Tests: fixed h3_limit_req.t spurious failures.
In the "reset stream - cancellation" test, HTTP/3 stream is closed without
sending the request body when the request is waiting in the limit_req
module, and this results in error 444. However, when the request is received
with some minor delay due to system load, it is not delayed by limit_req,
and the stream is closed during reading the request body, which results
in error 400 instead, breaking the test.
Fix is to introduce yet another request before the "reset stream" test,
so the stream in question is always delayed by limit_req.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 14 Mar 2024 02:25:49 +0300 |
parents | 0b5ec15c62ed |
children | c924ae8d7104 |
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for OCSP with client certificates.
#
# What is exercised, in the order the checks appear below: ssl_ocsp "leaf"
# against ssl_ocsp "on" (whole chain), a responder URL that needs a
# resolver nginx was not given, ssl_ocsp_responder overriding the URL from
# the certificate, ssl_ocsp_cache, a revoked certificate (including on a
# resumed session), a response signed by a certificate that is not the
# issuer, an ECDSA client certificate, and a self-signed client certificate.

###############################################################################

use warnings;
use strict;

use Test::More;

use MIME::Base64 qw(decode_base64);

# Run relative to the test's own directory so that "lib" below resolves.
BEGIN {
	use FindBin;
	chdir($FindBin::Bin);
}

use lib 'lib';
use Test::Nginx qw(:DEFAULT http_end);

###############################################################################

# Unbuffered output on both streams so that diagnostics interleave with
# nginx's own output in order; the selected handle is restored afterwards.
for my $fh (\*STDERR, \*STDOUT) {
	my $previous = select $fh;
	$| = 1;
	select $previous;
}

# The suite needs an SSL-enabled nginx with SNI, a Perl SSL stack that can
# send SNI, and the "openssl" command line tool to mint the test PKI.
my $t = Test::Nginx->new()
	->has(qw/http http_ssl sni socket_ssl_sni/)
	->has_daemon('openssl');

# ssl_ocsp is not available when nginx is built against BoringSSL.
plan(skip_all => 'no OCSP support in BoringSSL')
	if $t->has_module('BoringSSL');

# nginx configuration.  Every server requires a client certificate verified
# against trusted.crt (int + root, depth 2) and reports the outcome in the
# X-Verify header: $ssl_client_verify (SUCCESS / FAILED:reason) and
# $ssl_session_reused ("r" on a resumed session).  The header is added with
# "always" so that it is present on the 400 returned for a rejected client.
#
#   :8443 localhost - ssl_ocsp leaf, responder URL from the certificate
#                     (AIA -> port 8081)
#   :8443 sni       - same, but ssl_ocsp_responder points at port 8082
#   :8443 resolver  - ssl_ocsp on (whole chain); int.crt's AIA URL uses a
#                     hostname and no resolver is configured
#   :8444           - ssl_ocsp on (whole chain), responder on port 8081
#   :8445           - ssl_ocsp leaf, responder on port 8082
#   :8446           - ssl_ocsp leaf with ssl_ocsp_cache
#   :8447           - ssl_ocsp leaf, trusting root.crt only (self-signed case)

my $conf = <<'EOF';

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_ocsp leaf;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate trusted.crt;

    ssl_certificate_key rsa.key;
    ssl_certificate rsa.crt;

    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;

    add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
    add_header X-SSL-Protocol $ssl_protocol always;

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  localhost;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  sni;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8443 ssl;
        server_name  resolver;

        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8444 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8081;
        ssl_ocsp on;
    }

    server {
        listen       127.0.0.1:8445 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
    }

    server {
        listen       127.0.0.1:8446 ssl;
        server_name  localhost;

        ssl_ocsp_cache shared:OCSP:1m;
    }

    server {
        listen       127.0.0.1:8447 ssl;
        server_name  localhost;

        ssl_ocsp_responder http://127.0.0.1:8082;
        ssl_client_certificate root.crt;
    }
}

EOF

$t->write_file_expand('nginx.conf', $conf);

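
my $d = $t->testdir();
my $p = port(8081);

# Request template shared by all keys/CSRs and by the self-signed
# certificates; the CA:TRUE extension was added for compatibility with the
# "openssl" app from OpenSSL 3.2.0 (see the revision history of this file).

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = myca_extensions
[ req_distinguished_name ]
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
EOF

# CA configurations.  Both share the same certindex/certserial database and
# differ only in the authorityInfoAccess URL stamped into issued
# certificates: ca.conf (used for the leaves) names the stub by address,
# ca2.conf (used for int.crt) names it by hostname, so that checking the
# intermediate with ssl_ocsp on needs a resolver, which the nginx
# configuration deliberately does not have.

my %ocsp_uri = (
	'ca.conf'  => "http://127.0.0.1:$p",
	'ca2.conf' => "http://localhost:$p",
);

for my $ca_conf (sort keys %ocsp_uri) {
	$t->write_file($ca_conf, <<EOF);
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 1
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
authorityInfoAccess = OCSP;URI:$ocsp_uri{$ca_conf}
EOF
}
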
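# Test PKI: root (self-signed) -> int -> end (RSA) and ec-end (ECDSA).

foreach my $name ('root') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('int', 'end') {
	system("openssl req -new "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

foreach my $name ('ec-end') {
	system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create EC param: $!\n";
	system("openssl req -new -key $d/$name.key "
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.csr "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

# Serials start at 0x1000 so that everything issued here has a two-byte
# DER encoding with the high bit clear, which der_serial() below relies on.

$t->write_file('certserial', '1000');
$t->write_file('certindex', '');

# int.crt is issued with ca2.conf, i.e. with a hostname in its OCSP URL.

system("openssl ca -batch -config $d/ca2.conf "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for int: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for ec-end: $!\n";

system("openssl ca -batch -config $d/ca.conf "
	. "-keyfile $d/int.key -cert $d/int.crt "
	. "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't sign certificate for end: $!\n";

# RFC 6960, serialNumber: the responder stub (http_daemon) tells requests
# apart by looking for the DER-encoded serial of int.crt or end.crt inside
# the request's CertID.

system("openssl x509 -in $d/int.crt -serial -noout "
	. ">>$d/serial_int 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for int: $!\n";

my $serial_int = der_serial($t->read_file('serial_int'));

system("openssl x509 -in $d/end.crt -serial -noout "
	. ">>$d/serial 2>>$d/openssl.out") == 0
	or die "Can't obtain serial for end: $!\n";

my $serial = der_serial($t->read_file('serial'));

# ocsp end: a "good" response for end.crt, signed by its issuer (int)

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# ocsp ec-end: deliberately signed with root.crt, which is neither the
# issuer of ec-end.crt nor a responder delegated by it; nginx must reject
# it ("root ca not trusted" below).  A properly signed response replaces
# this file later in the test.

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

# Trust anchors for client certificate verification: the intermediate and
# the root, so that end.crt / ec-end.crt (depth 2) and root.crt itself
# all verify.

$t->write_file('trusted.crt',
	$t->read_file('int.crt') . $t->read_file('root.crt'));

# Returns a certificate's serialNumber, as printed by "openssl x509
# -serial" (hexadecimal), in the form it takes inside an OCSP request's
# CertID: INTEGER tag, length 2, two big-endian bytes.  Only values in
# 0x0080..0x7fff have exactly that encoding (smaller ones take one byte,
# larger ones need a leading zero or a third byte), so anything else is
# refused here instead of producing a pattern the responder stub would
# never match.  Previously the serial was parsed with a conditional "my"
# declaration, which perlsyn documents as undefined behaviour, and a
# parse failure silently left the variable undefined.

sub der_serial {
	my ($text) = @_;

	my ($hex) = $text =~ /([0-9a-f]+)\s*\z/i
		or die "Can't parse certificate serial: $text\n";

	my $value = hex $hex;
	die "Serial $hex is not a two-byte positive DER INTEGER\n"
		if $value < 0x80 || $value > 0x7fff;

	return pack("n2", 0x0202, $value);
}
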
# Server certificate and key.  The server side only needs something to
# present; client certificate verification is what this test is about.

for my $server ('rsa') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$server/ "
		. "-out $d/$server.crt -keyout $d/$server.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $server: $!\n";
}

# Two instances of the OCSP responder stub.  They serve the same canned
# responses, except that only the one on port 8081 switches end.crt's
# answer to revoked.der once that file exists (see http_daemon()); the
# ssl_ocsp_responder tests rely on port 8082 still answering "good".

$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
$t->run()->plan(15);

$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));

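###############################################################################

# ssl_ocsp leaf (http level): only end.crt itself is checked, through the
# AIA URL in the certificate, which points at the stub on port 8081.

like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');

# demonstrate that ocsp int request is failed due to missing resolver:
# with ssl_ocsp on, int.crt is checked too; its AIA URL carries a hostname
# (ca2.conf) and no resolver is configured, so the status request cannot
# be sent and verification fails closed rather than assuming "good"

like(get('end', sni => 'resolver'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed request');

# demonstrate that ocsp int request is actually made by failing ocsp
# response: ssl_ocsp_responder lets the request reach the stub, which has
# no int-resp.der yet and drops the connection

like(get('end', port => 8444),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'ocsp many failed');

# now prepare valid ocsp int response, signed by root (int's issuer)

system("openssl ocsp -issuer $d/root.crt -cert $d/int.crt "
	. "-reqout $d/int-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/root.crt "
	. "-rsigner $d/root.crt -rkey $d/root.key "
	. "-reqin $d/int-req.der -respout $d/int-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');

# store into ssl_ocsp_cache (end.crt is still good at this point)

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');

# revoke end.crt.  Revocation goes through the certindex database that
# ca.conf and ca2.conf share; from now on the stub on port 8081 serves
# revoked.der for end.crt, while the one on port 8082 keeps serving the
# earlier "good" response.

system("openssl ca -config $d/ca.conf -revoke $d/end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt "
	. "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/req.der -respout $d/revoked.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');

# with different responder where it's still valid: ssl_ocsp_responder
# overrides the URL from the certificate

like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');

# with different context to responder where it's still valid: the
# responder is selected per virtual server, here by SNI on the same port

like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');

# with cached ocsp response it's still valid: the entry stored above is
# reused although this server's responder (port 8081) now says "revoked",
# i.e. ssl_ocsp_cache serves an entry for its lifetime without asking again

like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');

# ocsp ec-end response signed with invalid (root) cert, expect HTTP 400:
# the response says "good", but it is signed by neither the issuer nor a
# responder the issuer delegated to, so it must count for nothing

like(get('ec-end'),
	qr/400 Bad.*FAILED:certificate status request failed/s,
	'root ca not trusted');

# now sign ocsp ec-end response with valid int cert

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create EC OCSP response: $!\n";

like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');

# session resumption; the session is established while ec-end.crt is good

my $s = session('ec-end');

TODO: {
local $TODO = tls13_session_todo();

like(get('ec-end', ses => $s),
	qr/200 OK.*SUCCESS:r/s, 'session reused');

}

# revoke with saved session

system("openssl ca -config $d/ca.conf -revoke $d/ec-end.crt "
	. "-keyfile $d/root.key -cert $d/root.crt "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't revoke ec-end.crt: $!\n";

system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt "
	. "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP request: $!\n";

system("openssl ocsp -index $d/certindex -CA $d/int.crt "
	. "-rsigner $d/int.crt -rkey $d/int.key "
	. "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 "
	. ">>$d/openssl.out 2>&1") == 0
	or die "Can't create OCSP response: $!\n";

# reusing session with revoked certificate: resuming a session must not
# bypass the status check, the resumed ("r") connection is rejected too

TODO: {
local $TODO = tls13_session_todo();

like(get('ec-end', ses => $s),
	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');

}

# regression test for self-signed: root.crt is presented to a server that
# trusts root.crt itself, so there is no issuer to ask and the check must
# succeed

like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');

# check for errors

like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');

# Returns the TODO reason for the session reuse tests above, or nothing
# when they are expected to pass: TLSv1.3 sessions cannot be resumed from
# Perl with Net::SSLeay before 1.88 or IO::Socket::SSL before 2.061, nor
# with LibreSSL, while older protocols need no excuse.  When several
# reasons apply the last one is reported, as with the chain of conditional
# "local $TODO" assignments this replaces.

sub tls13_session_todo {
	return unless test_tls13();

	my $reason;

	$reason = 'no TLSv1.3 sessions, old Net::SSLeay'
		if $Net::SSLeay::VERSION < 1.88;
	$reason = 'no TLSv1.3 sessions, old IO::Socket::SSL'
		if $IO::Socket::SSL::VERSION < 2.061;
	$reason = 'no TLSv1.3 sessions in LibreSSL'
		if $t->has_module('LibreSSL');

	return $reason;
}

###############################################################################
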
# Performs one request with the given client certificate and returns the
# whole response, or nothing when the connection could not be set up.
# Takes the same arguments as get_socket().
sub get {
	my $sock = get_socket(@_)
		or return;

	return http_end($sock);
}

# Like get(), but returns the socket rather than the response, so that the
# SSL session it negotiated can be handed back to get_socket() through the
# "ses" argument (SSL_reuse_ctx) to test session resumption.
sub session {
	my $sock = get_socket(@_)
		or return;

	http_end($sock);

	return $sock;
}

# Opens an SSL connection to one of the test servers and sends a request.
#
#   $cert - basename of the client certificate/key pair in the test
#           directory, or a false value to send no client certificate
#   sni   - SNI name, also used as the Host header (default "localhost")
#   port  - symbolic listen port (default 8443)
#   ses   - socket previously returned by session(); its SSL session is
#           reused for this connection
#
# Returns whatever http() returns with "start": the socket with the
# request written, or a false value when the connection failed (get() and
# session() treat that as "no response").
sub get_socket {
	my ($cert, %extra) = @_;

	my $sni = $extra{sni} || 'localhost';
	my $port = $extra{port} || 8443;

	my @client_cert = $cert
		? (SSL_cert_file => "$d/$cert.crt", SSL_key_file => "$d/$cert.key")
		: ();

	return http(
		"GET /serial HTTP/1.0\nHost: $sni\n\n",
		start => 1,
		PeerAddr => '127.0.0.1:' . port($port),
		SSL => 1,
		SSL_hostname => $sni,
		SSL_session_cache_size => 100,
		SSL_reuse_ctx => $extra{ses},
		@client_cert
	);
}

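# Whether this client negotiates TLSv1.3 with the server, judged from the
# X-SSL-Protocol header, which is added with "always" and so is present on
# the 400 that a request without a client certificate gets.  The server on
# port 8443 is named explicitly: Test::Nginx's http_get() otherwise targets
# port 8080, and nothing in this configuration listens there, in which case
# the check could never report TLSv1.3 and the TODO markers would not apply.
sub test_tls13 {
	my $r = http_get('/', SSL => 1, PeerAddr => '127.0.0.1:' . port(8443));

	return defined $r && $r =~ /TLSv1.3/;
}

###############################################################################
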
# Minimal OCSP responder stub (RFC 6960, Appendix A: the request arrives
# base64-encoded in the URL of a GET).  It does not parse the request: it
# looks for the DER-encoded serial of int.crt or end.crt in the decoded
# bytes and serves the matching pre-generated response file, falling back
# to ec-resp.der for anything else.  The files are regenerated while the
# test runs, so each request re-reads the file it serves.
#
# Only the instance on port 8081 switches end.crt's answer to revoked.der
# once that file exists; the one on port 8082 keeps answering with
# resp.der, which the ssl_ocsp_responder and ssl_ocsp_cache tests depend on.
#
# A request whose response file is missing or empty is answered by closing
# the connection, which nginx reports as a failed status request.  $t is
# accepted for run_daemon()'s calling convention and is not used.
sub http_daemon {
	my ($t, $port) = @_;

	my $listener = IO::Socket::INET->new(
		Proto => 'tcp',
		LocalHost => "127.0.0.1:$port",
		Listen => 5,
		Reuse => 1
	)
		or die "Can't create listening socket: $!\n";

	# a client that goes away mid-response must not kill the daemon
	local $SIG{PIPE} = 'IGNORE';

	CLIENT:
	while (my $client = $listener->accept()) {
		$client->autoflush(1);

		# request line and headers, logged for debugging

		my $headers = '';

		while (my $line = <$client>) {
			Test::Nginx::log_core('||', $line);
			$headers .= $line;
			last if $line =~ /^\x0d?\x0a?$/;
		}

		my ($uri) = $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i;
		next CLIENT unless $uri;

		# undo the URL encoding, then the base64, to get the DER request

		$uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
		my $request = decode_base64($uri);

		# choose the response by the serial embedded in the CertID; the
		# serial is never at offset 0 (a DER request starts with a
		# SEQUENCE tag), so "> 0" means "found" here

		my $resp;

		if (index($request, $serial_int) > 0) {
			$resp = 'int-resp';

		} elsif (index($request, $serial) > 0) {
			# used to differentiate ssl_ocsp_responder: only the
			# responder on port 8081 learns about the revocation
			$resp = ($port == port(8081) && -e "$d/revoked.der")
				? 'revoked' : 'resp';

		} else {
			$resp = 'ec-resp';
		}

		# no (or empty) response file: drop the connection
		next CLIENT unless -s "$d/$resp.der";

		# ocsp dummy handler

		select undef, undef, undef, 0.02;

		my $der = do {
			local $/;
			open my $fh, '<', "$d/$resp.der"
				or die "Can't open $resp.der: $!";
			binmode $fh;
			<$fh>;
		};

		print {$client} "HTTP/1.1 200 OK\n"
			. "Connection: close\n"
			. "Content-Type: application/ocsp-response\n"
			. "\n"
			. $der;
	}
}

###############################################################################