#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for http ssl module, ssl_verify_depth.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# Unbuffered output on both streams so TAP lines and diagnostics
# interleave in the order they were produced.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# The test needs an SSL-enabled nginx, an IO::Socket::SSL that can
# present a client certificate, and the openssl binary to build the
# certificate chain used below.
my $t = Test::Nginx->new();
$t->has(qw/http http_ssl socket_ssl/);
$t->has_daemon('openssl');

# The expectations below are written for OpenSSL's depth semantics
# (both the pre-1.1.0 and the 1.1.0+ interpretation); the test is not
# expected to hold with LibreSSL and is skipped there.
if ($t->has_module('LibreSSL')) {
	plan(skip_all => 'LibreSSL');
}

# Three virtual servers that differ only in ssl_verify_depth.  All of
# them require a client certificate and trust root-int.crt, which is
# assembled below from the self-signed root and the intermediate it
# signs; the intermediate has to be in the trust file because the
# client in get() sends only its own certificate and no chain.  The
# verification outcome is echoed back in X-Verify via
# $ssl_client_verify, with "always" so the header is also present on
# the error response nginx sends when verification fails.  Note that
# ssl_verify_depth 0 is not a way to restrict clients to self-signed
# certificates on OpenSSL 1.1.0+ (see the comments before the checks).
# Nine checks: three certificates against each of the three servers.
$t->plan(9);
$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate localhost.crt;
    ssl_certificate_key localhost.key;

    ssl_verify_client on;
    ssl_client_certificate root-int.crt;

    add_header X-Client $ssl_client_s_dn always;
    add_header X-Verify $ssl_client_verify always;

    server {
        listen       127.0.0.1:8080 ssl;
        server_name  localhost;
        ssl_verify_depth 0;
    }

    server {
        listen       127.0.0.1:8081 ssl;
        server_name  localhost;
        ssl_verify_depth 1;
    }

    server {
        listen       127.0.0.1:8082 ssl;
        server_name  localhost;
        ssl_verify_depth 2;
    }
}

EOF

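my $d = $t->testdir();

# Run an openssl command line, appending its output to openssl.out, and
# die with a meaningful reason on failure.  system() only sets $! when
# the command could not be started at all (return value -1); for a
# non-zero exit status $! is stale, so the status from $? is reported
# instead.  The command goes through the shell because of the
# redirection; every interpolated value ($d from Test::Nginx, the fixed
# names below) is under the test's control, so this helper must not be
# fed external input.
sub run_openssl {
	my ($cmd, $action) = @_;

	return if system("$cmd >>$d/openssl.out 2>&1") == 0;

	my $reason = $? == -1 ? $!
		: ($? & 127) ? 'killed by signal ' . ($? & 127)
		: 'exit status ' . ($? >> 8);

	die "Can't $action: $reason\n";
}

# Minimal "openssl req" configuration shared by all key and certificate
# requests: 2048-bit keys (needed for OpenSSL security level 2),
# unencrypted private keys, and no interactive DN prompts (the subject
# is always passed with -subj).
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# "openssl ca" configuration used to sign int with root and end with
# int.  default_days = 1 keeps the throwaway certificates short-lived.
# myca_extensions marks every issued certificate CA:TRUE: int needs it
# to be able to sign end, and the same profile is reused for the leaf
# because the checks below do not depend on a leaf-specific profile.
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed certificates: root is the anchor of the client chain,
# localhost is the server certificate.
foreach my $name ('root', 'localhost') {
	run_openssl('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key",
		"create certificate for $name");
}

# Keys and signing requests for the intermediate and the leaf; they are
# signed below.
foreach my $name ('int', 'end') {
	run_openssl("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key",
		"create certificate for $name");
}

# "openssl ca" needs a serial file and an (empty) index database.
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# root signs int ...
run_openssl("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt",
	'sign certificate for int');

# ... and int signs end, giving the chain end -> int -> root.
run_openssl("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt",
	'sign certificate for end');

# Trust file for ssl_client_certificate.  The client in get() presents
# only its own certificate, so the server can build end's chain only if
# int is available locally.  nginx loads this file as trusted CAs, so
# int is trusted as an issuer here rather than merely supplied as
# chain material.
$t->write_file('root-int.crt', $t->read_file('root.crt')
	. $t->read_file('int.crt'));

# Target resource for the requests; the verification result travels in
# the response headers, not the body.
$t->write_file('t', '');
$t->run();

###############################################################################
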
# verify depth 0: only self-signed certificates are expected to pass.
#
# OpenSSL 1.1.0+ instead interprets the depth as the number of
# intermediate certificates allowed, so there it is not possible to
# restrict verification to self-signed certificates only; the int case
# is therefore accepted whichever way it goes, and only end (which needs
# an intermediate under either counting) must fail.
#
# verify depth 1 (the default): one signature is checked, so
# certificates signed directly by the root are accepted and nothing
# more.  With OpenSSL 1.1.0+ depth 1 additionally allows one
# intermediate, so the end case is again accepted either way.
#
# verify depth 2: up to two signatures, i.e. chains with one
# intermediate certificate, are accepted under both interpretations.
#
# The FAI|SUC patterns deliberately accept both outcomes; they only
# establish that the handshake completed and a verification result was
# reported, not where the depth boundary lies for the OpenSSL in use.

my @cases = (
	[ 8080, 'root', qr/SUCCESS/, 'verify depth 0 - root' ],
	[ 8080, 'int',  qr/FAI|SUC/, 'verify depth 0 - no int' ],
	[ 8080, 'end',  qr/FAILED/,  'verify depth 0 - no end' ],

	[ 8081, 'root', qr/SUCCESS/, 'verify depth 1 - root' ],
	[ 8081, 'int',  qr/SUCCESS/, 'verify depth 1 - int' ],
	[ 8081, 'end',  qr/FAI|SUC/, 'verify depth 1 - no end' ],

	[ 8082, 'root', qr/SUCCESS/, 'verify depth 2 - root' ],
	[ 8082, 'int',  qr/SUCCESS/, 'verify depth 2 - int' ],
	[ 8082, 'end',  qr/SUCCESS/, 'verify depth 2 - end' ],
);

for my $case (@cases) {
	my ($port, $cert, $expected, $name) = @$case;
	like(get($port, $cert), $expected, $name);
}

###############################################################################

# Issue a GET for /t over TLS to the given nominal port, authenticating
# with the client certificate and key named $cert (root, int or end)
# from the test directory.  The certificate file holds a single
# certificate, so only the leaf is presented and no chain is attached.
# The query string presumably just makes the requests easy to tell
# apart in the logs.  Returns the raw HTTP response; its X-Verify header
# carries $ssl_client_verify.
sub get {
	my ($port, $cert) = @_;

	my %tls = (
		SSL => 1,
		SSL_cert_file => "$d/$cert.crt",
		SSL_key_file => "$d/$cert.key",
	);

	# port() maps the nominal port to the one Test::Nginx allocated.
	my $peer = '127.0.0.1:' . port($port);

	return http_get("/t?$cert", PeerAddr => $peer, %tls);
}

###############################################################################