Mercurial > hg > nginx-tests
comparison ssl_sni.t @ 1866:a797d7428fa5
Tests: simplified http SSL tests with IO::Socket::SSL.
The http SSL tests which previously used IO::Socket::SSL were converted
to use improved IO::Socket::SSL infrastructure in Test::Nginx.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 18 May 2023 18:07:19 +0300 |
parents | cdcd75657e52 |
children | c924ae8d7104 |
comparison
equal
deleted
inserted
replaced
1865:0e1865aa9b33 | 1866:a797d7428fa5 |
---|---|
35 | 35 |
36 http { | 36 http { |
37 %%TEST_GLOBALS_HTTP%% | 37 %%TEST_GLOBALS_HTTP%% |
38 | 38 |
39 server { | 39 server { |
40 listen 127.0.0.1:8080 ssl; | 40 listen 127.0.0.1:8443 ssl; |
41 server_name localhost; | 41 server_name localhost; |
42 | 42 |
43 ssl_certificate_key localhost.key; | 43 ssl_certificate_key localhost.key; |
44 ssl_certificate localhost.crt; | 44 ssl_certificate localhost.crt; |
45 | 45 |
46 location / { | 46 location / { |
47 return 200 $server_name; | 47 return 200 $server_name:$ssl_server_name; |
48 } | 48 } |
49 | 49 |
50 location /protocol { | 50 location /protocol { |
51 return 200 $ssl_protocol; | 51 return 200 $ssl_protocol; |
52 } | 52 } |
53 | |
54 location /name { | |
55 return 200 $ssl_session_reused:$ssl_server_name; | |
56 } | |
53 } | 57 } |
54 | 58 |
55 server { | 59 server { |
56 listen 127.0.0.1:8080; | 60 listen 127.0.0.1:8443; |
57 server_name example.com; | 61 server_name example.com; |
58 | 62 |
59 ssl_certificate_key example.com.key; | 63 ssl_certificate_key example.com.key; |
60 ssl_certificate example.com.crt; | 64 ssl_certificate example.com.crt; |
61 | 65 |
62 location / { | 66 location / { |
63 return 200 $server_name; | 67 return 200 $server_name:$ssl_server_name; |
64 } | |
65 } | |
66 | |
67 server { | |
68 listen 127.0.0.1:8081 ssl; | |
69 server_name localhost; | |
70 | |
71 ssl_certificate_key localhost.key; | |
72 ssl_certificate localhost.crt; | |
73 | |
74 location / { | |
75 return 200 $ssl_session_reused:$ssl_server_name; | |
76 } | 68 } |
77 } | 69 } |
78 } | 70 } |
79 | 71 |
80 EOF | 72 EOF |
102 ############################################################################### | 94 ############################################################################### |
103 | 95 |
104 like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); | 96 like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); |
105 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); | 97 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); |
106 | 98 |
107 like(https_get_host('example.com'), qr!example.com!, | 99 like(get_host('example.com'), qr!example.com:example.com!, |
108 'host exists, sni exists, and host is equal sni'); | 100 'host exists, sni exists, and host is equal sni'); |
109 | 101 |
110 like(https_get_host('example.com', 'example.org'), qr!example.com!, | 102 like(get_host('example.com', 'example.org'), qr!example.com:example.org!, |
111 'host exists, sni not found'); | 103 'host exists, sni not found'); |
112 | 104 |
113 TODO: { | 105 TODO: { |
114 local $TODO = 'sni restrictions'; | 106 local $TODO = 'sni restrictions'; |
115 | 107 |
116 like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, | 108 like(get_host('example.com', 'localhost'), qr!400 Bad Request!, |
117 'host exists, sni exists, and host is not equal sni'); | 109 'host exists, sni exists, and host is not equal sni'); |
118 | 110 |
119 like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, | 111 like(get_host('example.org', 'example.com'), qr!400 Bad Request!, |
120 'host not found, sni exists'); | 112 'host not found, sni exists'); |
121 | 113 |
122 } | 114 } |
123 | 115 |
124 # $ssl_server_name in sessions | 116 # $ssl_server_name in sessions |
125 | 117 |
