Mercurial > hg > nginx-tests
annotate ssl_stapling.t @ 1962:f1ba89f735ba
Tests: fixed auth_basic.t on OpenBSD.
OpenBSD does not provide any crypt() schemes except bcrypt-based "$2"
anymore. As such, relevant tests are now skipped not for win32 only,
but based on crypt() results.
Note that just testing crypt('password', 'salt') is not enough, since
Perl on win32 provides its own crypt() implementation, which is able
to handle traditional DES crypt(), but rejects "$1$".
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 05 May 2024 23:56:07 +0300 |
| parents | 0b5ec15c62ed |
| children | 0a93f101925a |
| rev | line source |
|---|---|
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for OCSP stapling. |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 use MIME::Base64 qw/ decode_base64 /; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
27 my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/) |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
28 ->has_daemon('openssl'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
30 eval { defined &Net::SSLeay::set_tlsext_status_type or die; }; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
31 plan(skip_all => 'Net::SSLeay too old') if $@; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
32 eval { defined &IO::Socket::SSL::SSL_OCSP_TRY_STAPLE or die; }; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
33 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
|
1400
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
34 |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
35 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); |
|
94bcad5611af
Tests: skip OCSP stapling and multiple cert tests with BoringSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1397
diff
changeset
|
36 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
37 $t->plan(10)->write_file_expand('nginx.conf', <<'EOF'); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 %%TEST_GLOBALS%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 daemon off; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 events { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 http { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 %%TEST_GLOBALS_HTTP%% |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 ssl_stapling on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 ssl_trusted_certificate trusted.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 |
|
1476
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
58 ssl_ciphers DEFAULT:ECCdraft; |
|
e8ba4ae5e3ac
Tests: fixed ssl_stapling.t for nginx built with OpenSSL 0.9.8y+.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1421
diff
changeset
|
59 |
|
1867
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
60 add_header X-SSL-Protocol $ssl_protocol always; |
|
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
61 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 listen 127.0.0.1:8443 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 listen 127.0.0.1:8080; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 listen 127.0.0.1:8444 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 ssl_stapling_responder http://127.0.0.1:8081/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
76 listen 127.0.0.1:8445 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 ssl_stapling_verify on; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 listen 127.0.0.1:8446 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 ssl_certificate ec-end.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 listen 127.0.0.1:8447 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 ssl_certificate end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 ssl_certificate_key end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 ssl_stapling_file %%TESTDIR%%/resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
100 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 listen 127.0.0.1:8448 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 ssl_certificate ec-end-int.crt; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 ssl_certificate_key ec-end.key; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 ssl_stapling_file %%TESTDIR%%/ec-resp.der; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
108 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
110 server { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 listen 127.0.0.1:8449 ssl; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 server_name localhost; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 ssl_stapling_responder http://127.0.0.1:8080/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
117 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 my $d = $t->testdir(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 my $p = port(8081); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 $t->write_file('openssl.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
125 default_bits = 2048 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 encrypt_key = no |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
127 distinguished_name = req_distinguished_name |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
128 x509_extensions = myca_extensions |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 [ req_distinguished_name ] |
|
1945
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
130 [ myca_extensions ] |
|
0b5ec15c62ed
Tests: compatibility with "openssl" app from OpenSSL 3.2.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1871
diff
changeset
|
131 basicConstraints = critical,CA:TRUE |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 $t->write_file('ca.conf', <<EOF); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 [ ca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 default_ca = myca |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 [ myca ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 new_certs_dir = $d |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 database = $d/certindex |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1476
diff
changeset
|
141 default_md = sha256 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 policy = myca_policy |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 serial = $d/certserial |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 default_days = 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 x509_extensions = myca_extensions |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 [ myca_policy ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
148 commonName = supplied |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 [ myca_extensions ] |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 basicConstraints = critical,CA:TRUE |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
154 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 foreach my $name ('root') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 system('openssl req -x509 -new ' |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
158 . "-out $d/$name.crt -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
159 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
160 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
161 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
162 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
163 foreach my $name ('int', 'end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
164 system("openssl req -new " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
165 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
166 . "-out $d/$name.csr -keyout $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
168 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
169 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
170 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 foreach my $name ('ec-end') { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
174 or die "Can't create EC param: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
175 system("openssl req -new -key $d/$name.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
176 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
177 . "-out $d/$name.csr " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
179 or die "Can't create certificate for $name: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 $t->write_file('certserial', '1000'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 $t->write_file('certindex', ''); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
