Mercurial > hg > nginx-tests
view ssl_verify_depth.t @ 1116:8ef51dbb5d69
Tests: reduced OpenSSL default key length to 1024.
This allows to speed up ssl tests up to two times and above.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 20 Jan 2017 18:55:03 +0300 |
parents | 54e07593713a |
children | 3e2af4dedd9c |
line wrap: on
line source
#!/usr/bin/perl # (C) Sergey Kandaurov # (C) Nginx, Inc. # Tests for http ssl module, ssl_verify_depth. ############################################################################### use warnings; use strict; use Test::More; BEGIN { use FindBin; chdir($FindBin::Bin); } use lib 'lib'; use Test::Nginx; ############################################################################### select STDERR; $| = 1; select STDOUT; $| = 1; eval { require IO::Socket::SSL; }; plan(skip_all => 'IO::Socket::SSL not installed') if $@; eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; plan(skip_all => 'IO::Socket::SSL too old') if $@; my $t = Test::Nginx->new()->has(qw/http http_ssl/) ->has_daemon('openssl')->plan(7); $t->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% daemon off; events { } http { %%TEST_GLOBALS_HTTP%% ssl_certificate_key localhost.key; ssl_certificate localhost.crt; ssl_verify_client optional_no_ca; ssl_client_certificate int-root.crt; add_header X-Verify $ssl_client_verify; server { listen 127.0.0.1:8080 ssl; server_name localhost; ssl_verify_depth 0; } server { listen 127.0.0.1:8081 ssl; server_name localhost; ssl_verify_depth 1; } server { listen 127.0.0.1:8082 ssl; server_name localhost; ssl_verify_depth 2; } } EOF my $d = $t->testdir(); $t->write_file('openssl.conf', <<EOF); [ req ] default_bits = 1024 encrypt_key = no distinguished_name = req_distinguished_name [ req_distinguished_name ] EOF $t->write_file('ca.conf', <<EOF); [ ca ] default_ca = myca [ myca ] new_certs_dir = $d database = $d/certindex default_md = sha1 policy = myca_policy serial = $d/certserial default_days = 1 x509_extensions = myca_extensions [ myca_policy ] commonName = supplied [ myca_extensions ] basicConstraints = critical,CA:TRUE EOF foreach my $name ('root', 'localhost') { system('openssl req -x509 -new ' . "-config '$d/openssl.conf' -subj '/CN=$name/' " . "-out '$d/$name.crt' -keyout '$d/$name.key' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } foreach my $name ('int', 'end') { system("openssl req -new " . "-config '$d/openssl.conf' -subj '/CN=$name/' " . "-out '$d/$name.csr' -keyout '$d/$name.key' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; } $t->write_file('certserial', '1000'); $t->write_file('certindex', ''); system("openssl ca -batch -config '$d/ca.conf' " . "-keyfile '$d/root.key' -cert '$d/root.crt' " . "-subj '/CN=int/' -in '$d/int.csr' -out '$d/int.crt' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't sign certificate for int: $!\n"; system("openssl ca -batch -config '$d/ca.conf' " . "-keyfile '$d/int.key' -cert '$d/int.crt' " . "-subj '/CN=end/' -in '$d/end.csr' -out '$d/end.crt' " . ">>$d/openssl.out 2>&1") == 0 or die "Can't sign certificate for end: $!\n"; $t->write_file('int-root.crt', $t->read_file('int.crt') . $t->read_file('root.crt')); $t->write_file('t', ''); $t->run(); ############################################################################### like(get(8080, 'end'), qr/FAILED/, 'verify depth 2 max 0'); TODO: { local $TODO = 'not yet'; like(get(8081, 'end'), qr/FAILED/, 'verify depth 2 max 1'); } like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 max 2'); like(get(8080, 'int'), qr/FAILED/, 'verify depth 1 max 0'); like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 max 1'); like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 1 max 2'); like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 max 0'); ############################################################################### sub get { my ($port, $cert) = @_; my $s = get_ssl_socket($port, $cert) or return; http_get('/t', socket => $s); } sub get_ssl_socket { my ($port, $cert) = @_; my ($s); eval { local $SIG{ALRM} = sub { die "timeout\n" }; local $SIG{PIPE} = sub { die "sigpipe\n" }; alarm(2); $s = IO::Socket::SSL->new( Proto => 'tcp', PeerAddr => '127.0.0.1', PeerPort => port($port), SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), SSL_cert_file => "$d/$cert.crt", SSL_key_file => "$d/$cert.key", SSL_error_trap => sub { die $_[1] } ); alarm(0); }; alarm(0); if ($@) { log_in("died: $@"); return undef; } return $s; } ###############################################################################