126 my $ctx = new IO::Socket::SSL::SSL_Context( | 118 my $ctx = new IO::Socket::SSL::SSL_Context( |
127 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 119 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
128 SSL_session_cache_size => 100); | 120 SSL_session_cache_size => 100); |
129 | 121 |
130 like(get('/', 'localhost', 8081, $ctx), qr/^\.:localhost$/m, 'ssl server name'); | 122 like(get('/name', 'localhost', $ctx), qr/^\.:localhost$/m, 'ssl server name'); |
131 | 123 |
132 TODO: { | 124 TODO: { |
133 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' | 125 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' |
134 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); | 126 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); |
135 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' | 127 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' |
136 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); | 128 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); |
137 local $TODO = 'no TLSv1.3 sessions in LibreSSL' | 129 local $TODO = 'no TLSv1.3 sessions in LibreSSL' |
138 if $t->has_module('LibreSSL') && test_tls13(); | 130 if $t->has_module('LibreSSL') && test_tls13(); |
139 | 131 |
140 like(get('/', 'localhost', 8081, $ctx), qr/^r:localhost$/m, | 132 like(get('/name', 'localhost', $ctx), qr/^r:localhost$/m, |
141 'ssl server name - reused'); | 133 'ssl server name - reused'); |
142 | 134 |
143 } | 135 } |
144 | 136 |
145 ############################################################################### | 137 ############################################################################### |
146 | 138 |
147 sub test_tls13 { | 139 sub test_tls13 { |
148 get('/protocol', 'localhost') =~ /TLSv1.3/; | 140 get('/protocol', 'localhost') =~ /TLSv1.3/; |
149 } | 141 } |
150 | 142 |
151 sub get_ssl_socket { | |
152 my ($host, $port, $ctx) = @_; | |
153 my $s; | |
154 | |
155 eval { | |
156 local $SIG{ALRM} = sub { die "timeout\n" }; | |
157 local $SIG{PIPE} = sub { die "sigpipe\n" }; | |
158 alarm(8); | |
159 $s = IO::Socket::SSL->new( | |
160 Proto => 'tcp', | |
161 PeerAddr => '127.0.0.1:' . port($port || 8080), | |
162 SSL_hostname => $host, | |
163 SSL_reuse_ctx => $ctx, | |
164 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
165 SSL_error_trap => sub { die $_[1] } | |
166 ); | |
167 alarm(0); | |
168 }; | |
169 alarm(0); | |
170 | |
171 if ($@) { | |
172 log_in("died: $@"); | |
173 return undef; | |
174 } | |
175 | |
176 return $s; | |
177 } | |
178 | |
179 sub get_cert_cn { | 143 sub get_cert_cn { |
180 my ($host) = @_; | 144 my ($host) = @_; |
181 my $s = get_ssl_socket($host); | 145 my $s = http('', start => 1, SSL => 1, SSL_hostname => $host); |
182 | |
183 return $s->dump_peer_certificate(); | 146 return $s->dump_peer_certificate(); |
184 } | 147 } |
185 | 148 |
186 sub https_get_host { | 149 sub get_host { |
187 my ($host, $sni) = @_; | 150 my ($host, $sni) = @_; |
188 my $s = get_ssl_socket($sni ? $sni : $host); | 151 return http( |
189 | 152 "GET / HTTP/1.0\nHost: $host\n\n", |
190 return http(<<EOF, socket => $s); | 153 SSL => 1, |
191 GET / HTTP/1.0 | 154 SSL_hostname => $sni || $host |
192 Host: $host | 155 ); |
193 | |
194 EOF | |
195 } | 156 } |
196 | 157 |
197 sub get { | 158 sub get { |
198 my ($uri, $host, $port, $ctx) = @_; | 159 my ($uri, $host, $ctx) = @_; |
199 my $s = get_ssl_socket($host, $port, $ctx) or return; | 160 return http_get( |
200 my $r = http_get($uri, socket => $s); | 161 $uri, |
201 $s->close(); | 162 SSL => 1, |
202 return $r; | 163 SSL_hostname => $host, |
164 SSL_reuse_ctx => $ctx | |
165 ); | |
203 } | 166 } |
204 | 167 |
205 ############################################################################### | 168 ############################################################################### |