Mercurial > hg > nginx-tests
comparison ssl_sni.t @ 1866:a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
The http SSL tests which previously used IO::Socket::SSL were converted
to use improved IO::Socket::SSL infrastructure in Test::Nginx.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 18 May 2023 18:07:19 +0300 |
| parents | cdcd75657e52 |
| children | c924ae8d7104 |
comparison
equal
deleted
inserted
replaced
| 1865:0e1865aa9b33 | 1866:a797d7428fa5 |
|---|---|
| 35 | 35 |
| 36 http { | 36 http { |
| 37 %%TEST_GLOBALS_HTTP%% | 37 %%TEST_GLOBALS_HTTP%% |
| 38 | 38 |
| 39 server { | 39 server { |
| 40 listen 127.0.0.1:8080 ssl; | 40 listen 127.0.0.1:8443 ssl; |
| 41 server_name localhost; | 41 server_name localhost; |
| 42 | 42 |
| 43 ssl_certificate_key localhost.key; | 43 ssl_certificate_key localhost.key; |
| 44 ssl_certificate localhost.crt; | 44 ssl_certificate localhost.crt; |
| 45 | 45 |
| 46 location / { | 46 location / { |
| 47 return 200 $server_name; | 47 return 200 $server_name:$ssl_server_name; |
| 48 } | 48 } |
| 49 | 49 |
| 50 location /protocol { | 50 location /protocol { |
| 51 return 200 $ssl_protocol; | 51 return 200 $ssl_protocol; |
| 52 } | 52 } |
| 53 | |
| 54 location /name { | |
| 55 return 200 $ssl_session_reused:$ssl_server_name; | |
| 56 } | |
| 53 } | 57 } |
| 54 | 58 |
| 55 server { | 59 server { |
| 56 listen 127.0.0.1:8080; | 60 listen 127.0.0.1:8443; |
| 57 server_name example.com; | 61 server_name example.com; |
| 58 | 62 |
| 59 ssl_certificate_key example.com.key; | 63 ssl_certificate_key example.com.key; |
| 60 ssl_certificate example.com.crt; | 64 ssl_certificate example.com.crt; |
| 61 | 65 |
| 62 location / { | 66 location / { |
| 63 return 200 $server_name; | 67 return 200 $server_name:$ssl_server_name; |
| 64 } | |
| 65 } | |
| 66 | |
| 67 server { | |
| 68 listen 127.0.0.1:8081 ssl; | |
| 69 server_name localhost; | |
| 70 | |
| 71 ssl_certificate_key localhost.key; | |
| 72 ssl_certificate localhost.crt; | |
| 73 | |
| 74 location / { | |
| 75 return 200 $ssl_session_reused:$ssl_server_name; | |
| 76 } | 68 } |
| 77 } | 69 } |
| 78 } | 70 } |
| 79 | 71 |
| 80 EOF | 72 EOF |
| 102 ############################################################################### | 94 ############################################################################### |
| 103 | 95 |
| 104 like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); | 96 like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); |
| 105 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); | 97 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); |
| 106 | 98 |
| 107 like(https_get_host('example.com'), qr!example.com!, | 99 like(get_host('example.com'), qr!example.com:example.com!, |
| 108 'host exists, sni exists, and host is equal sni'); | 100 'host exists, sni exists, and host is equal sni'); |
| 109 | 101 |
| 110 like(https_get_host('example.com', 'example.org'), qr!example.com!, | 102 like(get_host('example.com', 'example.org'), qr!example.com:example.org!, |
| 111 'host exists, sni not found'); | 103 'host exists, sni not found'); |
| 112 | 104 |
| 113 TODO: { | 105 TODO: { |
| 114 local $TODO = 'sni restrictions'; | 106 local $TODO = 'sni restrictions'; |
| 115 | 107 |
| 116 like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, | 108 like(get_host('example.com', 'localhost'), qr!400 Bad Request!, |
| 117 'host exists, sni exists, and host is not equal sni'); | 109 'host exists, sni exists, and host is not equal sni'); |
| 118 | 110 |
| 119 like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, | 111 like(get_host('example.org', 'example.com'), qr!400 Bad Request!, |
| 120 'host not found, sni exists'); | 112 'host not found, sni exists'); |
| 121 | 113 |
| 122 } | 114 } |
| 123 | 115 |
| 124 # $ssl_server_name in sessions | 116 # $ssl_server_name in sessions |
| 125 | 117 |
| 126 my $ctx = new IO::Socket::SSL::SSL_Context( | 118 my $ctx = new IO::Socket::SSL::SSL_Context( |
