comparison mail_ssl.t @ 1831:f6d1f82f314b
Tests: separate SSL session reuse tests in mail.
Instead of being mixed with generic SSL tests, session reuse variants
are now tested in a separate file.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 23 Mar 2023 19:49:51 +0300 |
parents | 1f125771f1a1 |
children | ce4a06d72256 |
1830:8dec885fa3da | 1831:f6d1f82f314b |
---|---|
35 | 35 |
36 eval { exists &Net::SSLeay::P_alpn_selected or die; }; | 36 eval { exists &Net::SSLeay::P_alpn_selected or die; }; |
37 plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@; | 37 plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@; |
38 | 38 |
39 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/) | 39 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/) |
40 ->has_daemon('openssl')->plan(22); | 40 ->has_daemon('openssl')->plan(18); |
41 | 41 |
42 $t->write_file_expand('nginx.conf', <<'EOF'); | 42 $t->write_file_expand('nginx.conf', <<'EOF'); |
43 | 43 |
44 %%TEST_GLOBALS%% | 44 %%TEST_GLOBALS%% |
45 | 45 |
49 } | 49 } |
50 | 50 |
51 mail { | 51 mail { |
52 ssl_certificate_key localhost.key; | 52 ssl_certificate_key localhost.key; |
53 ssl_certificate localhost.crt; | 53 ssl_certificate localhost.crt; |
54 ssl_session_tickets off; | |
55 | 54 |
56 ssl_password_file password; | 55 ssl_password_file password; |
57 | 56 |
58 auth_http http://127.0.0.1:8080; # unused | 57 auth_http http://127.0.0.1:8080; # unused |
59 | |
60 ssl_session_cache none; | |
61 | 58 |
62 server { | 59 server { |
63 listen 127.0.0.1:8143; | 60 listen 127.0.0.1:8143; |
64 listen 127.0.0.1:8145 ssl; | 61 listen 127.0.0.1:8145 ssl; |
65 protocol imap; | 62 protocol imap; |
66 | 63 } |
67 ssl_session_cache builtin; | 64 |
68 } | 65 server { |
69 | 66 listen 127.0.0.1:8148; |
70 server { | |
71 listen 127.0.0.1:8146 ssl; | |
72 protocol imap; | |
73 | |
74 ssl_session_cache off; | |
75 } | |
76 | |
77 server { | |
78 listen 127.0.0.1:8147; | |
79 protocol imap; | 67 protocol imap; |
80 | 68 |
81 # Special case for enabled "ssl" directive. | 69 # Special case for enabled "ssl" directive. |
82 | 70 |
83 ssl on; | 71 ssl on; |
84 ssl_session_cache builtin:1000; | 72 |
85 } | |
86 | |
87 server { | |
88 listen 127.0.0.1:8148 ssl; | |
89 protocol imap; | |
90 | |
91 ssl_session_cache shared:SSL:1m; | |
92 ssl_certificate_key inherits.key; | 73 ssl_certificate_key inherits.key; |
93 ssl_certificate inherits.crt; | 74 ssl_certificate inherits.crt; |
94 } | 75 } |
95 | 76 |
96 server { | 77 server { |
167 $t->run(); | 148 $t->run(); |
168 open STDERR, ">&", \*OLDERR; | 149 open STDERR, ">&", \*OLDERR; |
169 | 150 |
170 ############################################################################### | 151 ############################################################################### |
171 | 152 |
153 my ($s, $ssl); | |
154 | |
172 # simple tests to ensure that nothing broke with ssl_password_file directive | 155 # simple tests to ensure that nothing broke with ssl_password_file directive |
173 | 156 |
174 my $s = Test::Nginx::IMAP->new(); | 157 $s = Test::Nginx::IMAP->new(); |
175 $s->ok('greeting'); | 158 $s->ok('greeting'); |
176 | 159 |
177 $s->send('1 AUTHENTICATE LOGIN'); | 160 $s->send('1 AUTHENTICATE LOGIN'); |
178 $s->check(qr/\+ VXNlcm5hbWU6/, 'login'); | 161 $s->check(qr/\+ VXNlcm5hbWU6/, 'login'); |
179 | 162 |
180 # ssl_session_cache | |
181 | |
182 my ($ssl, $ses); | |
183 | |
184 ($s, $ssl) = get_ssl_socket(8145); | |
185 Net::SSLeay::read($ssl); | |
186 $ses = Net::SSLeay::get_session($ssl); | |
187 | |
188 ($s, $ssl) = get_ssl_socket(8145, $ses); | |
189 is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused'); | |
190 | |
191 ($s, $ssl) = get_ssl_socket(8146); | |
192 Net::SSLeay::read($ssl); | |
193 $ses = Net::SSLeay::get_session($ssl); | |
194 | |
195 ($s, $ssl) = get_ssl_socket(8146, $ses); | |
196 is(Net::SSLeay::session_reused($ssl), 0, 'session not reused'); | |
197 | |
198 ($s, $ssl) = get_ssl_socket(8147); | |
199 Net::SSLeay::read($ssl); | |
200 $ses = Net::SSLeay::get_session($ssl); | |
201 | |
202 ($s, $ssl) = get_ssl_socket(8147, $ses); | |
203 is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused'); | |
204 | |
205 ($s, $ssl) = get_ssl_socket(8148); | |
206 Net::SSLeay::read($ssl); | |
207 $ses = Net::SSLeay::get_session($ssl); | |
208 | |
209 ($s, $ssl) = get_ssl_socket(8148, $ses); | |
210 is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused'); | |
211 | |
212 # ssl_certificate inheritance | 163 # ssl_certificate inheritance |
213 | 164 |
214 ($s, $ssl) = get_ssl_socket(8145); | 165 ($s, $ssl) = get_ssl_socket(8145); |
215 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); | 166 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN'); |
216 | 167 |
217 ($s, $ssl) = get_ssl_socket(8148); | 168 ($s, $ssl) = get_ssl_socket(8148); |
218 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); | 169 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner'); |
219 | 170 |
220 # alpn | 171 # alpn |
221 | 172 |
222 ok(get_ssl_socket(8148, undef, ['imap']), 'alpn'); | 173 ok(get_ssl_socket(8148, ['imap']), 'alpn'); |
223 | 174 |
224 SKIP: { | 175 SKIP: { |
225 $t->{_configure_args} =~ /LibreSSL ([\d\.]+)/; | 176 $t->{_configure_args} =~ /LibreSSL ([\d\.]+)/; |
226 skip 'LibreSSL too old', 1 if defined $1 and $1 lt '3.4.0'; | 177 skip 'LibreSSL too old', 1 if defined $1 and $1 lt '3.4.0'; |
227 $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/; | 178 $t->{_configure_args} =~ /OpenSSL ([\d\.]+)/; |
228 skip 'OpenSSL too old', 1 if defined $1 and $1 lt '1.1.0'; | 179 skip 'OpenSSL too old', 1 if defined $1 and $1 lt '1.1.0'; |
229 | 180 |
230 TODO: { | 181 TODO: { |
231 local $TODO = 'not yet' unless $t->has_version('1.21.4'); | 182 local $TODO = 'not yet' unless $t->has_version('1.21.4'); |
232 | 183 |
233 ok(!get_ssl_socket(8148, undef, ['unknown']), 'alpn rejected'); | 184 ok(!get_ssl_socket(8148, ['unknown']), 'alpn rejected'); |
234 | 185 |
235 } | 186 } |
236 | 187 |
237 } | 188 } |
238 | 189 |
315 $s->ok('smtp starttls only'); | 266 $s->ok('smtp starttls only'); |
316 | 267 |
317 ############################################################################### | 268 ############################################################################### |
318 | 269 |
319 sub get_ssl_socket { | 270 sub get_ssl_socket { |
320 my ($port, $ses, $alpn) = @_; | 271 my ($port, $alpn) = @_; |
321 | 272 |
322 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); | 273 my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)); |
323 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 274 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
324 Net::SSLeay::set_session($ssl, $ses) if defined $ses; | |
325 Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn; | 275 Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn; |
326 Net::SSLeay::set_fd($ssl, fileno($s)); | 276 Net::SSLeay::set_fd($ssl, fileno($s)); |
327 Net::SSLeay::connect($ssl) == 1 or return; | 277 Net::SSLeay::connect($ssl) == 1 or return; |
328 return ($s, $ssl); | 278 return ($s, $ssl); |
329 } | 279 } |
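Review bot: After the 8147 and 8148 servers are merged, the `CN inner` check and both ALPN checks (`get_ssl_socket(8148, ['imap'])` and `get_ssl_socket(8148, ['unknown'])`) connect to the server that enables TLS through the `ssl on;` special case, where before they ran against a `listen ... ssl` server. Among the servers visible in this comparison, the `listen ... ssl` path is then left with only the `CN=localhost` check on 8145, so the ALPN rejection check depends on the special-case server staying in the test. If that is not intended, the two ALPN calls could target 8145 instead, e.g. `ok(!get_ssl_socket(8145, ['unknown']), 'alpn rejected');`; otherwise a short comment above `# alpn` saying the checks deliberately share the `ssl on;` server would help. Part of the configuration and test body is collapsed in this view, so other `ssl` listeners may exist there.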