annotate stream_ssl_verify_client.t @ 1982:fb25cbe9d4ec
Tests: explicit Valgrind support.
Valgrind logging is done to a separate file, as it is not able to
follow stderr redirection within nginx or append to a file without
corrupting it. Further, Valgrind logging seems to interfere with
error suppression in tests, and catches various startup errors and
warnings, so the log is additionally filtered.
Since startup under Valgrind can be really slow, timeout in waitforfile()
was changed to 10 seconds.
Prodded by Robert Mueller.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 31 May 2024 06:23:00 +0300 |
parents | b72a8c4a1bef |
children |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Andrey Zelenkov
# (C) Nginx, Inc.

# Tests for stream ssl module, ssl_verify_client.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::Stream qw/ stream /;

###############################################################################

# Turn off output buffering on both standard handles.  STDOUT is handled
# last, so it is the selected handle afterwards.
for my $handle (\*STDERR, \*STDOUT) {
    select $handle;
    $| = 1;
}

# Build features and the external daemon this test asks the harness for.
# NOTE(review): the harness presumably skips the whole test when one of
# these is unavailable -- confirm in Test::Nginx.
my @required_features = qw/stream stream_ssl stream_return socket_ssl/;

my $t = Test::Nginx->new()
    ->has(@required_features)
    ->has_daemon('openssl');
# nginx configuration under test.  The heredoc is single-quoted, so the
# nginx variables ($status, $ssl_client_verify, ...) reach the file verbatim.
#
# Every server except the last one answers the client with
# "$ssl_client_verify:$ssl_client_cert", which lets the test read the
# verification verdict straight from the connection:
#
#   8080  no "ssl" on the listen directive, ssl_verify_client on
#   8081  ssl_verify_client on, client CA 2.example.com; the only server
#         that writes status.log
#   8082  ssl_verify_client optional, client CA 2.example.com plus
#         ssl_trusted_certificate 3.example.com
#   8083  ssl_verify_client optional_no_ca, client CA 2.example.com
#   8084  returns $ssl_protocol only
#
# The checks later in this file expect the 8083 server to answer with a
# FAILED verdict and still include the certificate, i.e. optional_no_ca
# accepts the connection and leaves the decision to whoever consumes
# $ssl_client_verify.
my $nginx_conf = <<'EOF';

%%TEST_GLOBALS%%

daemon off;

events {
}

stream {
    %%TEST_GLOBALS_STREAM%%

    log_format status $status;

    ssl_certificate_key 1.example.com.key;
    ssl_certificate 1.example.com.crt;

    server {
        listen 127.0.0.1:8080;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8081 ssl;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client on;
        ssl_client_certificate 2.example.com.crt;

        access_log %%TESTDIR%%/status.log status;
    }

    server {
        listen 127.0.0.1:8082 ssl;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client optional;
        ssl_client_certificate 2.example.com.crt;
        ssl_trusted_certificate 3.example.com.crt;
    }

    server {
        listen 127.0.0.1:8083 ssl;
        return $ssl_client_verify:$ssl_client_cert;

        ssl_verify_client optional_no_ca;
        ssl_client_certificate 2.example.com.crt;
    }

    server {
        listen 127.0.0.1:8084 ssl;
        return $ssl_protocol;
    }
}

EOF

$t->write_file_expand('nginx.conf', $nginx_conf);
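# Minimal "openssl req" configuration for the throwaway test certificates:
# 2048-bit keys, private keys written unencrypted (encrypt_key = no), and
# an empty distinguished-name section because the subject is given on the
# command line with -subj.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# Create one self-signed certificate/key pair per name in the test
# directory.  1.example.com is the server certificate and the "bad" client
# certificate; 2.example.com and 3.example.com are the CAs referenced by
# ssl_client_certificate and ssl_trusted_certificate in nginx.conf.
foreach my $name ('1.example.com', '2.example.com', '3.example.com') {
    # The command goes through the shell (the output redirection needs
    # it) and $d is interpolated unquoted, so the test directory path must
    # not contain whitespace or shell metacharacters.
    my $status = system('openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1");

    next if $status == 0;

    # $! is only meaningful when the command could not be started at all
    # (system() returned -1); for a command that ran and failed, the
    # useful information is the wait status in $?.
    my $reason
        = $status == -1 ? "cannot run openssl: $!"
        : $? & 127      ? 'openssl killed by signal ' . ($? & 127)
        :                 'openssl exited with status ' . ($? >> 8);

    die "Can't create certificate for $name: $reason\n";
}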
$t->run()->plan(10);

###############################################################################

# Port 8080 listens without "ssl", so both variables in the reply are
# expected to be empty and only the ':' separator comes back.
my $plain_reply = stream('127.0.0.1:' . port(8080))->read();
is($plain_reply, ':', 'plain connection');

# get() is context sensitive; is() and like() call it in scalar context, so
# each of these compares the data the server sent back.
#
# Expected: an empty reply when no certificate is presented to the "on"
# server and when the "optional" server is shown a certificate it cannot
# verify; "NONE:" when the "optional" server is shown no certificate.
is(get(8081), '', 'no cert');
is(get(8082, '1.example.com'), '', 'bad optional cert');
is(get(8082), 'NONE:', 'no optional cert');

# optional_no_ca: the same unverifiable certificate gets a reply carrying a
# FAILED verdict together with the certificate, so a consumer of this mode
# has to look at $ssl_client_verify itself.
like(get(8083, '1.example.com'), qr/FAILED.*BEGIN/, 'bad optional_no_ca cert');

# Certificates matching ssl_client_certificate (2.example.com) or
# ssl_trusted_certificate (3.example.com) are expected to verify.
my $verified = qr/SUCCESS.*BEGIN/;

for my $case (
    [ 8081, '2.example.com', 'good cert' ],
    [ 8082, '2.example.com', 'good cert optional' ],
    [ 8082, '3.example.com', 'good cert trusted' ],
) {
    my ($port, $cert, $label) = @$case;
    like(get($port, $cert), $verified, $label);
}

SKIP: {
    skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36;

    TODO: {
        local $TODO = 'broken TLSv1.3 CA list in LibreSSL'
            if $t->has_module('LibreSSL') && test_tls13();
        local $TODO = 'no TLSv1.3 CA list in Net::SSLeay (LibreSSL)'
            if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13();

        # In list context get() returns the CA names the server advertised.
        # Only the ssl_client_certificate subject is expected; the
        # ssl_trusted_certificate subject (3.example.com) must not be sent.
        my @advertised = get(8082, '3.example.com');
        is(join(' ', @advertised), '/CN=2.example.com', 'no trusted sent');

    }
}

$t->stop();

# Only the 8081 server writes status.log, and two connections were made to
# it above: one without a certificate (500 expected) and one with the
# 2.example.com certificate (200 expected).
my $status_log = $t->read_file('status.log');
is($status_log, "500\n200\n", 'log');

###############################################################################

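# Reports whether the test client negotiates TLSv1.3 with nginx.  The server
# on port 8084 replies with $ssl_protocol, and that reply is matched against
# the protocol name.  Returns the result of the match (true or false).
sub test_tls13 {
    # The dot is escaped so that only the literal string "TLSv1.3" matches;
    # unescaped it would match any character in that position.
    return get(8084) =~ /TLSv1\.3/;
}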
# Opens a TLS connection to the test server on 127.0.0.1 at the given test
# port, optionally presenting a client certificate.
#
#   $port  test port number, mapped through port()
#   $cert  optional base name of a certificate/key pair in the test
#          directory ("$d/$cert.crt" and "$d/$cert.key")
#
# The result depends on the calling context: in scalar or void context it
# is whatever $s->read() returns; in list context it is the list of
# subject names from the client CA list obtained from the connection.
sub get {
    my ($port, $cert) = @_;

    # Client certificate options are only passed when a name was given.
    my @client_cert;
    if ($cert) {
        @client_cert = (
            SSL_cert_file => "$d/$cert.crt",
            SSL_key_file => "$d/$cert.key",
        );
    }

    # NOTE(review): no server-certificate verification options (such as
    # SSL_verify_mode) are passed here, so whatever stream() defaults to
    # applies -- fine for a loopback test, confirm in Test::Nginx::Stream.
    my $s = stream(
        PeerAddr => '127.0.0.1:' . port($port),
        SSL => 1,
        @client_cert,
    );

    if (!wantarray()) {
        return $s->read();
    }

    # Note: this uses IO::Socket::SSL::_get_ssl_object() internal method.
    # While not exactly correct, it looks like there is no other way to
    # obtain CA list with IO::Socket::SSL, and this seems to be good
    # enough for tests.

    my $ssl = $s->socket()->_get_ssl_object();
    my $ca_list = Net::SSLeay::get_client_CA_list($ssl);
    my $last_index = Net::SSLeay::sk_X509_NAME_num($ca_list) - 1;

    # One printable subject line per entry of the CA list.
    return map {
        Net::SSLeay::X509_NAME_oneline(
            Net::SSLeay::sk_X509_NAME_value($ca_list, $_))
    } 0 .. $last_index;
}

###############################################################################