Mercurial > hg > nginx-tests
view mail_imap_ssl.t @ 1983:c7315caf2110
Tests: optimized processing of large QUIC packets with padding.
Path MTU discovery packets might contain a lot of padding, and creating
a copy of the whole buffer for each PADDING frame, which is just one
byte with type 0, consumes lots of resources. This was seen to result
in flapping of at least h3_keepalive.t and h3_ssl_early_data.t tests.
Fix is to copy at most 8 bytes for parse_int() calls when parsing
frame types.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 03 Jun 2024 04:17:28 +0300 |
parents | 84f4d4930835 |
children |
line wrap: on
line source
#!/usr/bin/perl # (C) Maxim Dounin # (C) Sergey Kandaurov # (C) Nginx, Inc. # Tests for nginx mail imap module with ssl. ############################################################################### use warnings; use strict; use Test::More; use MIME::Base64; BEGIN { use FindBin; chdir($FindBin::Bin); } use lib 'lib'; use Test::Nginx; use Test::Nginx::IMAP; ############################################################################### select STDERR; $| = 1; select STDOUT; $| = 1; local $SIG{PIPE} = 'IGNORE'; my $t = Test::Nginx->new() ->has(qw/mail mail_ssl imap http rewrite socket_ssl/) ->has_daemon('openssl')->plan(13) ->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% daemon off; events { } mail { proxy_pass_error_message on; proxy_timeout 15s; auth_http http://127.0.0.1:8080/mail/auth; auth_http_pass_client_cert on; ssl_certificate_key 1.example.com.key; ssl_certificate 1.example.com.crt; server { listen 127.0.0.1:8143; protocol imap; } server { listen 127.0.0.1:8993 ssl; protocol imap; ssl_verify_client on; ssl_client_certificate 2.example.com.crt; } server { listen 127.0.0.1:8994 ssl; protocol imap; ssl_verify_client optional; ssl_client_certificate 2.example.com.crt; } server { listen 127.0.0.1:8995 ssl; protocol imap; ssl_verify_client optional; ssl_client_certificate 2.example.com.crt; ssl_trusted_certificate 3.example.com.crt; } server { listen 127.0.0.1:8996 ssl; protocol imap; ssl_verify_client optional_no_ca; ssl_client_certificate 2.example.com.crt; } } http { %%TEST_GLOBALS_HTTP%% log_format test '$http_auth_ssl:$http_auth_ssl_verify:' '$http_auth_ssl_subject:$http_auth_ssl_issuer:' '$http_auth_ssl_serial:$http_auth_ssl_fingerprint:' '$http_auth_ssl_cert:$http_auth_pass'; log_format test2 '$http_auth_ssl_cipher:$http_auth_ssl_protocol'; server { listen 127.0.0.1:8080; server_name localhost; location = /mail/auth { access_log auth.log test; access_log auth2.log test2; add_header Auth-Status OK; add_header Auth-Server 127.0.0.1; add_header Auth-Port %%PORT_8144%%; add_header Auth-Wait 1; return 204; } } } EOF $t->write_file('openssl.conf', <<EOF); [ req ] default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] EOF my $d = $t->testdir(); foreach my $name ('1.example.com', '2.example.com', '3.example.com') { system('openssl req -x509 -new ' . "-config $d/openssl.conf -subj /CN=$name/ " . "-out $d/$name.crt -keyout $d/$name.key " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } $t->run_daemon(\&Test::Nginx::IMAP::imap_test_daemon); $t->run()->waitforsocket('127.0.0.1:' . port(8144)); ############################################################################### my $cred = sub { encode_base64("\0test\@example.com\0$_[0]", '') }; # no ssl connection my $s = Test::Nginx::IMAP->new(); $s->ok('plain connection'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s1")); # no cert $s = Test::Nginx::IMAP->new(SSL => 1); $s->check(qr/BYE No required SSL certificate/, 'no cert'); # no cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8994), SSL => 1); $s->ok('no optional cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s2")); # wrong cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8995), SSL => 1, SSL_cert_file => "$d/1.example.com.crt", SSL_key_file => "$d/1.example.com.key" ); $s->check(qr/BYE SSL certificate error/, 'bad optional cert'); # wrong cert with ssl_verify_client optional_no_ca $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8996), SSL => 1, SSL_cert_file => "$d/1.example.com.crt", SSL_key_file => "$d/1.example.com.key" ); $s->ok('bad optional_no_ca cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s3")); # matching cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8995), SSL => 1, SSL_cert_file => "$d/2.example.com.crt", SSL_key_file => "$d/2.example.com.key" ); $s->ok('good cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s4")); # trusted cert with ssl_verify_client optional $s = Test::Nginx::IMAP->new( PeerAddr => '127.0.0.1:' . port(8995), SSL => 1, SSL_cert_file => "$d/3.example.com.crt", SSL_key_file => "$d/3.example.com.key" ); $s->ok('trusted cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5")); $s->read(); undef $s; # test auth_http request header fields with access_log $t->stop(); my $f = $t->read_file('auth.log'); like($f, qr/^-:-:-:-:-:-:-\x0d?\x0a?:s1$/m, 'log - plain connection'); like($f, qr/^on:NONE:-:-:-:-:-\x0d?\x0a?:s2$/m, 'log - no cert'); like($f, qr!^on:FAILED(?:.*):(/?CN=1.example.com):\1:\w+:\w+:[^:]+:s3$!m, 'log - bad cert'); like($f, qr!^on:SUCCESS:(/?CN=2.example.com):\1:\w+:\w+:[^:]+:s4$!m, 'log - good cert'); like($f, qr!^on:SUCCESS:(/?CN=3.example.com):\1:\w+:\w+:[^:]+:s5$!m, 'log - trusted cert'); $f = $t->read_file('auth2.log'); like($f, qr/^[\w-]+:(TLS|SSL)v[\d.]+$/m, 'log - cipher sslversion'); ###############################################################################