annotate ssl_ocsp.t @ 1848:727741cdff74
Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3.
LibreSSL does not support session reuse with TLSv1.3.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Thu, 23 Mar 2023 19:50:29 +0300 |
parents | a9704b9ed7a2 |
children | 0e1865aa9b33 |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for OCSP with client certificates.

###############################################################################

use warnings;
use strict;

use Test::More;

use MIME::Base64 qw/ decode_base64 /;

# Run from the test directory so that the relative 'lib' path below resolves.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# Autoflush both output streams.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Net::SSLeay is loaded at run time so that a missing or outdated module
# turns into a skipped test instead of a compile-time failure; the presence
# of set_tlsext_status_type() is used as the "new enough" check.
eval {
	require Net::SSLeay;
	Net::SSLeay::load_error_strings();
	Net::SSLeay::SSLeay_add_ssl_algorithms();
	Net::SSLeay::randomize();
	Net::SSLeay::SSLeay();
	defined &Net::SSLeay::set_tlsext_status_type or die;
};
plan(skip_all => 'Net::SSLeay not installed or too old') if $@;

# SNI is required: several tests below pick a server block by host name.
eval {
	my $ctx = Net::SSLeay::CTX_new() or die;
	my $ssl = Net::SSLeay::new($ctx) or die;
	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;

my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl');

plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');

# Test configuration.  Every server block inherits the http-level defaults:
# leaf-only OCSP checking (ssl_ocsp leaf), mandatory client verification
# against trusted.crt (int.crt + root.crt, depth 2), the RSA server
# certificate, and a session cache with tickets disabled.  The X-Verify
# header exposes the client verification result and the session-reuse flag,
# which is what the like() assertions below match on.  Per-server variations:
#   8443 "localhost" - defaults only; responder comes from the cert's AIA URI
#   8443 "sni"       - responder overridden to port 8082
#   8443 "resolver"  - full-chain check (ssl_ocsp on) with no resolver set
#   8444             - full-chain check with an explicit responder on 8081
#   8445             - responder on port 8082
#   8446             - adds a shared ssl_ocsp_cache
#   8447             - responder on 8082, trusts root.crt only
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  resolver;

        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8444 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8445 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8446 ssl;
        server_name  localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen       127.0.0.1:8447 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

my $d = $t->testdir();
my $p = port(8081);

# Request template shared by all "openssl req" invocations below.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# CA configuration for certificates issued by int.crt.  The AIA extension
# points at the test responder by IP address, so nginx can reach it without
# a resolver.  Note that CA:TRUE is applied to every certificate issued with
# this configuration, leaves included.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF

# variant for int.crt to trigger missing resolver
#
# Identical to ca.conf except that the AIA URI names "localhost" instead of
# an IP address, which cannot be looked up without a resolver directive.

$t->write_file('ca2.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:http://localhost:$p
EOF

# Self-signed root CA.
for my $name ('root') {
	my $cmd = 'openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}

# Certificate requests (plus fresh RSA keys) for the intermediate CA and the
# RSA end-entity; they are signed further below.
for my $name ('int', 'end') {
	my $cmd = 'openssl req -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1";
	system($cmd) == 0
		or die "Can't create certificate for $name: $!\n";
}

# ECDSA (prime256v1) end-entity: generate the key first, then a request
# that uses it.
for my $name ('ec-end') {
	my $genkey = "openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1";
	system($genkey) == 0
		or die "Can't create EC param: $!\n";

	my $req = "openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1";
	system($req) == 0
		or die "Can't create certificate for $name: $!\n";
}

# Fresh CA database: serials start at 1000 (hex, as openssl reads the serial
# file) and the index of issued certificates is empty.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

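# Intermediate CA, signed by root with the ca2.conf variant (AIA URI names
# "localhost", see above).
system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

# End-entity certificates, signed by int with ca.conf (AIA URI by IP address).
system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber
#
# The dummy responder (http_daemon) tells requests apart by searching the
# DER-encoded OCSP request for the DER encoding of a certificate serial.
# der_serial() builds that needle from "openssl x509 -serial" output.

# Turns "serial=XXXX" (hex, as printed by "openssl x509 -serial -noout")
# into the DER INTEGER bytes: tag 0x02, length 0x02, 16-bit serial.
# A two-byte encoding is only correct for 0x0080..0x7FFF (smaller values use
# a shorter length, values with the high bit set get a leading zero byte),
# so anything outside that range, and unparsable input, is rejected instead
# of silently producing a needle that can never match.  Returns the packed
# bytes; dies on bad input.
sub der_serial {
	my ($text) = @_;

	my ($hex) = $text =~ /=\s*([[:xdigit:]]+)/
		or die "Can't parse serial from '$text'\n";

	my $num = hex $hex;
	($num >= 0x80 && $num <= 0x7fff)
		or die "Serial $hex is not a two-byte DER INTEGER\n";

	return pack("n2", 0x0202, $num);
}

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

my $serial_int = der_serial($t->read_file('serial_int'));

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial = der_serial($t->read_file('serial'));

# ocsp end
#
# Canned responses for end (signed by its issuer, int) and ec-end.  The
# ec-end response is deliberately signed by root, which did not issue ec-end,
# so the "root ca not trusted" test below sees it rejected; it is re-signed
# with int later on.

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# Chain nginx verifies client certificates against: int.crt, then root.crt.
$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));

# server cert/key

foreach my $name ('rsa') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# One responder instance per port; the 8081 instance additionally serves
# revoked.der for "end" once that file exists (see http_daemon).
$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));

# 15 is the number of like() assertions below, TODO blocks included.
$t->run()->plan(15);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));

# Negotiated protocol version; used to scope the LibreSSL TODO blocks.
my $version = get_version();
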
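###############################################################################

# Expected X-Verify outcomes: a verified client with a good OCSP status, and
# a client whose status request could not be completed.
my $ok = qr/200 OK.*SUCCESS/s;
my $status_failed = qr/400 Bad.*FAILED:certificate status request failed/s;

# Leaf-only check (ssl_ocsp leaf) against the responder from end.crt's AIA.
like(get('end'), $ok, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver
#
# The "resolver" server uses ssl_ocsp on, so int.crt is checked too; its
# AIA URI names "localhost" (ca2.conf), which nginx cannot look up.

like(get('end', sni => 'resolver'), $status_failed,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp response
#
# Port 8444 also checks the full chain, but the responder has no
# int-resp.der yet and drops the request, so the check fails.

like(get('end', port => 8444), $status_failed, 'ocsp many failed');

# now prepare valid ocsp int response

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end', port => 8444), $ok, 'ocsp many');

# store into ssl_ocsp_cache

like(get('end', port => 8446), $ok, 'cache store');

# revoke
#
# From here on the 8081 responder answers with revoked.der for end.crt,
# while 8082 keeps serving the earlier "good" resp.der.

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid

like(get('end', port => 8445), $ok, 'ocsp responder');

# with different context to responder where it's still valid

like(get('end', sni => 'sni'), $ok, 'ocsp context');

# with cached ocsp response it's still valid

like(get('end', port => 8446), $ok, 'cache lookup');

# ocsp end response signed with invalid (root) cert, expect HTTP 400

like(get('ec-end'), $status_failed, 'root ca not trusted');

# now sign ocsp end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ec-end'), $ok, 'ocsp ecdsa');

# Keep the session of a successful ec-end handshake for the resumption tests.
# In list context get() returns the socket and SSL handle instead of the
# response text.
my ($s, $ssl) = get('ec-end');
my $ses = Net::SSLeay::get_session($ssl);

# 0x0303 is TLSv1.2, so "> 0x303" selects TLSv1.3 and newer.
TODO: {
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') and $version > 0x303;

like(get('ec-end', ses => $ses),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

}

# revoke with saved session

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate
#
# A resumed session must be re-checked against the responder; the ":r"
# suffix confirms that the session really was reused.

TODO: {
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') and $version > 0x303;

like(get('ec-end', ses => $ses),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}

# regression test for self-signed

like(get('root', port => 8447), $ok, 'ocsp one');

# check for errors
#
# Only the (expected empty) grep output matters; its exit status is ignored.

like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');

###############################################################################
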
# Sends a single "GET /serial" over TLS, authenticating with the client
# certificate named by $cert (none when $cert is false).  %extra is passed
# through to get_ssl_socket(); its "sni" entry also selects the Host header.
#
# The return value depends on context: in scalar context - which is what
# Test::More::like() imposes on its first argument through its prototype -
# the raw response text is returned; in list context the socket (already
# closed) and the SSL handle are returned so callers can pull the session
# out of it.  The socket is closed before returning in both cases.
sub get {
	my ($cert, %extra) = @_;
	my ($sock, $ssl) = get_ssl_socket($cert, %extra);

	Test::Nginx::log_core('||', "cipher: " . Net::SSLeay::get_cipher($ssl));

	my $host = $extra{sni} || 'localhost';
	my $request = "GET /serial HTTP/1.0\nHost: $host\n\n";

	# Presumably the server can close the connection before the request is
	# fully written; do not let SIGPIPE terminate the test script.
	local $SIG{PIPE} = 'IGNORE';

	log_out($request);
	Net::SSLeay::write($ssl, $request);
	my $response = Net::SSLeay::read($ssl);
	log_in($response);

	$sock->close();

	return wantarray() ? ($sock, $ssl) : $response;
}

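# Opens a TCP connection to 127.0.0.1 on port($extra{port} || 8443) and
# completes a TLS handshake on it.
#
# $cert  - basename of the client certificate/key pair in the test directory
#          ("$d/$cert.crt", "$d/$cert.key"); no client certificate when false
# %extra - ses  => Net::SSLeay session to resume
#          sni  => server name to send in the SNI extension
#          port => logical port passed to port(); defaults to 8443
#
# Returns ($socket, $ssl).  A TCP connect that dies or exceeds the 8 second
# alarm is logged and yields an empty list (both values undef in a list
# assignment); every failure after that dies.
sub get_ssl_socket {
	my ($cert, %extra) = @_;
	my $ses = $extra{ses};
	my $sni = $extra{sni};
	my $port = $extra{port} || 8443;
	my $s;

	eval {
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		$s = IO::Socket::INET->new('127.0.0.1:' . port($port));
		alarm(0);
	};
	alarm(0);

	if ($@) {
		log_in("died: $@");
		return;
	}

	# IO::Socket::INET->new() reports a refused connection by returning
	# undef rather than dying; without this check fileno(undef) would be
	# handed to set_fd() and the failure surface much later and unclearly.
	defined $s
		or die "Can't connect to 127.0.0.1:" . port($port) . ": $!\n";

	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");

	if ($cert) {
		Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
			or die("Failed to load client certificate $cert");
	}

	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
	Net::SSLeay::set_tlsext_host_name($ssl, $sni) if $sni;
	Net::SSLeay::set_fd($ssl, fileno($s));

	# SSL_connect() returns 1 on success, 0 on a controlled shutdown and a
	# negative value on a fatal error; a plain truth test lets -1 through.
	Net::SSLeay::connect($ssl) == 1 or die("ssl connect");

	return ($s, $ssl);
}
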
# Handshakes once with the default server without a client certificate and
# returns the protocol version reported by Net::SSLeay::version(), e.g.
# 0x0303 for TLSv1.2 and 0x0304 for TLSv1.3.  The socket is left to be
# closed when it goes out of scope.
sub get_version {
	my ($sock, $ssl) = get_ssl_socket();
	my $version = Net::SSLeay::version($ssl);
	return $version;
}

###############################################################################

# Minimal OCSP responder, started once per responder port.  For every
# connection it reads one HTTP request, takes the percent-encoded base64
# OCSP request from the request line, and picks a canned DER response by
# looking for a known certificate serial inside it:
#   int's serial  -> int-resp.der
#   end's serial  -> resp.der, or revoked.der on port 8081 once that exists
#   anything else -> ec-resp.der
# A request without a URI, or whose response file is missing or empty, is
# dropped without an answer.  Runs until accept() fails.
sub http_daemon {
	my ($t, $port) = @_;
	my $server = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	local $SIG{PIPE} = 'IGNORE';

	CLIENT:
	while (my $client = $server->accept()) {
		$client->autoflush(1);

		# Read the request head up to and including the empty line.
		my $headers = '';
		while (my $line = <$client>) {
			Test::Nginx::log_core('||', $line);
			$headers .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($uri) = $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next CLIENT unless $uri;

		# OCSP over GET carries the base64 request URL-encoded in the path.
		$uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $req = decode_base64($uri);

		my $resp = 'ec-resp';
		if (index($req, $serial_int) > 0) {
			$resp = 'int-resp';
		} elsif (index($req, $serial) > 0) {
			# used to differentiate ssl_ocsp_responder
			$resp = ($port == port(8081) && -e "$d/revoked.der")
				? 'revoked' : 'resp';
		}

		next CLIENT unless -s "$d/$resp.der";

		# ocsp dummy handler
		select undef, undef, undef, 0.02;

		open my $fh, '<', "$d/$resp.der"
			or die "Can't open $resp.der: $!";
		binmode $fh;
		my $content = do { local $/; <$fh> };
		close $fh;

		print {$client} "HTTP/1.1 200 OK\n"
			. "Connection: close\n"
			. "Content-Type: application/ocsp-response\n"
			. "\n"
			. $content;
	}
}

###############################################################################