184 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
185 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
186 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
187 . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
188 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
189 or die "Can't sign certificate for int: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
190 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
191 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
192 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
193 . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
195 or die "Can't sign certificate for ec-end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 system("openssl ca -batch -config $d/ca.conf " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 . "-keyfile $d/int.key -cert $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
199 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
200 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
201 or die "Can't sign certificate for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
202 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
203 # RFC 6960, serialNumber |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
204 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
205 system("openssl x509 -in $d/end.crt -serial -noout " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
206 . ">>$d/serial 2>>$d/openssl.out") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
207 or die "Can't obtain serial for end: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
208 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
209 my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 system("openssl ca -config $d/ca.conf -revoke $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 . "-keyfile $d/root.key -cert $d/root.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
213 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
214 or die "Can't revoke end.crt: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
215 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
216 system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
217 . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
218 or die "Can't create OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
219 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
220 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
221 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
222 . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
223 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
224 or die "Can't create OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
226 system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 or die "Can't create EC OCSP request: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
229 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 system("openssl ocsp -index $d/certindex -CA $d/int.crt " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 . "-rsigner $d/root.crt -rkey $d/root.key " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
232 . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 . ">>$d/openssl.out 2>&1") == 0 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 or die "Can't create EC OCSP response: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
235 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
236 $t->write_file('trusted.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 $t->read_file('int.crt') . $t->read_file('root.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
238 $t->write_file('end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
239 $t->read_file('end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
240 $t->write_file('ec-end-int.crt', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
241 $t->read_file('ec-end.crt') . $t->read_file('int.crt')); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
242 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
243 $t->run_daemon(\&http_daemon, $t); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
244 $t->run(); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
245 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
246 $t->waitforsocket("127.0.0.1:" . port(8081)); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
247 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
248 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
249 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
250 staple(8443, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
251 staple(8443, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
252 staple(8444, 'RSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
253 staple(8444, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
254 staple(8445, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
255 staple(8446, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
256 staple(8449, 'ECDSA'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
257 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
258 sleep 1; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
259 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
260 ok(!staple(8443, 'RSA'), 'staple revoked'); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
261 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
262 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
263 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
264 if $t->has_module('LibreSSL') && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
265 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
266 ok(staple(8443, 'ECDSA'), 'staple success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
267 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
268 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
269 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
270 ok(!staple(8444, 'RSA'), 'responder revoked'); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
271 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
272 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
273 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
274 if $t->has_module('LibreSSL') && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
275 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
276 ok(staple(8444, 'ECDSA'), 'responder success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
277 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
278 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
279 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
280 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
281 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
282 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
283 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
284 is(staple(8447, 'RSA'), '1 1', 'file revoked'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
285 is(staple(8448, 'ECDSA'), '1 0', 'file success'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
286 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
287 ok(!staple(8449, 'ECDSA'), 'ocsp error'); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
288 |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
289 TODO: { |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
290 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
291 if $t->has_module('LibreSSL') && test_tls13(); |
|
1842
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
292 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
293 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
294 |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
295 } |
|
af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1636
diff
changeset
|
296 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
297 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
298 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
299 sub staple { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
300 my ($port, $ciphers, $ca) = @_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
301 my (@resp); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
302 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
303 my $staple_cb = sub { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
304 my ($s, $resp) = @_; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
305 push @resp, !!$resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
