Mercurial > hg > nginx-tests
comparison ssl_reject_handshake.t @ 1601:376cbc2c2b20
Tests: ssl_reject_handshake tests.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 22 Oct 2020 18:55:53 +0100 |
parents | |
children | d35db22947ab |
comparison
equal
deleted
inserted
replaced
1600:b61e820caa83 | 1601:376cbc2c2b20 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for http ssl module, ssl_reject_handshake. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 | |
20 ############################################################################### | |
21 | |
22 select STDERR; $| = 1; | |
23 select STDOUT; $| = 1; | |
24 | |
25 eval { require IO::Socket::SSL; }; | |
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@; | |
27 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; | |
28 plan(skip_all => 'IO::Socket::SSL too old') if $@; | |
29 | |
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); | |
31 | |
32 $t->write_file_expand('nginx.conf', <<'EOF'); | |
33 | |
34 %%TEST_GLOBALS%% | |
35 | |
36 daemon off; | |
37 | |
38 events { | |
39 } | |
40 | |
41 http { | |
42 %%TEST_GLOBALS_HTTP%% | |
43 | |
44 add_header X-Name $ssl_server_name; | |
45 | |
46 server { | |
47 listen 127.0.0.1:8080 ssl; | |
48 server_name localhost; | |
49 | |
50 ssl_reject_handshake on; | |
51 } | |
52 | |
53 server { | |
54 listen 127.0.0.1:8081; | |
55 server_name ssl; | |
56 | |
57 ssl on; | |
58 ssl_reject_handshake on; | |
59 } | |
60 | |
61 server { | |
62 listen 127.0.0.1:8080 ssl; | |
63 listen 127.0.0.1:8081 ssl; | |
64 server_name virtual; | |
65 | |
66 ssl_certificate localhost.crt; | |
67 ssl_certificate_key localhost.key; | |
68 } | |
69 | |
70 server { | |
71 listen 127.0.0.1:8082 ssl; | |
72 server_name localhost; | |
73 | |
74 ssl_certificate localhost.crt; | |
75 ssl_certificate_key localhost.key; | |
76 } | |
77 | |
78 server { | |
79 listen 127.0.0.1:8082 ssl; | |
80 server_name virtual1; | |
81 } | |
82 | |
83 server { | |
84 listen 127.0.0.1:8082 ssl; | |
85 server_name virtual2; | |
86 | |
87 ssl_reject_handshake on; | |
88 } | |
89 } | |
90 | |
91 EOF | |
92 | |
93 $t->write_file('openssl.conf', <<EOF); | |
94 [ req ] | |
95 default_bits = 2048 | |
96 encrypt_key = no | |
97 distinguished_name = req_distinguished_name | |
98 [ req_distinguished_name ] | |
99 EOF | |
100 | |
101 my $d = $t->testdir(); | |
102 | |
103 foreach my $name ('localhost') { | |
104 system('openssl req -x509 -new ' | |
105 . "-config $d/openssl.conf -subj /CN=$name/ " | |
106 . "-out $d/$name.crt -keyout $d/$name.key " | |
107 . ">>$d/openssl.out 2>&1") == 0 | |
108 or die "Can't create certificate for $name: $!\n"; | |
109 } | |
110 | |
111 $t->write_file('index.html', ''); | |
112 $t->try_run('no ssl_reject_handshake')->plan(9); | |
113 | |
114 ############################################################################### | |
115 | |
116 # default virtual server rejected | |
117 | |
118 like(get('default', 8080), qr/unrecognized name/, 'default rejected'); | |
119 like(get(undef, 8080), qr/unrecognized name/, 'absent sni rejected'); | |
120 like(get('virtual', 8080), qr/virtual/, 'virtual accepted'); | |
121 | |
122 # default virtual server rejected - ssl on | |
123 | |
124 like(get('default', 8081), qr/unrecognized name/, 'default rejected - ssl on'); | |
125 like(get('virtual', 8081), qr/virtual/, 'virtual accepted - ssl on'); | |
126 | |
127 # non-default server "virtual2" rejected | |
128 | |
129 like(get('default', 8082), qr/default/, 'default accepted'); | |
130 like(get(undef, 8082), qr/200 OK(?!.*X-Name)/is, 'absent sni accepted'); | |
131 like(get('virtual1', 8082), qr/virtual1/, 'virtual 1 accepted'); | |
132 like(get('virtual2', 8082), qr/unrecognized name/, 'virtual 2 rejected'); | |
133 | |
134 ############################################################################### | |
135 | |
136 sub get { | |
137 my ($host, $port) = @_; | |
138 my $s = get_ssl_socket($host, $port) or return $@; | |
139 $host = 'localhost' if !defined $host; | |
140 my $r = http(<<EOF, socket => $s); | |
141 GET / HTTP/1.0 | |
142 Host: $host | |
143 | |
144 EOF | |
145 | |
146 $s->close(); | |
147 return $r; | |
148 } | |
149 | |
150 sub get_ssl_socket { | |
151 my ($host, $port) = @_; | |
152 my $s; | |
153 | |
154 eval { | |
155 local $SIG{ALRM} = sub { die "timeout\n" }; | |
156 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
157 alarm(8); | |
158 $s = IO::Socket::SSL->new( | |
159 Proto => 'tcp', | |
160 PeerAddr => '127.0.0.1', | |
161 PeerPort => port($port), | |
162 SSL_hostname => $host, | |
163 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
164 SSL_error_trap => sub { die $_[1] }, | |
165 ); | |
166 alarm(0); | |
167 }; | |
168 alarm(0); | |
169 | |
170 if ($@) { | |
171 log_in("died: $@"); | |
172 return undef; | |
173 } | |
174 | |
175 return $s; | |
176 } | |
177 | |
178 ############################################################################### |