Mercurial > hg > nginx-tests
annotate ssl_verify_client.t @ 1260:eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
At least, some win32 hosts exhibit a round-off error or some such in the
notBefore field of the certificate generated before starting nginx, such
that it can be set to the value one second ahead of the current time.
This manifests in spurious test failures due to certificate verify error
with a failure reason "certificate is not yet valid".
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 12 Dec 2017 12:53:53 +0300 |
parents | 0af58b78df35 |
children | 1d7c87dba788 |
rev | line source |
---|---|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_client. |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
15 use Socket qw/ :DEFAULT CRLF /; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
16 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 use Test::Nginx; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
27 eval { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
28 require Net::SSLeay; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
29 Net::SSLeay::load_error_strings(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
30 Net::SSLeay::SSLeay_add_ssl_algorithms(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
31 Net::SSLeay::randomize(); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
32 }; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
33 plan(skip_all => 'Net::SSLeay not installed') if $@; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
34 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
35 eval { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
36 my $ctx = Net::SSLeay::CTX_new() or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
37 my $ssl = Net::SSLeay::new($ctx) or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
38 Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
39 }; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
40 plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
1032
43eedbfea090
Tests: add missing sni prerequisites.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
42 my $t = Test::Nginx->new()->has(qw/http http_ssl sni/) |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
43 ->has_daemon('openssl')->plan(10); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 $t->write_file_expand('nginx.conf', <<'EOF'); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 %%TEST_GLOBALS%% |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 daemon off; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 events { |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 http { |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 %%TEST_GLOBALS_HTTP%% |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
57 add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
59 ssl_certificate_key 1.example.com.key; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
60 ssl_certificate 1.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 server { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
63 listen 127.0.0.1:8080; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 server_name localhost; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
66 ssl_verify_client on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
67 ssl_client_certificate 2.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 server { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
71 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
72 server_name on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
73 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
74 ssl_verify_client on; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
75 ssl_client_certificate 2.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
76 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
77 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
78 server { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
79 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
80 server_name optional; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
82 ssl_verify_client optional; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
83 ssl_client_certificate 2.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
84 ssl_trusted_certificate 3.example.com.crt; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
85 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
86 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
87 server { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
88 listen 127.0.0.1:8081 ssl; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
89 server_name optional_no_ca; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
90 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
91 ssl_verify_client optional_no_ca; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
92 ssl_client_certificate 2.example.com.crt; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 EOF |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
98 $t->write_file('openssl.conf', <<EOF); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
99 [ req ] |
1116
8ef51dbb5d69
Tests: reduced OpenSSL default key length to 1024.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1114
diff
changeset
|
100 default_bits = 1024 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
101 encrypt_key = no |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
102 distinguished_name = req_distinguished_name |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 [ req_distinguished_name ] |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
104 EOF |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
105 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
106 my $d = $t->testdir(); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
107 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
108 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
109 system('openssl req -x509 -new ' |
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
110 . "-config $d/openssl.conf -subj /CN=$name/ " |
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
111 . "-out $d/$name.crt -keyout $d/$name.key " |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 . ">>$d/openssl.out 2>&1") == 0 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 or die "Can't create certificate for $name: $!\n"; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 |
1260
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
116 sleep 1 if $^O eq 'MSWin32'; |
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
117 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 $t->write_file('t', 'SEE-THIS'); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 $t->run(); |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
124 like(http_get('/t'), qr/x:x/, 'plain connection'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
125 like(get('on'), qr/400 Bad Request/, 'no cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
126 like(get('optional'), qr/NONE:x/, 'no optional cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
127 like(get('optional', '1.example.com'), qr/400 Bad/, 'bad optional cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
128 like(get('optional_no_ca', '1.example.com'), qr/FAILED.*BEGIN/, |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
129 'bad optional_no_ca cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
130 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
131 like(get('localhost', '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
132 like(get('optional', '2.example.com'), qr/SUCCESS.*BEGI/, 'good cert optional'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
133 like(get('optional', '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
134 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
135 SKIP: { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
136 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
137 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
138 my $ca = join ' ', get('optional', '3.example.com'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
139 is($ca, '/CN=2.example.com', 'no trusted sent'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
140 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
141 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
142 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
143 like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected'); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 ############################################################################### |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
146 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 sub get { |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
148 my ($sni, $cert, $host) = @_; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
149 |
1207
b1dc56ad15e9
Tests: ignore SIGPIPE in ssl_verify_client.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
150 local $SIG{PIPE} = 'IGNORE'; |
b1dc56ad15e9
Tests: ignore SIGPIPE in ssl_verify_client.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
151 |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 $host = $sni if !defined $host; |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
154 my $dest_ip = inet_aton('127.0.0.1'); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
155 my $dest_serv_params = sockaddr_in(port(8081), $dest_ip); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
156 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
157 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
158 connect($s, $dest_serv_params) or die "connect: $!"; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
159 |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
160 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
161 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
162 or die if $cert; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
163 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
164 Net::SSLeay::set_tlsext_host_name($ssl, $sni) == 1 or die; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
165 Net::SSLeay::set_fd($ssl, fileno($s)); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
166 Net::SSLeay::connect($ssl) or die("ssl connect"); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
167 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
168 Net::SSLeay::write($ssl, 'GET /t HTTP/1.0' . CRLF); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
169 Net::SSLeay::write($ssl, "Host: $host" . CRLF . CRLF); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
170 my $buf = Net::SSLeay::read($ssl); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
171 log_in($buf); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
172 return $buf unless wantarray(); |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 |
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
174 my $list = Net::SSLeay::get_client_CA_list($ssl); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
175 my @names; |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
176 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
177 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
178 push @names, Net::SSLeay::X509_NAME_oneline($name); |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
179 } |
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
180 return @names; |
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 } |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 |
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
183 ############################################################################### |