comparison ssl.t @ 1514:c6f27bcdd9d9
Tests: revised ssl.t.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Mon, 07 Oct 2019 16:19:07 +0300 |
parents | dbce8fb5f5f8 |
children | 3b6b2667ece9 |
1513:02412b209838 | 1514:c6f27bcdd9d9 |
57 ssl_certificate_key inner.key; | 57 ssl_certificate_key inner.key; |
58 ssl_certificate inner.crt; | 58 ssl_certificate inner.crt; |
59 ssl_session_cache shared:SSL:1m; | 59 ssl_session_cache shared:SSL:1m; |
60 ssl_verify_client optional_no_ca; | 60 ssl_verify_client optional_no_ca; |
61 | 61 |
62 location /reuse { | 62 location / { |
63 return 200 "body $ssl_session_reused"; | 63 return 200 "body $ssl_session_reused"; |
64 } | 64 } |
65 location /id { | 65 location /id { |
66 return 200 "body $ssl_session_id"; | 66 return 200 "body $ssl_session_id"; |
67 } | 67 } |
68 location /cipher { | 68 location /cipher { |
69 return 200 "body $ssl_cipher"; | 69 return 200 "body $ssl_cipher"; |
70 } | |
71 location /ciphers { | |
72 return 200 "body $ssl_ciphers"; | |
70 } | 73 } |
71 location /client_verify { | 74 location /client_verify { |
72 return 200 "body $ssl_client_verify"; | 75 return 200 "body $ssl_client_verify"; |
73 } | 76 } |
74 location /protocol { | 77 location /protocol { |
133 | 136 |
134 ssl_session_cache off; | 137 ssl_session_cache off; |
135 | 138 |
136 location / { | 139 location / { |
137 return 200 "body $ssl_session_reused"; | 140 return 200 "body $ssl_session_reused"; |
138 } | |
139 | |
140 location /ciphers { | |
141 return 200 "body $ssl_ciphers"; | |
142 } | |
143 | |
144 location /protocol { | |
145 return 200 "body $ssl_protocol"; | |
146 } | 141 } |
147 } | 142 } |
148 } | 143 } |
149 | 144 |
150 EOF | 145 EOF |
202 . "-out $d/$name.crt -keyout $d/$name.key " | 197 . "-out $d/$name.crt -keyout $d/$name.key " |
203 . ">>$d/openssl.out 2>&1") == 0 | 198 . ">>$d/openssl.out 2>&1") == 0 |
204 or die "Can't create certificate for $name: $!\n"; | 199 or die "Can't create certificate for $name: $!\n"; |
205 } | 200 } |
206 | 201 |
207 my $ctx = new IO::Socket::SSL::SSL_Context( | 202 # suppress deprecation warning |
208 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
209 SSL_session_cache_size => 100); | |
210 | 203 |
211 open OLDERR, ">&", \*STDERR; close STDERR; | 204 open OLDERR, ">&", \*STDERR; close STDERR; |
212 $t->run(); | 205 $t->run(); |
213 open STDERR, ">&", \*OLDERR; | 206 open STDERR, ">&", \*OLDERR; |
214 | 207 |
215 ############################################################################### | 208 ############################################################################### |
216 | 209 |
217 like(get('/reuse', 8085), qr/^body \.$/m, 'shared initial session'); | 210 my $ctx; |
218 like(get('/', 8081), qr/^body \.$/m, 'builtin initial session'); | |
219 like(get('/', 8082), qr/^body \.$/m, 'builtin size initial session'); | |
220 | 211 |
221 SKIP: { | 212 SKIP: { |
222 skip 'no TLS 1.3 sessions', 3 if get('/protocol', 8084) =~ /TLSv1.3/ | 213 skip 'no TLS 1.3 sessions', 6 if get('/protocol', 8085) =~ /TLSv1.3/ |
223 && ($Net::SSLeay::VERSION < 1.88 || $IO::Socket::SSL::VERSION < 2.061); | 214 && ($Net::SSLeay::VERSION < 1.88 || $IO::Socket::SSL::VERSION < 2.061); |
224 | 215 |
225 like(get('/reuse', 8085), qr/^body r$/m, 'shared session reused'); | 216 $ctx = get_ssl_context(); |
226 like(get('/', 8081), qr/^body r$/m, 'builtin session reused'); | 217 |
