comparison ssl_sni_sessions.t @ 1866:a797d7428fa5

Tests: simplified http SSL tests with IO::Socket::SSL. The http SSL tests which previously used IO::Socket::SSL were converted to use improved IO::Socket::SSL infrastructure in Test::Nginx.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 18 May 2023 18:07:19 +0300
parents cdcd75657e52
children c924ae8d7104
1865:0e1865aa9b33 1866:a797d7428fa5
108 $t->write_file('ticket1.key', '1' x 48); 108 $t->write_file('ticket1.key', '1' x 48);
109 $t->write_file('ticket2.key', '2' x 48); 109 $t->write_file('ticket2.key', '2' x 48);
110 110
111 $t->run(); 111 $t->run();
112 112
113 plan(skip_all => 'no TLS 1.3 sessions') 113 plan(skip_all => 'no TLSv1.3 sessions, old Net::SSLeay')
114 if get('default', port(8443), get_ssl_context()) =~ /TLSv1.3/ 114 if $Net::SSLeay::VERSION < 1.88 && test_tls13();
115 && ($Net::SSLeay::VERSION < 1.88 || $IO::Socket::SSL::VERSION < 2.061); 115 plan(skip_all => 'no TLSv1.3 sessions, old IO::Socket::SSL')
116 plan(skip_all => 'no TLS 1.3 sessions in LibreSSL') 116 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13();
117 if get('default', port(8443), get_ssl_context()) =~ /TLSv1.3/ 117 plan(skip_all => 'no TLSv1.3 sessions in LibreSSL')
118 && $t->has_module('LibreSSL'); 118 if $t->has_module('LibreSSL') && test_tls13();
119 plan(skip_all => 'no TLS 1.3 session cache in BoringSSL') 119 plan(skip_all => 'no TLS 1.3 session cache in BoringSSL')
120 if get('default', port(8443), get_ssl_context()) =~ /TLSv1.3/ 120 if $t->has_module('BoringSSL') && test_tls13();
121 && $t->has_module('BoringSSL');
122 121
123 $t->plan(6); 122 $t->plan(6);
124 123
125 ############################################################################### 124 ###############################################################################
126 125
127 # check that everything works fine with default server 126 # check that everything works fine with default server
128 127
129 my $ctx = get_ssl_context(); 128 my $ctx = get_ssl_context();
130 129
131 like(get('default', port(8443), $ctx), qr!default:\.!, 'default server'); 130 like(get('default', 8443, $ctx), qr!default:\.!, 'default server');
132 like(get('default', port(8443), $ctx), qr!default:r!, 'default server reused'); 131 like(get('default', 8443, $ctx), qr!default:r!, 'default server reused');
133 132
134 # check that sessions are still properly saved and restored 133 # check that sessions are still properly saved and restored
135 # when using an SNI-based virtual server with different session cache; 134 # when using an SNI-based virtual server with different session cache;
136 # as session resumption happens before SNI, only default server 135 # as session resumption happens before SNI, only default server
137 # settings are expected to matter 136 # settings are expected to matter
141 # creating new sessions, uses callbacks from the default server context, but 140 # creating new sessions, uses callbacks from the default server context, but
142 # provides access to the SNI-selected server context only (ticket #235) 141 # provides access to the SNI-selected server context only (ticket #235)
143 142
144 $ctx = get_ssl_context(); 143 $ctx = get_ssl_context();
145 144
146 like(get('nocache', port(8443), $ctx), qr!nocache:\.!, 'without cache'); 145 like(get('nocache', 8443, $ctx), qr!nocache:\.!, 'without cache');
147 like(get('nocache', port(8443), $ctx), qr!nocache:r!, 'without cache reused'); 146 like(get('nocache', 8443, $ctx), qr!nocache:r!, 'without cache reused');
148 147
149 # make sure tickets can be used if an SNI-based virtual server 148 # make sure tickets can be used if an SNI-based virtual server
150 # uses a different set of session ticket keys explicitly set 149 # uses a different set of session ticket keys explicitly set
151 150
152 $ctx = get_ssl_context(); 151 $ctx = get_ssl_context();
153 152
154 like(get('tickets', port(8444), $ctx), qr!tickets:\.!, 'tickets'); 153 like(get('tickets', 8444, $ctx), qr!tickets:\.!, 'tickets');
155 like(get('tickets', port(8444), $ctx), qr!tickets:r!, 'tickets reused'); 154 like(get('tickets', 8444, $ctx), qr!tickets:r!, 'tickets reused');
156 155
157 ############################################################################### 156 ###############################################################################
158 157
159 sub get_ssl_context { 158 sub get_ssl_context {
160 return IO::Socket::SSL::SSL_Context->new( 159 return IO::Socket::SSL::SSL_Context->new(
161 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), 160 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
162 SSL_session_cache_size => 100 161 SSL_session_cache_size => 100
163 ); 162 );
164 } 163 }
165 164
166 sub get_ssl_socket { 165 sub get {
167 my ($host, $port, $ctx) = @_; 166 my ($host, $port, $ctx) = @_;
168 my $s; 167 return http(
169 168 "GET / HTTP/1.0\nHost: $host\n\n",
170 eval { 169 PeerAddr => '127.0.0.1:' . port($port),
171 local $SIG{ALRM} = sub { die "timeout\n" }; 170 SSL => 1,
172 local $SIG{PIPE} = sub { die "sigpipe\n" }; 171 SSL_hostname => $host,
173 alarm(8); 172 SSL_reuse_ctx => $ctx
174 $s = IO::Socket::SSL->new( 173 );
175 Proto => 'tcp',
176 PeerAddr => '127.0.0.1',
177 PeerPort => $port,
178 SSL_hostname => $host,
179 SSL_reuse_ctx => $ctx,
180 SSL_error_trap => sub { die $_[1] }
181 );
182 alarm(0);
183 };
184 alarm(0);
185
186 if ($@) {
187 log_in("died: $@");
188 return undef;
189 }
190
191 return $s;
192 } 174 }
193 175
194 sub get { 176 sub test_tls13 {
195 my ($host, $port, $ctx) = @_; 177 return get('default', 8443) =~ /TLSv1.3/;
196
197 my $s = get_ssl_socket($host, $port, $ctx) or return;
198 my $r = http(<<EOF, socket => $s);
199 GET / HTTP/1.0
200 Host: $host
201
202 EOF
203
204 $s->close();
205 return $r;
206 } 178 }
207 179
208 ############################################################################### 180 ###############################################################################
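Review bot: `test_tls13()` calls `get('default', 8443)` with no third argument, so `get()` passes `SSL_reuse_ctx => undef` to `http()` and the probe no longer runs on the context from `get_ssl_context()`, which is where `SSL_VERIFY_NONE` is set; the old probe passed `get_ssl_context()` explicitly. Whether the handshake against the test certificate still succeeds then depends on defaults inside `http()` in Test::Nginx, which this page does not show. If the probe fails and `http()` returns nothing, the match runs against an undefined value and all four TLSv1.3 skip checks quietly evaluate false instead of reporting the failure. Passing the context explicitly, `return get('default', 8443, get_ssl_context()) =~ /TLSv1\.3/;`, keeps the probe on the same settings as the tests and also escapes the dot in the pattern.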