Mercurial > hg > nginx-tests
comparison mail_ssl.t @ 1831:f6d1f82f314b
Tests: separate SSL session reuse tests in mail.
Instead of being mixed with generic SSL tests, session reuse variants
are now tested in a separate file.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 23 Mar 2023 19:49:51 +0300 |
| parents | 1f125771f1a1 |
| children | ce4a06d72256 |
comparison
equal
deleted
inserted
replaced
| 1830:8dec885fa3da | 1831:f6d1f82f314b |
|---|---|
| 35 | 35 |
| 36 eval { exists &Net::SSLeay::P_alpn_selected or die; }; | 36 eval { exists &Net::SSLeay::P_alpn_selected or die; }; |
| 37 plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@; | 37 plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@; |
| 38 | 38 |
| 39 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/) | 39 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/) |
| 40 ->has_daemon('openssl')->plan(22); | 40 ->has_daemon('openssl')->plan(18); |
| 41 | 41 |
| 42 $t->write_file_expand('nginx.conf', <<'EOF'); | 42 $t->write_file_expand('nginx.conf', <<'EOF'); |
| 43 | 43 |
| 44 %%TEST_GLOBALS%% | 44 %%TEST_GLOBALS%% |
| 45 | 45 |
| 49 } | 49 } |
| 50 | 50 |
| 51 mail { | 51 mail { |
| 52 ssl_certificate_key localhost.key; | 52 ssl_certificate_key localhost.key; |
| 53 ssl_certificate localhost.crt; | 53 ssl_certificate localhost.crt; |
| 54 ssl_session_tickets off; | |
| 55 | 54 |
| 56 ssl_password_file password; | 55 ssl_password_file password; |
| 57 | 56 |
| 58 auth_http http://127.0.0.1:8080; # unused | 57 auth_http http://127.0.0.1:8080; # unused |
| 59 | |
| 60 ssl_session_cache none; | |
| 61 | 58 |
| 62 server { | 59 server { |
| 63 listen 127.0.0.1:8143; | 60 listen 127.0.0.1:8143; |
| 64 listen 127.0.0.1:8145 ssl; | 61 listen 127.0.0.1:8145 ssl; |
| 65 protocol imap; | 62 protocol imap; |
| 66 | 63 } |
| 67 ssl_session_cache builtin; | 64 |
| 68 } | 65 server { |
| 69 | 66 listen 127.0.0.1:8148; |
| 70 server { | |
| 71 listen 127.0.0.1:8146 ssl; | |
| 72 protocol imap; | |
| 73 | |
| 74 ssl_session_cache off; | |
| 75 } | |
| 76 | |
| 77 server { | |
| 78 listen 127.0.0.1:8147; | |
| 79 protocol imap; | 67 protocol imap; |
| 80 | 68 |
| 81 # Special case for enabled "ssl" directive. | 69 # Special case for enabled "ssl" directive. |
| 82 | 70 |
| 83 ssl on; | 71 ssl on; |
| 84 ssl_session_cache builtin:1000; | 72 |
| 85 } | |
| 86 | |
| 87 server { | |
| 88 listen 127.0.0.1:8148 ssl; | |
| 89 protocol imap; | |
| 90 | |
| 91 ssl_session_cache shared:SSL:1m; | |
| 92 ssl_certificate_key inherits.key; | 73 ssl_certificate_key inherits.key; |
| 93 ssl_certificate inherits.crt; | 74 ssl_certificate inherits.crt; |
| 94 } | 75 } |
| 95 | 76 |
| 96 server { | 77 server { |
| 167 $t->run(); | 148 $t->run(); |
| 168 open STDERR, ">&", \*OLDERR; | 149 open STDERR, ">&", \*OLDERR; |
| 169 | 150 |
| 170 ############################################################################### | 151 ############################################################################### |
| 171 | 152 |
| 153 my ($s, $ssl); | |
| 154 | |
| 172 # simple tests to ensure that nothing broke with ssl_password_file directive | 155 # simple tests to ensure that nothing broke with ssl_password_file directive |
| 173 | 156 |
| 174 my $s = Test::Nginx::IMAP->new(); | 157 $s = Test::Nginx::IMAP->new(); |
| 175 $s->ok('greeting'); | 158 $s->ok('greeting'); |
| 176 | 159 |
| 177 $s->send('1 AUTHENTICATE LOGIN'); | 160 $s->send('1 AUTHENTICATE LOGIN'); |
| 178 $s->check(qr/\+ VXNlcm5hbWU6/, 'login'); | 161 $s->check(qr/\+ VXNlcm5hbWU6/, 'login'); |
| 179 | 162 |
| 180 # ssl_session_cache | |
| 181 | |
| 182 my ($ssl, $ses); | |
| 183 | |
| 184 ($s, $ssl) = get_ssl_socket(8145); | |
| 185 Net::SSLeay::read($ssl); | |
