Mercurial > hg > nginx-tests
annotate proxy_ssl_keepalive.t @ 1571:1b4ceab9cb1c
Tests: fixed ssl_certificate.t with LibreSSL client.
Net::SSLeay::connect() that manages TLS handshake could return unexpected
error when receiving server alert, as seen in server certificate tests if
it could not been selected. Typically, it returns the expected error -1,
but with certain libssl implementations it can be 0, as explained below.
The error is propagated from libssl's SSL_connect(), which is usually -1.
In modern OpenSSL versions, it is the default error code used in the state
machine returned when something went wrong with parsing TLS message header.
In versions up to OpenSSL 1.0.2, with SSLv23_method() used by default, -1
is the only error code in the ssl_connect() method implementation which is
used as well if receiving alert while parsing ServerHello. BoringSSL also
seems to return -1. But it is not so with LibreSSL that returns zero.
Previously, tests failed with client built with LibreSSL with SSLv3 removed.
Here, the error is propagated directly from ssl_read_bytes() method, which
is always implemented as ssl3_read_bytes() in all TLS methods. It could be
also seen with OpenSSL up to 1.0.2 with non-default methods explicitly set.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 29 May 2020 23:10:20 +0300 |
| parents | dbce8fb5f5f8 |
| children | da3889ba0b96 |
| rev | line source |
|---|---|
|
693
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
2 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
3 # (C) Andrey Zelenkov |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
5 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
6 # Tests for proxy with keepalive to ssl backend. |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
7 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
9 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
12 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
14 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
16 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
19 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
20 ############################################################################### |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
21 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
22 select STDERR; $| = 1; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
23 select STDOUT; $| = 1; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
24 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
25 eval { require IO::Socket::SSL; }; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
27 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
28 my $t = Test::Nginx->new()->has(qw/http http_ssl proxy upstream_keepalive/) |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
29 ->has_daemon('openssl')->plan(3) |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
30 ->write_file_expand('nginx.conf', <<'EOF'); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
31 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
32 %%TEST_GLOBALS%% |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
33 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
34 daemon off; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
35 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
36 events { |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
37 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
38 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
39 http { |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
40 %%TEST_GLOBALS_HTTP%% |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
41 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
42 upstream u { |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
43 server 127.0.0.1:8081; |
|
693
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
44 keepalive 1; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
45 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
46 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
47 server { |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
48 listen 127.0.0.1:8080; |
|
693
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
49 server_name localhost; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
50 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
51 proxy_http_version 1.1; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
52 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
53 location / { |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
54 proxy_pass https://u/; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
55 proxy_set_header Connection $args; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
56 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
57 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
58 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
59 server { |
|
974
882267679006
Tests: simplified parallel modifications in tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
952
diff
changeset
|
60 listen 127.0.0.1:8081 ssl; |
|
693
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
61 server_name localhost; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
62 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
63 ssl_certificate_key localhost.key; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
64 ssl_certificate localhost.crt; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
65 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
66 location / { |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
67 add_header X-Connection $connection; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
68 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
69 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
70 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
71 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
72 EOF |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
73 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
74 $t->write_file('openssl.conf', <<EOF); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
75 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
76 default_bits = 2048 |
|
693
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
77 encrypt_key = no |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
78 distinguished_name = req_distinguished_name |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
79 [ req_distinguished_name ] |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
80 EOF |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
81 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
82 my $d = $t->testdir(); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
83 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
84 foreach my $name ('localhost') { |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
85 system('openssl req -x509 -new ' |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
86 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
87 . "-out $d/$name.crt -keyout $d/$name.key " |
|
693
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
88 . ">>$d/openssl.out 2>&1") == 0 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
89 or die "Can't create certificate for $name: $!\n"; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
90 } |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
91 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
92 $t->write_file('index.html', 'SEE-THIS'); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
93 $t->run(); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
94 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
95 ############################################################################### |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
96 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
97 my ($r, $n); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
98 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
99 like($r = http_get('/'), qr/200 OK.*SEE-THIS/ms, 'first'); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
100 $r =~ m/X-Connection: (\d+)/; $n = $1; |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
101 like(http_get('/'), qr/X-Connection: $n[^\d].*SEE-THIS/ms, 'second'); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
102 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
103 http_get('/?close'); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
104 unlike(http_get('/'), qr/X-Connection: $n[^\d]/, 'close'); |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
105 |
|
875900f02f15
Tests: added proxy keepalive tests to ssl backend.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
diff
changeset
|
106 ############################################################################### |