comparison ssl.t @ 664:97660514e518
Tests: more http ssl tests.
Added tests for ssl_session_cache, certificate inheritance, session timeout and
some embedded variables.
author | Andrey Zelenkov <zelenkov@nginx.com> |
---|---|
date | Tue, 25 Aug 2015 18:36:04 +0300 |
parents | 071e8941e3bf |
children | e9064d691790 |
663:4765f3981d91 | 664:97660514e518 |
---|---|
1 #!/usr/bin/perl | 1 #!/usr/bin/perl |
2 | 2 |
3 # (C) Sergey Kandaurov | 3 # (C) Sergey Kandaurov |
4 # (C) Andrey Zelenkov | |
4 # (C) Nginx, Inc. | 5 # (C) Nginx, Inc. |
5 | 6 |
6 # Tests for http ssl module. | 7 # Tests for http ssl module. |
7 | 8 |
8 ############################################################################### | 9 ############################################################################### |
28 plan(skip_all => 'IO::Socket::SSL too old') if $@; | 29 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
29 | 30 |
30 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) | 31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) |
31 ->has_daemon('openssl'); | 32 ->has_daemon('openssl'); |
32 | 33 |
33 $t->plan(4)->write_file_expand('nginx.conf', <<'EOF'); | 34 $t->plan(18)->write_file_expand('nginx.conf', <<'EOF'); |
34 | 35 |
35 %%TEST_GLOBALS%% | 36 %%TEST_GLOBALS%% |
36 | 37 |
37 daemon off; | 38 daemon off; |
38 | 39 |
40 } | 41 } |
41 | 42 |
42 http { | 43 http { |
43 %%TEST_GLOBALS_HTTP%% | 44 %%TEST_GLOBALS_HTTP%% |
44 | 45 |
46 ssl_certificate_key localhost.key; | |
47 ssl_certificate localhost.crt; | |
48 ssl_session_tickets off; | |
49 | |
45 server { | 50 server { |
46 listen 127.0.0.1:8443 ssl; | 51 listen 127.0.0.1:8443 ssl; |
47 listen 127.0.0.1:8080; | 52 listen 127.0.0.1:8080; |
48 server_name localhost; | 53 server_name localhost; |
49 | 54 |
50 ssl_certificate_key localhost.key; | 55 ssl_certificate_key inner.key; |
51 ssl_certificate localhost.crt; | 56 ssl_certificate inner.crt; |
52 ssl_session_cache shared:SSL:1m; | 57 ssl_session_cache shared:SSL:1m; |
53 ssl_session_tickets off; | |
54 | 58 |
55 location /reuse { | 59 location /reuse { |
56 return 200 "body $ssl_session_reused"; | 60 return 200 "body $ssl_session_reused"; |
57 } | 61 } |
58 location /id { | 62 location /id { |
59 return 200 "body $ssl_session_id"; | 63 return 200 "body $ssl_session_id"; |
64 } | |
65 location /cipher { | |
66 return 200 "body $ssl_cipher"; | |
67 } | |
68 location /client_verify { | |
69 return 200 "body $ssl_client_verify"; | |
70 } | |
71 location /protocol { | |
72 return 200 "body $ssl_protocol"; | |
73 } | |
74 } | |
75 | |
76 server { | |
77 listen 127.0.0.1:8081; | |
78 server_name localhost; | |
79 | |
80 # Special case for enabled "ssl" directive. | |
81 | |
82 ssl on; | |
83 ssl_session_cache builtin; | |
84 ssl_session_timeout 1; | |
85 | |
86 location / { | |
87 return 200 "body $ssl_session_reused"; | |
88 } | |
89 } | |
90 | |
91 server { | |
92 listen 127.0.0.1:8082 ssl; | |
93 server_name localhost; | |
94 | |
95 ssl_session_cache builtin:1000; | |
96 | |
97 location / { | |
98 return 200 "body $ssl_session_reused"; | |
99 } | |
100 } | |
101 | |
102 server { | |
103 listen 127.0.0.1:8083 ssl; | |
104 server_name localhost; | |
105 | |
106 ssl_session_cache none; | |
107 | |
108 location / { | |
109 return 200 "body $ssl_session_reused"; | |
110 } | |
111 } | |
112 | |
113 server { | |
114 listen 127.0.0.1:8084 ssl; | |
115 server_name localhost; | |
116 | |
117 ssl_session_cache off; | |
118 | |
119 location / { | |
120 return 200 "body $ssl_session_reused"; | |
60 } | 121 } |
61 } | 122 } |
62 } | 123 } |
63 | 124 |
64 EOF | 125 EOF |
71 [ req_distinguished_name ] | 132 [ req_distinguished_name ] |
72 EOF | 133 EOF |
73 | 134 |
74 my $d = $t->testdir(); | 135 my $d = $t->testdir(); |
75 | 136 |
76 foreach my $name ('localhost') { | 137 foreach my $name ('localhost', 'inner') { |
77 system('openssl req -x509 -new ' | 138 system('openssl req -x509 -new ' |
78 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | 139 . "-config '$d/openssl.conf' -subj '/CN=$name/' " |
79 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | 140 . "-out '$d/$name.crt' -keyout '$d/$name.key' " |
