annotate ssl_verify_depth.t @ 1836:74cffa9d4c43
Tests: enabled session reuse via TLS session tickets.
This fixes tests with TLSv1.3 enabled when using BoringSSL, since
for TLSv1.3 it only supports session reuse via TLS session tickets,
and not server-side session cache.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Thu, 23 Mar 2023 19:50:02 +0300 |
parents | b28f88e352dd |
children | cdcd75657e52 |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for http ssl module, ssl_verify_depth.
#
# A three-level client chain (root -> int -> end, generated with the openssl
# binary at run time) is presented to three servers that differ only in
# ssl_verify_depth (0, 1 and 2), and the resulting $ssl_client_verify value
# is checked.  Some expectations are deliberately loose because OpenSSL
# 1.1.0+ counts intermediate certificates rather than signatures (see the
# comments next to the individual tests).

###############################################################################

use warnings;
use strict;

use Test::More;

# chdir to the script's own directory so that the relative 'lib' path
# below resolves regardless of the caller's cwd
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# autoflush both output handles
select STDERR; $| = 1;
select STDOUT; $| = 1;

# IO::Socket::SSL is used as the TLS client; skip (rather than fail) when
# it is missing or too old to provide SSL_VERIFY_NONE
eval { require IO::Socket::SSL; };
plan(skip_all => 'IO::Socket::SSL not installed') if $@;
eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
plan(skip_all => 'IO::Socket::SSL too old') if $@;
my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');

# skipped wholesale under LibreSSL (changeset b28f88e352dd); the reason is
# not recorded in this file
plan(skip_all => 'LibreSSL') if $t->has_module('LibreSSL');

# Three servers that differ only in ssl_verify_depth.  All of them require
# a client certificate and trust the root+int bundle written below as
# root-int.crt.  The verification outcome ($ssl_client_verify) and the
# client subject are exported as response headers with "always", so they
# are added to error responses as well.
$t->plan(9)->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate localhost.crt;
    ssl_certificate_key localhost.key;

    ssl_verify_client on;
    ssl_client_certificate root-int.crt;

    add_header X-Client $ssl_client_s_dn always;
    add_header X-Verify $ssl_client_verify always;

    server {
        listen       127.0.0.1:8080 ssl;
        server_name  localhost;
        ssl_verify_depth 0;
    }

    server {
        listen       127.0.0.1:8081 ssl;
        server_name  localhost;
        ssl_verify_depth 1;
    }

    server {
        listen       127.0.0.1:8082 ssl;
        server_name  localhost;
        ssl_verify_depth 2;
    }
}

EOF
my $d = $t->testdir();

# minimal 'openssl req' configuration: 2048-bit unencrypted keys and an
# empty DN section, since every subject is passed explicitly via -subj
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# 'openssl ca' configuration used below to sign int (with root) and end
# (with int).  The same x509_extensions apply to both, so end is marked
# CA:TRUE as well.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

# self-signed certificates: 'root' anchors the client chain, 'localhost'
# is the server certificate referenced from nginx.conf.  The commands are
# shell strings because of the output redirection; $d (the test directory)
# and $name are test-controlled values, not external input.
foreach my $name ('root', 'localhost') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# certificate requests for the two chain members signed below
foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# serial and index database expected by 'openssl ca' (see ca.conf)
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# root signs int ...
system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

# ... and int signs end, giving the chain root -> int -> end
system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# trust bundle for ssl_client_certificate: the root plus the intermediate
$t->write_file('root-int.crt', $t->read_file('root.crt')
	. $t->read_file('int.crt'));

# the resource requested by get()
$t->write_file('t', '');
$t->run();
###############################################################################

# Each get() returns the whole response, so the patterns below match the
# X-Verify header, i.e. $ssl_client_verify.  'FAI|SUC' marks cases whose
# outcome legitimately depends on the OpenSSL version, as explained below.

# with verify depth 0, only self-signed certificates should
# be allowed

# OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed;
# as a result, it is not possible to limit certificate checking
# to self-signed certificates only when using OpenSSL 1.1.0+

like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root');
like(get(8080, 'int'), qr/FAI|SUC/, 'verify depth 0 - no int');
like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end');

# with verify depth 1 (the default), one signature is
# expected to be checked, so certificates directly signed
# by the root cert are allowed, but nothing more

# OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed;
# so with depth 1 it is possible to validate not only directly signed
# certificates, but also chains with one intermediate certificate

like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root');
like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 - int');
like(get(8081, 'end'), qr/FAI|SUC/, 'verify depth 1 - no end');

# with verify depth 2 it is also possible to validate up to two signatures,
# so chains with one intermediate certificate are allowed

like(get(8082, 'root'), qr/SUCCESS/, 'verify depth 2 - root');
like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 2 - int');
like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 - end');

###############################################################################
# Issues a GET for "/t?$cert" over a TLS connection to the given test port,
# presenting "$cert.crt"/"$cert.key" from the test directory as the client
# certificate.  Returns the response as read by http_get(), or nothing
# when the connection could not be established.
sub get {
	my ($port, $cert) = @_;

	my $s = get_ssl_socket($port, $cert);
	return unless $s;

	return http_get("/t?$cert", socket => $s);
}
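# Opens a TLS client connection to 127.0.0.1:port($port), presenting
# "$d/$cert.crt" and "$d/$cert.key" as the client certificate.  Returns the
# IO::Socket::SSL object, or nothing (undef in scalar context) when the
# handshake fails or does not complete within 8 seconds; the failure is
# logged via log_in().
#
# The server certificate is deliberately not verified (SSL_VERIFY_NONE):
# the server uses a throwaway self-signed localhost.crt, and what is under
# test is the server's verification of the client chain, not the client's
# verification of the server.
sub get_ssl_socket {
	my ($port, $cert) = @_;
	my $s;

	eval {
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		$s = IO::Socket::SSL->new(
			Proto => 'tcp',
			PeerAddr => '127.0.0.1',
			PeerPort => port($port),
			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
			SSL_cert_file => "$d/$cert.crt",
			SSL_key_file => "$d/$cert.key",
			# rethrow SSL-layer errors so they end up in $@ below
			SSL_error_trap => sub { die $_[1] }
		);
		alarm(0);
	};
	# a die() inside the block skips the inner alarm(0); clear any pending
	# alarm here so it cannot fire later in the test
	alarm(0);

	if ($@) {
		log_in("died: $@");
		# bare return: undef in scalar context, empty list in list context
		# ("return undef" would hand a one-element list to a list-context
		# caller)
		return;
	}

	return $s;
}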
###############################################################################