| 127 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 119 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 128 SSL_session_cache_size => 100); | 120 SSL_session_cache_size => 100); |
| 129 | 121 |
| 130 like(get('/', 'localhost', 8081, $ctx), qr/^\.:localhost$/m, 'ssl server name'); | 122 like(get('/name', 'localhost', $ctx), qr/^\.:localhost$/m, 'ssl server name'); |
| 131 | 123 |
| 132 TODO: { | 124 TODO: { |
| 133 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' | 125 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' |
| 134 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); | 126 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); |
| 135 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' | 127 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' |
| 136 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); | 128 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); |
| 137 local $TODO = 'no TLSv1.3 sessions in LibreSSL' | 129 local $TODO = 'no TLSv1.3 sessions in LibreSSL' |
| 138 if $t->has_module('LibreSSL') && test_tls13(); | 130 if $t->has_module('LibreSSL') && test_tls13(); |
| 139 | 131 |
| 140 like(get('/', 'localhost', 8081, $ctx), qr/^r:localhost$/m, | 132 like(get('/name', 'localhost', $ctx), qr/^r:localhost$/m, |
| 141 'ssl server name - reused'); | 133 'ssl server name - reused'); |
| 142 | 134 |
| 143 } | 135 } |
| 144 | 136 |
| 145 ############################################################################### | 137 ############################################################################### |
| 146 | 138 |
| 147 sub test_tls13 { | 139 sub test_tls13 { |
| 148 get('/protocol', 'localhost') =~ /TLSv1.3/; | 140 get('/protocol', 'localhost') =~ /TLSv1.3/; |
| 149 } | 141 } |
| 150 | 142 |
| 151 sub get_ssl_socket { | |
| 152 my ($host, $port, $ctx) = @_; | |
| 153 my $s; | |
| 154 | |
| 155 eval { | |
| 156 local $SIG{ALRM} = sub { die "timeout\n" }; | |
| 157 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
| 158 alarm(8); | |
| 159 $s = IO::Socket::SSL->new( | |
| 160 Proto => 'tcp', | |
| 161 PeerAddr => '127.0.0.1:' . port($port || 8080), | |
| 162 SSL_hostname => $host, | |
| 163 SSL_reuse_ctx => $ctx, | |
| 164 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
| 165 SSL_error_trap => sub { die $_[1] } | |
| 166 ); | |
| 167 alarm(0); | |
| 168 }; | |
| 169 alarm(0); | |
| 170 | |
| 171 if ($@) { | |
| 172 log_in("died: $@"); | |
| 173 return undef; | |
| 174 } | |
| 175 | |
| 176 return $s; | |
| 177 } | |
| 178 | |
| 179 sub get_cert_cn { | 143 sub get_cert_cn { |
| 180 my ($host) = @_; | 144 my ($host) = @_; |
| 181 my $s = get_ssl_socket($host); | 145 my $s = http('', start => 1, SSL => 1, SSL_hostname => $host); |
| 182 | |
| 183 return $s->dump_peer_certificate(); | 146 return $s->dump_peer_certificate(); |
| 184 } | 147 } |
| 185 | 148 |
| 186 sub https_get_host { | 149 sub get_host { |
| 187 my ($host, $sni) = @_; | 150 my ($host, $sni) = @_; |
| 188 my $s = get_ssl_socket($sni ? $sni : $host); | 151 return http( |
| 189 | 152 "GET / HTTP/1.0\nHost: $host\n\n", |
| 190 return http(<<EOF, socket => $s); | 153 SSL => 1, |
| 191 GET / HTTP/1.0 | 154 SSL_hostname => $sni || $host |
| 192 Host: $host | 155 ); |
| 193 | |
| 194 EOF | |
| 195 } | 156 } |
| 196 | 157 |
| 197 sub get { | 158 sub get { |
| 198 my ($uri, $host, $port, $ctx) = @_; | 159 my ($uri, $host, $ctx) = @_; |
| 199 my $s = get_ssl_socket($host, $port, $ctx) or return; | 160 return http_get( |
| 200 my $r = http_get($uri, socket => $s); | 161 $uri, |
| 201 $s->close(); | 162 SSL => 1, |
| 202 return $r; | 163 SSL_hostname => $host, |
| 164 SSL_reuse_ctx => $ctx | |
| 165 ); | |
| 203 } | 166 } |
| 204 | 167 |
| 205 ############################################################################### | 168 ############################################################################### |