Tests: guarded session ticket tests for old OpenSSL versions.
Much like SNI support, TLS session tickets are available starting with
OpenSSL 0.9.8f if TLS extensions support is explicitly configured, and
enabled by default since 0.9.8j. As such, SNI availability is checked
to ensure TLS extensions support is compiled in.
Additionally, ssl_session_ticket_key.t tests automatic ticket key rotation,
which relies on the session ticket key callback introduced in
OpenSSL 0.9.8h.
#!/usr/bin/perl

# (C) Maxim Dounin
# (C) Valentin Bartenev

# Tests for Server Name Indication (SNI) TLS extension: certificate selection
# by server name, the interaction between the Host header and the SNI name,
# and the $ssl_server_name variable on fresh and resumed sessions.

###############################################################################

use warnings;
use strict;

use Test::More;

# Run from the script's own directory so that "lib" and the test files
# generated below resolve relative to it.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;

###############################################################################

# Autoflush both output streams.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# Requirements: "sni" ensures nginx was built with TLS extensions support,
# "socket_ssl_sni" that the client-side IO::Socket::SSL can send a server
# name, and "rewrite" provides the "return" directives used below.
# Eight checks: two certificate selections, two Host/SNI combinations, two
# (TODO) mismatch rejections, and two $ssl_server_name values (fresh and
# resumed session).
#
# Both servers share 127.0.0.1:8443.  The "ssl" parameter is given once, on
# the first listen, and applies to the listening socket, so example.com is
# reached over TLS as well and is selected by its SNI name (the 'sni cert'
# check below depends on this).
my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite socket_ssl_sni/)
	->has_daemon('openssl')->plan(8)
	->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;

        ssl_certificate_key localhost.key;
        ssl_certificate localhost.crt;

        location / {
            return 200 $server_name:$ssl_server_name;
        }

        location /protocol {
            return 200 $ssl_protocol;
        }

        location /name {
            return 200 $ssl_session_reused:$ssl_server_name;
        }
    }

    server {
        listen       127.0.0.1:8443;
        server_name  example.com;

        ssl_certificate_key example.com.key;
        ssl_certificate example.com.crt;

        location / {
            return 200 $server_name:$ssl_server_name;
        }
    }
}

EOF

# Throwaway self-signed certificates, one per server name, with unencrypted
# private keys written into the test directory.  2048-bit keys keep them
# acceptable under OpenSSL security level 2.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# The command goes through the shell because of the output redirection; $d
# and $name are test-controlled values, not external input.
# NOTE(review): on a non-zero exit status system() does not set $!; the
# status is in $?, which would make the failure message more useful.
foreach my $name ('localhost', 'example.com') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->run();
93 | |
94 ############################################################################### | |
95 | |
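# Certificate selection: without SNI the default (first) server's certificate
# is presented; with SNI "example.com" the matching server's certificate is.
like(get_cert_cn(), qr!/CN=localhost!, 'default cert');
like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert');

# Host header vs. SNI.  The request is routed by the Host header ($server_name
# is the selected server), while $ssl_server_name reports whatever the client
# sent in the ClientHello, even a name no server block matches.
like(get_host('example.com'), qr!example.com:example.com!,
	'host exists, sni exists, and host is equal sni');

like(get_host('example.com', 'example.org'), qr!example.com:example.org!,
	'host exists, sni not found');

# NOTE(review): these expect a 400 when the Host header and the SNI name
# select different servers.  The TODO records that nginx does not reject such
# requests in this configuration (no client certificate verification is
# configured here; confirm against the nginx source before relying on it).
TODO: {
local $TODO = 'sni restrictions';

like(get_host('example.com', 'localhost'), qr!400 Bad Request!,
	'host exists, sni exists, and host is not equal sni');

like(get_host('example.org', 'example.com'), qr!400 Bad Request!,
	'host not found, sni exists');

}

# $ssl_server_name in sessions

# A client context with a session cache, shared by the two get() calls below
# so that the second one can resume the session established by the first.
# Verification is deliberately off: the certificates are self-signed, and
# their identity is already checked by get_cert_cn() above.  'SSLv23' is
# IO::Socket::SSL's name for the version-flexible method (highest mutually
# supported protocol), not a request for SSLv2/SSLv3 -- see the module's
# documentation for the versions it disables by default.
# Direct method call instead of the indirect-object form "new Class(...)",
# which Perl may misparse when a sub named "new" is visible.
my $ctx = IO::Socket::SSL::SSL_Context->new(
	SSL_version => 'SSLv23',
	SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
	SSL_session_cache_size => 100);

# Fresh session: $ssl_session_reused is "." and the SNI name is reported.
like(get('/name', 'localhost', $ctx), qr/^\.:localhost$/m, 'ssl server name');

# Resumed session: $ssl_session_reused is "r" and the SNI name must still be
# reported, i.e. nginx has the server name on a resumed connection too.
# TLSv1.3 session resumption needs client-side support that the listed
# Net::SSLeay / IO::Socket::SSL versions lack, and is not available with
# LibreSSL, so those combinations are marked TODO.  When several conditions
# hold the last matching assignment wins; when none holds $TODO keeps its
# outer (undefined) value and a failure is a real failure.  Each test_tls13()
# call performs a full handshake.
TODO: {
local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
	if $Net::SSLeay::VERSION < 1.88 && test_tls13();
local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL'
	if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
local $TODO = 'no TLSv1.3 sessions in LibreSSL'
	if $t->has_module('LibreSSL') && test_tls13();
local $TODO = 'no TLSv1.3 sessions in Net::SSLeay (LibreSSL)'
	if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();

like(get('/name', 'localhost', $ctx), qr/^r:localhost$/m,
	'ssl server name - reused');

}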
139 |
237 | 140 ############################################################################### |
141 | |
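# True if a fresh handshake with the server negotiates TLSv1.3, judged from
# the $ssl_protocol value returned by /protocol.  Each call opens a new
# connection with the default client context, so it does not touch $ctx's
# session cache.  The dot in the version is escaped so that only "TLSv1.3"
# matches; the result is returned explicitly.
sub test_tls13 {
	return get('/protocol', 'localhost') =~ /TLSv1\.3/;
}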
145 |
# Open a TLS connection that sends $host as the SNI server name and return
# the peer certificate as dumped by IO::Socket::SSL.  Nothing is sent on the
# connection (empty request, start => 1).  With $host undefined no server
# name is presumably sent, and the default server's certificate is expected.
sub get_cert_cn {
	my $sni = shift;

	my $sock = http('', start => 1, SSL => 1, SSL_hostname => $sni);

	return $sock->dump_peer_certificate();
}
151 | |
# Send "GET /" with the given Host header over TLS and return the raw
# response.  The SNI server name is $sni when given, otherwise the Host
# value, so callers can make the two agree or disagree on purpose.
sub get_host {
	my ($host, $sni) = @_;

	$sni = $host unless $sni;

	my $request = "GET / HTTP/1.0\nHost: $host\n\n";

	return http($request, SSL => 1, SSL_hostname => $sni);
}
160 | |
# Fetch $uri over TLS with SNI $host and return the raw response.  $ctx, when
# given, is an IO::Socket::SSL::SSL_Context reused across calls, so a session
# cached by an earlier call can be resumed by a later one; without it each
# call uses a fresh default context.
sub get {
	my ($uri, $host, $ctx) = @_;

	my %ssl_opts = (
		SSL => 1,
		SSL_hostname => $host,
		SSL_reuse_ctx => $ctx,
	);

	return http_get($uri, %ssl_opts);
}
170 |
237 | 171 ############################################################################### |