Mercurial > hg > nginx-tests

view stream_ssl_preread.t @ 1851:0351dee227a8

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: unbreak tests with dynamic certificates on stable. In 74cffa9d4c43, ticket based session reuse is enabled in addition to using a shared SSL session cache. This changed how a session can be resumed in a different server: - for a session ID based resumption, it is resumed in the same context - when using session tickets, a key name is also checked for matching - with a ticket callback, this is skipped in favor of callback's logic This makes 'session id context match' tests fail with session tickets on stable since ticket key names are unique in distinct SSL contexts. On the other hand, tests pass on 1.23.2+ due to automatic ticket keys rotation that installs ticket callback, and using a common shared SSL session cache.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 28 Mar 2023 01:36:32 +0400
parents f3ba4c74de31
children cdcd75657e52
line wrap: on
line source

#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for stream_ssl_preread module.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::Stream qw/ stream /;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

my $t = Test::Nginx->new()->has(qw/stream stream_map stream_ssl_preread/)
	->has(qw/stream_ssl stream_return/)->has_daemon('openssl')
	->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

stream {
    %%TEST_GLOBALS_STREAM%%

    log_format status $status;

    map $ssl_preread_server_name $name {
        ""       127.0.0.1:8093;
        default  $ssl_preread_server_name;
    }

    upstream foo {
        server 127.0.0.1:8091;
    }

    upstream bar {
        server 127.0.0.1:8092;
    }

    upstream next {
        server 127.0.0.1:8094;
        server 127.0.0.1:8080;
    }

    ssl_preread  on;

    server {
        listen       127.0.0.1:8080;
        return       $name;
    }

    server {
        listen       127.0.0.1:8081;
        proxy_pass   $name;
    }

    server {
        listen       127.0.0.1:8082;
        proxy_pass   $name;
        ssl_preread  off;
    }

    server {
        listen       127.0.0.1:8083;
        proxy_pass   $name;

        preread_timeout      2s;
        preread_buffer_size  42;

        access_log %%TESTDIR%%/status.log status;
    }

    server {
        listen       127.0.0.1:8084;
        proxy_pass   next;

        proxy_connect_timeout  2s;
        preread_buffer_size    8;
    }

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;

    server {
        listen       127.0.0.1:8091 ssl;
        listen       127.0.0.1:8092 ssl;
        listen       127.0.0.1:8093 ssl;
        ssl_preread  off;
        return       $server_port;
    }
}

EOF

eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 1.56; };
plan(skip_all => 'IO::Socket::SSL version >= 1.56 required') if $@;

eval {
	if (IO::Socket::SSL->can('can_client_sni')) {
		IO::Socket::SSL->can_client_sni() or die;
	}
};
plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@;

eval {
	my $ctx = Net::SSLeay::CTX_new() or die;
	my $ssl = Net::SSLeay::new($ctx) or die;
	Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die;
};
plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@;

$t->plan(13);

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

foreach my $name ('localhost') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->run();

###############################################################################

my ($p1, $p2, $p3, $p4) = (port(8091), port(8092), port(8093), port(8084));

is(get_ssl('foo', 8081), $p1, 'sni');
is(get_ssl('foo', 8081), $p1, 'sni again');

is(get_ssl('bar', 8081), $p2, 'sni 2');
is(get_ssl('bar', 8081), $p2, 'sni 2 again');

# fallback to an empty value for some reason

is(get_ssl('', 8081), $p3, 'no sni');
is(get_ssl('foo', 8082), $p3, 'preread off');
is(get_ssl('foo', 8083), undef, 'preread buffer full');
is(stream('127.0.0.1:' . port(8080))->io('x' x 1000), "127.0.0.1:$p3",
	'not a handshake');

# ticket #1317

is(stream("127.0.0.1:$p4")->io('x' x 16), "127.0.0.1:$p3",
	'pending buffers on next upstream');

# no junk in variable due to short ClientHello length value

is(get_short(), "127.0.0.1:$p3", 'short client hello');

# allow record with older SSL version, such as 3.0

is(get_oldver(), 'foo', 'older version in ssl record');

# SNI "foo|f" fragmented across TLS records

is(get_frag(), 'foof', 'handshake fragment split on SNI');

$t->stop();

is($t->read_file('status.log'), "400\n", 'preread buffer full - log');

###############################################################################

sub get_frag {
	my $r = pack("N*", 0x16030100, 0x3b010000, 0x380303ac,
		0x8c8678a0, 0xaa1e7eed, 0x3644eed6, 0xc3bd2c69,
		0x7bc7deda, 0x249db0e3, 0x0c339eba, 0xa80b7600,
		0x00020000, 0x0100000d, 0x00000009, 0x00070000,
		0x04666f6f, 0x16030100);
	$r .= pack("n", 0x0166);

	http($r);
}

sub get_short {
	my $r = pack("N*", 0x16030100, 0x38010000, 0x330303eb);
	$r .= pack("N*", 0x6357cdba, 0xa6b8d853, 0xf1f6ac0f);
	$r .= pack("N*", 0xdf03178c, 0x0ae41824, 0xe7643682);
	$r .= pack("N*", 0x3c1b273f, 0xbfde4b00, 0x00000000);
	$r .= pack("CN3", 0x0c, 0x00000008, 0x00060000, 0x03666f6f);

	http($r);
}

sub get_oldver {
	my $r = pack("N*", 0x16030000, 0x38010000, 0x340303eb);
	$r .= pack("N*", 0x6357cdba, 0xa6b8d853, 0xf1f6ac0f);
	$r .= pack("N*", 0xdf03178c, 0x0ae41824, 0xe7643682);
	$r .= pack("N*", 0x3c1b273f, 0xbfde4b00, 0x00000000);
	$r .= pack("CN3", 0x0c, 0x00000008, 0x00060000, 0x03666f6f);

	http($r);
}

sub get_ssl {
	my ($host, $port) = @_;
	my $s = stream('127.0.0.1:' . port($port));

	eval {
		local $SIG{ALRM} = sub { die "timeout\n" };
		local $SIG{PIPE} = sub { die "sigpipe\n" };
		alarm(8);
		IO::Socket::SSL->start_SSL($s->{_socket},
			SSL_hostname => $host,
			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
			SSL_error_trap => sub { die $_[1] }
		);
		alarm(0);
	};
	alarm(0);

	if ($@) {
		log_in("died: $@");
		return undef;
	}

	return $s->read();
}

###############################################################################