comparison ssl_stapling.t @ 1842:af47a0b348a5
Tests: LibreSSL certificate negotiation with TLSv1.3.
LibreSSL fails to negotiate certificates based on signature algorithms
when using TLSv1.3, and fails with "missing rsa certificate" and
"unknown pkey type" errors.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 23 Mar 2023 19:50:17 +0300 |
parents | 2d371452658c |
children | 0e1865aa9b33 |
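--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -36,11 +36,11 @@
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');
 
 plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL');
 
-$t->plan(9)->write_file_expand('nginx.conf', <<'EOF');
+$t->plan(10)->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
 
 daemon off;
 
@@ -257,23 +257,45 @@
 staple(8449, 'ECDSA');
 
 sleep 1;
 
 ok(!staple(8443, 'RSA'), 'staple revoked');
+
+TODO: {
+local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
+if $t->has_module('LibreSSL') && $version > 0x303;
+
 ok(staple(8443, 'ECDSA'), 'staple success');
 
+}
+
 ok(!staple(8444, 'RSA'), 'responder revoked');
+
+TODO: {
+local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
+if $t->has_module('LibreSSL') && $version > 0x303;
+
 ok(staple(8444, 'ECDSA'), 'responder success');
+
+}
 
 ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');
 
 ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store');
 
 is(staple(8447, 'RSA'), '1 1', 'file revoked');
 is(staple(8448, 'ECDSA'), '1 0', 'file success');
 
 ok(!staple(8449, 'ECDSA'), 'ocsp error');
+
+TODO: {
+local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
+if $t->has_module('LibreSSL') && $version > 0x303;
+
+like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
+
+}
 
 ###############################################################################
 
 sub staple {
 my ($port, $ciphers, $ca) = @_;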
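Review bot: The new 'no crit' check at new line 294 fails open: if `grep` cannot read `error.log`, or is not on PATH, the backticks return an empty string and `qr/^$/s` still matches, so the assertion passes without the log having been inspected. Reading the log in Perl would turn an unreadable file into a test failure and avoid interpolating the test directory into a shell command, e.g. `unlike($t->read_file('error.log'), qr/\[crit\]/, 'no crit');`, assuming the harness's `read_file` helper is available in this tree. The pattern also matches any `[crit]` line, so under the LibreSSL/TLSv1.3 TODO an unrelated critical error would be reported as an expected failure; a comment above the check naming the two expected messages from the commit description would make that limit visible. `$version` is set outside the lines shown, so the `> 0x303` condition cannot be checked from this section.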