comparison uwsgi_ssl_verify.t @ 1688:31ea330ac360
Tests: more uwsgi tests with SSL.
This covers tests for client certificate (including encrypted) to SSL backend
and backend certificate verification.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 24 May 2021 18:28:17 +0300 |
parents | |
children | 1b9f21836f57 |
1687:41b213d611f5 | 1688:31ea330ac360 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Maxim Dounin | |
4 # (C) Sergey Kandaurov | |
5 # (C) Nginx, Inc. | |
6 | |
7 # Tests for uwsgi backend with SSL, backend certificate verification. | |
8 | |
9 ############################################################################### | |
10 | |
11 use warnings; | |
12 use strict; | |
13 | |
14 use Test::More; | |
15 | |
16 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
17 | |
18 use lib 'lib'; | |
19 use Test::Nginx; | |
20 | |
21 ############################################################################### | |
22 | |
23 select STDERR; $| = 1; | |
24 select STDOUT; $| = 1; | |
25 | |
26 my $t = Test::Nginx->new()->has(qw/http http_ssl uwsgi/) | |
27 ->has_daemon('uwsgi')->has_daemon('openssl')->plan(6) | |
28 ->write_file_expand('nginx.conf', <<'EOF'); | |
29 | |
30 %%TEST_GLOBALS%% | |
31 | |
32 daemon off; | |
33 | |
34 events { | |
35 } | |
36 | |
37 http { | |
38 %%TEST_GLOBALS_HTTP%% | |
39 | |
40 server { | |
41 listen 127.0.0.1:8080; | |
42 server_name localhost; | |
43 | |
44 location /verify { | |
45 uwsgi_pass suwsgi://127.0.0.1:8081; | |
46 uwsgi_ssl_name example.com; | |
47 uwsgi_ssl_verify on; | |
48 uwsgi_ssl_trusted_certificate 1.example.com.crt; | |
49 } | |
50 | |
51 location /wildcard { | |
52 uwsgi_pass suwsgi://127.0.0.1:8081; | |
53 uwsgi_ssl_name foo.example.com; | |
54 uwsgi_ssl_verify on; | |
55 uwsgi_ssl_trusted_certificate 1.example.com.crt; | |
56 } | |
57 | |
58 location /fail { | |
59 uwsgi_pass suwsgi://127.0.0.1:8081; | |
60 uwsgi_ssl_name no.match.example.com; | |
61 uwsgi_ssl_verify on; | |
62 uwsgi_ssl_trusted_certificate 1.example.com.crt; | |
63 } | |
64 | |
65 location /cn { | |
66 uwsgi_pass suwsgi://127.0.0.1:8082; | |
67 uwsgi_ssl_name 2.example.com; | |
68 uwsgi_ssl_verify on; | |
69 uwsgi_ssl_trusted_certificate 2.example.com.crt; | |
70 } | |
71 | |
72 location /cn/fail { | |
73 uwsgi_pass suwsgi://127.0.0.1:8082; | |
74 uwsgi_ssl_name bad.example.com; | |
75 uwsgi_ssl_verify on; | |
76 uwsgi_ssl_trusted_certificate 2.example.com.crt; | |
77 } | |
78 | |
79 location /untrusted { | |
80 uwsgi_pass suwsgi://127.0.0.1:8082; | |
81 uwsgi_ssl_verify on; | |
82 uwsgi_ssl_trusted_certificate 1.example.com.crt; | |
83 uwsgi_ssl_session_reuse off; | |
84 } | |
85 } | |
86 } | |
87 | |
88 EOF | |
89 | |
90 $t->write_file('openssl.1.example.com.conf', <<EOF); | |
91 [ req ] | |
92 prompt = no | |
93 default_bits = 2048 | |
94 encrypt_key = no | |
95 distinguished_name = req_distinguished_name | |
96 x509_extensions = v3_req | |
97 | |
98 [ req_distinguished_name ] | |
99 commonName=no.match.example.com | |
100 | |
101 [ v3_req ] | |
102 subjectAltName = DNS:example.com,DNS:*.example.com | |
103 EOF | |
104 | |
105 $t->write_file('openssl.2.example.com.conf', <<EOF); | |
106 [ req ] | |
107 prompt = no | |
108 default_bits = 2048 | |
109 encrypt_key = no | |
110 distinguished_name = req_distinguished_name | |
111 | |
112 [ req_distinguished_name ] | |
113 commonName=2.example.com | |
114 EOF | |
115 | |
116 my $d = $t->testdir(); | |
117 my $crt1 = "$d/1.example.com.crt"; | |
118 my $crt2 = "$d/2.example.com.crt"; | |
119 my $key1 = "$d/1.example.com.key"; | |
120 my $key2 = "$d/2.example.com.key"; | |
121 | |
122 foreach my $name ('1.example.com', '2.example.com') { | |
123 system('openssl req -x509 -new ' | |
124 . "-config $d/openssl.$name.conf " | |
125 . "-out $d/$name.crt -keyout $d/$name.key " | |
126 . ">>$d/openssl.out 2>&1") == 0 | |
127 or die "Can't create certificate for $name: $!\n"; | |
128 } | |
129 | |
130 $t->write_file('uwsgi_test_app.py', <<END); | |
131 | |
132 def application(env, start_response): | |
133 start_response('200 OK', [('Content-Type','text/plain')]) | |
134 return b"SEE-THIS" | |
135 | |
136 END | |
137 | |
138 my $uwsgihelp = `uwsgi -h`; | |
139 my @uwsgiopts = (); | |
140 | |
141 if ($uwsgihelp !~ /--wsgi-file/) { | |
142 # uwsgi has no python support, maybe plugin load is necessary | |
143 push @uwsgiopts, '--plugin', 'python'; | |
144 push @uwsgiopts, '--plugin', 'python3'; | |
145 } | |
146 | |
147 open OLDERR, ">&", \*STDERR; close STDERR; | |
148 $t->run_daemon('uwsgi', @uwsgiopts, | |
149 '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt1,$key1", | |
150 '--wsgi-file', $d . '/uwsgi_test_app.py', | |
151 '--logto', $d . '/uwsgi_log'); | |
152 $t->run_daemon('uwsgi', @uwsgiopts, | |
153 '--ssl-socket', '127.0.0.1:' . port(8082) . ",$crt2,$key2", | |
154 '--wsgi-file', $d . '/uwsgi_test_app.py', | |
155 '--logto', $d . '/uwsgi_log'); | |
156 open STDERR, ">&", \*OLDERR; | |
157 | |
158 $t->run(); | |
159 | |
160 $t->waitforsocket('127.0.0.1:' . port(8081)) | |
161 or die "Can't start uwsgi"; | |
162 $t->waitforsocket('127.0.0.1:' . port(8082)) | |
163 or die "Can't start uwsgi"; | |
164 | |
165 ############################################################################### | |
166 | |
167 # subjectAltName | |
168 | |
169 like(http_get('/verify'), qr/200 OK/ms, 'verify'); | |
170 like(http_get('/wildcard'), qr/200 OK/ms, 'verify wildcard'); | |
171 like(http_get('/fail'), qr/502 Bad/ms, 'verify fail'); | |
172 | |
173 # commonName | |
174 | |
175 like(http_get('/cn'), qr/200 OK/ms, 'verify cn'); | |
176 like(http_get('/cn/fail'), qr/502 Bad/ms, 'verify cn fail'); | |
177 | |
178 # untrusted | |
179 | |
180 like(http_get('/untrusted'), qr/502 Bad/ms, 'untrusted'); | |
181 | |
182 ############################################################################### |
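Review bot: The negative cases on lines 171, 176 and 180 assert only `502 Bad`, which any upstream failure (backend not listening, handshake error unrelated to the certificate) also produces, so they do not establish that certificate verification is what rejected the connection; consider additionally matching the verification error nginx writes to the error log, roughly `like($t->read_file('error.log'), qr/upstream SSL certificate (?:verify error|does not match)/, 'verify fail - log');`, after the requests. The `/fail` case depends on cert 1 carrying `commonName=no.match.example.com` while its subjectAltName does not match, which is the point being tested (CN is not consulted once a SAN is present) but is nowhere stated; a comment above the `openssl.1.example.com.conf` heredoc such as `# CN deliberately equals the /fail ssl_name: with a SAN present, CN must be ignored` would keep a future edit from "fixing" it. Likewise `uwsgi_ssl_session_reuse off` in `/untrusted` deserves a why-comment; presumably it prevents resuming the 8082 session established by `/cn`, which would bypass the verification failure being tested, though that is inferred rather than visible here. As a point of style, the bareword `open OLDERR` / `open STDERR` pair on lines 147 and 156 is unchecked and uses package filehandles, though it matches the pattern used elsewhere in this test suite.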