annotate h3_ssl_early_data.t @ 1965:84f4d4930835
Tests: relaxed mail_imap_ssl.t cipher matching.
Previously, exact match between cipher name in the log and the one from
IO::Socket::SSL was needed, which might not be the case if nginx and
Net::SSLeay are compiled with different SSL libraries, notably LibreSSL
(which uses names like AEAD-AES256-GCM-SHA384 till 3.5.0), and
OpenSSL or BoringSSL (which use TLS_AES_256_GCM_SHA384). In particular,
this affects macOS, where Net::SSLeay compiled with LibreSSL 3.3.6 is
shipped with the OS, while nginx is likely to be compiled with OpenSSL.
Fix is to not require exact match but instead accept properly looking names
as checked by a regular expression, similarly to how it is already tested
in ssl.t and stream_ssl_variables.t.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 06 May 2024 00:01:40 +0300 |
parents | 22f45bf99a9e |
children |
rev | line source |
---|---|
1917
24fea64f233f
Tests: TLS early data tests with HTTP/3.
Sergey Kandaurov <pluknet@nginx.com>
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for TLS early data with HTTP/3.
#
# The script reads the $ssl_session_reused and $ssl_early_data values that
# nginx echoes in response headers, first on a new connection, then on a
# resumed connection that sends early data, then on a later request of that
# resumed connection.

###############################################################################

use warnings;
use strict;

use Test::More;

# Run from the directory holding this script so that the relative 'lib'
# path below resolves.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP3;

###############################################################################

# Enable autoflush on STDERR, then on STDOUT; STDOUT is the handle left
# selected afterwards.
for my $stream (\*STDERR, \*STDOUT) {
    select $stream;
    $| = 1;
}
# Build the test object in one call chain: declare the prerequisites, plan
# the five is() checks made further down, and write nginx.conf.  Each call is
# made on the value returned by the previous one, and $t is what the last
# call returns.
#
# NOTE(review): has() / has_daemon() presumably skip the test when a listed
# feature or the openssl binary is missing, and write_file_expand()
# presumably substitutes the %%...%% placeholders - confirm in Test::Nginx.
#
# Security-relevant directives in the configuration:
#   ssl_early_data on
#       Accept TLS 1.3 early data (0-RTT).  Early data can be replayed, so a
#       real deployment has to let the application know which requests
#       arrived early; $ssl_early_data is the variable nginx provides for
#       that (RFC 8470 defines the Early-Data request header and the
#       425 Too Early status for this purpose).
#   add_header X-Session / X-Early
#       Echo $ssl_session_reused and $ssl_early_data to the client so the
#       checks below can read them from the response headers.
my $t = Test::Nginx->new()
    ->has(qw(http http_v3 cryptx))
    ->has_daemon('openssl')
    ->plan(5)
    ->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;
    ssl_early_data on;

    add_header X-Session $ssl_session_reused always;
    add_header X-Early $ssl_early_data always;

    server {
        listen 127.0.0.1:%%PORT_8980_UDP%% quic;
        server_name localhost;
    }
}

EOF
# Minimal configuration for "openssl req".  encrypt_key = no makes openssl
# write the private key without passphrase protection; the nginx.conf used by
# this test names no password file, so the key has to be loadable as is.
# The key is generated per run and is only meant for this test.
$t->write_file('openssl.conf', <<'EOF');
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
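my $d = $t->testdir();

# Create a self-signed certificate and key for each server name used in
# nginx.conf (only 'localhost' here).
#
# The command is handed to system() as a single string, so it is run by the
# shell; that is what makes the ">>... 2>&1" redirection work, and it also
# means $d and $name are interpolated into the command line unquoted.
# NOTE(review): $name is a literal and $d comes from the test harness -
# presumably a harness-created temporary directory; confirm it cannot contain
# whitespace or shell metacharacters.
foreach my $name ('localhost') {
    my $status = system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1");
    next if $status == 0;

    # $! is meaningful only when the command could not be started at all
    # (system() returned -1).  In every other case the reason is encoded in
    # the wait status, so report that instead of a stale errno string.
    my $reason = $status == -1 ? $!
        : ($status & 127)      ? 'killed by signal ' . ($status & 127)
        :                        'exit status ' . ($status >> 8);
    die "Can't create certificate for $name: $reason\n";
}

# Launch the server under test with the files written above
# (run() presumably starts nginx - see Test::Nginx).
$t->run();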
###############################################################################

# First connection: no psk_list is passed to the client, so nothing can be
# resumed and X-Session is expected to be '.'.
my $s = Test::Nginx::HTTP3->new(8980);
my $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);

# Take the first HEADERS frame of the response and check the echoed value.
my ($frame) = grep { $_->{type} eq 'HEADERS' } @{$frames};
is($frame->{headers}{'x-session'}, '.', 'new session');
# When nginx is built with LibreSSL, every check from here to the end of the
# file is marked TODO with this reason.
local $TODO = 'no TLSv1.3 sessions in LibreSSL' if $t->has_module('LibreSSL');

# Reuse the psk_list stored on the first client object for a second
# connection that is also created with early_data.
# NOTE(review): early_data => {} presumably makes the client send its request
# as 0-RTT on stream 0 - confirm in Test::Nginx::HTTP3.
my $psk_list = $s->{psk_list};

$s = Test::Nginx::HTTP3->new(8980, psk_list => $psk_list, early_data => {});

TODO: {
    # The 0-RTT checks are expected to pass only with the three library
    # builds tested here; with anything else they are marked TODO.
    my $has_0rtt = $t->has_module('OpenSSL [.0-9]+\+quic')
        || $t->has_module('BoringSSL')
        || $t->has_module('LibreSSL');
    local $TODO = 'no 0-RTT in OpenSSL compat layer' unless $has_0rtt;

    # Read the response on stream 0: the session must be reported as reused
    # and the request must be flagged as early data.
    $frames = $s->read(all => [{ sid => 0, fin => 1 }]);
    ($frame) = grep { $_->{type} eq 'HEADERS' } @{$frames};
    is($frame->{headers}{'x-session'}, 'r', 'reused session 0rtt');
    is($frame->{headers}{'x-early'}, '1', 'reused session is early');

}
# A further request on a new stream of the same resumed connection.  The
# session is still expected to be reported as reused, but X-Early must be
# absent (undef): only the request that was flagged as early carries the
# marker, which is the distinction an application relies on when it treats
# replayable requests differently.
$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
($frame) = grep { $_->{type} eq 'HEADERS' } @{$frames};
is($frame->{headers}{'x-session'}, 'r', 'reused session 1rtt');
is($frame->{headers}{'x-early'}, undef, 'reused session not early');

###############################################################################