Mercurial > hg > nginx-tests

diff ssl_sni.t @ 1866:a797d7428fa5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: simplified http SSL tests with IO::Socket::SSL. The http SSL tests which previously used IO::Socket::SSL were converted to use improved IO::Socket::SSL infrastructure in Test::Nginx.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 18 May 2023 18:07:19 +0300
parents cdcd75657e52
children c924ae8d7104
line wrap: on
line diff
--- a/ssl_sni.t
+++ b/ssl_sni.t
@@ -37,42 +37,34 @@ http {
     %%TEST_GLOBALS_HTTP%%
 
     server {
-        listen       127.0.0.1:8080 ssl;
+        listen       127.0.0.1:8443 ssl;
         server_name  localhost;
 
         ssl_certificate_key localhost.key;
         ssl_certificate localhost.crt;
 
         location / {
-            return 200 $server_name;
+            return 200 $server_name:$ssl_server_name;
         }
 
         location /protocol {
             return 200 $ssl_protocol;
         }
+
+        location /name {
+            return 200 $ssl_session_reused:$ssl_server_name;
+        }
     }
 
     server {
-        listen       127.0.0.1:8080;
+        listen       127.0.0.1:8443;
         server_name  example.com;
 
         ssl_certificate_key example.com.key;
         ssl_certificate example.com.crt;
 
         location / {
-            return 200 $server_name;
-        }
-    }
-
-    server {
-        listen       127.0.0.1:8081 ssl;
-        server_name  localhost;
-
-        ssl_certificate_key localhost.key;
-        ssl_certificate localhost.crt;
-
-        location / {
-            return 200 $ssl_session_reused:$ssl_server_name;
+            return 200 $server_name:$ssl_server_name;
         }
     }
 }
@@ -104,19 +96,19 @@ foreach my $name ('localhost', 'example.
 like(get_cert_cn(), qr!/CN=localhost!, 'default cert');
 like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert');
 
-like(https_get_host('example.com'), qr!example.com!,
+like(get_host('example.com'), qr!example.com:example.com!,
 	'host exists, sni exists, and host is equal sni');
 
-like(https_get_host('example.com', 'example.org'), qr!example.com!,
+like(get_host('example.com', 'example.org'), qr!example.com:example.org!,
 	'host exists, sni not found');
 
 TODO: {
 local $TODO = 'sni restrictions';
 
-like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!,
+like(get_host('example.com', 'localhost'), qr!400 Bad Request!,
 	'host exists, sni exists, and host is not equal sni');
 
-like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!,
+like(get_host('example.org', 'example.com'), qr!400 Bad Request!,
 	'host not found, sni exists');
 
 }
@@ -127,7 +119,7 @@ my $ctx = new IO::Socket::SSL::SSL_Conte
 	SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
 	SSL_session_cache_size => 100);
 
-like(get('/', 'localhost', 8081, $ctx), qr/^\.:localhost$/m, 'ssl server name');
+like(get('/name', 'localhost', $ctx), qr/^\.:localhost$/m, 'ssl server name');
 
 TODO: {
 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay'
@@ -137,7 +129,7 @@ local $TODO = 'no TLSv1.3 sessions, old 
 local $TODO = 'no TLSv1.3 sessions in LibreSSL'
 	if $t->has_module('LibreSSL') && test_tls13();
 
-like(get('/', 'localhost', 8081, $ctx), qr/^r:localhost$/m,
+like(get('/name', 'localhost', $ctx), qr/^r:localhost$/m,
 	'ssl server name - reused');
 
 }
@@ -148,58 +140,29 @@ sub test_tls13 {
 	get('/protocol', 'localhost') =~ /TLSv1.3/;
 }
 
-sub get_ssl_socket {
-	my ($host, $port, $ctx) = @_;
-	my $s;
-
-	eval {
-		local $SIG{ALRM} = sub { die "timeout\n" };
-		local $SIG{PIPE} = sub { die "sigpipe\n" };
-		alarm(8);
-		$s = IO::Socket::SSL->new(
-			Proto => 'tcp',
-			PeerAddr => '127.0.0.1:' . port($port || 8080),
-			SSL_hostname => $host,
-			SSL_reuse_ctx => $ctx,
-			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-			SSL_error_trap => sub { die $_[1] }
-		);
-		alarm(0);
-	};
-	alarm(0);
-
-	if ($@) {
-		log_in("died: $@");
-		return undef;
-	}
-
-	return $s;
-}
-
 sub get_cert_cn {
 	my ($host) = @_;
-	my $s = get_ssl_socket($host);
-
+	my $s = http('', start => 1, SSL => 1, SSL_hostname => $host);
 	return $s->dump_peer_certificate();
 }
 
-sub https_get_host {
+sub get_host {
 	my ($host, $sni) = @_;
-	my $s = get_ssl_socket($sni ? $sni : $host);
-
-	return http(<<EOF, socket => $s);
-GET / HTTP/1.0
-Host: $host
-
-EOF
+	return http(
+		"GET / HTTP/1.0\nHost: $host\n\n",
+		SSL => 1,
+		SSL_hostname => $sni || $host
+	);
 }
 
 sub get {
-	my ($uri, $host, $port, $ctx) = @_;
-	my $s = get_ssl_socket($host, $port, $ctx) or return;
-	my $r = http_get($uri, socket => $s);
-	$s->close();
-	return $r;
+	my ($uri, $host, $ctx) = @_;
+	return http_get(
+		$uri,
+		SSL => 1,
+		SSL_hostname => $host,
+		SSL_reuse_ctx => $ctx
+	);
 }
 
 ###############################################################################