| 186 $ses = Net::SSLeay::get_session($ssl); | |
| 187 | |
| 188 ($s, $ssl) = get_ssl_socket(8145, $ses); | |
| 189 is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused'); | |
| 190 | |
| 191 ($s, $ssl) = get_ssl_socket(8146); | |
| 192 Net::SSLeay::read($ssl); | |
| 193 $ses = Net::SSLeay::get_session($ssl); | |
| 194 | |
| 195 ($s, $ssl) = get_ssl_socket(8146, $ses); | |
| 196 is(Net::SSLeay::session_reused($ssl), 0, 'session not reused'); | |
| 197 | |
| 198 ($s, $ssl) = get_ssl_socket(8147); | |
| 199 Net::SSLeay::read($ssl); | |
| 200 $ses = Net::SSLeay::get_session($ssl); | |
| 201 | |
| 202 ($s, $ssl) = get_ssl_socket(8147, $ses); | |
| 203 is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused'); | |
| 204 | |
| 205 ($s, $ssl) = get_ssl_socket(8148); | |
| 206 Net::SSLeay::read($ssl); | |
| 207 $ses = Net::SSLeay::get_session($ssl); | |
| 208 | |
| 209 ($s, $ssl) = get_ssl_socket(8148, $ses); | |
| 210 is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused'); | |
| 211 | |
| 212 # ssl_certificate inheritance | 163 # ssl_certificate inheritance |
| 213 | 164 |
| 214 ($s, $ssl) = get_ssl_socket(8145); | 165 ($s, $ssl) = get_ssl_socket(8145); |
| 215 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); | 166 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); |
| 216 | 167 |
| 217 ($s, $ssl) = get_ssl_socket(8148); | 168 ($s, $ssl) = get_ssl_socket(8148); |
| 218 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); | 169 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); |
| 219 | 170 |
| 220 # alpn | 171 # alpn |
| 221 | 172 |
| 222 ok(get_ssl_socket(8148, undef, ['imap']), 'alpn'); | 173 ok(get_ssl_socket(8148, ['imap']), 'alpn'); |
| 223 | 174 |
| 224 SKIP: { | 175 SKIP: { |
| 225 $t->{_configure_args} =~ /LibreSSL ([\d\.]+)/; | 176 $t->{_configure_args} =~ /LibreSSL ([\d\.]+)/; |
| 226 skip 'LibreSSL too old', 1 if defined $1 and $1 lt '3.4.0'; | 177 skip 'LibreSSL too old', 1 if defined $1 and $1 lt '3.4.0'; |
| 227 $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/; | 178 $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/; |
| 228 skip 'OpenSSL too old', 1 if defined $1 and $1 lt '1.1.0'; | 179 skip 'OpenSSL too old', 1 if defined $1 and $1 lt '1.1.0'; |
| 229 | 180 |
| 230 TODO: { | 181 TODO: { |
| 231 local $TODO = 'not yet' unless $t->has_version('1.21.4'); | 182 local $TODO = 'not yet' unless $t->has_version('1.21.4'); |
| 232 | 183 |
| 233 ok(!get_ssl_socket(8148, undef, ['unknown']), 'alpn rejected'); | 184 ok(!get_ssl_socket(8148, ['unknown']), 'alpn rejected'); |
| 234 | 185 |
| 235 } | 186 } |
| 236 | 187 |
| 237 } | 188 } |
| 238 | 189 |
| 315 $s->ok('smtp starttls only'); | 266 $s->ok('smtp starttls only'); |
| 316 | 267 |
| 317 ############################################################################### | 268 ############################################################################### |
| 318 | 269 |
| 319 sub get_ssl_socket { | 270 sub get_ssl_socket { |
| 320 my ($port, $ses, $alpn) = @_; | 271 my ($port, $alpn) = @_; |
| 321 | 272 |
| 322 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | 273 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); |
| 323 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 274 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
| 324 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
| 325 Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn; | 275 Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn; |
| 326 Net::SSLeay::set_fd($ssl, fileno($s)); | 276 Net::SSLeay::set_fd($ssl, fileno($s)); |
| 327 Net::SSLeay::connect($ssl) == 1 or return; | 277 Net::SSLeay::connect($ssl) == 1 or return; |
| 328 return ($s, $ssl); | 278 return ($s, $ssl); |
| 329 } | 279 } |