227 like(get('/', 8082), qr/^body r$/m, 'builtin size session reused'); | 218 like(get('/', 8085, $ctx), qr/^body \.$/m, 'cache shared'); |
228 | 219 like(get('/', 8085, $ctx), qr/^body r$/m, 'cache shared reused'); |
229 } | 220 |
230 | 221 $ctx = get_ssl_context(); |
231 like(get('/', 8083), qr/^body \.$/m, 'reused none initial session'); | 222 |
232 like(get('/', 8083), qr/^body \.$/m, 'session not reused 1'); | 223 like(get('/', 8081, $ctx), qr/^body \.$/m, 'cache builtin'); |
233 | 224 like(get('/', 8081, $ctx), qr/^body r$/m, 'cache builtin reused'); |
234 like(get('/', 8084), qr/^body \.$/m, 'reused off initial session'); | 225 |
235 like(get('/', 8084), qr/^body \.$/m, 'session not reused 2'); | 226 $ctx = get_ssl_context(); |
227 | |
228 like(get('/', 8082, $ctx), qr/^body \.$/m, 'cache builtin size'); | |
229 like(get('/', 8082, $ctx), qr/^body r$/m, 'cache builtin size reused'); | |
230 | |
231 } | |
232 | |
233 $ctx = get_ssl_context(); | |
234 | |
235 like(get('/', 8083, $ctx), qr/^body \.$/m, 'cache none'); | |
236 like(get('/', 8083, $ctx), qr/^body \.$/m, 'cache none not reused'); | |
237 | |
238 $ctx = get_ssl_context(); | |
239 | |
240 like(get('/', 8084, $ctx), qr/^body \.$/m, 'cache off'); | |
241 like(get('/', 8084, $ctx), qr/^body \.$/m, 'cache off not reused'); | |
236 | 242 |
237 # ssl certificate inheritance | 243 # ssl certificate inheritance |
238 | 244 |
239 my $s = get_ssl_socket($ctx, port(8081)); | 245 my $s = get_ssl_socket(8081); |
240 like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN'); | 246 like($s->dump_peer_certificate(), qr/CN=localhost/, 'CN'); |
241 | 247 |
242 $s->close(); | 248 $s->close(); |
243 | 249 |
244 $s = get_ssl_socket($ctx, port(8085)); | 250 $s = get_ssl_socket(8085); |
245 like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner'); | 251 like($s->dump_peer_certificate(), qr/CN=inner/, 'CN inner'); |
246 | 252 |
247 $s->close(); | 253 $s->close(); |
248 | 254 |
249 # session timeout | 255 # session timeout |
255 # embedded variables | 261 # embedded variables |
256 | 262 |
257 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); | 263 like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); |
258 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); | 264 unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); |
259 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); | 265 like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); |
260 my $re = $t->has_module('BoringSSL') ? '' : qr/[:\w-]+/; | 266 |
261 like(get('/ciphers', 8084), qr/^body $re$/m, 'ciphers'); | 267 SKIP: { |
268 skip 'BoringSSL', 1 if $t->has_module('BoringSSL'); | |
269 | |
270 like(get('/ciphers', 8085), qr/^body [:\w-]+$/m, 'ciphers'); | |
271 | |
272 } | |
273 | |
262 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); | 274 like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); |
263 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); | 275 like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); |
264 like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer'); | 276 like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer'); |
265 like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject'); | 277 like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject'); |
266 like(cert('/time', 8085), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); | 278 like(cert('/time', 8085), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); |
