comparison ssl_verify_depth.t @ 1605:aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
This reverts 5b22e2014f76. Two basic cases are now provided for a full chain:
when the verification depth is big enough and when it is insufficient.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 06 Nov 2020 14:32:13 +0000 |
parents | dbce8fb5f5f8 |
children | bad6aa24ec10 |
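--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -44,18 +44,23 @@
 
 ssl_certificate_key localhost.key;
 ssl_certificate localhost.crt;
 
 ssl_verify_client on;
-ssl_client_certificate int-root.crt;
+ssl_client_certificate root.crt;
 
-add_header X-Verify $ssl_client_verify;
+add_header X-Verify $ssl_client_verify always;
 
 server {
 listen 127.0.0.1:8080 ssl;
 server_name localhost;
-ssl_verify_depth 0;
+ssl_verify_depth 3;
+}
+
+server {
+listen 127.0.0.1:8081 ssl;
+server_name localhost;
 }
 }
 
 EOF
 
@@ -78,24 +83,28 @@
 database = $d/certindex
 default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
+x509_extensions = myca_extensions
 
 [ myca_policy ]
 commonName = supplied
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 foreach my $name ('root', 'localhost') {
 system('openssl req -x509 -new '
 . "-config $d/openssl.conf -subj /CN=$name/ "
 . "-out $d/$name.crt -keyout $d/$name.key "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create certificate for $name: $!\n";
 }
 
-foreach my $name ('int', 'end') {
+foreach my $name ('int', 'int2', 'end') {
 system("openssl req -new "
 . "-config $d/openssl.conf -subj /CN=$name/ "
 . "-out $d/$name.csr -keyout $d/$name.key "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create certificate for $name: $!\n";
@@ -110,24 +119,32 @@
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't sign certificate for int: $!\n";
 
 system("openssl ca -batch -config $d/ca.conf "
 . "-keyfile $d/int.key -cert $d/int.crt "
+. "-subj /CN=int2/ -in $d/int2.csr -out $d/int2.crt "
+. ">>$d/openssl.out 2>&1") == 0
+or die "Can't sign certificate for int2: $!\n";
+
+system("openssl ca -batch -config $d/ca.conf "
+. "-keyfile $d/int2.key -cert $d/int2.crt "
 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't sign certificate for end: $!\n";
 
-$t->write_file('int-root.crt',
-$t->read_file('int.crt') . $t->read_file('root.crt'));
+$t->write_file('client.key', $t->read_file('end.key') .
+$t->read_file('int.key') . $t->read_file('int2.key'));
+$t->write_file('client.crt', $t->read_file('end.crt') .
+$t->read_file('int.crt') . $t->read_file('int2.crt'));
 
 $t->write_file('t', '');
 $t->run();
 
 ###############################################################################
 
-like(get(8080, 'root'), qr/SUCCESS/, 'verify depth');
-like(get(8080, 'end'), qr/400 Bad Request/, 'verify depth limited');
+like(get(8080, 'client'), qr/SUCCESS/, 'verify depth');
+like(get(8081, 'client'), qr/FAILED/, 'verify depth limited');
 
 ###############################################################################
 
 sub get {
 my ($port, $cert) = @_;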
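Review bot: The `verify depth limited` check on the last hunk's new line 145 accepts any `FAILED` value, so it would also pass if the client chain were rejected for a reason unrelated to depth (an unknown issuer or a bad signature, for instance), which is precisely the distinction the commit sets out to test. Pinning the reason narrows it, e.g. `like(get(8081, 'client'), qr/FAILED:certificate chain too long/, 'verify depth limited');`, assuming that is the reason string OpenSSL reports when the chain exceeds the limit — confirm against the actual `X-Verify` value first. Related: the 8081 server, as rendered here, sets no `ssl_verify_depth` and so relies on the directive's default for the "insufficient" case; an explicit `ssl_verify_depth 1;` would keep the test independent of that default and make the intent readable. `client.key` (new lines 134-135) also bundles the intermediate CA private keys with `end.key`; presumably only the first key in the file is used by the client, so writing just `$t->read_file('end.key')` there keeps the CA keys out of the client fixture. `sub get` at the end of the hunk continues past the page, so how the `client.*` files are loaded is not visible here.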