changeset 1605:aa5a61d1254b

Tests: actually test the verification depth in ssl_verify_depth.t. This reverts 5b22e2014f76. Two basic cases are now provided for a full chain: when the verification depth is big enough and when it is insufficient.
author Sergey Kandaurov <pluknet@nginx.com>
date Fri, 06 Nov 2020 14:32:13 +0000
parents 4be791074207
children e4e0695552ed
files ssl_verify_depth.t
diffstat 1 files changed, 25 insertions(+), 8 deletions(-) [+]
--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -46,14 +46,19 @@ http {
     ssl_certificate localhost.crt;
 
     ssl_verify_client on;
-    ssl_client_certificate int-root.crt;
+    ssl_client_certificate root.crt;
 
-    add_header X-Verify $ssl_client_verify;
+    add_header X-Verify $ssl_client_verify always;
 
     server {
         listen       127.0.0.1:8080 ssl;
         server_name  localhost;
-        ssl_verify_depth 0;
+        ssl_verify_depth 3;
+    }
+
+    server {
+        listen       127.0.0.1:8081 ssl;
+        server_name  localhost;
     }
 }
 
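Review bot: The second server block (listen 127.0.0.1:8081, end of the hunk) leaves ssl_verify_depth unset, so the 'verify depth limited' case only fails because the directive's default of 1 is smaller than the three-certificate client chain built later in the file; if that default ever changes, the test silently stops testing the limit. Pinning it with `ssl_verify_depth 1;` in that block makes the tested boundary explicit. The `always` parameter added on the add_header line is load-bearing too, since nginx answers a failed client verification with 400 and the FAILED value would otherwise never reach the client; a one-line comment such as `# always: X-Verify must also be sent on the 400 returned for a failed client verification` would keep the next editor from dropping it.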
@@ -80,9 +85,13 @@ default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
+x509_extensions = myca_extensions
 
 [ myca_policy ]
 commonName = supplied
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 
 foreach my $name ('root', 'localhost') {
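Review bot: `x509_extensions = myca_extensions` is set in the CA section, so every certificate issued through ca.conf gets `basicConstraints = critical,CA:TRUE`, including the leaf `end` certificate that is presented as the client certificate; the chain still verifies, but a leaf marked as a CA is not representative of a real client certificate and would be worth avoiding in a test about chain depth. A separate section in this heredoc, `[ myca_leaf_extensions ]` followed by `basicConstraints = critical,CA:FALSE`, selected with `-extensions myca_leaf_extensions` on the `openssl ca` invocation that signs `end` (outside this hunk), keeps CA:TRUE on the intermediates only. Presumably the extension was added so the intermediates are accepted as CAs when verifying the longer chain; a short comment stating that would help, e.g. `# mark issued certificates as CAs so int/int2 are accepted as intermediates`.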
@@ -93,7 +102,7 @@ foreach my $name ('root', 'localhost') {
 		or die "Can't create certificate for $name: $!\n";
 }
 
-foreach my $name ('int', 'end') {
+foreach my $name ('int', 'int2', 'end') {
 	system("openssl req -new "
 		. "-config $d/openssl.conf -subj /CN=$name/ "
 		. "-out $d/$name.csr -keyout $d/$name.key "
@@ -112,20 +121,28 @@ system("openssl ca -batch -config $d/ca.
 
 system("openssl ca -batch -config $d/ca.conf "
 	. "-keyfile $d/int.key -cert $d/int.crt "
+	. "-subj /CN=int2/ -in $d/int2.csr -out $d/int2.crt "
+	. ">>$d/openssl.out 2>&1") == 0
+	or die "Can't sign certificate for int2: $!\n";
+
+system("openssl ca -batch -config $d/ca.conf "
+	. "-keyfile $d/int2.key -cert $d/int2.crt "
 	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
 	. ">>$d/openssl.out 2>&1") == 0
 	or die "Can't sign certificate for end: $!\n";
 
-$t->write_file('int-root.crt',
-	$t->read_file('int.crt') . $t->read_file('root.crt'));
+$t->write_file('client.key', $t->read_file('end.key') .
+	$t->read_file('int.key') . $t->read_file('int2.key'));
+$t->write_file('client.crt', $t->read_file('end.crt') .
+	$t->read_file('int.crt') . $t->read_file('int2.crt'));
 
 $t->write_file('t', '');
 $t->run();
 
 ###############################################################################
 
-like(get(8080, 'root'), qr/SUCCESS/, 'verify depth');
-like(get(8080, 'end'), qr/400 Bad Request/, 'verify depth limited');
+like(get(8080, 'client'), qr/SUCCESS/, 'verify depth');
+like(get(8081, 'client'), qr/FAILED/, 'verify depth limited');
 
 ###############################################################################