Mercurial > hg > nginx-tests
diff ssl_sni.t @ 237:90af19544dd2
Tests: https sni tests.
author | Valentin Bartenev <ne@vbart.ru> |
---|---|
date | Mon, 01 Oct 2012 02:54:57 +0400 |
parents | |
children | de7338227832 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ssl_sni.t Mon Oct 01 02:54:57 2012 +0400 @@ -0,0 +1,166 @@ +#!/usr/bin/perl + +# (C) Maxim Dounin +# (C) Valentin Bartenev + +# Tests for Server Name Indication (SNI) TLS extension + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/http http_ssl sni rewrite/) + ->has_daemon('openssl') + ->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + server { + listen 127.0.0.1:8443 ssl; + server_name localhost; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + + location / { + return 200 $server_name; + } + } + + server { + listen 127.0.0.1:8443; + server_name example.com; + + ssl_certificate_key example.com.key; + ssl_certificate example.com.crt; + + location / { + return 200 $server_name; + } + } +} + +EOF + +eval { require IO::Socket::SSL; die if $IO::Socket::SSL::VERSION < 1.56; }; +plan(skip_all => 'IO::Socket::SSL version >= 1.56 required') if $@; + +eval { + my $ctx = Net::SSLeay::CTX_new() or die; + my $ssl = Net::SSLeay::new($ctx) or die; + Net::SSLeay::set_tlsext_host_name($ssl, 'example.org') == 1 or die; +}; +plan(skip_all => 'Net::SSLeay with OpenSSL SNI support required') if $@; + +$t->plan(6); + +$t->write_file('openssl.conf', <<EOF); +[ req ] +default_bits = 2048 +encrypt_key = no +distinguished_name = req_distinguished_name +[ req_distinguished_name ] +EOF + +my $d = $t->testdir(); + +foreach my $name ('localhost', 'example.com') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->run(); + +############################################################################### + +like(get_cert_cn(), qr!/CN=localhost!, 'default cert'); +like(get_cert_cn('example.com'), qr!/CN=example.com!, 'sni cert'); + +like(https_get_host('example.com'), qr!example.com!, + 'host exists, sni exists, and host is equal sni'); + +like(https_get_host('example.com', 'example.org'), qr!example.com!, + 'host exists, sni not found'); + +TODO: { +local $TODO = 'sni restrictions'; + +like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, + 'host exists, sni exists, and host is not equal sni'); + +like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, + 'host not found, sni exists'); + +} + +############################################################################### + +sub get_ssl_socket { + my ($host) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(2); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1:8443', + SSL_hostname => $host, + SSL_error_trap => sub { die $_[1] } + ); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +sub get_cert_cn { + my ($host) = @_; + my $s = get_ssl_socket($host); + + return $s->dump_peer_certificate(); +} + +sub https_get_host { + my ($host, $sni) = @_; + my $s = get_ssl_socket($sni ? $sni : $host); + + return http(<<EOF, socket => $s); +GET / HTTP/1.0 +Host: $host + +EOF +} + +###############################################################################