Mercurial > hg > nginx-tests
annotate stream_ssl_conf_command.t @ 1965:84f4d4930835
Tests: relaxed mail_imap_ssl.t cipher matching.
Previously, exact match between cipher name in the log and the one from
IO::Socket:SSL was needed, which might not be the case if nginx and
Net::SSLeay are compiled with different SSL libraries, notably LibreSSL
(which uses names like AEAD-AES256-GCM-SHA384 till 3.5.0), and
OpenSSL or BoringSSL (which use TLS_AES_256_GCM_SHA384). In particular,
this affects macOS, where Net::SSLeay compiled with LibreSSL 3.3.6 is
shipped with the OS, while nginx is likely to be compiled with OpenSSL.
Fix is to not require exact match but instead accept properly looking names
as checked by a regular expression, similarly to how it is already tested
in ssl.t and stream_ssl_variables.t.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 06 May 2024 00:01:40 +0300 |
parents | 3cae7b54841e |
children |
rev | line source |
---|---|
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for stream ssl module, ssl_conf_command. |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
19 use Test::Nginx::Stream qw/ stream /; |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 ############################################################################### |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDERR; $| = 1; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDOUT; $| = 1; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 |
1860
58951cf933e1
Tests: added has_feature() test for SSL libraries.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1696
diff
changeset
|
26 my $t = Test::Nginx->new() |
58951cf933e1
Tests: added has_feature() test for SSL libraries.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1696
diff
changeset
|
27 ->has(qw/stream stream_ssl stream_return openssl:1.0.2/) |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
28 ->has(qw/socket_ssl_reused/) |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 ->has_daemon('openssl'); |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 |
1696
4baeba0e0da2
Tests: skip ssl_conf_command tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1693
diff
changeset
|
31 plan(skip_all => 'no ssl_conf_command') if $t->has_module('BoringSSL'); |
1692
f6795e2e6a4b
Tests: skip ssl_conf_command tests on too old OpenSSL explicitly.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1609
diff
changeset
|
32 |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 $t->write_file_expand('nginx.conf', <<'EOF'); |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 %%TEST_GLOBALS%% |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 daemon off; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 events { |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 } |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 stream { |
1609
f3ba4c74de31
Tests: added TEST_GLOBALS_STREAM variable support.
Andrei Belov <defan@nginx.com>
parents:
1603
diff
changeset
|
43 %%TEST_GLOBALS_STREAM%% |
f3ba4c74de31
Tests: added TEST_GLOBALS_STREAM variable support.
Andrei Belov <defan@nginx.com>
parents:
1603
diff
changeset
|
44 |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 server { |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 listen 127.0.0.1:8443 ssl; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 return OK; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 ssl_protocols TLSv1.2; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 ssl_session_tickets off; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 ssl_conf_command Options SessionTicket; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 ssl_prefer_server_ciphers on; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 ssl_conf_command Options -ServerPreference; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 ssl_certificate localhost.crt; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 ssl_certificate_key localhost.key; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 ssl_conf_command Certificate override.crt; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 ssl_conf_command PrivateKey override.key; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 } |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 } |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 EOF |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 $t->write_file('openssl.conf', <<EOF); |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 [ req ] |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 default_bits = 2048 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 encrypt_key = no |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 distinguished_name = req_distinguished_name |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 [ req_distinguished_name ] |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 EOF |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 my $d = $t->testdir(); |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 foreach my $name ('localhost', 'override') { |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 system('openssl req -x509 -new ' |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 . "-config $d/openssl.conf -subj /CN=$name/ " |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 . "-out $d/$name.crt -keyout $d/$name.key " |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 . ">>$d/openssl.out 2>&1") == 0 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 or die "Can't create certificate for $name: $!\n"; |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 } |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 |
1693
5ac6efbe5552
Tests: removed TODO and try_run() checks for legacy versions.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1692
diff
changeset
|
85 $t->run()->plan(3); |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 ############################################################################### |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
89 my $s; |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
91 $s = stream( |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
92 PeerAddr => '127.0.0.1:' . port(8443), |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
93 SSL => 1, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
94 SSL_session_cache_size => 100 |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
95 ); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
96 $s->read(); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
97 |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
98 like($s->socket()->dump_peer_certificate(), qr/CN=override/, 'Certificate'); |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
100 $s = stream( |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
101 PeerAddr => '127.0.0.1:' . port(8443), |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
102 SSL => 1, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
103 SSL_reuse_ctx => $s->socket() |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
104 ); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
105 ok($s->socket()->get_session_reused(), 'SessionTicket'); |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 |
1964
3cae7b54841e
Tests: fixed hangs with Net::SSLeay with LibreSSL on macOS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1863
diff
changeset
|
107 $s->socket()->close(SSL_no_shutdown => 1); |
3cae7b54841e
Tests: fixed hangs with Net::SSLeay with LibreSSL on macOS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1863
diff
changeset
|
108 |
1863
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
109 $s = stream( |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
110 PeerAddr => '127.0.0.1:' . port(8443), |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
111 SSL => 1, |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
112 SSL_cipher_list => |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
113 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384' |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
114 ); |
dbb7561a9441
Tests: reworked stream SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1860
diff
changeset
|
115 is($s->socket()->get_cipher(), |
1603
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 'ECDHE-RSA-AES128-GCM-SHA256', 'ServerPreference'); |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 |
8d2d37a4b48e
Tests: ssl_conf_command tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 ############################################################################### |