271 'request body chunked'); | 283 'request body chunked'); |
272 | 284 |
273 ############################################################################### | 285 ############################################################################### |
274 | 286 |
275 sub get { | 287 sub get { |
276 my ($uri, $port) = @_; | 288 my ($uri, $port, $ctx) = @_; |
277 my $s = get_ssl_socket($ctx, port($port)) or return; | 289 my $s = get_ssl_socket($port, $ctx) or return; |
278 my $r = http_get($uri, socket => $s); | 290 my $r = http_get($uri, socket => $s); |
279 $s->close(); | 291 $s->close(); |
280 return $r; | 292 return $r; |
281 } | 293 } |
282 | 294 |
283 sub get_body { | 295 sub get_body { |
284 my ($uri, $body, $len, $n) = @_; | 296 my ($uri, $body, $len, $n) = @_; |
285 my $s = get_ssl_socket($ctx, port(8085)) or return; | 297 my $s = get_ssl_socket(8085) or return; |
286 http("GET /body HTTP/1.1" . CRLF | 298 http("GET /body HTTP/1.1" . CRLF |
287 . "Host: localhost" . CRLF | 299 . "Host: localhost" . CRLF |
288 . "Connection: close" . CRLF | 300 . "Connection: close" . CRLF |
289 . "Transfer-Encoding: chunked" . CRLF . CRLF, | 301 . "Transfer-Encoding: chunked" . CRLF . CRLF, |
290 socket => $s, start => 1); | 302 socket => $s, start => 1); |
291 http("c8" . CRLF . $body x $len . CRLF, socket => $s, start => 1) | 303 my $chs = unpack("H*", pack("C", length($body) * $len)); |
304 http($chs . CRLF . $body x $len . CRLF, socket => $s, start => 1) | |
292 for 1 .. $n; | 305 for 1 .. $n; |
293 my $r = http("0" . CRLF . CRLF, socket => $s); | 306 my $r = http("0" . CRLF . CRLF, socket => $s); |
294 $s->close(); | 307 $s->close(); |
295 return $r; | 308 return $r; |
296 } | 309 } |
297 | 310 |
298 sub cert { | 311 sub cert { |
299 my ($uri, $port) = @_; | 312 my ($uri, $port) = @_; |
300 my $s = get_ssl_socket(undef, port($port), | 313 my $s = get_ssl_socket($port, undef, |
301 SSL_cert_file => "$d/subject.crt", | 314 SSL_cert_file => "$d/subject.crt", |
302 SSL_key_file => "$d/subject.key") or return; | 315 SSL_key_file => "$d/subject.key") or return; |
303 http_get($uri, socket => $s); | 316 http_get($uri, socket => $s); |
304 } | 317 } |
305 | 318 |
319 sub get_ssl_context { | |
320 return IO::Socket::SSL::SSL_Context->new( | |
321 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | |
322 SSL_session_cache_size => 100 | |
323 ); | |
324 } | |
325 | |
306 sub get_ssl_socket { | 326 sub get_ssl_socket { |
307 my ($ctx, $port, %extra) = @_; | 327 my ($port, $ctx, %extra) = @_; |
308 my $s; | 328 my $s; |
309 | 329 |
310 eval { | 330 eval { |
311 local $SIG{ALRM} = sub { die "timeout\n" }; | 331 local $SIG{ALRM} = sub { die "timeout\n" }; |
312 local $SIG{PIPE} = sub { die "sigpipe\n" }; | 332 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
313 alarm(8); | 333 alarm(8); |
314 $s = IO::Socket::SSL->new( | 334 $s = IO::Socket::SSL->new( |
315 Proto => 'tcp', | 335 Proto => 'tcp', |
316 PeerAddr => '127.0.0.1', | 336 PeerAddr => '127.0.0.1', |
317 PeerPort => $port, | 337 PeerPort => port($port), |
318 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), | 338 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
319 SSL_reuse_ctx => $ctx, | 339 SSL_reuse_ctx => $ctx, |
320 SSL_error_trap => sub { die $_[1] }, | 340 SSL_error_trap => sub { die $_[1] }, |
321 %extra | 341 %extra |
322 ); | 342 ); |