comparison ssl.t @ 664:97660514e518

Tests: more http ssl tests. Added ssl_session_cache, certificate inheritance, session timeout and some embedded variables tests.
author Andrey Zelenkov <zelenkov@nginx.com>
date Tue, 25 Aug 2015 18:36:04 +0300
parents 071e8941e3bf
children e9064d691790
663:4765f3981d91 664:97660514e518
1 #!/usr/bin/perl 1 #!/usr/bin/perl
2 2
3 # (C) Sergey Kandaurov 3 # (C) Sergey Kandaurov
4 # (C) Andrey Zelenkov
4 # (C) Nginx, Inc. 5 # (C) Nginx, Inc.
5 6
6 # Tests for http ssl module. 7 # Tests for http ssl module.
7 8
8 ############################################################################### 9 ###############################################################################
28 plan(skip_all => 'IO::Socket::SSL too old') if $@; 29 plan(skip_all => 'IO::Socket::SSL too old') if $@;
29 30
30 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) 31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/)
31 ->has_daemon('openssl'); 32 ->has_daemon('openssl');
32 33
33 $t->plan(4)->write_file_expand('nginx.conf', <<'EOF'); 34 $t->plan(18)->write_file_expand('nginx.conf', <<'EOF');
34 35
35 %%TEST_GLOBALS%% 36 %%TEST_GLOBALS%%
36 37
37 daemon off; 38 daemon off;
38 39
40 } 41 }
41 42
42 http { 43 http {
43 %%TEST_GLOBALS_HTTP%% 44 %%TEST_GLOBALS_HTTP%%
44 45
46 ssl_certificate_key localhost.key;
47 ssl_certificate localhost.crt;
48 ssl_session_tickets off;
49
45 server { 50 server {
46 listen 127.0.0.1:8443 ssl; 51 listen 127.0.0.1:8443 ssl;
47 listen 127.0.0.1:8080; 52 listen 127.0.0.1:8080;
48 server_name localhost; 53 server_name localhost;
49 54
50 ssl_certificate_key localhost.key; 55 ssl_certificate_key inner.key;
51 ssl_certificate localhost.crt; 56 ssl_certificate inner.crt;
52 ssl_session_cache shared:SSL:1m; 57 ssl_session_cache shared:SSL:1m;
53 ssl_session_tickets off;
54 58
55 location /reuse { 59 location /reuse {
56 return 200 "body $ssl_session_reused"; 60 return 200 "body $ssl_session_reused";
57 } 61 }
58 location /id { 62 location /id {
59 return 200 "body $ssl_session_id"; 63 return 200 "body $ssl_session_id";
64 }
65 location /cipher {
66 return 200 "body $ssl_cipher";
67 }
68 location /client_verify {
69 return 200 "body $ssl_client_verify";
70 }
71 location /protocol {
72 return 200 "body $ssl_protocol";
73 }
74 }
75
76 server {
77 listen 127.0.0.1:8081;
78 server_name localhost;
79
80 # Special case for enabled "ssl" directive.
