annotate ssl_curve.t @ 1842:af47a0b348a5

Tests: LibreSSL certificate negotiation with TLSv1.3. LibreSSL fails to negotiate certificates based on signature algorithms when using TLSv1.3, and fails with "missing rsa certificate" and "unknown pkey type" errors.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 23 Mar 2023 19:50:17 +0300
parents 34fc85598287
children cdcd75657e52
1 #!/usr/bin/perl
3 # (C) Sergey Kandaurov
4 # (C) Nginx, Inc.
6 # Tests for http ssl module, $ssl_curve variable.
8 ###############################################################################
10 use warnings;
11 use strict;
13 use Test::More;
15 BEGIN { use FindBin; chdir($FindBin::Bin); }
17 use lib 'lib';
18 use Test::Nginx;
20 ###############################################################################
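# Unbuffer both standard streams; STDOUT is left as the selected handle.
select STDERR; $| = 1;
select STDOUT; $| = 1;

# The TLS test client is IO::Socket::SSL. Skip the whole file when the module
# is missing, or when it is too old to provide SSL_VERIFY_NONE.
eval { require IO::Socket::SSL; };
plan(skip_all => 'IO::Socket::SSL not installed') if $@;
eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
plan(skip_all => 'IO::Socket::SSL too old') if $@;

# Requires the http, http_ssl and rewrite features and an `openssl` binary.
my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/)
    ->has_daemon('openssl');

# Take the capture from the match itself instead of reading $1 afterwards:
# after a failed match $1 is not reset, so an unchecked match followed by a
# $1 test can silently act on a stale capture. A build whose configure
# arguments do not name "OpenSSL <major>" with major >= 3 is skipped.
my ($openssl_major) = $t->{_configure_args} =~ /OpenSSL (\d+)/;
plan(skip_all => 'OpenSSL too old')
    unless defined $openssl_major and $openssl_major >= 3;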
# Configuration for the nginx instance under test. One TLS server listens on
# loopback and answers every request with "$ssl_curve $ssl_curves" in the
# response body. ssl_ecdh_curve pins the server to prime256v1, which is the
# value the assertion on $ssl_curve expects. The heredoc is single-quoted so
# that the nginx variables are written out literally.
$t->write_file_expand('nginx.conf', <<'NGINX_CONF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
%%TEST_GLOBALS_HTTP%%

ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;

ssl_ecdh_curve prime256v1;

server {
listen 127.0.0.1:8443 ssl;
server_name localhost;

return 200 "$ssl_curve $ssl_curves";
}
}

NGINX_CONF
# Minimal configuration for `openssl req`. default_bits asks for a 2048-bit
# key. encrypt_key = no leaves the private key unencrypted on disk, so it can
# be loaded without a passphrase; the key is generated for this test only and
# is written into the test directory.
$t->write_file('openssl.conf', <<"OPENSSL_CONF");
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
OPENSSL_CONF
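my $d = $t->testdir();

# Create a self-signed certificate and key pair for each server name.
#
# The single-string form of system() runs the command through the shell,
# which is needed here for the output redirection. $d and $name are
# interpolated into that command line unquoted. That is acceptable only
# because $name comes from the literal list below and $d from the test
# harness (presumably a harness-created directory -- confirm); neither value
# may ever come from outside the test.
foreach my $name ('localhost') {
    my $status = system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1");

    next if $status == 0;

    # system() sets $! only when the command could not be started at all
    # (return value -1). A non-zero exit of openssl is reported through the
    # wait status instead, so print whichever one applies rather than a
    # stale errno string.
    my $reason = $status == -1 ? "$!" : "wait status $status";
    die "Can't create certificate for $name: $reason\n";
}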
# Start nginx and plan a single test. 'no $ssl_curve' is the message passed
# to try_run() for the case where nginx does not start with this config.
$t->try_run('no $ssl_curve')->plan(1);

###############################################################################

# The response body begins with $ssl_curve, so a line starting with
# "prime256v1 " shows that the negotiated curve is the one configured by
# ssl_ecdh_curve.
my $response = get('/curve');
like($response, qr/^prime256v1 /m, 'ssl curve');
87 ###############################################################################
# Fetch $uri over a fresh TLS connection and return the raw response.
# Returns nothing (bare return) when the TLS socket cannot be opened.
# $port is handed on to get_ssl_socket(); $ctx is accepted but not used here.
sub get {
    my ($uri, $port, $ctx) = @_;

    my $sock = get_ssl_socket($port);
    return unless $sock;

    my $response = http_get($uri, socket => $sock);
    $sock->close();

    return $response;
}
# Open a TLS connection to the test server on 127.0.0.1, guarded by an
# 8-second alarm. Returns the IO::Socket::SSL object, or undef after logging
# the error when the attempt dies (timeout, SIGPIPE or a trapped SSL error).
#
# NOTE(review): $port and $ctx are accepted but unused; the connection always
# goes to port(8443).
sub get_ssl_socket {
    my ($port, $ctx) = @_;
    my $sock;

    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        local $SIG{PIPE} = sub { die "sigpipe\n" };
        alarm(8);

        # Certificate verification is switched off on purpose: the server
        # presents the self-signed certificate generated earlier in this
        # file, and the peer is the loopback address. With SSL_VERIFY_NONE
        # the client accepts any certificate, so this connection provides
        # no peer authentication.
        my @opts = (
            Proto => 'tcp',
            PeerAddr => '127.0.0.1',
            PeerPort => port(8443),
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
            # Re-raise trapped SSL errors so that the eval sees them.
            SSL_error_trap => sub { die $_[1] },
        );
        $sock = IO::Socket::SSL->new(@opts);

        alarm(0);
    };
    # Cancel the timer again in case the eval was left through die before
    # reaching its own alarm(0).
    alarm(0);

    return $sock unless $@;

    log_in("died: $@");
    return undef;
}
124 ###############################################################################