306 return 1 unless $resp; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
307 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
308 # Contrary to the documentation, IO::Socket::SSL calls the |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
309 # SSL_ocsp_staple_callback with the socket, and not the |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
310 # Net::SSLeay object. |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
311 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
312 my $ssl = $s->_get_ssl_object(); |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
313 |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
314 my $cert = Net::SSLeay::get_peer_certificate($ssl); |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
315 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) } |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
316 or do { die "no OCSP_CERTID for certificate: $@"; }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
317 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
318 my @res = Net::SSLeay::OCSP_response_results($resp, $certid); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
319 push @resp, $res[0][2]->{'statusType'}; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
320 }; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
321 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
322 my $ctx_cb = sub { |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
323 my $ctx = shift; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
324 return unless defined $ciphers; |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
325 my $ssleay = Net::SSLeay::SSLeay(); |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
326 return if ($ssleay < 0x1000200f || $ssleay == 0x20000000); |
|
1871
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
327 my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256'); |
|
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
328 @sigalgs = ($ciphers . '+SHA256') unless $ciphers eq 'RSA'; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
329 # SSL_CTRL_SET_SIGALGS_LIST |
|
1871
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
330 Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0]) |
|
1ba5108b6c24
Tests: handled unsupported PSS in sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1867
diff
changeset
|
331 or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1]) |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
332 or die("Failed to set sigalgs"); |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
333 }; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
334 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
335 my $s = http_get( |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
336 '/', start => 1, PeerAddr => '127.0.0.1:' . port($port), |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
337 SSL => 1, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
338 SSL_cipher_list => $ciphers, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
339 SSL_create_ctx_callback => $ctx_cb, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
340 SSL_ocsp_staple_callback => $staple_cb, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
341 SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(), |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
342 SSL_ca_file => $ca |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
343 ); |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
344 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
345 return $s unless $s; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
346 return join ' ', @resp; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
347 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
348 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1842
diff
changeset
|
349 sub test_tls13 { |
|
1867
231b14e2041a
Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1865
diff
changeset
|
350 return http_get('/', SSL => 1) =~ /TLSv1.3/; |
|
1389
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
351 } |
|
73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1330
diff
changeset
|
352 |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
353 ############################################################################### |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
354 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
355 sub http_daemon { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
356 my ($t) = shift; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
357 my $server = IO::Socket::INET->new( |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
358 Proto => 'tcp', |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
359 LocalHost => "127.0.0.1:" . port(8081), |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
360 Listen => 5, |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
361 Reuse => 1 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
362 ) |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
363 or die "Can't create listening socket: $!\n"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
364 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
365 local $SIG{PIPE} = 'IGNORE'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
366 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
367 while (my $client = $server->accept()) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
368 $client->autoflush(1); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
369 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
370 my $headers = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
371 my $uri = ''; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
372 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
373 while (<$client>) { |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
374 $headers .= $_; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
375 last if (/^\x0d?\x0a?$/); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
376 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
377 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
378 $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
379 next unless $uri; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
380 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
381 $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
382 my $req = decode_base64($uri); |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
383 my $resp = index($req, $serial) > 0 ? 'resp' : 'ec-resp'; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
384 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
385 # ocsp dummy handler |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
386 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
387 select undef, undef, undef, 0.02; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
388 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
389 $headers = <<"EOF"; |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
390 HTTP/1.1 200 OK |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
391 Connection: close |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
392 Content-Type: application/ocsp-response |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
393 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
394 EOF |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
395 |
|
1636
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
396 local $/; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
397 open my $fh, '<', "$d/$resp.der" |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
398 or die "Can't open $resp.der: $!"; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
399 binmode $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
400 my $content = <$fh>; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
401 close $fh; |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
402 |
|
2d371452658c
Tests: fixed serving binary OCSP responses on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
403 print $client $headers . $content; |
|
1330
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
404 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
405 } |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
406 |
|
b82ed2061f65
Tests: OCSP stapling tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
407 ############################################################################### |