Mercurial > hg > nginx-tests
view ssl_certificates.t @ 1983:c7315caf2110
Tests: optimized processing of large QUIC packets with padding.
Path MTU discovery packets might contain a lot of padding, and creating
a copy of the whole buffer for each PADDING frame, which is just one
byte with type 0, consumes lots of resources. This was seen to result
in flapping of at least h3_keepalive.t and h3_ssl_early_data.t tests.
Fix is to copy at most 8 bytes for parse_int() calls when parsing
frame types.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 03 Jun 2024 04:17:28 +0300 |
| parents | 94e0390dc64f |
| children |
line wrap: on
line source
#!/usr/bin/perl # (C) Sergey Kandaurov # (C) Nginx, Inc. # Tests for http ssl module with multiple certificates. ############################################################################### use warnings; use strict; use Test::More; BEGIN { use FindBin; chdir($FindBin::Bin); } use lib 'lib'; use Test::Nginx; ############################################################################### select STDERR; $| = 1; select STDOUT; $| = 1; my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/) ->has_daemon('openssl'); plan(skip_all => 'no multiple certificates') if $t->has_module('BoringSSL'); plan(skip_all => 'no ECDSA support') if $t->has_module('OpenSSL') and not $t->has_feature('openssl:0.9.8b'); $t->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% daemon off; events { } http { %%TEST_GLOBALS_HTTP%% ssl_certificate_key rsa.key; ssl_certificate rsa.crt; ssl_ciphers DEFAULT:ECCdraft; add_header X-SSL-Protocol $ssl_protocol; server { listen 127.0.0.1:8443 ssl; server_name localhost; ssl_certificate_key ec.key; ssl_certificate ec.crt; ssl_certificate_key rsa.key; ssl_certificate rsa.crt; ssl_certificate_key rsa.key; ssl_certificate rsa.crt; } } EOF $t->write_file('openssl.conf', <<EOF); [ req ] default_bits = 2048 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] EOF my $d = $t->testdir(); system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n"; system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0 or die "Can't create RSA pem: $!\n"; foreach my $name ('ec', 'rsa') { system("openssl req -x509 -new -key $d/$name.key " . "-config $d/openssl.conf -subj /CN=$name/ " . "-out $d/$name.crt -keyout $d/$name.key " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } $t->write_file('index.html', ''); $t->run()->plan(2); ############################################################################### TODO: { local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' if $t->has_module('LibreSSL') && test_tls13(); like(cert('RSA'), qr/CN=rsa/, 'ssl cert RSA'); } TODO: { local $TODO = 'no TLSv1.3 sigalgs in Net::SSLeay (LibreSSL)' if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && !$t->has_module('LibreSSL') && test_tls13(); like(cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA'); } ############################################################################### sub test_tls13 { return http_get('/', SSL => 1) =~ /TLSv1.3/; } sub cert { my $s = get_socket(@_) || return; return $s->dump_peer_certificate(); } sub get_socket { my ($type) = @_; my $ctx_cb = sub { my $ctx = shift; return unless defined $type; my $ssleay = Net::SSLeay::SSLeay(); return if ($ssleay < 0x1000200f || $ssleay == 0x20000000); my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256'); @sigalgs = ($type . '+SHA256') unless $type eq 'RSA'; # SSL_CTRL_SET_SIGALGS_LIST Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0]) or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1]) or die("Failed to set sigalgs"); }; return http_get( '/', start => 1, SSL => 1, SSL_cipher_list => $type, SSL_create_ctx_callback => $ctx_cb ); } ###############################################################################