: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	380
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	381 system("openssl ocsp -index $d/certindex -CA $d/int.crt "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	382 . "-rsigner $d/int.crt -rkey $d/int.key "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	383 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	384 . ">>$d/openssl.out 2>&1") == 0
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	385 or die "Can't create OCSP response: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	386
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	387 # reusing session with revoked certificate
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	388
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	389 TODO: {
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	390 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	391 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	392 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	393 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	394 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	395 if $t->has_module('LibreSSL') && test_tls13();
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	396
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	397 like(get('ec-end', ses => $s),
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	398 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	399
1848 727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	400 }
727741cdff74 Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3. Maxim Dounin <mdounin@mdounin.ru> parents: 1847 diff changeset	401
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	402 # regression test for self-signed
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	403
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	404 like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	405
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	406 # check for errors
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	407
a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	408 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	409
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	410 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	411
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	412 sub get {
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	413 my $s = get_socket(@_) \|\| return;
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	414 return http_end($s);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	415 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	416
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	417 sub session {
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	418 my $s = get_socket(@_) \|\| return;
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	419 http_end($s);
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	420 return $s;
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	421 }
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	422
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	423 sub get_socket {
1847 a9704b9ed7a2 Tests: removed multiple server certificates from ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1846 diff changeset	424 my ($cert, %extra) = @_;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	425 my $ses = $extra{ses};
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	426 my $sni = $extra{sni} \|\| 'localhost';
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	427 my $port = $extra{port} \|\| 8443;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	428
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	429 return http(
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	430 "GET /serial HTTP/1.0\nHost: $sni\n\n",
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	431 start => 1, PeerAddr => '127.0.0.1:' . port($port),
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	432 SSL => 1,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	433 SSL_hostname => $sni,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	434 SSL_session_cache_size => 100,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	435 SSL_reuse_ctx => $ses,
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	436 $cert ? (
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	437 SSL_cert_file => "$d/$cert.crt",
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	438 SSL_key_file => "$d/$cert.key"
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	439 ) : ()
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	440 );
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	441 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	442
1865 0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	443 sub test_tls13 {
0e1865aa9b33 Tests: reworked http SSL tests to use IO::Socket::SSL. Maxim Dounin <mdounin@mdounin.ru> parents: 1848 diff changeset	444 return http_get('/', SSL => 1) =~ /TLSv1.3/;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	445 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	446
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	447 ###############################################################################
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	448
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	449 sub http_daemon {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	450 my ($t, $port) = @_;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	451 my $server = IO::Socket::INET->new(
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	452 Proto => 'tcp',
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	453 LocalHost => "127.0.0.1:$port",
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	454 Listen => 5,
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	455 Reuse => 1
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	456 )
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	457 or die "Can't create listening socket: $!\n";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	458
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	459 local $SIG{PIPE} = 'IGNORE';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	460
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	461 while (my $client = $server->accept()) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	462 $client->autoflush(1);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	463
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	464 my $headers = '';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	465 my $uri = '';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	466 my $resp;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	467
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	468 while (<$client>) {
1846 9d98c2ad3126 Tests: cleaned up ssl_ocsp.t. Maxim Dounin <mdounin@mdounin.ru> parents: 1693 diff changeset	469 Test::Nginx::log_core('\|\|', $_);
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	470 $headers .= $_;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	471 last if (/^\x0d?\x0a?$/);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	472 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	473
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	474 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	475 next unless $uri;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	476
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	477 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	478 my $req = decode_base64($uri);
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	479
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	480 if (index($req, $serial_int) > 0) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	481 $resp = 'int-resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	482
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	483 } elsif (index($req, $serial) > 0) {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	484 $resp = 'resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	485
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	486 # used to differentiate ssl_ocsp_responder
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	487
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	488 if ($port == port(8081) && -e "$d/revoked.der") {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	489 $resp = 'revoked';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	490 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	491
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	492 } else {
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	493 $resp = 'ec-resp';
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	494 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	495
1636 2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	496 next unless -s "$d/$resp.der";
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	497
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	498 # ocsp dummy handler
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	499
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	500 select undef, undef, undef, 0.02;
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	501
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	502 $headers = <<"EOF";
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	503 HTTP/1.1 200 OK
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	504 Connection: close
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	505 Content-Type: application/ocsp-response
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	506
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	507 EOF
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	508
1636 2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	509 local $/;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	510 open my $fh, '<', "$d/$resp.der"
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	511 or die "Can't open $resp.der: $!";
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	512 binmode $fh;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	513 my $content = <$fh>;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	514 close $fh;
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	515
2d371452658c Tests: fixed serving binary OCSP responses on win32. Sergey Kandaurov <pluknet@nginx.com> parents: 1577 diff changeset	516 print $client $headers . $content;
1570 0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	517 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	518 }
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	519
0077b80ef745 Tests: ssl_ocsp tests. Sergey Kandaurov <pluknet@nginx.com> parents: diff changeset	520 ###############################################################################

Mercurial > hg > nginx-tests

annotate ssl_ocsp.t @ 1951:1867428f1673