Mercurial > hg > nginx-tests
annotate ssl_verify_depth.t @ 1983:c7315caf2110
Tests: optimized processing of large QUIC packets with padding.
Path MTU discovery packets might contain a lot of padding, and creating
a copy of the whole buffer for each PADDING frame, which is just one
byte with type 0, consumes lots of resources. This was seen to result
in flapping of at least h3_keepalive.t and h3_ssl_early_data.t tests.
Fix is to copy at most 8 bytes for parse_int() calls when parsing
frame types.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 03 Jun 2024 04:17:28 +0300 |
| parents | 0b5ec15c62ed |
| children |
| rev | line source |
|---|---|
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_depth. |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 select STDERR; $| = 1; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDOUT; $| = 1; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 |
|
1858
cdcd75657e52
Tests: added has_feature() tests for IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1750
diff
changeset
|
25 my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/) |
|
cdcd75657e52
Tests: added has_feature() tests for IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1750
diff
changeset
|
26 ->has_daemon('openssl'); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 |
|
1750
b28f88e352dd
Tests: skip ssl_verify_depth.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1610
diff
changeset
|
28 plan(skip_all => 'LibreSSL') if $t->has_module('LibreSSL'); |
|
b28f88e352dd
Tests: skip ssl_verify_depth.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1610
diff
changeset
|
29 |
|
b28f88e352dd
Tests: skip ssl_verify_depth.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1610
diff
changeset
|
30 $t->plan(9)->write_file_expand('nginx.conf', <<'EOF'); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 %%TEST_GLOBALS%% |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 daemon off; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 events { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 http { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 %%TEST_GLOBALS_HTTP%% |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 ssl_certificate localhost.crt; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
43 ssl_certificate_key localhost.key; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
|
1117
3e2af4dedd9c
Tests: ssl_verify_depth.t cleanup.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1115
diff
changeset
|
45 ssl_verify_client on; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
46 ssl_client_certificate root-int.crt; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
48 add_header X-Client $ssl_client_s_dn always; |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
49 add_header X-Verify $ssl_client_verify always; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 server { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 listen 127.0.0.1:8080 ssl; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 server_name localhost; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
54 ssl_verify_depth 0; |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
55 } |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
56 |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
57 server { |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
58 listen 127.0.0.1:8081 ssl; |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
59 server_name localhost; |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
60 ssl_verify_depth 1; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
61 } |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
62 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
63 server { |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
64 listen 127.0.0.1:8082 ssl; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
65 server_name localhost; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
66 ssl_verify_depth 2; |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 EOF |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 my $d = $t->testdir(); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 $t->write_file('openssl.conf', <<EOF); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
76 default_bits = 2048 |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 encrypt_key = no |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 distinguished_name = req_distinguished_name |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1866
diff
changeset
|
79 x509_extensions = myca_extensions |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 [ req_distinguished_name ] |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1866
diff
changeset
|
81 [ myca_extensions ] |
|
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1866
diff
changeset
|
82 basicConstraints = critical,CA:TRUE |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 EOF |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 $t->write_file('ca.conf', <<EOF); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 [ ca ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 default_ca = myca |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 [ myca ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 new_certs_dir = $d |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 database = $d/certindex |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
92 default_md = sha256 |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 policy = myca_policy |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 serial = $d/certserial |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 default_days = 1 |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
96 x509_extensions = myca_extensions |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 [ myca_policy ] |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 commonName = supplied |
|
1605
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
100 |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
101 [ myca_extensions ] |
|
aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
102 basicConstraints = critical,CA:TRUE |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 EOF |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 foreach my $name ('root', 'localhost') { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 system('openssl req -x509 -new ' |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
107 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
108 . "-out $d/$name.crt -keyout $d/$name.key " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 or die "Can't create certificate for $name: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
113 foreach my $name ('int', 'end') { |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 system("openssl req -new " |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
115 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
116 . "-out $d/$name.csr -keyout $d/$name.key " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 or die "Can't create certificate for $name: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 $t->write_file('certserial', '1000'); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 $t->write_file('certindex', ''); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
124 system("openssl ca -batch -config $d/ca.conf " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
125 . "-keyfile $d/root.key -cert $d/root.crt " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
126 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
128 or die "Can't sign certificate for int: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
130 system("openssl ca -batch -config $d/ca.conf " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
131 . "-keyfile $d/int.key -cert $d/int.crt " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1124
diff
changeset
|
132 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 . ">>$d/openssl.out 2>&1") == 0 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 or die "Can't sign certificate for end: $!\n"; |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
136 $t->write_file('root-int.crt', $t->read_file('root.crt') |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
137 . $t->read_file('int.crt')); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 $t->write_file('t', ''); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 $t->run(); |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 |
|
1610
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
144 # with verify depth 0, only self-signed certificates should |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
145 # be allowed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
146 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
147 # OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
148 # as a result, it is not possible to limit certificate checking |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
149 # to self-signed certificates only when using OpenSSL 1.1.0+ |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
150 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
151 like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
152 like(get(8080, 'int'), qr/FAI|SUC/, 'verify depth 0 - no int'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
153 like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
154 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
155 # with verify depth 1 (the default), one signature is |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
156 # expected to be checked, so certificates directly signed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
157 # by the root cert are allowed, but nothing more |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
158 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
159 # OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed; |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
160 # so with depth 1 it is possible to validate not only directly signed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
161 # certificates, but also chains with one intermediate certificate |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
162 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
163 like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
164 like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 - int'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
165 like(get(8081, 'end'), qr/FAI|SUC/, 'verify depth 1 - no end'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
166 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
167 # with verify depth 2 it is also possible to validate up to two signatures, |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
168 # so chains with one intermediate certificate are allowed |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
169 |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
170 like(get(8082, 'root'), qr/SUCCESS/, 'verify depth 2 - root'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
171 like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 2 - int'); |
|
bad6aa24ec10
Tests: reworked ssl_verify_depth tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1605
diff
changeset
|
172 like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 - end'); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 ############################################################################### |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 sub get { |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 my ($port, $cert) = @_; |
|
1866
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
178 http_get( |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
179 "/t?$cert", |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
180 PeerAddr => '127.0.0.1:' . port($port), |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
181 SSL => 1, |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
182 SSL_cert_file => "$d/$cert.crt", |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
183 SSL_key_file => "$d/$cert.key" |
|
a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1858
diff
changeset
|
184 ); |
|
1115
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 } |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 |
|
54e07593713a
Tests: ssl_verify_depth tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 ############################################################################### |