81
82 ssl on;
83 ssl_session_cache builtin;
84 ssl_session_timeout 1;
85
86 location / {
87 return 200 "body $ssl_session_reused";
88 }
89 }
90
91 server {
92 listen 127.0.0.1:8082 ssl;
93 server_name localhost;
94
95 ssl_session_cache builtin:1000;
96
97 location / {
98 return 200 "body $ssl_session_reused";
99 }
100 }
101
102 server {
103 listen 127.0.0.1:8083 ssl;
104 server_name localhost;
105
106 ssl_session_cache none;
107
108 location / {
109 return 200 "body $ssl_session_reused";
110 }
111 }
112
113 server {
114 listen 127.0.0.1:8084 ssl;
115 server_name localhost;
116
117 ssl_session_cache off;
118
119 location / {
120 return 200 "body $ssl_session_reused";
60 } 121 }
61 } 122 }
62 } 123 }
63 124
64 EOF 125 EOF
71 [ req_distinguished_name ] 132 [ req_distinguished_name ]
72 EOF 133 EOF
73 134
74 my $d = $t->testdir(); 135 my $d = $t->testdir();
75 136
76 foreach my $name ('localhost') { 137 foreach my $name ('localhost', 'inner') {
77 system('openssl req -x509 -new ' 138 system('openssl req -x509 -new '
78 . "-config '$d/openssl.conf' -subj '/CN=$name/' " 139 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
79 . "-out '$d/$name.crt' -keyout '$d/$name.key' " 140 . "-out '$d/$name.crt' -keyout '$d/$name.key' "
80 . ">>$d/openssl.out 2>&1") == 0 141 . ">>$d/openssl.out 2>&1") == 0
81 or die "Can't create certificate for $name: $!\n"; 142 or die "Can't create certificate for $name: $!\n";
88 $t->run(); 149 $t->run();
89 150
90 ############################################################################### 151 ###############################################################################
91 152
92 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body \.$/m, 153 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body \.$/m,
93 'initial session'); 154 'shared initial session');
94 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body r$/m, 155 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body r$/m,
95 'session reused'); 156 'shared session reused');
157
158 like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m,
159 'builtin initial session');
160 like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body r$/m,
161 'builtin session reused');
162
163 like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body \.$/m,
164 'builtin size initial session');
165 like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body r$/m,
166 'builtin size session reused');
167
168 like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m,
169 'reused none initial session');
170 like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m,
171 'session not reused 1');
172
173 like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m,
174 'reused off initial session');
175 like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m,
176 'session not reused 2');
177
178 # ssl certificate inheritance
179
180 my $s = get_ssl_socket($ctx, 8081);
181 like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN');
182
183 $s->close();
184
185 $s = get_ssl_socket($ctx);
186 like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner');
187
188 $s->close();
189
190 # session timeout
191
192 select undef, undef, undef, 2.1;
193
194 like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m,
195 'session timeout');
196
197 # embedded variables
96 198
97 my ($sid) = http_get('/id', socket => get_ssl_socket($ctx)) =~ /^body (\w+)$/m; 199 my ($sid) = http_get('/id', socket => get_ssl_socket($ctx)) =~ /^body (\w+)$/m;
98 is(length $sid, 64, 'session id'); 200 is(length $sid, 64, 'session id');
99 201
100 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); 202 unlike(http_get('/id'), qr/body \w/, 'session id no ssl');
101 203
204 like(http_get('/cipher', socket => get_ssl_socket($ctx)),
205 qr/^body [\w-]+$/m, 'cipher');
206
207 like(http_get('/client_verify', socket => get_ssl_socket($ctx)),
208 qr/^body NONE$/m, 'client verify');
209
210 like(http_get('/protocol', socket => get_ssl_socket($ctx)),
211 qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol');
212
102 ############################################################################### 213 ###############################################################################
103 214
104 sub get_ssl_socket { 215 sub get_ssl_socket {
105 my ($ctx) = @_; 216 my ($ctx, $port) = @_;
106 my $s; 217 my $s;
107 218
108 eval { 219 eval {
109 local $SIG{ALRM} = sub { die "timeout\n" }; 220 local $SIG{ALRM} = sub { die "timeout\n" };
110 local $SIG{PIPE} = sub { die "sigpipe\n" }; 221 local $SIG{PIPE} = sub { die "sigpipe\n" };
111 alarm(2); 222 alarm(2);
112 $s = IO::Socket::SSL->new( 223 $s = IO::Socket::SSL->new(
113 Proto => 'tcp', 224 Proto => 'tcp',
114 PeerAddr => '127.0.0.1:8443', 225 PeerAddr => '127.0.0.1',
226 PeerPort => $port || '8443',
115 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), 227 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
116 SSL_reuse_ctx => $ctx, 228 SSL_reuse_ctx => $ctx,
117 SSL_error_trap => sub { die $_[1] } 229 SSL_error_trap => sub { die $_[1] }
118 ); 230 );
119 alarm(0); 231 alarm(0);