80 . ">>$d/openssl.out 2>&1") == 0 | 141 . ">>$d/openssl.out 2>&1") == 0 |
81 or die "Can't create certificate for $name: $!\n"; | 142 or die "Can't create certificate for $name: $!\n"; |
88 $t->run(); | 149 $t->run(); |
89 | 150 |
90 ############################################################################### | 151 ############################################################################### |
91 | 152 |
92 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body \.$/m, | 153 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body \.$/m, |
93 'initial session'); | 154 'shared initial session'); |
94 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body r$/m, | 155 like(http_get('/reuse', socket => get_ssl_socket($ctx)), qr/^body r$/m, |
95 'session reused'); | 156 'shared session reused'); |
157 | |
158 like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m, | |
159 'builtin initial session'); | |
160 like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body r$/m, | |
161 'builtin session reused'); | |
162 | |
163 like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body \.$/m, | |
164 'builtin size initial session'); | |
165 like(http_get('/', socket => get_ssl_socket($ctx, 8082)), qr/^body r$/m, | |
166 'builtin size session reused'); | |
167 | |
168 like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m, | |
169 'reused none initial session'); | |
170 like(http_get('/', socket => get_ssl_socket($ctx, 8083)), qr/^body \.$/m, | |
171 'session not reused 1'); | |
172 | |
173 like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m, | |
174 'reused off initial session'); | |
175 like(http_get('/', socket => get_ssl_socket($ctx, 8084)), qr/^body \.$/m, | |
176 'session not reused 2'); | |
177 | |
178 # ssl certificate inheritance | |
179 | |
180 my $s = get_ssl_socket($ctx, 8081); | |
181 like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN'); | |
182 | |
183 $s->close(); | |
184 | |
185 $s = get_ssl_socket($ctx); | |
186 like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner'); | |
187 | |
188 $s->close(); | |
189 | |
190 # session timeout | |
191 | |
192 select undef, undef, undef, 2.1; | |
193 | |
194 like(http_get('/', socket => get_ssl_socket($ctx, 8081)), qr/^body \.$/m, | |
195 'session timeout'); | |
196 | |
197 # embedded variables | |
96 | 198 |
97 my ($sid) = http_get('/id', socket => get_ssl_socket($ctx)) =~ /^body (\w+)$/m; | 199 my ($sid) = http_get('/id', socket => get_ssl_socket($ctx)) =~ /^body (\w+)$/m; |
98 is(length $sid, 64, 'session id'); | 200 is(length $sid, 64, 'session id'); |
99 | 201 |
100 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); | 202 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); |
101 | 203 |
204 like(http_get('/cipher', socket => get_ssl_socket($ctx)), | |
205 qr/^body [\w-]+$/m, 'cipher'); | |
206 | |
207 like(http_get('/client_verify', socket => get_ssl_socket($ctx)), | |
208 qr/^body NONE$/m, 'client verify'); | |
209 | |
210 like(http_get('/protocol', socket => get_ssl_socket($ctx)), | |
211 qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); | |
212 | |
102 ############################################################################### | 213 ############################################################################### |
103 | 214 |
104 sub get_ssl_socket { | 215 sub get_ssl_socket { |
105 my ($ctx) = @_; | 216 my ($ctx, $port) = @_; |
106 my $s; | 217 my $s; |
107 | 218 |
108 eval { | 219 eval { |
109 local $SIG{ALRM} = sub { die "timeout\n" }; | 220 local $SIG{ALRM} = sub { die "timeout\n" }; |
110 local $SIG{PIPE} = sub { die "sigpipe\n" }; | 221 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
111 alarm(2); | 222 alarm(2); |
112 $s = IO::Socket::SSL->new( | 223 $s = IO::Socket::SSL->new( |
113 Proto => 'tcp', | 224 Proto => 'tcp', |
114 PeerAddr => '127.0.0.1:8443', | 225 PeerAddr => '127.0.0.1', |
226 PeerPort => $port || '8443', | |
115 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 227 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
116 SSL_reuse_ctx => $ctx, | 228 SSL_reuse_ctx => $ctx, |
117 SSL_error_trap => sub { die $_[1] } | 229 SSL_error_trap => sub { die $_[1] } |
118 ); | 230 ); |
119 alarm(0); | 231 alarm(0); |