comparison ssl_verify_client.t @ 932:f9ab0aa6e14e

Tests: simple ssl_verify_client tests.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 23 May 2016 13:58:34 +0300
parents
children e9064d691790
931:bf86f9ad0c23 932:f9ab0aa6e14e
1 #!/usr/bin/perl
2
3 # (C) Sergey Kandaurov
4 # (C) Nginx, Inc.
5
6 # Tests for http ssl module, ssl_verify_client.
7
8 ###############################################################################
9
10 use warnings;
11 use strict;
12
13 use Test::More;
14
15 BEGIN { use FindBin; chdir($FindBin::Bin); }
16
17 use lib 'lib';
18 use Test::Nginx;
19
20 ###############################################################################
21
22 select STDERR; $| = 1;
23 select STDOUT; $| = 1;
24
25 eval { require IO::Socket::SSL; };
26 plan(skip_all => 'IO::Socket::SSL not installed') if $@;
27 eval { IO::Socket::SSL->can_client_sni() or die; };
28 plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@;
29
30 my $t = Test::Nginx->new()->has(qw/http http_ssl/)
31 ->has_daemon('openssl')->plan(3);
32
33 $t->write_file_expand('nginx.conf', <<'EOF');
34
35 %%TEST_GLOBALS%%
36
37 daemon off;
38
39 events {
40 }
41
42 http {
43 %%TEST_GLOBALS_HTTP%%
44
45 ssl_certificate_key localhost.key;
46 ssl_certificate localhost.crt;
47
48 ssl_verify_client optional_no_ca;
49
50 add_header X-Verify $ssl_client_verify;
51
52 server {
53 listen 127.0.0.1:8443 ssl;
54 server_name localhost;
55
56 ssl_client_certificate client.crt;
57
58 location / { }
59 }
60
61 server {
62 listen 127.0.0.1:8443 ssl;
63 server_name example.com;
64
65 location / { }
66 }
67 }
68
69 EOF
70
71 $t->write_file('openssl.conf', <<EOF);
72 [ req ]
73 default_bits = 2048
74 encrypt_key = no
75 distinguished_name = req_distinguished_name
76 [ req_distinguished_name ]
77 EOF
78
79 my $d = $t->testdir();
80
81 foreach my $name ('localhost', 'client') {
82 system('openssl req -x509 -new '
83 . "-config '$d/openssl.conf' -subj '/CN=$name/' "
84 . "-out '$d/$name.crt' -keyout '$d/$name.key' "
85 . ">>$d/openssl.out 2>&1") == 0
86 or die "Can't create certificate for $name: $!\n";
87 }
88
89 $t->write_file('t', 'SEE-THIS');
90
91 $t->run();
92
93 ###############################################################################
94
95 like(get('localhost'), qr/SUCCESS/, 'success');
96 like(get('example.com'), qr/FAILED/, 'failed');
97
98 # used to be "400 Bad Request" before 654d2dae97d3 (1.11.0)
99
100 TODO: {
101 local $TODO = 'not yet' unless $t->has_version('1.11.0');
102
103 like(get('localhost', 'example.com'), qr/421 Misdirected/, 'misdirected');
104
105 }
106
107 ###############################################################################
108
109 sub get {
110 my ($sni, $host) = @_;
111 my $s;
112
113 $host = $sni if !defined $host;
114
115 eval {
116 local $SIG{ALRM} = sub { die "timeout\n" };
117 local $SIG{PIPE} = sub { die "sigpipe\n" };
118 alarm(2);
119 $s = IO::Socket::SSL->new(
120 Proto => 'tcp',
121 PeerAddr => '127.0.0.1',
122 PeerPort => 8443,
123 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
124 SSL_hostname => $sni,
125 SSL_cert_file => "$d/client.crt",
126 SSL_key_file => "$d/client.key",
127 SSL_error_trap => sub { die $_[1] }
128 );
129 alarm(0);
130 };
131 alarm(0);
132
133 if ($@) {
134 log_in("died: $@");
135 return undef;
136 }
137
138 return http(<<EOF, socket => $s);
139 GET /t HTTP/1.0
140 Host: $host
141
142 EOF
143 }
144
145 ###############################################################################
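Review bot: In the openssl invocation inside the `foreach my $name` loop, the redirect target `>>$d/openssl.out` is the only place `$d` reaches the shell unquoted, while `-config`, `-out` and `-keyout` wrap it in single quotes; a test directory containing whitespace or shell metacharacters would break the redirect but not the other arguments. Quoting it the same way, `. ">>'$d/openssl.out' 2>&1") == 0`, keeps the command consistent with the rest of the string. In `get`, a short comment above the `IO::Socket::SSL->new` call would help readers, e.g. `# client side does not verify the self-signed server cert; the test exercises server-side verification of client.crt via ssl_verify_client`, since `SSL_VERIFY_NONE` next to a presented client certificate reads oddly without that context. The `return undef;` in `get` is deliberate here and should stay: a bare `return;` would collapse the `like(get(...), qr/.../, '...')` argument list in list context.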